defaultRole doesn't work exactly as I expected - you still need to provide role search info. But here is something that worked for me. I want anyone who logs in to have the "loggedin" role, and I want to use only that role in web.xml (and other locations) to provide access control. I was able to do this with the following login module (with obfuscated data; this is for Exchange 2003, which doesn't allow anonymous access, hence the bindDN entry):

<application-policy name="peterj">
  <authentication>
    <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">--full DN for my account--</module-option>
      <module-option name="bindCredential">--my password--</module-option>
      <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="defaultRole">loggedin</module-option>
      <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">name</module-option>
    </login-module>
  </authentication>
</application-policy>

In typical Exchange fashion, all users are defined in OU=Users, and they belong to security groups defined by OU=Groups. The groups have an attribute named "member" which contains the users in that role. I will now see if there is any way I can look up a simple attribute value of the User to set a role, but offhand I don't see anything in LdapExtLoginModule that will let me do this. If that fails, I will try using LdapLoginModule.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4242727#4242727
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4242727
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
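The following is an added example, not code from the post above and not JBoss's own LdapExtLoginModule implementation. It models the two-step lookup that the module options in the post describe (find the user entry under baseCtxDN with baseFilter, then find the groups under rolesCtxDN whose "member" attribute names that user's DN, read roleNameAttributeID from each group, and finally add defaultRole for every authenticated user) against a small constructed in-memory directory. The directory contents, the equality-only filter matcher and the simplified handling of roleAttributeIsDN are assumptions made for the example; the RFC 4515 escaping of the substituted {0} and {1} values is the check a practitioner would want when user-supplied names are spliced into a search filter.

```python
"""Simplified model of the LdapExtLoginModule user/role resolution described in the post.

Added example with a constructed in-memory directory; it is not the JBoss code.
"""
import re

# Constructed directory: DN -> attributes, laid out like the post (users in
# OU=Users, security groups in OU=Groups with a multi-valued "member" attribute).
BASE_DN = "DC=example,DC=com"
USERS_DN = "OU=Users," + BASE_DN
GROUPS_DN = "OU=Groups," + BASE_DN

DIRECTORY = {
    "CN=Alice," + USERS_DN: {"sAMAccountName": ["alice"]},
    "CN=Bob," + USERS_DN: {"sAMAccountName": ["bob"]},
    "CN=Admins," + GROUPS_DN: {"name": ["Admins"], "member": ["CN=Alice," + USERS_DN]},
    "CN=Staff," + GROUPS_DN: {"name": ["Staff"],
                              "member": ["CN=Alice," + USERS_DN, "CN=Bob," + USERS_DN]},
}

# Option names mirror the module-option entries in the post.
CONFIG = {
    "baseCtxDN": USERS_DN,
    "baseFilter": "(sAMAccountName={0})",
    "defaultRole": "loggedin",
    "rolesCtxDN": GROUPS_DN,
    "roleFilter": "(member={1})",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "name",
}


def escape_filter_value(value):
    """Escape a value per RFC 4515 before splicing it into a search filter.

    Without this, a login name such as '*' or 'x)(objectClass=*' changes the
    meaning of the filter instead of being matched literally.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def search(ctx_dn, ldap_filter):
    """Subtree search supporting one equality filter of the form (attr=value)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, re.DOTALL)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, value = m.groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(ctx_dn.lower()) and value in attrs.get(attr, [])]


def resolve_roles(username):
    """Return the role set for username, or None if the user cannot be resolved."""
    user_filter = CONFIG["baseFilter"].replace("{0}", escape_filter_value(username))
    hits = search(CONFIG["baseCtxDN"], user_filter)
    if len(hits) != 1:
        return None  # unknown or ambiguous account: authentication fails
    user_dn = hits[0]

    # {0} is the login name, {1} the DN found above; both are escaped.
    role_filter = (CONFIG["roleFilter"]
                   .replace("{0}", escape_filter_value(username))
                   .replace("{1}", escape_filter_value(user_dn)))
    roles = set()
    for group_dn in search(CONFIG["rolesCtxDN"], role_filter):
        if CONFIG["roleAttributeIsDN"]:
            # Assumed simplification: read roleNameAttributeID from the matched group entry.
            roles.update(DIRECTORY[group_dn].get(CONFIG["roleNameAttributeID"], []))
        else:
            roles.add(group_dn)
    roles.add(CONFIG["defaultRole"])  # defaultRole is added on top of the searched roles
    return roles


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory", "*"):
        print(name, "->", resolve_roles(name))
```

Running it shows that "alice" gets Admins, Staff and loggedin, "bob" gets Staff and loggedin, and an unknown name or a wildcard is rejected rather than matching every user; defaultRole only reaches users whose entry was found, which is why the role search settings still have to be present.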