Several people, including me, have tried to get LDAP authentication to work with Microsoft Active Directory. I searched on the lists and the forums, and the approaches people have come up with for working with Active Directory don't seem to be able to do the user-role mapping. In particular, it seems that we ought to be able to create JBoss roles based on Active Directory Groups.

I did a little digging, and LdapLoginModule in JBoss 3.0.3 does not seem to have sufficient flexibility to support reading user-role information from user-Group assignments in ActiveDirectory.

In the user record, ActiveDirectory stores the DNs of the Groups to which the user has been assigned. LdapLoginModule in JBoss 3.0.3 assumes that the role attribute of a user record would be the role name instead of a DN to a role object.

In the spirit of open-source, I submitted patch #638718 to SourceForge which adds this capability to the 3.0.3 source, and filed the corresponding bug #638724.

This patch adds two additional config parameters:
+ `roleAttributeIsDN`: whether the role attribute holds a DN or a role name
+ `roleNameAttributeID`: the name of the role-name attribute of the role object

If `roleAttributeIsDN` is true, the patch looks up the object corresponding to the role DN, then gets the attribute named by `roleNameAttributeID` to provide the role name.

For ActiveDirectory, the appropriate login-module config settings would look like:

testLdapToActiveDirectory {
    org.jboss.security.auth.spi.LdapLoginModule required
    java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
    java.naming.security.authentication=simple
    rolesCtxDN=cn=Users,dc=ldaphost,dc=jboss,dc=org
    uidAttributeID=userPrincipalName
    // memberOf holds group DNs, so each DN is resolved to the group's "name" attribute
    roleAttributeID=memberOf
    roleAttributeIsDN=true
    roleNameAttributeID=name
    ;
};
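The following is an added example of the lookup the two new parameters describe, written here to illustrate the mechanism; it is not Randy's patch and not JBoss code. It uses plain JNDI: bind to the directory, find the user entry by `userPrincipalName`, read its `memberOf` values, and, because `roleAttributeIsDN` is true, read the `name` attribute of each group DN to obtain the role name. The host, base DN and attribute names are taken from the config above; the user name and password come from the command line and `AdRoleResolver` is a hypothetical class name.

```java
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/** Hypothetical illustration: maps a user's group DNs (memberOf) to role names (group "name"). */
public class AdRoleResolver {

    /**
     * Returns the role names for a user. With roleAttributeIsDN=true every value of
     * roleAttributeID is a group DN; the group object is read and its roleNameAttributeID
     * value becomes the role. With roleAttributeIsDN=false the value itself is the role name.
     */
    public static Set<String> resolveRoles(DirContext ctx, Attributes userAttrs,
            String roleAttributeID, boolean roleAttributeIsDN, String roleNameAttributeID)
            throws NamingException {
        Set<String> roles = new LinkedHashSet<String>();
        Attribute roleAttr = userAttrs.get(roleAttributeID);
        if (roleAttr == null) {
            return roles; // user belongs to no groups
        }
        NamingEnumeration<?> values = roleAttr.getAll();
        try {
            while (values.hasMore()) {
                String value = String.valueOf(values.next());
                if (!roleAttributeIsDN) {
                    roles.add(value);
                    continue;
                }
                // LdapName keeps JNDI from treating '/' in a group DN as a composite-name separator.
                // Only the role-name attribute is requested from the group entry.
                Attributes groupAttrs = ctx.getAttributes(new LdapName(value),
                        new String[] { roleNameAttributeID });
                Attribute nameAttr = groupAttrs.get(roleNameAttributeID);
                if (nameAttr != null && nameAttr.get() != null) {
                    roles.add(String.valueOf(nameAttr.get()));
                }
            }
        } finally {
            values.close();
        }
        return roles;
    }

    /** Finds one user by uidAttributeID under usersCtxDN and resolves that user's roles. */
    public static Set<String> rolesForUser(DirContext ctx, String usersCtxDN, String uidAttributeID,
            String principalName, String roleAttributeID, String roleNameAttributeID)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { roleAttributeID });
        // The principal name is passed as a filter argument ({0}) so JNDI escapes it;
        // it is never concatenated into the filter string.
        NamingEnumeration<SearchResult> results = ctx.search(new LdapName(usersCtxDN),
                "(" + uidAttributeID + "={0})", new Object[] { principalName }, sc);
        try {
            if (!results.hasMore()) {
                return new LinkedHashSet<String>(); // unknown user: no roles
            }
            SearchResult user = results.next();
            return resolveRoles(ctx, user.getAttributes(), roleAttributeID, true, roleNameAttributeID);
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: AdRoleResolver <userPrincipalName> <password>");
            return;
        }
        // Connection settings mirror the login-module config above (host and port are placeholders).
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldaphost.jboss.org:1389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[0]);   // bind as the user, as LdapLoginModule does
        env.put(Context.SECURITY_CREDENTIALS, args[1]);
        DirContext ctx = new InitialDirContext(env);
        try {
            Set<String> roles = rolesForUser(ctx, "cn=Users,dc=ldaphost,dc=jboss,dc=org",
                    "userPrincipalName", args[0], "memberOf", "name");
            System.out.println("Roles for " + args[0] + ": " + roles);
        } finally {
            ctx.close();
        }
    }
}
```

Running it with `roleAttributeIsDN` false would make the raw group DNs (for example `CN=Admins,CN=Users,DC=...`) the role names, which is exactly the mismatch the patch addresses: role checks in JBoss compare against short names like `Admins`. The example binds with the user's own credentials and asks the directory only for the attributes it needs, so the group membership it trusts is whatever the authenticated directory returns rather than anything supplied by the client.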

Thanks for a great product.

-- Randy
_________________________________________________________________
Randy Shoup (650)216-2038
Tumbleweed Communications Corporation [EMAIL PROTECTED]
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user