Configuring the application policy in login-config.xml for LDAP Apache DS

Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

Hi,
I am using JBoss AS 5.1.0 GA and Apache Directory Server.
Can anyone tell me what lines to put in the application policy configuration of my login-config.xml file
for the following LDIF file that I imported in Apache Directory Server?

This LDIF file defines 3 users and 2 roles:
uid : system userPassword: manager Roles: admin
uid : user1 userPassword: p1 Roles: guest
uid : user2 userPassword: p2 Roles: admin

Here is the LDIF file that I imported with success in Apache DS:



I have tried the following application policy in my login-config.xml file but it does not work:



Not being too familiar with LDAP, I am not too sure about certain options, like bindCredential, bindDN, baseCtxDN ...

Can someone please help me with the configuration of this application policy?

Thanks in advance.


SCJP 1.4, SCWCD 1.4, SCBCD 1.3, SCBCD 5
Visit my blog
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779

I cover this in great detail in the security chapter in JBoss in Action - I'm not sure how much of that I want to repeat here. I start from an LDAP schema, describe how you can query it using some LDAP command-line tools, and from there determine what the settings in the LdapExtLoginModule should be.

The baseCtxDN must match the "dn" for the users (either the full dn or a partial dn). Look at the dn for your users and use only the part that is common.

The baseFilter must identify the attribute that is used to identify the account name. I can't tell where the user ids are in your schema, it could be either "givenname", in which case you would use "(givenname={1})"

Ditto for the roleXXX entries.


JBoss In Action
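As an added illustration (not from the original thread or the book) of how the settings described above map onto an LdapExtLoginModule policy for the three users and two roles in the question. The DN layout is an assumption, since the LDIF is not included in the extracted thread: users are assumed to sit under ou=users,ou=system with uid as the RDN, roles are assumed to be groupOfNames entries under ou=groups,ou=system whose member attribute lists user DNs, and the admin DN, its credential and the port 10389 are Apache DS defaults, not values from the thread.

```xml
<application-policy name="ldap-apacheds">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Connection to Apache DS; URL and admin account are assumed defaults, not from the thread -->
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:10389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- Service account used only to locate the user DN and its roles; the user's own
           password is then verified by binding as the found DN -->
      <module-option name="bindDN">uid=admin,ou=system</module-option>
      <module-option name="bindCredential">secret</module-option>
      <!-- baseCtxDN: the part of the user DNs that is common to all of them.
           Assumed here: uid=system,ou=users,ou=system / uid=user1,... / uid=user2,... -->
      <module-option name="baseCtxDN">ou=users,ou=system</module-option>
      <!-- baseFilter: the attribute holding the login name; {0} is the submitted username -->
      <module-option name="baseFilter">(uid={0})</module-option>
      <!-- Role lookup. Assumed entries: cn=admin (member: uid=system..., uid=user2...)
           and cn=guest (member: uid=user1...) under ou=groups,ou=system.
           {1} is the user DN found by the baseFilter search; the role name is taken from cn -->
      <module-option name="rolesCtxDN">ou=groups,ou=system</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!-- Keep the default: an empty password must not be accepted as a successful login -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

If the login name is stored in a different attribute (for example givenname), only the baseFilter changes; if role entries hold the user DN in a different attribute, only the roleFilter changes.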
Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

I have your book. I even checked the chapter on LDAP and the different login modules in JBoss.
I will take a deeper look tomorrow.

Thanks.
Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

This is the new application policy I got:




From a Java class, I am trying to connect with the usual lines of code:



I keep getting an invalid user error. I am still not too sure about several parameters I put in that application policy.

Any idea?

Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

I can connect with that code though:




Where's the problem then?
Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

By the way,
which login module should I use with Apache DS?

org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule?

Thanks
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779

You can use the LdapLoginModule only for simple LDAP trees. The LdapExtLoginModule can be used for simple trees and complex LDAP forests (where you have the possibility of multiple trees, i.e., multiple authenticating servers). I prefer the LdapExtLoginModule, but then at work we have a very complex Active Directory setup that LdapLoginModule cannot handle.
Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

No idea about this problem? I'm still stuck with it.

Do we still need a jaas.conf file?
Celinio Fernandes
Ranch Hand

Joined: Jun 28, 2003
Posts: 547

I fixed it, the login-config.xml was not configured well.
Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 642
Celinio Fernandes wrote: I fixed it, the login-config.xml was not configured well.


Can you please share what was wrong with it and what you did to correct it?

Thanks,
dhaval joshi
Greenhorn

Joined: Mar 18, 2011
Posts: 1
I got it working. Try this configuration in your login-config.xml

<application-policy name="myTestWAR">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">uid=admin,ou=system</module-option>
      <module-option name="bindCredential">secret</module-option>
      <!-- The user DN is built as uid=<username>,ou=system and bound with the submitted password -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=system</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!-- Note: true lets a login with an empty password succeed as an anonymous LDAP bind;
           the module defaults this to false -->
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>