
Configuring the application policy in login-config.xml for LDAP Apache DS

 
Celinio Fernandes
Ranch Hand
Posts: 549
Hi,
I am using JBoss AS 5.1.0 GA and Apache Directory Server.
Can anyone tell me what lines to put in the application policy configuration of my login-config.xml file
for the following LDIF file that I imported in Apache Directory Server?

This LDIF file defines 3 users and 2 roles:
uid: system, userPassword: manager, roles: admin
uid: user1, userPassword: p1, roles: guest
uid: user2, userPassword: p2, roles: admin

Here is the LDIF file that I imported with success in Apache DS:



I have tried the following application policy in my login-config.xml file but it does not work:



Being not too familiar with LDAP, I am not too sure about certain options, like bindCredential, bindDN, baseCtxDN ...

Can someone please help me with the configuration of this application policy?

Thanks in advance.
 
Peter Johnson
author
Bartender
Posts: 5852
I cover this in great detail in the security chapter in JBoss in Action - I'm not sure how much of that I want to repeat here. I start from an LDAP schema, describe how you can query it using some LDAP command-line tools, and from there determine what the settings in the LdapExtLoginModule should be.

The baseCtxDN must match the "dn" for the users (either the full dn or a partial dn). Look at the dn for your users and use only the part that is common.

The baseFilter must identify the attribute that is used to identify the account name. I can't tell where the user ids are in your schema; it could be either "givenname", in which case you would use "(givenname={1})".

Ditto for the roleXXX entries.
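As an added example (not code from the thread, the book or JBoss), this script applies the derivation Peter describes to a constructed LDIF with the layout the thread implies: users under ou=users and role groups under ou=roles are assumptions, as are the attribute names uid, cn and member, and it prints nothing but returns the LdapExtLoginModule option values so they can be pasted into the application policy.

```python
# Added example: derive the LdapExtLoginModule search options from an LDIF export.
# Constructed LDIF (assumed layout: users keyed by uid, roles as groupOfNames with member DNs).
SAMPLE_LDIF = """\
dn: uid=system,ou=users,ou=system
uid: system

dn: uid=user1,ou=users,ou=system
uid: user1

dn: cn=admin,ou=roles,ou=system
cn: admin
member: uid=system,ou=users,ou=system

dn: cn=guest,ou=roles,ou=system
cn: guest
member: uid=user1,ou=users,ou=system
"""

def parse_ldif(text):
    # Minimal LDIF reader: one {attribute: [values]} dict per blank-line-separated block.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def common_base(dns):
    # "Use only the part that is common": the longest shared suffix of the RDN lists
    # (assumes no escaped commas inside the DNs, which holds for the sample above).
    shared = []
    for rdns in zip(*(reversed(dn.split(",")) for dn in dns)):
        if len(set(rdns)) != 1:
            break
        shared.insert(0, rdns[0])
    return ",".join(shared)

def derive_settings(ldif_text):
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if "uid" in e]        # account entries carry uid
    roles = [e for e in entries if "member" in e]     # role groups list members by DN
    user_attr = users[0]["dn"][0].split("=", 1)[0]    # RDN attribute naming the account
    role_attr = roles[0]["dn"][0].split("=", 1)[0]    # RDN attribute naming the role
    return {
        "baseCtxDN": common_base(u["dn"][0] for u in users),
        "baseFilter": "(%s={0})" % user_attr,         # {0} is the login name
        "rolesCtxDN": common_base(r["dn"][0] for r in roles),
        "roleFilter": "(member={1})",                  # {1} is the authenticated user's DN
        "roleAttributeID": role_attr,                  # role name taken from the group's cn
    }
```

Each key in the returned dict is the name of a module-option of LdapExtLoginModule, and the value is what goes between the tags.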
 
Celinio Fernandes
Ranch Hand
Posts: 549
I have your book. I even checked the chapter on LDAP and the different login modules in JBoss.
I will take a deeper look tomorrow.

Thanks.
 
Celinio Fernandes
Ranch Hand
Posts: 549
This is the new application policy I got:




From a Java class, I am trying to connect with the usual lines of code:



I keep getting an invalid user error. I am still not too sure about several parameters I put in that application policy.

Any idea?

 
Celinio Fernandes
Ranch Hand
Posts: 549
I can connect with that code though:




Where's the problem then?
 
Celinio Fernandes
Ranch Hand
Posts: 549
By the way,
which login module should I use with Apache DS?

org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule?

Thanks
 
Peter Johnson
author
Bartender
Posts: 5852
You can use the LdapLoginModule only for simple LDAP trees. The LdapExtLoginModule can be used for simple trees and complex LDAP forests (where you have the possibility of multiple trees, i.e., multiple authenticating servers). I prefer the LdapExtLoginModule, but then at work we have a very complex Active Directory setup that LdapLoginModule cannot handle.
 
Celinio Fernandes
Ranch Hand
Posts: 549
No idea about this problem? I'm still stuck with it.

Do we still need a jaas.conf file?
 
Celinio Fernandes
Ranch Hand
Posts: 549
I fixed it, the login-config.xml was not configured well.
 
Mark E Hansen
Ranch Hand
Posts: 650
Celinio Fernandes wrote: I fixed it, the login-config.xml was not configured well.


Can you please share what was wrong with it and what you did to correct it?

Thanks,
 
dhaval joshi
Greenhorn
Posts: 1
I got it working. Try this configuration in your login-config.xml:

<application-policy name="myTestWAR">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <!-- JNDI connection to Apache DS on its default port -->
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- Service account for the initial bind (the Apache DS default admin account) -->
      <module-option name="bindDN">uid=admin,ou=system</module-option>
      <module-option name="bindCredential">secret</module-option>
      <!-- The user's DN is assembled as uid=<login>,ou=system and bound with the supplied password -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=system</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!-- true forwards an empty password to the server, which many directories treat as an anonymous bind; set to false to reject empty passwords -->
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>
 