Configuring the application policy in login-config.xml for LDAP Apache DS

Celinio Fernandes
Hi,
I am using JBoss AS 5.1.0 GA and Apache Directory Server.
Can anyone tell me what lines to put in the application policy configuration of my login-config.xml file
for the following LDIF file that I imported in Apache Directory Server?

This LDIF file defines 3 users and 2 roles:
  • uid: system, userPassword: manager, roles: admin
  • uid: user1, userPassword: p1, roles: guest
  • uid: user2, userPassword: p2, roles: admin

Here is the LDIF file that I imported successfully into Apache DS:



I have tried the following application policy in my login-config.xml file but it does not work:



Not being too familiar with LDAP, I am not too sure about certain options, like bindCredential, bindDN, baseCtxDN ...

Can someone please help me with the configuration of this application policy?

Thanks in advance.
Peter Johnson
I cover this in great detail in the security chapter in JBoss in Action - I'm not sure how much of that I want to repeat here. I start from an LDAP schema, describe how you can query it using some LDAP command-line tools, and from there determine what the settings in the LdapExtLoginModule should be.

The baseCtxDN must match the "dn" for the users (either the full dn or a partial dn). Look at the dn for your users and use only the part that is common.

The baseFilter must identify the attribute that is used to identify the account name. I can't tell where the user ids are in your schema; it could be "givenname", in which case you would use "(givenname={1})".

Ditto for the roleXXX entries.
 
Celinio Fernandes
I have your book. I even checked the chapter on LDAP and the different login modules in JBoss.
I will take a deeper look tomorrow.

Thanks.
 
Celinio Fernandes
This is the new application policy I got:




From a Java class, I am trying to connect with the usual lines of code:



I keep getting an invalid user error. I am still not too sure about several parameters I put in that application policy.

Any idea ?

 
Celinio Fernandes
I can connect with that code though:




Where's the problem then?
 
Celinio Fernandes
By the way,
which login module should I use with Apache DS?

org.jboss.security.auth.spi.LdapLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule ?

Thanks
Peter Johnson
You can use the LdapLoginModule only for simple LDAP trees. The LdapExtLoginModule can be used for simple trees and complex LDAP forests (where you have the possibility of multiple trees, i.e., multiple authenticating servers). I prefer the LdapExtLoginModule, but then at work we have a very complex Active Directory setup that LdapLoginModule cannot handle.
 
Celinio Fernandes
No idea about this problem ? I'm still stuck with it.

Do we still need a jaas.conf file?
 
Celinio Fernandes
I fixed it, the login-config.xml was not configured well.
 

Celinio Fernandes wrote: I fixed it, the login-config.xml was not configured well.

Can you please share what was wrong with it and what you did to correct it?

Thanks,
 
I got it working. Try this configuration in your login-config.xml:

<application-policy name="myTestWAR">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">uid=admin,ou=system</module-option>
      <module-option name="bindCredential">secret</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=system</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>
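The configuration above works, but it carries three settings a security reviewer would flag: allowEmptyPasswords=true (some directories treat a bind with an empty password as an anonymous bind, so any valid uid plus an empty password would pass the login module), plain ldap:// (the user's password and the bind credential cross the network in clear), and uid=admin,ou=system with the password secret as the lookup account (that is Apache DS's built-in administrator with its out-of-the-box password). Below is an added example, not code from the thread, that applies the baseCtxDN/baseFilter/roleFilter approach Peter Johnson describes to the three users and two roles from the first post, using the LdapExtLoginModule. Everything about the directory layout is an assumption: users are taken to sit directly under ou=system (uid=user1,ou=system, as the posted principalDNPrefix/Suffix implies), the roles admin and guest are assumed to be groupOfNames entries under ou=groups,ou=system whose member attribute holds user DNs, the server is assumed to be reached over LDAPS on Apache DS's default LDAPS port 10636 (its default plain port is 10389, so the 389 above only works if the port was changed), and uid=jboss-bind,ou=system is an assumed read-only lookup account you would create yourself. In baseFilter, {0} is the login name the user typed; in roleFilter, {0} is that login name and {1} is the DN that baseFilter found.

```xml
<!-- Added example (not from the thread). Assumed layout:
       users:  uid=<name>,ou=system
       roles:  cn=admin,ou=groups,ou=system and cn=guest,ou=groups,ou=system,
               objectClass groupOfNames, "member" = the user's DN
     Adjust the DNs, filters and port to what ldapsearch shows for your server. -->
<application-policy name="myTestWAR">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <!-- ldaps:// so neither the user's password nor the bind credential travels in clear -->
      <module-option name="java.naming.provider.url">ldaps://localhost:10636</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>

      <!-- Lookup account: a dedicated read-only entry, not the directory administrator.
           The password here is a placeholder; keep the real one out of version control. -->
      <module-option name="bindDN">uid=jboss-bind,ou=system</module-option>
      <module-option name="bindCredential">CHANGE-ME</module-option>

      <!-- Where users live and how to find one; {0} is the typed login name -->
      <module-option name="baseCtxDN">ou=system</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>

      <!-- Where roles live and how to find the user's; {1} is the DN baseFilter returned -->
      <module-option name="rolesCtxDN">ou=groups,ou=system</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <!-- The role name is the group's cn, taken directly (not parsed from a DN) -->
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">0</module-option>

      <!-- Explicitly off: an empty password must fail, never fall through to an anonymous bind -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Before wiring this into JBoss, check each filter against the server with the same LDAP command-line tools Peter mentions, so that a wrong DN is found by ldapsearch rather than as an "invalid user" error from the login module: ldapsearch -x -H ldap://localhost:10389 -D "uid=admin,ou=system" -W -b "ou=system" -s one "(uid=user1)" dn should return exactly one entry, and ldapsearch -x -H ldap://localhost:10389 -D "uid=admin,ou=system" -W -b "ou=groups,ou=system" "(member=uid=user1,ou=system)" cn should return cn: guest. If the second search returns nothing, the roles are stored differently from what this example assumes (for example a groupOfUniqueNames with uniqueMember, or a memberOf-style attribute on the user entry) and roleFilter/roleAttributeID need to change accordingly. Two points outside login-config.xml also matter: change the default administrator password of the Apache DS instance, and store userPassword values hashed (Apache DS accepts {SSHA} values in LDIF) rather than as the cleartext manager/p1/p2 shown in the first post.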