To authenticate against LDAP you can use the LdapExtended login module, supplying the bindDN and bindCredential of the account the module uses to search the directory. This tutorial reuses the rootdn and rootpw from slapd.conf; in production use a dedicated read-only service account instead, because the credential sits in clear text in the server configuration and a leak of it would hand over the whole directory. You also need to specify the organizational unit that contains the users, through the baseCtxDN option, and the one that contains the roles, through rolesCtxDN. Additionally you need to specify the following properties:
The baseFilter option is a search filter used to locate the entry of the user to authenticate: {0} is replaced with the username typed at login, and the DN of the matching entry is then used to bind with the password the user supplied.
The roleFilter is likewise a search filter used to locate the roles associated with the authenticated user: {0} is again the username and {1} is the DN of the user entry found through baseFilter. The value of the attribute named by roleAttributeID (cn in the configuration below) on each matching entry becomes a role name.
The searchScope sets the scope of the module's searches to one of OBJECT_SCOPE (only the named context itself), ONELEVEL_SCOPE (entries directly under the named context) or SUBTREE_SCOPE (the whole subtree under it). With ONELEVEL_SCOPE the role search looks directly under the named roles context.
Finally allowEmptyPasswords: a flag indicating whether empty (length==0) passwords should be passed to the LDAP server. Many LDAP servers treat a simple bind with a DN and an empty password as an anonymous bind and report success, so with this flag enabled a valid username plus a blank password can be enough to log in. Leave it set to false unless you have verified that your server rejects such binds.

Here's the configuration to be added as a security-domain (inside the security subsystem of standalone.xml or domain.xml) for a JBoss AS 7 installation:

<security-domain name="LDAPAuth">
    <authentication>
      <login-module code="LdapExtended" flag="required">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <!-- ldap:// with a simple bind sends bindCredential and every user password in clear text: use ldaps:// outside a lab -->
        <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
        <module-option name="java.naming.security.authentication" value="simple"/>
        <module-option name="bindDN" value="uid=admin,dc=acme,dc=com"/>
        <module-option name="bindCredential" value="secret"/>
        <module-option name="baseCtxDN" value="ou=People,dc=acme,dc=com"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="rolesCtxDN" value="ou=Roles,dc=acme,dc=com"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="cn"/>
        <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
        <!-- keep false: an empty password becomes an anonymous bind on many LDAP servers and the login would succeed -->
        <module-option name="allowEmptyPasswords" value="false"/>
      </login-module>
    </authentication>
</security-domain>

If you are running a JBoss 4/5/6 security domain, here's the corresponding configuration, to be added to the conf/login-config.xml of your server configuration:
<application-policy name="LDAPAuth">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
         <!-- ldap:// with a simple bind sends bindCredential and every user password in clear text: use ldaps:// outside a lab -->
         <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">uid=admin,dc=acme,dc=com</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=People,dc=acme,dc=com</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>

         <module-option name="rolesCtxDN">ou=Roles,dc=acme,dc=com</module-option>
         <module-option name="roleFilter">(member={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
         <!-- keep false: an empty password becomes an anonymous bind on many LDAP servers and the login would succeed -->
         <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
</application-policy>
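
Before deploying either fragment it is worth checking it mechanically rather than by eye. The following Python script is an added example written for this page; it is not part of the tutorial or of JBoss. It parses a security-domain fragment (both the AS 7 attribute form and the JBoss 4/5/6 element-text form), collects the LdapExtended module-options, flags the settings discussed above (simple bind over plain ldap://, allowEmptyPasswords enabled, and a bindDN equal to the directory rootdn when you pass it) and renders the baseFilter and roleFilter for a given username and user DN with RFC 4515 escaping, so the exact searches the module issues can be replayed with ldapsearch. The embedded configurations are constructed inputs (the AS 7 fragment above, and a short legacy fragment); the finding names, the username alice and the service account uid=jboss-svc are assumptions of the example.

```python
"""Audit a JBoss security-domain that uses the LdapExtended login module.

Added example for this page, not code from the tutorial or from JBoss.
Assumed: the finding names are the example's own; the rootdn is only known
if the caller passes it (the tutorial reuses the slapd.conf rootdn).
"""
import xml.etree.ElementTree as ET

# Constructed input: the AS 7 security-domain fragment shown in the tutorial.
SAMPLE_AS7 = """<security-domain name="LDAPAuth">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="bindDN" value="uid=admin,dc=acme,dc=com"/>
      <module-option name="bindCredential" value="secret"/>
      <module-option name="baseCtxDN" value="ou=People,dc=acme,dc=com"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="rolesCtxDN" value="ou=Roles,dc=acme,dc=com"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
      <module-option name="allowEmptyPasswords" value="true"/>
    </login-module>
  </authentication>
</security-domain>"""

# Constructed input: a hardened subset in the JBoss 4/5/6 login-config.xml form.
SAMPLE_LEGACY = """<application-policy name="LDAPAuth">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldaps://ldap.acme.com:636</module-option>
      <module-option name="bindDN">uid=jboss-svc,ou=Services,dc=acme,dc=com</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>"""

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_module_options(xml_text: str) -> dict:
    """Return the LdapExtended module-options as a dict (AS 7 or 4/5/6 form)."""
    root = ET.fromstring(xml_text)
    for module in root.iter("login-module"):
        if module.get("code") in ("LdapExtended", "org.jboss.security.auth.spi.LdapExtLoginModule"):
            opts = {}
            for opt in module.findall("module-option"):
                value = opt.get("value")  # AS 7 uses an attribute, 4/5/6 uses element text
                opts[opt.get("name")] = value if value is not None else (opt.text or "").strip()
            return opts
    raise ValueError("no LdapExtended login-module found")


def render_filters(opts: dict, username: str, user_dn: str) -> tuple:
    """Substitute {0} (username) and {1} (user DN) the way the module does, escaped."""
    subs = {"{0}": ldap_filter_escape(username), "{1}": ldap_filter_escape(user_dn)}

    def fill(template: str) -> str:
        for key, val in subs.items():
            template = template.replace(key, val)
        return template

    return fill(opts["baseFilter"]), fill(opts["roleFilter"])


def audit(xml_text: str, rootdn: str = None) -> list:
    """Return the weak settings found, in a fixed order (names are this example's own)."""
    opts = parse_module_options(xml_text)
    findings = []
    url = opts.get("java.naming.provider.url", "")
    auth = opts.get("java.naming.security.authentication", "simple")
    # A simple bind over ldap:// sends bindCredential and every user password in clear.
    if url.startswith("ldap://") and auth == "simple":
        findings.append("plaintext-transport")
    # An empty password is an anonymous bind on many servers: the login would succeed.
    if opts.get("allowEmptyPasswords", "false").strip().lower() == "true":
        findings.append("empty-password-bind")
    # The search account should not be the directory root (compare DNs loosely).
    if rootdn and opts.get("bindDN", "").replace(" ", "").lower() == rootdn.replace(" ", "").lower():
        findings.append("bind-as-rootdn")
    return findings


if __name__ == "__main__":
    print("AS 7 findings:", audit(SAMPLE_AS7, rootdn="uid=admin,dc=acme,dc=com"))
    base, role = render_filters(parse_module_options(SAMPLE_AS7), "alice",
                                "uid=alice,ou=People,dc=acme,dc=com")
    print("user search:", base)
    print("role search:", role)
```

Run it against the fragment you intend to deploy; the rendered filters can be pasted into ldapsearch with the bindDN to confirm that the user entry and its roles are actually found with the configured scope. The escaping mirrors what a filter value must look like when you build the query by hand; the login module itself passes the username and DN as filter arguments rather than pasting them into the filter string.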

Done with the application server configuration, the last step is enabling security at application level. Supposing you are going to secure a web application, the first step is declaring the protected resources in your web.xml file, which are allowed only to the Manager role (role names come from the cn of the entries under ou=Roles whose member attribute lists the user's DN):


<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAuth</web-resource-name>
            <description>application security constraints</description>
            <url-pattern>/*</url-pattern>
            <!-- No http-method elements on purpose: listing only GET and POST would leave
                 HEAD, PUT, DELETE, OPTIONS and any other verb reachable without a role. -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>Manager</role-name>
        </auth-constraint>
        <!-- BASIC authentication only base64-encodes the password, so require HTTPS
             for the protected URLs (this needs an HTTPS connector on the server). -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>LDAPAuth realm</realm-name>
    </login-config>
    <security-role>
        <role-name>Manager</role-name>
    </security-role>
</web-app>


And here's the jboss-web.xml configuration file which links the application to the LDAPAuth security domain. This file needs to be placed into the WEB-INF folder of your web application. On JBoss 4/5/6 the security-domain element must carry the JNDI name java:/jaas/LDAPAuth; JBoss AS 7 accepts the plain name LDAPAuth and also tolerates the java:/jaas/ prefix, so the file below works on both:

<jboss-web>
    <security-domain>java:/jaas/LDAPAuth</security-domain>
</jboss-web>
