A.2.2. Full LDAP Authentication for FreeIPA
The following is an extract of the dumped LDIF from the example FreeIPA domain:
dn: uid=darranl,cn=users,cn=accounts,dc=jboss,dc=org
displayName: Darran Lofthouse
uid: darranl
title: Mr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: radiusprofile
sn: Lofthouse
mail: darran.lofthouse@jboss.com
krbPrincipalName: darranl@JBOSS.ORG
givenName: Darran
cn: Darran Lofthouse
initials: DL
memberOf: cn=banker,cn=groups,cn=accounts,dc=jboss,dc=org
memberOf: cn=Trader,cn=groups,cn=accounts,dc=jboss,dc=org

dn: cn=Banker,cn=groups,cn=accounts,dc=jboss,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: inetUser
cn: Banker
memberOf: cn=trader,cn=groups,cn=accounts,dc=jboss,dc=org
member: uid=darranl,cn=users,cn=accounts,dc=jboss,dc=org

dn: cn=Trader,cn=groups,cn=accounts,dc=jboss,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: inetUser
cn: Trader
member: cn=Banker,cn=groups,cn=accounts,dc=jboss,dc=org
The following configuration requires a username and password to be provided for the authentication process:
<application-policy name="SPNEGO">
  <authentication>
    <login-module code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule" flag="required">
      <module-option name="bindAuthentication">GSSAPI</module-option>
      <module-option name="jaasSecurityDomain">host</module-option>
      <module-option name="java.naming.provider.url">ldap://kerberos.jboss.org:389</module-option>
      <module-option name="baseCtxDN">cn=users,cn=accounts,dc=jboss,dc=org</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="recurseRoles">true</module-option>
    </login-module>
  </authentication>
</application-policy>
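The effect of the role options (roleAttributeID, roleAttributeIsDN, roleNameAttributeID, recurseRoles) can be checked offline against the directory extract. The Python sketch below is an added example, not code from JBoss Negotiation: it is a simplified model of the role search those options describe, and the user teller1 and all function names are constructed for illustration.

```python
# Constructed sample: the LDIF extract above cut down to the attributes the role
# search reads, plus one constructed user (teller1) who is a member of Banker only.
LDIF = """\
dn: uid=darranl,cn=users,cn=accounts,dc=jboss,dc=org
uid: darranl
memberOf: cn=banker,cn=groups,cn=accounts,dc=jboss,dc=org
memberOf: cn=Trader,cn=groups,cn=accounts,dc=jboss,dc=org

dn: uid=teller1,cn=users,cn=accounts,dc=jboss,dc=org
uid: teller1
memberOf: cn=Banker,cn=groups,cn=accounts,dc=jboss,dc=org

dn: cn=Banker,cn=groups,cn=accounts,dc=jboss,dc=org
cn: Banker
memberOf: cn=trader,cn=groups,cn=accounts,dc=jboss,dc=org

dn: cn=Trader,cn=groups,cn=accounts,dc=jboss,dc=org
cn: Trader
"""

def norm(dn):
    # DNs compare case-insensitively; the extract mixes cn=banker and cn=Banker.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalised dn: {attribute: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[norm(attrs["dn"][0])] = attrs
    return entries

def resolve_roles(entries, uid, role_attr="memberOf", name_attr="cn", recurse=True):
    """Follow role_attr DNs from the user and collect name_attr of each group."""
    user = next(e for e in entries.values() if uid in e.get("uid", []))
    roles, seen, queue = set(), set(), list(user.get(role_attr, []))
    while queue:
        dn = norm(queue.pop())
        if dn in seen or dn not in entries:  # seen-set stops membership loops
            continue
        seen.add(dn)
        roles.update(entries[dn].get(name_attr, []))
        if recurse:  # recurseRoles=true: groups inherit their own memberOf roles
            queue.extend(entries[dn].get(role_attr, []))
    return roles
```

With recursion enabled, a user placed only in Banker also receives Trader, so nested group membership should be reviewed as part of any role audit.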