A.2. Examples of Full LDAP Authentication
The following example configurations show the full LDAP authentication with AdvancedLdapLoginModule for Active Directory and FreeIPA.The configuration differ in the baseFilter attribute as this is the name identified by the SPNEGOLoginModule.
The options bindAuthentication, jaasSecurityDomain, and java.naming.provider.url configure how the login module connects to LDAP and how the authentication occurs.
The baseCtxDN option is the DN to start the search for the user and the baseFilter attribute in these examples searches for the user using the
sAMAccountName
attribute on Active Directory and uid
attribute on FreeIPA.
The memberOf attribute is read directly from the user, therefore there is no need to specify the rolesCtxDN or roleFilter property: the attribute defined for the roleAttributeID option is read directly from the user.
The roleAttributeIsDN option specifies that this value is a DN so the group object is retrieved and the roleNameAttributeID option specifies that the attribute
cn
is read from the group. The login module returns this role.
The recurseRoles is set to
true
so the DN from the located group is used to repeat the process so if a group is configured with the memberOf
attribute then this is recursively used to locate all the roles.
A.2.1. Full LDAP Authentication for Active Directory
The following is an extract of the dumped ldiff from the example Active Directory domain:
dn: CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Darran Lofthouse distinguishedName: CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com memberOf: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com name: Darran Lofthouse sAMAccountName: darranl userPrincipalName: darranl@vm104.gsslab.rdu.redhat.com dn: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com objectClass: top objectClass: group cn: Banker member: CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com distinguishedName: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com memberOf: CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com name: Banker sAMAccountName: Banker dn: CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com objectClass: top objectClass: group cn: Trader member: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com distinguishedName: CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com name: Trader sAMAccountName: Trader
The following configuration requires a username and password to be provided for the authentication process:
<application-policy name="SPNEGO"> <authentication> <login-module code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule" flag="required"> <module-option name="bindAuthentication">GSSAPI</module-option> <module-option name="jaasSecurityDomain">host</module-option> <module-option name="java.naming.provider.url">ldap://VM104:3268</module-option> <module-option name="baseCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option> <module-option name="baseFilter">(sAMAccountName={0})</module-option> <module-option name="roleAttributeID">memberOf</module-option> <module-option name="roleAttributeIsDN">true</module-option> <module-option name="roleNameAttributeID">cn</module-option> <module-option name="recurseRoles">true</module-option> </login-module> </authentication> </application-policy>