2.4.2. Setting up Role Mapping with an LDAP Server
The AdvancedLdapLoginModule allows you to obtain the roles of a user, who was previously authenticated against a KDC with the SPNEGOLoginModule. The AdvancedLdapLoginModule is based on the LdapExtLoginModule and follows GSSAPI.
Note
In this chapter we discuss the module in chained configuration with the SPNEGOLoginModule; however, you can use the module for both authentication and role look up from an LDAP server. For further details on such configuration, refer to Appendix A, Advanced LDAP Login Module: Full LDAP Authentication.
To make use of the AdvancedLdapLoginModule in the chained configuration with the SPNEGOLoginModule, you need to chain it with the SPNEGOLoginModule in the SPNEGO application security domain: set the second login module of SPNEGO authentication to
org.jboss.security.negotiation.AdvancedLdapLoginModule
(refer to Example 2.2, “Application Security Domain”).
To set up the role mapping to an LDAP server, you need to do the following:
- Define InitialLdapContext properties: these properties are used to obtain LDAP connection (refer to Section 2.4.2.1, “Defining Initial LDAP Context with GSSAPI”; for details on the Java API refer to http://download.oracle.com/javase/6/docs/api/javax/naming/ldap/InitialLdapContext.html).
- Define DN (Distinguished Name) properties: these properties are used to search for the authenticated user on the LDAP server (refer to Section 2.4.2.2, “Defining DN Search”).
- Define role search properties: these properties govern the role search on the LDAP server (Section 2.4.2.3, “Defining Role Search”).
The properties set on the login mode are passed into the InitialLdapContext constructor; that means you can make use of any of the options supported by the LdapCtxFactory.
2.4.2.1. Defining Initial LDAP Context with GSSAPI
To obtain the initial LDAP Context, define the following module properties for the AdvancedLdapLoginModule in the application security domain (Section 2.3, “Defining Application Security Domain”):
- bindAuthentication
- defines the authentication type (set the property value to
GSSAPI
to use GSSAPI-based authentication). - jaasSecurityDomain
- defines the security domain that is used to obtain the subject required for the connection (refer to Section 2.2, “Defining Server Security Domain” for information defining the required jaasSecurityDomain).