2.4.3. Examples of LDAP Configuration with the SPNEGO Module
The following configurations of the SPNEGO authentication uses the SPNEGOLoginModule and LDAP login module. This chained configuration is identical for FreeIPA and Active Directory with the exception of the
baseFilter value, which defines the name to search for in LDAP identified by the SPNEGOLoginModule (for the relevant ldiff dump refer to Section A.2.1, “Full LDAP Authentication for Active Directory” and Section A.2.2, “Full LDAP Authentication for Free IPA”).
Note that the
password-stacking property is set to useFirstPass on both login modules to allow the SPNEGOLoginModule to pass the name of the authenticated user to the AdvancedLdapLoginModule.
2.4.3.1. Chained Configuration on FreeIPA
The following configuration shows the AdvancedLdapLoginModule chained after the SPNEGOLoginModule for FreeIPA:
<application-policy name="SPNEGO_FREEIPA">
<authentication>
<login-module
code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
flag="requisite">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="serverSecurityDomain">host</module-option>
</login-module>
<login-module
code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule"
flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="bindAuthentication">GSSAPI</module-option>
<module-option name="jaasSecurityDomain">host</module-option>
<module-option name="java.naming.provider.url">ldap://kerberos.jboss.org:389</module-option>
<module-option name="baseCtxDN">cn=users,cn=accounts,dc=jboss,dc=org</module-option>
<module-option name="baseFilter">(krbPrincipalName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="recurseRoles">true</module-option>
</login-module>
</authentication>
</application-policy>