A.2. Examples of Full LDAP Authentication

The following example configurations show the full LDAP authentication with AdvancedLdapLoginModule for Active Directory and FreeIPA.The configuration differ in the baseFilter attribute as this is the name identified by the SPNEGOLoginModule.
The options bindAuthentication, jaasSecurityDomain, and java.naming.provider.url configure how the login module connects to LDAP and how the authentication occurs.
The baseCtxDN option is the DN to start the search for the user and the baseFilter attribute in these examples searches for the user using the sAMAccountName attribute on Active Directory and uid attribute on FreeIPA.
The memberOf attribute is read directly from the user, therefore there is no need to specify the rolesCtxDN or roleFilter property: the attribute defined for the roleAttributeID option is read directly from the user.
The roleAttributeIsDN option specifies that this value is a DN so the group object is retrieved and the roleNameAttributeID option specifies that the attribute cn is read from the group. The login module returns this role.
The recurseRoles is set to true so the DN from the located group is used to repeat the process so if a group is configured with the memberOf attribute then this is recursively used to locate all the roles.

A.2.1. Full LDAP Authentication for Active Directory

The following is an extract of the dumped ldiff from the example Active Directory domain:
dn: CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Darran Lofthouse
distinguishedName: 
 CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
memberOf: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
name: Darran Lofthouse
sAMAccountName: darranl
userPrincipalName: darranl@vm104.gsslab.rdu.redhat.com

dn: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
objectClass: top
objectClass: group
cn: Banker
member: 
 CN=Darran Lofthouse,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
distinguishedName: 
 CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
memberOf: CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
name: Banker
sAMAccountName: Banker

dn: CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
objectClass: top
objectClass: group
cn: Trader
member: CN=Banker,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
distinguishedName: 
 CN=Trader,CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com
name: Trader
sAMAccountName: Trader
The following configuration requires a username and password to be provided for the authentication process:
<application-policy name="SPNEGO">
  <authentication>
    <login-module
      code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule"
      flag="required">
      
      <module-option name="bindAuthentication">GSSAPI</module-option>
      <module-option name="jaasSecurityDomain">host</module-option>
      <module-option name="java.naming.provider.url">ldap://VM104:3268</module-option>
        
      <module-option name="baseCtxDN">CN=Users,DC=vm104,DC=gsslab,DC=rdu,DC=redhat,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>        
       
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
        
      <module-option name="recurseRoles">true</module-option>
    </login-module>        
  </authentication>
</application-policy>