2.4.2. Setting up Role Mapping with an LDAP Server

The AdvancedLdapLoginModule allows you to obtain the roles of a user who was previously authenticated against a KDC with the SPNEGOLoginModule. The AdvancedLdapLoginModule is based on the LdapExtLoginModule and uses GSSAPI to bind to the LDAP server.

Note

In this chapter we discuss the module in chained configuration with the SPNEGOLoginModule; however, you can use the module for both authentication and role look-up from an LDAP server. For further details on such a configuration, refer to Appendix A, Advanced LDAP Login Module: Full LDAP Authentication.

To make use of the AdvancedLdapLoginModule in the chained configuration with the SPNEGOLoginModule, you need to chain it with the SPNEGOLoginModule in the SPNEGO application security domain: set the second login module of SPNEGO authentication to org.jboss.security.negotiation.AdvancedLdapLoginModule (refer to Example 2.2, “Application Security Domain”).

To set up the role mapping to an LDAP server, you need to do the following:

The properties set on the login module are passed into the InitialLdapContext constructor; that means you can make use of any of the options supported by the LdapCtxFactory.

2.4.2.1. Defining Initial LDAP Context with GSSAPI

To obtain the initial LDAP Context, define the following module properties for the AdvancedLdapLoginModule in the application security domain (Section 2.3, “Defining Application Security Domain”):
bindAuthentication
    defines the authentication type (set the property value to GSSAPI to use GSSAPI-based authentication).

jaasSecurityDomain
    defines the security domain that is used to obtain the subject required for the connection (refer to Section 2.2, “Defining Server Security Domain” for information on defining the required jaasSecurityDomain).