LDAP Authentication and Local Authorization

Solution Unverified - Updated -

Issue

We are in the process of integrating the ILOG RES web app in JBoss along with LDAP. For better understanding, I am including users.properties and roles.properties from the default ILOG web app.

users.properties

admin=admin
deployer=deployer
monitor=monitor
user1=user1
config=config
rtsAdmin=rtsAdmin

roles.properties

admin=administrators,deployers,monitors
deployer=deployers,monitors
monitor=monitors
user1=user
config=configManager,user
rtsAdmin=rtsAdministrator,installer,user

web.xml security entries
-------------------------

...
     <!--  ================================================================= -->
     <!--  S E C U R I T Y - C O N S T R A I N T                             -->
     <!--  ================================================================= -->
     <security-constraint>
          <web-resource-collection>
               <web-resource-name>RES console</web-resource-name>
               <url-pattern>/repositoryService</url-pattern>
               <url-pattern>/protected/*</url-pattern>
               <url-pattern>/index.jsp</url-pattern>
               <url-pattern>*.jar</url-pattern>
               <url-pattern>*.txt</url-pattern>
          </web-resource-collection>
          <auth-constraint>
               <role-name>administrators</role-name>
               <role-name>deployers</role-name>
               <role-name>monitors</role-name>
          </auth-constraint>
     </security-constraint>
     <!--  ================================================================= -->
     <!--  L O G I N - C O N F I G                                           -->
     <!--  ================================================================= -->
     <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>Default</realm-name>
          <form-login-config>
               <form-login-page>/login.jsf</form-login-page>
               <form-error-page>/loginError.jsf</form-error-page>
          </form-login-config>
     </login-config>
     <!--  ================================================================= -->
     <!--  S E C U R I T Y - R O L E                                         -->
     <!--  ================================================================= -->
     <security-role>
          <description>RES Administrator</description>
          <role-name>administrators</role-name>
     </security-role>
     <security-role>
          <description>RES Deployer</description>
          <role-name>deployers</role-name>
     </security-role>
     <security-role>
          <description>RES Monitor</description>
          <role-name>monitors</role-name>
     </security-role>
</web-app>

We are trying to use JBoss LDAP authentication instead of the default ILOG file-based authentication.

Current LDAP settings:

<application-policy name="jldap">
        <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name="java.naming.security.authentication">simple</module-option>
                        <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
                        <module-option name="bindDN">CN=sbind,OU=_Service Accounts,dc=domain,dc=com</module-option>
                        <module-option name="bindCredential">password1</module-option>
                        <module-option name="baseCtxDN">DC=domain,DC=com</module-option>
                        <module-option name="baseFilter">(sAMAccountName=admin)</module-option>
                        <module-option name="rolesCtxDN">DC=domain,DC=com</module-option>
                        <module-option name="roleFilter">(sAMAccountName=admin)</module-option>
                        <module-option name="roleAttributeIsDN">true</module-option>
                        <module-option name="roleAttributeID">memberOf</module-option>
                        <module-option name="roleNameAttributeID">cn</module-option>
                        <module-option name="roleRecursion">-1</module-option>
                        <module-option name="allowEmptyPasswords">false</module-option>
                        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                        <module-option name="trace">true</module-option>
                        <module-option name="java.naming.referral">follow</module-option>
                        <module-option name="defaultRole">administrators</module-option>
                </login-module>
        </authentication>
</application-policy>

The above configuration allows everyone under the base DN to log in with the default role of resAdministrators.

How do we use LDAP for authentication only and configure the roles correctly in login-config.xml? For example, user resMonitor should have only the resMonitors role and not resAdministrators.
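The posted application-policy substitutes nothing into its filters: baseFilter and roleFilter are the literal (sAMAccountName=admin), so every login is resolved to the admin entry and verified by binding as that entry, and defaultRole then hands administrators to whoever gets through. The login-config.xml fragment below is an added example, not the page's (unverified, subscriber-only) solution and not ILOG or Red Hat code. It shows the two configurations the question asks about: roles taken from LDAP groups, and LDAP for authentication only with roles taken from the application's roles.properties. The host ldap.domain.com, the OU names, the service account, the group layout and the properties paths are assumptions; the role names come from the web.xml above. The syntax is the EAP 4/5 login-config.xml form used in the question; on EAP 6 the same module codes and options go into a <security-domain> of the security subsystem instead.

```xml
<!-- Added example (not the page's verified solution, nor ILOG/Red Hat code).
     Hypothetical values: host ldap.domain.com, the OU names, the bind account and
     the properties paths. Application role names come from the web.xml above. -->
<policy>

  <!-- Variant 1: LDAP for authentication and for roles.
       {0} is replaced with the submitted login name and {1} with the DN of the
       authenticated user, so each login resolves to its own entry rather than
       to the hard-coded admin account of the posted configuration. -->
  <application-policy name="jldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <!-- ldaps: a simple bind over plain ldap:// sends the service-account and user
             passwords in cleartext -->
        <module-option name="java.naming.provider.url">ldaps://ldap.domain.com:636</module-option>
        <module-option name="bindDN">CN=sbind,OU=_Service Accounts,DC=domain,DC=com</module-option>
        <module-option name="bindCredential">changeit</module-option>
        <!-- only person objects under the user OU may log in (computer accounts also
             carry a sAMAccountName, hence objectCategory=person); & is escaped for XML -->
        <module-option name="baseCtxDN">OU=Users,DC=domain,DC=com</module-option>
        <module-option name="baseFilter">(&amp;(objectCategory=person)(sAMAccountName={0}))</module-option>
        <!-- roles = cn of the groups in a dedicated OU whose member attribute lists the
             user's DN; those cn values must equal the web.xml role names (case-sensitive) -->
        <module-option name="rolesCtxDN">OU=RES Groups,DC=domain,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">0</module-option>
        <!-- an empty password is an anonymous bind on Active Directory: keep this false -->
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="java.naming.referral">follow</module-option>
        <!-- no defaultRole: a user in none of the groups has no role and is refused by
             the auth-constraint instead of becoming an administrator -->
      </login-module>
    </authentication>
  </application-policy>

  <!-- Variant 2: LDAP for authentication only, roles from the application's
       roles.properties (admin=administrators,deployers,monitors and so on).
       password-stacking=useFirstPass makes the first module publish the verified
       principal in the shared state; the second module then skips password
       validation and only contributes the roles listed for that user name. -->
  <application-policy name="jldap-localroles">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.provider.url">ldaps://ldap.domain.com:636</module-option>
        <module-option name="bindDN">CN=sbind,OU=_Service Accounts,DC=domain,DC=com</module-option>
        <module-option name="bindCredential">changeit</module-option>
        <module-option name="baseCtxDN">OU=Users,DC=domain,DC=com</module-option>
        <module-option name="baseFilter">(&amp;(objectCategory=person)(sAMAccountName={0}))</module-option>
        <!-- the module's role search still runs and whatever it finds is merged with the
             local roles; aimed at the user OU with a member= filter it matches nothing
             (user objects carry memberOf, not member), so LDAP contributes no role here -->
        <module-option name="rolesCtxDN">OU=Users,DC=domain,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <!-- paths are classpath-relative (e.g. the server conf/ directory). users.properties
             must exist and is loaded, but no password in it is checked once the LDAP module
             has succeeded; ship it empty so the default ILOG file-based passwords are gone -->
        <module-option name="usersProperties">props/res-users.properties</module-option>
        <module-option name="rolesProperties">props/res-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

With either variant a user such as resMonitor ends up with exactly the roles granted to that account (group membership in variant 1, the roles.properties line in variant 2) and nothing else, because no module adds a default role; an account present in LDAP but in no group or roles line authenticates and is then refused by the auth-constraint. Before switching the web app to the new policy, check with the module's trace option (as in the posted configuration) that the logged user DN differs per login and that the role list matches the directory, and store the bind credential outside login-config.xml where the server supports it.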

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 4.x
    • 5.x
    • 6.x

Subscriber exclusive content