I've encountered a problem regarding JBoss with authenticating users in two different Active Directory Domains. I want to configure JBoss to be able to authenticate user through LDAP depending on where is his account created (domain A or B). Here's a part of my configuration for domain A. How can I adapt it, so JBoss will firstly check if user is in domain A and if not - in domain B and authenticate him correctly once he finds him? Trust between domains is set correctly. Info regarding users - they are created in different OU. JBoss version is 6.4 running in domain mode. I have a second config for domain B which is working ok, i just have to somehow add it to current config so there will be no errors and issues when it comes to authenticating users.
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
I've managed to find the solution for this issue. All I had to do, is to create another login module within security domain and change the requirements to optional. It should look like this:
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="second_ldap_addres:port"/>
<module-option name="bindDN" value="second_ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="second_password_for_user"/>
<module-option name="baseCtxDN" value="dc=zzz,dc=www"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=zzz,dc=www"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
Related
I want to add the following to the standalone-full.xml through Wildfly/Jboss CLI.
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="MY_NAME" cache-type="default">
<authentication>
<login-module code="XXX" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="YYY" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
It is possible with the following commands:
/subsystem=security/security-domain=MY_NAME:add
/subsystem=security/security-domain=MY_NAME:write-attribute(name=cache-type, value=default)
/subsystem=security/security-domain=MY_NAME/authentication=classic:add(login-modules=[{code=XXX, flag=optional,module-options={password-stacking=useFirstPass}},{code=YYY, flag=required, module-options={password-stacking=useFirstPass}}]
NOTE: I already had <subsystem xmlns="urn:jboss:domain:security:2.0"> created, so anyone reading who doesn't have the mentioned subystem might want to run /subsystem=security:add
I have configured my application with Kerberos authentication for a specific user in jboss-eap and it's working fine. But wants to configure the same on the basis of the group i.e users in a specific group will able to authenticate.
Standalone.xml configuration for user:-
<security-domains>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="saurabhgupta#ECO.COM" value="User"/>
</mapping-module>
</mapping>
</security-domain>
My environment consists of:
linux server with JBoss EAP 6.2
client station with Windows 7 64bit + Chrome
Windows Server 2008 Active Directory (act as KDC)
Application War Location:- https://github.com/kwart/spnego-demo
Does anyone went all through this and solved it somehow?
Thank you in advance, Siddharth
You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users to LDAP roles via Standalone.xml:
<security-domain name="SPNEGO">
<authentication>
<login-module code="SPNEGOUsers" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="AdvancedAdLdap" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="bindDN" value="test"/>
<module-option name="bindCredential" value="test"/>
<module-option name="allowEmptyPassword" value="true"/>
<module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
<module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="recurseRoles" value="true"/>
</login-module>
</authentication>
</security-domain>
So far, I am unable to find help for authenticating against multiple LDAP servers except where talking about failover.
We have an LDAP for internal users, and an LDAP for external users. Suddenly, our app needs to be available to both internal users and external users. How would I set this up?
Here is the current config for just internal users:
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
<module-option name="bindCredential" value="somecred"/>
<module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
<module-option name="roleFilter" value="(uniqueMember={1})"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
If you need simple configuration
Just use what JAAS offers. Add the two configurations to login module chain and set the flag on the first of them to sufficient value (look at Configuration class for all the options and their description).
For optimal performance: The first configuration should be the one to which users authenticate more often.
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url"
value="ldap://internal-ldap.my-company.example"/>
<!-- add other options for the first LDAP server -->
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url"
value="ldap://external-ldap.my-company.example"/>
<!-- add other options for the second LDAP server -->
</login-module>
</authentication>
</security-domain>
If you need great performance
If you are able to determine (from the loginname for instance) which LDAP you should search in, then I would suggest to implement your own login module. It can delegate the processing to LdapExtLoginModule instances.
I have setup successfully two data sources using different encrypted password policies as follows:
Security policy 1
<security-domain name="policy1" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user1"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1"/>
</login-module>
</authentication>
</security-domain>
Security policy 2
<security-domain name="policy1" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user2"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_2"/>
</login-module>
</authentication>
</security-domain>
Datasource 1
<datasource jndi-name="java:/DATASOURCE_1" pool-name="DATASOURCE_1" enabled="true">
.
.
<security>
<security-domain>policy_1</security-domain>
</security>
</datasource>
Datasource 2
<datasource jndi-name="java:/DATASOURCE_2" pool-name="DATASOURCE_2" enabled="true">
.
.
<security>
<security-domain>policy_2</security-domain>
</security>
</datasource>
However, I would like to know if it's possible to use the same policy for both datasources? I haven't been able to find a way to include more than one pool_name in the managedConnectionFactoryName policy attribute:
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1 ??????, DATASOURCE_2 ?????"/>
Is the managedConnectionFactoryName attribute absolutely necessary? what could be a side effect if this attribute is not added?
Does this answer your question? https://access.redhat.com/solutions/304063
That means:
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS1,service=LocalTxCM</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS2,service=LocalTxCM</module-option>
It seems that Wildfly 8.2 prefers this syntax:
<module-option name="managedConnectionFactoryName" value="jboss.jca:name=DS1,service=LocalTxCM"/>
But, It still does not seem to honor the security-domain for more that one datasource.
Does anyone know the significance of
service=LocalTxCM
in the example above? Seems like this would be different for xa-datasouces.
Our network has a main Active Directory and a backup in case first one doesn't respond.
I want to configure the JBoss server to use the backup when this happens.
This is my current login-config.xml . I believe it is in this file where I have to do it..
<application-policy name="SiteCM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="bindDN">CN=Admin,OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="bindCredential">password2011</module-option>
<module-option name="baseCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleRecursion">-1</module-option>
</login-module>
</authentication>
</application-policy>
Our other LDAP server is: ldapserv-02.local.sitecm.com:389
Also, there is a Global Catalog on port 2836, but I don't see that in the Jboss conf, so I'm guessing it's somewhere by default.
If you use the domains DNS entry, you get a round robin DNS of the various DC's in the domain. Then you have a single IP to bind too?
you can just do <module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389 ldap://ldapserv-02.local.sitecm.com:389</module-option>