So far, I am unable to find help for authenticating against multiple LDAP servers except where talking about failover.
We have an LDAP for internal users, and an LDAP for external users. Suddenly, our app needs to be available to both internal users and external users. How would I set this up?
Here is the current config for just internal users:
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
<module-option name="bindCredential" value="somecred"/>
<module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
<module-option name="roleFilter" value="(uniqueMember={1})"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
If you need simple configuration
Just use what JAAS offers. Add the two configurations to login module chain and set the flag on the first of them to sufficient value (look at Configuration class for all the options and their description).
For optimal performance: The first configuration should be the one to which users authenticate more often.
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url"
value="ldap://internal-ldap.my-company.example"/>
<!-- add other options for the first LDAP server -->
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url"
value="ldap://external-ldap.my-company.example"/>
<!-- add other options for the second LDAP server -->
</login-module>
</authentication>
</security-domain>
If you need great performance
If you are able to determine (from the loginname for instance) which LDAP you should search in, then I would suggest to implement your own login module. It can delegate the processing to LdapExtLoginModule instances.
Related
I have configured my application with Kerberos authentication for a specific user in jboss-eap and it's working fine. But wants to configure the same on the basis of the group i.e users in a specific group will able to authenticate.
Standalone.xml configuration for user:-
<security-domains>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="saurabhgupta#ECO.COM" value="User"/>
</mapping-module>
</mapping>
</security-domain>
My environment consists of:
linux server with JBoss EAP 6.2
client station with Windows 7 64bit + Chrome
Windows Server 2008 Active Directory (act as KDC)
Application War Location:- https://github.com/kwart/spnego-demo
Does anyone went all through this and solved it somehow?
Thank you in advance, Siddharth
You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users to LDAP roles via Standalone.xml:
<security-domain name="SPNEGO">
<authentication>
<login-module code="SPNEGOUsers" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="AdvancedAdLdap" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="bindDN" value="test"/>
<module-option name="bindCredential" value="test"/>
<module-option name="allowEmptyPassword" value="true"/>
<module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
<module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="recurseRoles" value="true"/>
</login-module>
</authentication>
</security-domain>
I've encountered a problem regarding JBoss with authenticating users in two different Active Directory Domains. I want to configure JBoss to be able to authenticate user through LDAP depending on where is his account created (domain A or B). Here's a part of my configuration for domain A. How can I adapt it, so JBoss will firstly check if user is in domain A and if not - in domain B and authenticate him correctly once he finds him? Trust between domains is set correctly. Info regarding users - they are created in different OU. JBoss version is 6.4 running in domain mode. I have a second config for domain B which is working ok, i just have to somehow add it to current config so there will be no errors and issues when it comes to authenticating users.
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
I've managed to find the solution for this issue. All I had to do, is to create another login module within security domain and change the requirements to optional. It should look like this:
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="second_ldap_addres:port"/>
<module-option name="bindDN" value="second_ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="second_password_for_user"/>
<module-option name="baseCtxDN" value="dc=zzz,dc=www"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=zzz,dc=www"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
What is the significance of the other security domain in JBoss. I am new to JBoss and read the documentation but cannot understand why it is used.
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
What would happen if I just remove these two modules? Given that my application has my own domain specific security domain defined.
You can have various security domains elements configured in JBoss. They can be referenced via jboss-web.xml files in different web projects if you want to have different security levels for different war's.
other is the default security domain. It can be removed (replaced with something more sophisticated), just be sure to remove its references also.
I'm trying to enable access to Guvnor through LDAP defined roles. I've managed to get JBoss to connect to my LDAP server and authenticate by user, but I have no idea how to do that by role instead. What I want is to allow, for example, all users with the Role "Guvnor Administrator" to log into the Guvnor page.
Can anyone help me with this? I've tried several configurations, including modifying the web.xml in guvnor.war, but the closest I could get to role-based authorization was through configuring user permissions in the Guvnor administration page.
My standalone.xml:
<security-domain name="drools-guvnor" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://myLDAPHost"/>
<module-option name="baseCtxDN" value="ou=Users,dc=proj,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Roles, dc=flow,dc=com"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
beans.xml:
<security:IdentityImpl> <s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<weld:scan>
<!-- Disable the seam-security by drools rules
<weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
<!-- TODO remove me when GUVNOR-1196 is fixed -->
<weld:exclude name="org.drools.guvnor.gwtutil.**"/>
<weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>
Our network has a main Active Directory and a backup in case first one doesn't respond.
I want to configure the JBoss server to use the backup when this happens.
This is my current login-config.xml . I believe it is in this file where I have to do it..
<application-policy name="SiteCM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="bindDN">CN=Admin,OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="bindCredential">password2011</module-option>
<module-option name="baseCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleRecursion">-1</module-option>
</login-module>
</authentication>
</application-policy>
Our other LDAP server is: ldapserv-02.local.sitecm.com:389
Also, there is a Global Catalog on port 2836, but I don't see that in the Jboss conf, so I'm guessing it's somewhere by default.
If you use the domains DNS entry, you get a round robin DNS of the various DC's in the domain. Then you have a single IP to bind too?
you can just do <module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389 ldap://ldapserv-02.local.sitecm.com:389</module-option>