LdapLoginModule - almost working

Hello,

I have been playing around with the LdapLoginModule and trying to secure my web app by authenticating users against LDAP. I was able to do it against a local LDAP server that I had set up, with the following configurations in my login-config.xml file within my JBOSS server:

<application-policy name="XXX"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url">ldap://LetsSayMyLocalMachineName:389/</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="principalDNPrefix">uid=</module-option> <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option> <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option> <module-option name="uidAttributeID">member</module-option> <module-option name="matchOnUserDN">true</module-option> <module-option name="roleAttributeID">cn</module-option> <module-option name="roleAttributeIsDN">false</module-option> </login-module> </authentication> </application-policy>

However, the problem arises when I try to configure this against an external ldap server with a slightly different directory structure. Here are my configurations for that:

<application-policy name="XXX"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url">ldap://LetsSayTheRemoteServerName:389/</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="principalDNPrefix">sAMAccountName=</module-option> <module-option name="principalDNSuffix">,ou=Admin Users,ou=HQ,ou=Administration,dc=XXX,dc=XXX</module-option> <module-option name="rolesCtxDN">ou=Groups,dc=XXX,dc=XXX</module-option> <module-option name="uidAttributeID">member</module-option> <module-option name="matchOnUserDN">true</module-option> <module-option name="roleAttributeID">cn</module-option> <module-option name="roleAttributeIsDN">false</module-option> </login-module> </authentication> </application-policy>


There is no uid attribute for users in this server and I need to authenticate by sAMAccountName. I'm thinking I'm misreading the LdapLoginModule specs on the JBOSS community and am very close to making this work - just not sure exactly where my mistake is, probably because I've been looking at this for too long and need a second pair of eyes.

Here's what the user I'm trying to test with looks like in my LDAP directory:

distinguishedName: CN=Fname Sname,OU=Admin Users,OU=HQ,OU=Administration,DC=XXX,DC=XXX

sAMAccountName: the_user_id_i_need_to_authenticate_against

memberOf: CN=SomeName,OU=Groups,DC=XXX,DC=XXX

Please let me know if you need any more information. Any help would be greatly appreciated. Thanks!

Deja vu: http://community.jboss.org/thread/157274

Peter Johnson wrote:Deja vu: http://community.jboss.org/thread/157274

Indeed.

In my defense though, I did post this here before I had your response over at the JBOSS community forum.