Reputation: 303
JBoss - connect and authenticate users in two domains
I've encountered a problem regarding JBoss with authenticating users in two different Active Directory Domains. I want to configure JBoss to be able to authenticate user through LDAP depending on where is his account created (domain A or B). Here's a part of my configuration for domain A. How can I adapt it, so JBoss will firstly check if user is in domain A and if not - in domain B and authenticate him correctly once he finds him? Trust between domains is set correctly. Info regarding users - they are created in different OU. JBoss version is 6.4 running in domain mode. I have a second config for domain B which is working ok, i just have to somehow add it to current config so there will be no errors and issues when it comes to authenticating users.
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
Upvotes: 0
Views: 469
Answers (1)
Reputation: 303
I've managed to find the solution for this issue. All I had to do, is to create another login module within security domain and change the requirements to optional. It should look like this:
<security-domain name="SECDOMAIN_1" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap_addres:port"/>
<module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="password_for_user"/>
<module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="second_ldap_addres:port"/>
<module-option name="bindDN" value="second_ad_user_used_to_authenticate_in_domain"/>
<module-option name="bindCredential" value="second_password_for_user"/>
<module-option name="baseCtxDN" value="dc=zzz,dc=www"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="dc=zzz,dc=www"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="ou"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
</authentication>
</security-domain>
Upvotes: 1
Related Questions
- Configure JBoss with multiple LDAP servers
- LDAP authentication with Java
- How to setup Active Directory for JBoss EAP 6.4.0.GA (AS 7.5.0)
- JBoss 7.1.0 Security Domain: Multiple LDAPs--sequential, not failover
- jboss integration with LDAP
- LDAP authentication with JBoss 7
- JBoss connection configuration for LDAP
- Single sign-on ActiveDirectory and Java EE
- Cross domain/realm authentication
- Sharing session across domain