This is an old revision of the document!
Table of Contents
Configuring LDAP for an application from the ground
I don't know if it is your case, but in mine, I have a BIG trouble when configuring a Jboss application to connect to LDAP (Active Directory). The documentation in the jboss website is not very detailed, and it appears as all the websites speak of well-know issues, so they don't detailed very much the steps need to be done to configure it.
In this page I will try to document every detail I did with a real-life application as an example: the JMX console.
From the ground
Version of Jboss: JBoss [The Oracle] 5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)
The community edition of JBoss is rare in terms of version: since one version to another, things can change, stop working, or God knows what other things can occurr. So I learned that the first step is to establish, withe in blank, the version of Jboss. Let's continue.
My application: JBOSS_HOME/server/default/deploy/jmx-console.war
From now on, when I speak of WEB-INF/jboss-web.xml, for instance, in fact I am speaking of JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml.
Step 0: have a walk on the LDAP side
Install in your computer, or in the server, or whatever you want, an LDAP browser. You can install JXplorer (free software) or, if the LDAP server is Active Directory, you can install the “Admin Pack” of Microsoft.
To connect to the LDAP server you probably will need help from the administrator.
Ok, locate a group in the LDAP server –or create a new one– where the users belonging to this group are allowed to use the application. In my case I've selected the group “Admin_Group”.
Using Jxplorer you should know if you need to provide an user and a password to connect to he LDAP server or not (annonymous access). Keep this information to use later.
Step 1: Locate the login-config.xml file
This file is in JBOSS_HOME/server/xxx/conf. We have to provide values for this xml code:
<application-policy name="ldapAuditmap"> <authentication> <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule"> <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory </module-option> <module-option name="java.naming.provider.url"> ldap://PUT THE SERVER : AND THE PORT ldap://example:3265 </module-option> <!-- step one: first connect (bind) to the ldap server --> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="bindDN">PUT A VALID USER TO CONNECT TO THE SERVER</module-option> <module-option name="bindCredential">PUT A VALID PASSWORD TO CONNECT TO THE SERVER</module-option> <!-- step two: second identify/validate the user --> <!-- Subrama del directorio activo desde la que comenzaremos la búsqueda --> <module-option name="baseCtxDN">PUT A VALUE HERE</module-option> <module-option name="baseFilter">(sAMAccountName={0})</module-option> <!-- step three: role search options --> <!-- we will locate for MiddleseaUser --> <module-option name="rolesCtxDN">PUT THE VALUE HERE</module-option> <module-option name="roleFilter">(member={1})</module-option> <module-option name="roleAttributeIsDN">true</module-option> <module-option name="roleNameAttributeID">name</module-option> </login-module> </authentication> </application-policy>
Step N: set a security domain
- Open WEB-INF/jboss-web.xml.
- Put the security-domain as is follows:
<security-domain>java:/jaas/ldapJMXConsole</security-domain>
