Differences

This shows you the differences between two versions of the page.

--- java:ldapconfigfromtheground [2010/10/20 10:53] – creado rlunaro
+++ java:ldapconfigfromtheground [2022/12/02 21:02] (current) – external edit 127.0.0.1
@@ Line 16: / Line 16: @@
-===== Step 1: set a security domain =====
+===== Step 0: have a walk on the LDAP side =====
+Install in your computer, or in the server, or whatever you want, an LDAP browser. You can install JXplorer (free software) or, if the LDAP server is Active Directory, you can install the "Admin Pack" of Microsoft.
+  * [[http://jxplorer.org/]]
+  * [[http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95]]
+To connect to the LDAP server you probably will need help from the administrator.
+Ok, locate a group in the LDAP server --or create a new one-- where the users belonging to this group are allowed to use the application. In my case I've selected the group "Admin_Group".
+Using Jxplorer you should know if you need to provide an user and a password to connect to he LDAP server or not (annonymous access). Keep this information to use later.
+===== Step 1: Locate the login-config.xml file =====
+This file is in JBOSS_HOME/server/xxx/conf. We have to provide values for this xml code:
+<code xml>
+<application-policy name="INVENT A NAME FOR THIS">
+	<authentication>
+		<login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
+			<module-option name="java.naming.factory.initial">
+			com.sun.jndi.ldap.LdapCtxFactory
+			</module-option>
+			<module-option name="java.naming.provider.url">
+				ldap://PUT THE SERVER : AND THE PORT
+                                ldap://example:3265
+			</module-option>
+			<!-- step one: first connect (bind) to the ldap server -->
+			<module-option name="java.naming.security.authentication">simple</module-option>
+			<module-option name="bindDN">PUT A VALID USER TO CONNECT TO THE SERVER</module-option>
+			<module-option name="bindCredential">PUT A VALID PASSWORD TO CONNECT TO THE SERVER</module-option>
+			<!-- step two: second identify/validate the user -->
+			<!-- Subrama del directorio activo desde la que comenzaremos la búsqueda -->
+			<module-option name="baseCtxDN">PUT A VALUE HERE</module-option>
+			<module-option name="baseFilter">(sAMAccountName={0})</module-option>
+			<!-- step three: role search options -->
+			<!-- we will locate for MiddleseaUser -->
+			<module-option name="rolesCtxDN">PUT THE VALUE HERE</module-option>
+			<module-option name="roleFilter">(member={1})</module-option>
+			<module-option name="roleAttributeIsDN">true</module-option>
+			<module-option name="roleNameAttributeID">name</module-option>
+		</login-module>
+	</authentication>
+</application-policy>
+</code>
+We will explain how to identify every one of the values needed to configure this XML snippet.
+**INVENT A NAME FOR THIS:** It's just a name, we will use later. I've chosen for this ldapJMXConsole.
+**PUT THE SERVER : AND THE PORT:** If you managed to connect to the LDAP server using Jxplore --I strongly recommend this even if you are using Active Directory in your installation--, this values are provided in the connection screen:
+{{:java:jxplorer2.jpg|}}
+===== Step N: set a security domain =====
+  - Open WEB-INF/jboss-web.xml.
+  - Put the security-domain as is follows:
+<code xml>
+<security-domain>java:/jaas/ldapJMXConsole</security-domain>
+</code>
+===== Step N+1: Thing's aren't going well =====
+Ok, let's face it: despite following the steps in this guide, thing's aren't working. The Active Directory Administrator isn't working very much (many times he/she is fighting in his/her own wars). And, what else???
+**Use the brute force to diagnose what is happening:** [[http://www.wireshark.org/|Wireshark]] is a packet sniffer: it allows you to see what's happening behind the scenes. The problem I had to face when configuring this stuff was that there were no errors when the thing fails: nothing. No message, no error is in the server log, nothing.
+But //alas!!!// with a packet sniffer you can see the traffic behind and the exact error message returnet.
+If nobody allows you to install a packet sniffer in the production server (a bad idea), you can try to make a testing deployment in your computer and try to find there the correct configuration of the LDAP.
-Open WEB-INF/jboss-web.xml.