
Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

Is there a way to authenticate against an Active Directory Forest via any of the Ldap Login Modules or any other special one?

having the following config in standalone.xml:

    <module-option name="java.naming.provider.url" value="ldap://ad.company.tld:389"/>
    <module-option name="baseCtxDN" value="OU=DE,OU=Users,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/>
    <module-option name="baseFilter" value="(CN={0})"/>
    <module-option name="rolesCtxDN" value="OU=Groups,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/>
    <module-option name="roleFilter" value="(member={1})"/>
    <module-option name="roleAttributeID" value="CN"/>
    <module-option name="searchScope" value="SUBTREE_SCOPE"/>

on WildFly 8 I get a javax.naming.NameNotFoundException with a full stack trace pointing to LdapCtx.java:3112, which looks as follows:

    case LdapClient.LDAP_REFERRAL:
        e = new NamingException(message);
        break;

Thus the exception is due to a referral error and it looks like the LDAP module can't follow the referral control. Moreover, I found at http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html the note (at the bottom):

Windows Active Directory: Because Active Directory does not support the Manage Referral control, none of the examples in this lesson will work against Active Directory.

thus I guess there is no chance for LdapExtLoginModule to succeed if it relies on the JNDI provided by Java.

There were some issues with referral handling in WildFly. They are already fixed in the codebase. Once the next release in the 9.x stream is out, it should work for you.

JBoss EAP 6.3 and 6.2.4 have the issues fixed already.

The configuration which handles (ie follows) referrals can look like:

<security-domain name="ldap-authn" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://test-ldap.jboss.example:389/"/>
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="bindDN" value="cn=Directory Manager"/>
      <module-option name="bindCredential" value="****"/>
      <module-option name="baseCtxDN" value="dc=example,dc=com"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="rolesCtxDN" value="dc=example,dc=com"/>
      <module-option name="roleFilter" value="(uniqueMember={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="roleRecursion" value="0"/>
      <module-option name="throwValidateError" value="true"/>
      <module-option name="java.naming.referral" value="follow"/>
      <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
    </login-module>
  </authentication>
</security-domain>
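The difference between the two configurations on this page is easy to miss in a long standalone.xml: the question's login module never sets `java.naming.referral` (JNDI's LDAP provider then defaults to `ignore`, which is what produces the LDAP_REFERRAL NamingException), while the answer's adds `java.naming.referral=follow` and `referralUserAttributeIDToCheck`. The following Python script is an added example, not code from the question, the answer, or the WildFly/PicketBox projects: it parses `security-domain` fragments and reports LDAP login modules that will not follow referrals, that follow them without naming the attribute to check, or that keep `bindCredential` as a clear-text literal instead of a `${VAULT::...}` expression. The two sample fragments are constructed from the snippets above (the question's options wrapped in an assumed `security-domain` named `ad-forest`), and the set of module codes it recognizes is an assumption.

```python
"""Lint WildFly / JBoss EAP security-domain login modules for LDAP referral handling.

Added example; the sample configurations below are constructed from the page's
snippets and wrapped so that they parse as one XML document each.
"""
import xml.etree.ElementTree as ET

# Assumption: these are the login-module "code" values that talk to LDAP
# (the short aliases and the fully qualified PicketBox class names).
LDAP_MODULE_CODES = {
    "Ldap", "LdapExtended",
    "org.jboss.security.auth.spi.LdapLoginModule",
    "org.jboss.security.auth.spi.LdapExtLoginModule",
}

# Constructed: the question's options, inside an assumed domain "ad-forest".
QUESTION_CONFIG = """<security-domains>
  <security-domain name="ad-forest" cache-type="default">
    <authentication>
      <login-module code="LdapExtended" flag="required">
        <module-option name="java.naming.provider.url" value="ldap://ad.company.tld:389"/>
        <module-option name="baseCtxDN" value="OU=DE,OU=Users,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/>
        <module-option name="baseFilter" value="(CN={0})"/>
        <module-option name="rolesCtxDN" value="OU=Groups,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="CN"/>
        <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""

# Constructed: the referral-related part of the answer's configuration.
ANSWER_CONFIG = """<security-domains>
  <security-domain name="ldap-authn" cache-type="default">
    <authentication>
      <login-module code="LdapExtended" flag="required">
        <module-option name="java.naming.provider.url" value="ldap://test-ldap.jboss.example:389/"/>
        <module-option name="bindDN" value="cn=Directory Manager"/>
        <module-option name="bindCredential" value="****"/>
        <module-option name="baseCtxDN" value="dc=example,dc=com"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="rolesCtxDN" value="dc=example,dc=com"/>
        <module-option name="roleFilter" value="(uniqueMember={1})"/>
        <module-option name="java.naming.referral" value="follow"/>
        <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""


def module_options(login_module):
    """Collect <module-option name=... value=...> children into a dict."""
    return {o.get("name"): o.get("value") for o in login_module.findall("module-option")}


def check_referral_handling(xml_text):
    """Return {domain name: [finding, ...]} for every security-domain in xml_text."""
    root = ET.fromstring(xml_text)
    findings = {}
    for domain in root.iter("security-domain"):
        issues = []
        for lm in domain.iter("login-module"):
            code = lm.get("code", "")
            if code not in LDAP_MODULE_CODES:
                continue
            opts = module_options(lm)
            # JNDI's LDAP provider treats an unset java.naming.referral as "ignore",
            # so referral responses surface as NamingException instead of being chased.
            referral = opts.get("java.naming.referral", "ignore")
            if referral != "follow":
                issues.append(f"{code}: java.naming.referral is '{referral}', "
                              "referrals will not be followed")
            elif "referralUserAttributeIDToCheck" not in opts:
                issues.append(f"{code}: follows referrals but "
                              "referralUserAttributeIDToCheck is unset")
            cred = opts.get("bindCredential")
            if cred is not None and not cred.startswith("${"):
                issues.append(f"{code}: bindCredential is a clear-text literal, "
                              "consider a ${VAULT::...} expression")
        findings[domain.get("name")] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        for domain, issues in check_referral_handling(cfg).items():
            print(f"[{label}] {domain}: {issues or 'no findings'}")
```

Run it as-is to see the question's domain flagged for the missing referral option and the answer's domain passing the referral checks (its only finding is the literal `bindCredential`); point `check_referral_handling` at the `<security-domains>` element of a real standalone.xml to lint every LDAP login module at once.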
