
jboss integration with LDAP

I have an application which currently uses JDBC to authenticate the users that log in to the application. But now I want it to be able to use LDAP to log in to my application. My boss wants me to integrate LDAP with JBoss in order to achieve it. I am new to LDAP and have no idea what needs to be done. Can anybody suggest something?

You can add a custom security domain in JBoss' standalone.xml. In this domain you can configure your LDAP settings. See this for some details. The LDAP settings depend on the LDAP you are using, so there are no general working settings.

Here would be an example:

<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Disabled" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="test_ldap_security_domain">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                    <!-- Directory connection; bindDN/bindCredential is the service account used for the user and role searches -->
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
                    <module-option name="bindDN" value="cn=abc,cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="bindCredential" value="Test@123"/>
                    <!-- Where and how the user entry is looked up; {0} is the name typed at login -->
                    <module-option name="baseCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="baseFilter" value="(userPrincipalName={0})"/>
                    <!-- Roles are read from the user's memberOf attribute; the role name is the cn of each group DN -->
                    <module-option name="rolesCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="roleFilter" value="(userPrincipalName={0})"/>
                    <module-option name="roleAttributeID" value="memberOf"/>
                    <module-option name="roleNameAttributeID" value="cn"/>
                    <module-option name="roleAttributeIsDN" value="true"/>
                    <!-- Reject empty passwords so an anonymous/unauthenticated bind can never count as a login -->
                    <module-option name="allowEmptyPasswords" value="false"/>
                    <module-option name="Context.REFERRAL" value="follow"/>
                    <module-option name="throwValidateError" value="true"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                    <module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
                    <module-option name="replaceRole" value="false"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

Depending on the type of application, you need some config in your app to make the app use this domain.

If you have a web application (.war) you need a jboss-web.xml:

<jboss-web>
    <security-domain>java:/jaas/test_ldap_security_domain</security-domain>
</jboss-web>

You can now use standard JavaEE authentication/authorization mechanisms, e.g. in the web.xml.
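As an added illustration that is not part of the original answer, here is a web.xml that puts the LDAP security domain above to use: it protects one URL path with a role that comes straight from the user's memberOf groups. The group name app-admin, the /secure/* path and the login pages are assumptions for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- Everything under /secure/ requires an authenticated user holding the app-admin role.
         With roleAttributeID=memberOf and roleNameAttributeID=cn in the security domain, the
         role name is the cn of the AD group, i.e. "app-admin" for a group whose DN is
         cn=app-admin,cn=Users,dc=mydomain,dc=com (group name assumed for this example). -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>app-admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Credentials travel to the application over HTTPS only -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- FORM login: the container collects j_username/j_password and passes them to the
         security domain referenced in jboss-web.xml; realm-name is informational here. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>test_ldap_security_domain</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Every role named in an auth-constraint must be declared -->
    <security-role>
        <role-name>app-admin</role-name>
    </security-role>
</web-app>
```

Because baseFilter matches on userPrincipalName, users must enter their UPN (user@mydomain.com) in the login form, and a user who is not in the app-admin group is authenticated but still gets a 403 on /secure/*.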
