Monday, November 24, 2014

LDAP (AD) security domain in WildFly


Following on from the previous post, we will change the authentication/authorization realm to LDAP (actually Active Directory).

Change the AD security domain as follows:


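<!-- LDAP (Active Directory) security domain.
     Authentication: LdapExtended binds with a service account to locate the
     user by sAMAccountName and then verifies the submitted password against AD.
     Authorization: groups listing the user in 'member' become roles, which
     RoleMapping then translates via ad.properties.
     cache-type="default" caches the authenticated principal and its roles, so
     group or password changes in AD are not seen until the cache entry expires
     or is flushed. -->
<security-domain name="AD" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <!-- Use LDAPS (636) rather than ldap://...:389. With
                 java.naming.security.authentication=simple both the service
                 account password and every user's password would otherwise
                 cross the network in cleartext. The AD server certificate (or
                 its issuing CA) must be trusted by the JVM truststore; that
                 configuration is outside this snippet. -->
            <module-option name="java.naming.provider.url" value="ldaps://mydomain.local:636"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- Service account used only for the user and group searches: give
                 it a read-only AD account. Do not leave its password in
                 cleartext in standalone.xml - store it in the WildFly vault and
                 reference it with a ${VAULT::...} expression, and keep the
                 configuration file readable only by the WildFly user. -->
            <module-option name="bindDN" value="domain\user"/>
            <module-option name="bindCredential" value="password"/>
            <module-option name="baseCtxDN" value="OU=Organization,DC=dc1,DC=dc2"/>
            <!-- {0} is replaced with the login name submitted by the user. The
                 login module is relied on to escape LDAP filter metacharacters
                 before substitution - confirm this for the WildFly version in
                 use, otherwise the filter is open to LDAP injection. -->
            <module-option name="baseFilter" value="(&amp;(objectClass=user)(sAMAccountName={0}))"/>
            <!-- {1} is the DN of the authenticated user; every group under
                 rolesCtxDN whose 'member' attribute lists it yields a role named
                 after the group's cn. -->
            <module-option name="rolesCtxDN" value="OU=Groups,OU=Organization,DC=dc1,DC=dc2"/>
            <module-option name="roleFilter" value="(&amp;(objectClass=group)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <!-- 0 = nested group membership is NOT resolved; raise this if roles
                 are meant to be granted through groups contained in groups. -->
            <module-option name="roleRecursion" value="0"/>
            <!-- Granted to EVERY user who authenticates successfully, regardless
                 of group membership - attach only baseline permissions to it. -->
            <module-option name="defaultRole" value="authenticateduser"/>
            <module-option name="throwValidateError" value="true"/>
            <!-- Referrals are chased automatically, so searches may be sent to
                 other servers the directory points at. The attribute below is
                 the one checked on referred group entries; AD groups use
                 'member' (as in roleFilter above), not 'uniqueMember' - review
                 whether this value is intended. -->
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
        </login-module>
        <!-- Maps the AD group names produced above to application roles via
             ad.properties; replaceRole=false keeps the raw group names as
             roles as well, so the application sees both. -->
        <login-module code="RoleMapping" flag="required">
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/ad.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>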

The ad.properties file specifies the mappings between AD groups (the property name) and application roles (comma-separated values); only groups you want to confer privileges need an entry.
Note the rarely documented option defaultRole, which adds an implicit role to every authenticated user: anyone who can bind to AD receives it regardless of group membership, so do not attach to that role any permission that should require membership in a specific group.






