LDAP Integration
This article contains configuration examples for using LDAP for authentication with ONEWEB 4.0. Follow the steps below.
Set up the LDAP connection
The basic information for a connection is defined with the following attributes:
security-domain name: For ONEWEB 4.0 this name is fixed as "LDAPAuthLocal"; it is referenced from jboss-web.xml.
url: The URL of the LDAP server to connect to, e.g. "ldap://[Server IP Address]:[Port]".
bindDN: The distinguished name used when establishing a connection to the server. A bindDN usually comes with an associated password.
bindCredential: The password for the specified bindDN, required to establish the connection to the server.
baseCtxDN: The starting point (DN) from which the user search begins.
baseFilter: A search filter used to locate the context of the user to authenticate. The input username/userDN obtained from the login module callback is substituted into the filter wherever a {0} expression appears. This substitution behaviour comes from the standard DirContext.search(Name, String, Object[], SearchControls cons) method. A common example of the search filter is (uid={0}).
rolesCtxDN: The DN of the context in which the roles associated with the authenticated user are searched.
roleAttributeID: The name of the attribute of the role context that holds the role name.
searchScope: The search scope; the default is SUBTREE_SCOPE.
For WildFly, edit "standalone.xml": inside the "<profile>" tag, under the security "<subsystem>" tag, insert the following "<security-domain>" into "<security-domains>". See the example below.
<security-domain name="LDAPAuthLocal" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://[IP Address]:[Port]"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="CN=SystemAdmin,OU=People,dc=example,dc=com"/>
            <module-option name="bindCredential" value="secret"/>
            <!-- baseCtxDN: where the user search starts; rolesCtxDN: where the user's roles are searched -->
            <module-option name="baseCtxDN" value="OU=People,dc=example,dc=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="OU=Roles,dc=example,dc=com"/>
            <!-- {1} is replaced with the DN of the authenticated user -->
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="sAMAccountName"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleRecursion" value="1"/>
            <module-option name="defaultRole" value="AllUser"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="throwValidateError" value="true"/>
        </login-module>
    </authentication>
</security-domain>
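As an added check that is not part of the ONEWEB or WildFly documentation, the script below parses a security-domain like the one above and lists the LdapExtended options a reviewer would query before deployment (clear-text ldap://, empty passwords allowed, missing {0}/{1} substitution, clear-text bindCredential). The embedded XML is a constructed sample trimmed from this article's example.

```python
"""Review the LdapExtended login-module options of a WildFly security-domain."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the security-domain shown in this article.
SAMPLE_XML = """
<security-domain name="LDAPAuthLocal" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://[IP Address]:[Port]"/>
      <module-option name="bindDN" value="CN=SystemAdmin,OU=People,dc=example,dc=com"/>
      <module-option name="bindCredential" value="secret"/>
      <module-option name="baseCtxDN" value="OU=People,dc=example,dc=com"/>
      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
      <module-option name="rolesCtxDN" value="OU=Roles,dc=example,dc=com"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="allowEmptyPasswords" value="false"/>
    </login-module>
  </authentication>
</security-domain>
"""

def ldap_options(xml_text):
    """Return {option name: value} for the LdapExtended login-module."""
    root = ET.fromstring(xml_text)
    for module in root.iter("login-module"):
        if module.get("code") == "LdapExtended":
            return {o.get("name"): o.get("value") for o in module.findall("module-option")}
    raise ValueError("no LdapExtended login-module found")

def review(opts):
    """Return the findings a reviewer would raise about these options, in a fixed order."""
    findings = []
    if opts.get("java.naming.provider.url", "").startswith("ldap://"):
        findings.append("provider URL is plain ldap://: simple binds send the bind and user passwords unencrypted")
    if opts.get("allowEmptyPasswords", "false").lower() != "false":
        findings.append("allowEmptyPasswords is enabled: an empty password can pass as an anonymous bind")
    if "{0}" not in opts.get("baseFilter", ""):
        findings.append("baseFilter has no {0}: the login name is never substituted")
    if not any(tok in opts.get("roleFilter", "") for tok in ("{0}", "{1}")):
        findings.append("roleFilter has neither {0} nor {1}: roles are not tied to the user")
    if "bindCredential" in opts:
        findings.append("bindCredential is in clear text in standalone.xml: prefer a vault or credential-store reference")
    return findings

if __name__ == "__main__":
    for finding in review(ldap_options(SAMPLE_XML)):
        print("-", finding)
```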
Specify the JBoss security domain
In the jboss-web.xml file, specify the required security domain. See the example below.
<jboss-web>
    <security-domain>java:/jaas/LDAPAuthLocal</security-domain>
</jboss-web>