This scenario will help you configure LDAP authentication with the XML Login Service. There are other ways to do it in different modules.

In components.xml change

<security:identity 
 security-rules="#{securityRules}"
 authenticate-method="#{authenticator.authenticate}" 
 remember-me="true" 
 jaas-config-name="openLDAPAuth"/>

openLDAPAuth is the name of the application-policy you will define later.

In jboss-app.xml add

<module>
   <service>openLDAP-login-service.xml</service>
</module>

after the loader-repository tag.

Add a new file openLDAP-login-service.xml to the classpath

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="FWLogistics:service=DynamicLoginConfig">
        <attribute name="AuthConfig">openLDAP-login-config.xml</attribute>
        <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
        </depends>
        <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
        </depends>
    </mbean>
</server>

Add openLDAP-login-config.xml to the same place on the classpath

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
          "-//JBoss//DTD JBOSS Security Config 3.0//EN"
          "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
    <application-policy name="openLDAPAuth">
        <authentication>
            <login-module
                code="org.jboss.security.auth.spi.LdapExtLoginModule"
                flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <!-- With "simple" authentication over plain ldap:// the bind credential and
                     every user's password cross the network unencrypted; use ldaps:// (or TLS)
                     outside of a test setup. -->
                <module-option name="java.naming.provider.url">ldap://ldap.host.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <!-- Account the module binds as to look up the user's DN; the credential
                     sits in this file in clear text, so restrict who can read it. -->
                <module-option name="bindDN">cn=Rootuser,dc=domain</module-option>
                <module-option name="bindCredential">passwd</module-option>
                <!-- User search: {0} is replaced with the username entered at login. -->
                <module-option name="baseCtxDN">ou=People,dc=domain</module-option>
                <module-option name="baseFilter">(uid={0})</module-option>

                <!-- Role search: {1} is replaced with the DN of the authenticated user;
                     the value of roleAttributeID on each matching entry becomes a role. -->
                <module-option name="rolesCtxDN">ou=Roles,ou=apps,dc=domain</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">cn</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>

In LDAP, the user must be defined with

objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson (optional)
objectClass: account (optional)
objectClass: posixAccount
objectClass: top

That's it! After the username and password have been authenticated against LDAP, the roles are also retrieved and added to the Identity object in Seam.
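To make the two-stage lookup behind those module options concrete, here is an added example that is not part of the original page and not JBoss code: a small Python simulation of what the login module does with the baseFilter/roleFilter options above, run against a constructed in-memory directory (the entries, uids, passwords and role groups below are invented and mirror the ou=People and ou=Roles DNs from the config). The bind as the user is stood in for by a password comparison. It also shows RFC 4515 escaping of the username before it is spliced into the filter, which is what any implementation of this pattern should do; whether LdapExtLoginModule itself escapes is not stated on this page and is not claimed here.

```python
import re

# Constructed in-memory directory standing in for the LDAP server; the DNs
# mirror the baseCtxDN / rolesCtxDN values from openLDAP-login-config.xml.
DIRECTORY = {
    "uid=alice,ou=People,dc=domain": {
        "objectClass": ["top", "person", "organizationalPerson", "posixAccount"],
        "uid": ["alice"],
        "userPassword": ["s3cret"],
    },
    "uid=bob,ou=People,dc=domain": {
        "objectClass": ["top", "person", "organizationalPerson", "posixAccount"],
        "uid": ["bob"],
        "userPassword": ["hunter2"],
    },
    "cn=admin,ou=Roles,ou=apps,dc=domain": {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["admin"],
        "member": ["uid=alice,ou=People,dc=domain"],
    },
    "cn=user,ou=Roles,ou=apps,dc=domain": {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["user"],
        "member": ["uid=alice,ou=People,dc=domain", "uid=bob,ou=People,dc=domain"],
    },
}

# Module options copied from the page's openLDAP-login-config.xml.
OPTIONS = {
    "baseCtxDN": "ou=People,dc=domain",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=Roles,ou=apps,dc=domain",
    "roleFilter": "(member={1})",
    "roleAttributeID": "cn",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value before it is spliced into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


# Only the single equality filters used by the page's options are supported.
_EQ = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def _value_regex(value: str) -> re.Pattern:
    """Turn an assertion value into a regex: unescaped '*' is a wildcard,
    '\\XX' hex escapes are literal characters (this is why escaping matters)."""
    pattern, i = "", 0
    while i < len(value):
        ch, hexpair = value[i], value[i + 1:i + 3]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
            pattern += re.escape(chr(int(hexpair, 16)))
            i += 3
        elif ch == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(ch)
            i += 1
    return re.compile("^" + pattern + "$", re.DOTALL)


def search(base_dn: str, filter_str: str) -> list:
    """Subtree search under base_dn; returns the DNs of matching entries."""
    m = _EQ.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, rx = m.group(1), _value_regex(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn)
            and any(rx.match(v) for v in entry.get(attr, []))]


def authenticate(username: str, password: str):
    """The flow the login module performs: locate the user's DN under baseCtxDN,
    bind as that DN, then collect roles under rolesCtxDN. Returns None on failure."""
    user_value = escape_filter_value(username)
    user_filter = OPTIONS["baseFilter"].replace("{0}", user_value)
    users = search(OPTIONS["baseCtxDN"], user_filter)
    if len(users) != 1:
        return None  # unknown user, or an ambiguous match
    user_dn = users[0]
    # Stand-in for binding as user_dn with the supplied password.
    if password not in DIRECTORY[user_dn].get("userPassword", []):
        return None
    role_filter = (OPTIONS["roleFilter"]
                   .replace("{0}", user_value)
                   .replace("{1}", escape_filter_value(user_dn)))
    roles = set()
    for role_dn in search(OPTIONS["rolesCtxDN"], role_filter):
        roles.update(DIRECTORY[role_dn].get(OPTIONS["roleAttributeID"], []))
    return {"dn": user_dn, "roles": sorted(roles)}


if __name__ == "__main__":
    print(authenticate("alice", "s3cret"))
    print(authenticate("alice", "wrong"))
```

Running it shows alice ending up with the roles admin and user, bob with only user, and a wrong password or unknown uid yielding None; searching ou=People with an unescaped "*" matches every user, while the escaped form matches none, which is the difference the escaping step makes.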
