I have the following requirements for my web application running on JBoss 4.2.1:
- Users should be authenticated against an LDAP directory
- In LDAP, a user is registered in one of two locations, say ou=A or ou=B. So, the DN for a user might be uid=X,ou=A or uid=X,ou=B
- I need to perform programmatic web authentication

The solution I have come up with is to use two LdapLoginModules: one for each location. Both login-modules are set to 'sufficient'.

| <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
|    <!-- regular options omitted -->
|    <module-option name="principalDNPrefix">uid=</module-option>
|    <module-option name="principalDNSuffix">,ou=A</module-option>
| </login-module>
| <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
|    <!-- regular options omitted -->
|    <module-option name="principalDNPrefix">uid=</module-option>
|    <module-option name="principalDNSuffix">,ou=B</module-option>
| </login-module>

This works as expected: authentication succeeds if the user can be authenticated against one of the two LDAP locations.

To propagate the authentication info to the container, I use the ClientLoginModule as mentioned in the SecurityFAQ. This is added as the third login module in my configuration:

| <login-module code="org.jboss.security.ClientLoginModule" flag="required">
|    <module-option name="restore-login-identity">true</module-option>
|    <module-option name="multi-threaded">true</module-option>
|    <module-option name="password-stacking">useFirstPass</module-option>
| </login-module>

What I want is that authentication fails when both LDAP login modules fail. In reality, authentication succeeds in that case, because the ClientLoginModule always succeeds. Thus, I have the two 'sufficient' LDAP login modules fail, and the 'required' ClientLoginModule succeed, resulting in a successful login.

Is there a way to enforce that (at least) one of the LDAP login modules succeeds, and that the ClientLoginModule is still invoked for a successful login?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4151352#4151352
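
The flag interaction described in the post, modelled as an added example (not code from the post or from JBoss): it applies the control-flag rules from the javax.security.auth.login.Configuration documentation to the login phase only. The module labels and the single-module stack are hypothetical and stand in for the configured classes.

```python
# Model of the JAAS control-flag rules (required, requisite, sufficient, optional),
# login phase only. Module names are labels, not real classes.

def evaluate(stack, succeeds):
    """stack: list of (name, flag) in configured order.
    succeeds: set of module names whose login() would succeed.
    Returns (overall_success, names_invoked_in_order)."""
    must_pass_configured = any(f in ("required", "requisite") for _, f in stack)
    must_pass_failed = False   # a required/requisite module has failed so far
    any_success = False
    invoked = []
    for name, flag in stack:
        invoked.append(name)
        ok = name in succeeds
        any_success = any_success or ok
        if flag in ("required", "requisite"):
            if not ok:
                must_pass_failed = True
                if flag == "requisite":
                    return False, invoked      # requisite failure stops the stack
        elif flag == "sufficient":
            if ok and not must_pass_failed:
                return True, invoked           # sufficient success stops the stack
        elif flag != "optional":
            raise ValueError("unknown control flag: " + flag)
    if must_pass_failed:
        return False, invoked
    # With no required/requisite module configured, at least one
    # sufficient/optional module must have succeeded.
    return (True if must_pass_configured else any_success), invoked

# The stack from the post: two 'sufficient' LDAP modules, then a 'required'
# client module that always succeeds.
POSTED_STACK = [("ldap-ou-A", "sufficient"),
                ("ldap-ou-B", "sufficient"),
                ("client-login", "required")]

# Hypothetical contrast: one 'required' module that checks both OUs.
SINGLE_LDAP_STACK = [("ldap-A-or-B", "required"),
                     ("client-login", "required")]

if __name__ == "__main__":
    for label, stack, ok in [
        ("posted, both LDAP fail", POSTED_STACK, {"client-login"}),
        ("posted, ou=B succeeds", POSTED_STACK, {"ldap-ou-B", "client-login"}),
        ("single, LDAP fails", SINGLE_LDAP_STACK, {"client-login"}),
        ("single, LDAP succeeds", SINGLE_LDAP_STACK, {"ldap-A-or-B", "client-login"}),
    ]:
        print(label, evaluate(stack, ok))
```

The second case shows the other half of the problem: when a 'sufficient' LDAP module succeeds, the stack stops there and the client module's login() is not reached.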
