AD LDAP Authentication for JBoss

I was faced with the necessity of using LDAP to authenticate users to JBoss. The LDAP server was Microsoft Active Directory (AD). JBoss has a built-in LDAP authenticator (LdapLoginModule.java), which is very configurable, but it wouldn't work in my case.

Active Directory is odd, in that you cannot browse the directory anonymously. Thus, for authentication, users must supply a username that will allow them to bind to the directory. For AD this is either their distinguished name (find one user that knows theirs), or their user principal name. In most cases the user principal name is something like username@some.domain. In my case there were no standards for the user principal names, giving me a class of users that couldn't reliably supply a username that can easily be massaged to be used by the standard JBoss LDAP authentication module. To solve this, I took an idea from the mod_auth_ldap module for the Apache HTTPD.

I have modified the standard JBoss LDAP authentication module to allow a 'browse user' to be specified. This allows authentication to proceed as follows:

  • Log into the directory as the browse user
  • Find a distinguished name with an attribute (e.g. sAMAccountName) matching the supplied username
  • Log into the directory using the discovered distinguished name and the supplied password

This lets users specify something they know, which in my case was their network login name.

I also changed the way the user roles are returned. I could not make schema changes, so I had to use the NT groups to allow or deny access. Thus, roles are an attribute of the user object in the directory. In my case, I use memberOf.
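Here is the three-step flow above, together with the memberOf role lookup, written out as a stand-alone JNDI example (added here; it is not the BrowseLdapLoginModule code). The server URL, browse account DN and password, and base DN are assumed placeholder values; the filter escaping and the empty-password check are defensive details the flow needs wherever it is implemented.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class BrowseBindExample {
    // Assumed values for illustration only; use your own server, browse account and base DN.
    static final String URL = "ldap://ad.example.internal:389", BASE_DN = "DC=example,DC=internal";
    static final String BROWSE_DN = "CN=svc-browse,OU=Service Accounts,DC=example,DC=internal";
    static final String BROWSE_PW = "browse-password";

    // Escape a login name for a search filter (RFC 4515) so "bob)(objectClass=*" cannot alter it.
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray())
            sb.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return sb.toString();
    }
    static LdapContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }
    // Returns the user's memberOf values (the roles), or null when the login is refused.
    static List<String> authenticate(String login, String password) throws NamingException {
        // An empty password is an unauthenticated (anonymous) simple bind on AD, not a login.
        if (password == null || password.isEmpty()) return null;
        LdapContext ctx = bind(BROWSE_DN, BROWSE_PW);              // 1. log in as the browse user
        try {
            SearchControls sc = new SearchControls();              // 2. find the DN by sAMAccountName
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> hits = ctx.search(BASE_DN, "(sAMAccountName=" + escapeFilter(login) + ")", sc);
            if (!hits.hasMore()) return null;
            SearchResult user = hits.next();
            if (hits.hasMore()) return null;                       // ambiguous match: refuse
            bind(user.getNameInNamespace(), password).close();     // 3. bind as the discovered DN
            Attribute memberOf = user.getAttributes().get("memberOf");  // roles live on the user object
            List<String> roles = new ArrayList<>();
            if (memberOf != null) for (Object v : Collections.list(memberOf.getAll())) roles.add(v.toString());
            return roles;
        } finally {
            ctx.close();
        }
    }
}
```

With simple binds both the browse password and the user's password cross the wire in clear, so in practice point URL at ldaps:// (or use StartTLS) rather than the plain ldap:// shown.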

Version 2.0 is out. http://boxerboxes.ca/hacks/BrowseLdapLoginModule-v2.0.tar.gz. I have added dereferencing of the role distinguished names. That should make your roles prettier to look at.

Version 1.0 is still here.

Let me know (gosh@boxerboxes.ca) if you find it useful, or if you have any suggestions for modifications.