Configuring LDAP in WildFly, searching for roles

I have Kerberos configured with WildFly and, in addition, I get groups from LDAP; it works for certain configurations, but not for others.

Kerberos works as expected, and here is the configuration for LDAP:

<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
    <module-option name="java.naming.provider.url" value="ldap://ttttt.com:3268/"/>
    <module-option name="bindDN" value="user"/>
    <module-option name="bindCredential" value="passwd"/>
    <module-option name="baseCtxDN" value="DC=AD,DC=TTT,DC=com"/>
    <module-option name="baseFilter" value="(userPrincipalName={0})"/>
    <module-option name="rolesCtxDN" value="OU=Groups, DC=AD,DC=TTT,DC=com"/>
    <module-option name="roleFilter" value="(member={1})"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleNameAttributeID" value="cn"/>
    <module-option name="recurseRoles" value="true"/>
    <module-option name="password-stacking" value="useFirstPass"/>
    <module-option name="allowEmptyPassword" value="false"/>
    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>

I have a group configured called app_ttt_api. I added some members of this group.

So, my setup works when the member I added is a group itself, and you are a member of that group. If you add the user directly, it does not work. Also, if you add a group containing a group that contains the user, it does not work either.

So group->group->user works, but

group->user

and

group->group->group->user

do not.


Edit2: https://developer.jboss.org/thread/272926

Edit3: AdvancedLdapLoginModule

Line 526:

    results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);

with rolesCtxDN=DC=AD,DC=TTT,DC=com, roleFilter=(member={1}), filterArgs[0]=myuser@AD.TTT.COM, filterArgs[1]=CN=myuser,CN=Managed Service Accounts,DC=AD,DC=MLP,DC=com

  1. Line 532:

    getRole(searchContext, resultDN);

  2. In getRole, lines 572 and 575:

    572  result = searchContext.getAttributes(dn, attrNames);
    575  ... = result.get(roleAttributeID);

    attrNames contains roleAttributeID, i.e. "memberOf".

  3. After line 575, lines 585 and 586:

    585  loadRoleByRoleNameAttributeID(searchContext, roleDN);
    586  recurseRolesSearch(searchContext, baseRoleDN);

Or with:

   <module-option name="roleAttributeID" value="cn"/>
   <module-option name="roleAttributeIsDN" value="false"/>

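As an added illustration (not part of the question above, and not the login module's own code), the following Python model replays the call path the question's trace shows (rolesSearch with `(member={1})`, then getRole reading `roleAttributeID`, then loadRoleByRoleNameAttributeID and recurseRolesSearch for DN-valued results) over a small constructed in-memory directory, for the three nesting cases in the question and for both configurations it mentions. The directory contents, the DN layout (`CN=<group>,OU=Groups,DC=AD,DC=TTT,DC=com`) and the behaviour modelled for `roleAttributeIsDN=false` (the value itself is the role name, and `recurseRoles` repeats the member search for the matched group) are assumptions of this example, not verified module behaviour.

```python
"""Added example: an in-memory model of AdvancedLdapLoginModule-style
role resolution, used to compare the question's three nesting cases.

Modelled call path (from the trace in the question):
  rolesSearch: search rolesCtxDN with roleFilter (member={1}), where {1}
               is the DN being resolved (first the user DN)
  getRole:     read roleAttributeID from each matched entry; with
               roleAttributeIsDN=true each value is a DN whose
               roleNameAttributeID becomes a role
               (loadRoleByRoleNameAttributeID) and, with recurseRoles,
               the member search is repeated for that DN (recurseRolesSearch)
Assumption of this model (not taken from the module): with
roleAttributeIsDN=false the attribute value itself is the role name, and
recurseRoles repeats the member search for the matched entry's own DN.
The directory below is constructed data, not a real LDAP server.
"""

BASE_DN = "DC=AD,DC=TTT,DC=com"
ROLES_CTX_DN = "OU=Groups," + BASE_DN      # rolesCtxDN from the question's config


def build_directory(group_chain):
    """Build DN -> attributes for a chain of nested groups (constructed data).

    group_chain lists group CNs from outermost to innermost; the user is a
    direct member of the innermost group. member and memberOf are kept
    consistent, as Active Directory does.
    """
    user_dn = "CN=myuser,CN=Users," + BASE_DN
    group_dns = ["CN=%s,%s" % (cn, ROLES_CTX_DN) for cn in group_chain]
    directory = {user_dn: {"cn": ["myuser"], "member": [], "memberOf": []}}
    for cn, dn in zip(group_chain, group_dns):
        directory[dn] = {"cn": [cn], "member": [], "memberOf": []}
    for outer, inner in zip(group_dns, group_dns[1:] + [user_dn]):
        directory[outer]["member"].append(inner)
        directory[inner]["memberOf"].append(outer)
    return directory, user_dn


def search_member(directory, member_dn):
    """Model of searchContext.search(rolesCtxDN, "(member={1})", ...) with
    SUBTREE_SCOPE: entries under rolesCtxDN whose member holds member_dn."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith(ROLES_CTX_DN) and member_dn in attrs["member"]]


def resolve_roles(directory, user_dn, role_attribute_id, role_attribute_is_dn,
                  role_name_attribute_id="cn", recurse_roles=True):
    """Return the set of role names the modelled module assigns to user_dn."""
    roles = set()
    searched = set()   # DNs already used as {1}; guards against group cycles

    def roles_search(dn):                      # rolesSearch / recurseRolesSearch
        if dn in searched:
            return
        searched.add(dn)
        for matched_dn in search_member(directory, dn):
            get_role(matched_dn)

    def get_role(matched_dn):                  # getRole
        for value in directory[matched_dn].get(role_attribute_id, []):
            if role_attribute_is_dn:
                # loadRoleByRoleNameAttributeID: the role name comes from the
                # entry the DN points at, never from matched_dn itself
                target = directory.get(value, {})
                roles.update(target.get(role_name_attribute_id, []))
                if recurse_roles:
                    roles_search(value)
            else:
                roles.add(value)               # assumption: value is the role name
                if recurse_roles:
                    roles_search(matched_dn)   # assumption: climb from the matched group

    roles_search(user_dn)
    return roles


CASES = {
    "group->user": ["app_ttt_api"],
    "group->group->user": ["app_ttt_api", "inner"],
    "group->group->group->user": ["app_ttt_api", "middle", "inner"],
}


def compare_configs():
    """Resolve every case under both configurations discussed in the question."""
    out = {}
    for name, chain in CASES.items():
        directory, user_dn = build_directory(chain)
        out[name] = {
            "memberOf/isDN=true": resolve_roles(directory, user_dn, "memberOf", True),
            "cn/isDN=false": resolve_roles(directory, user_dn, "cn", False),
        }
    return out


if __name__ == "__main__":
    for case, results in compare_configs().items():
        for config, roles in results.items():
            print("%-28s %-20s -> %s" % (case, config, sorted(roles) or "(no roles)"))
```

Under this model the `memberOf` configuration never adds the group that actually matched `(member={1})`; it adds only that group's parents, so `app_ttt_api` is assigned exactly when it sits one level above the group containing the user, which is the pattern the question reports. Because these role names feed authorization decisions, a resolution rule that silently skips a nesting level can grant or deny access in ways the directory layout does not suggest; log the resolved role set for each nesting topology you rely on and confirm it against the expected groups before putting the configuration into production.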
