
Picketlink IDP 2.1.8 with LDAP for Jboss AS6.x


I am new to PicketLink. I have to build a proof of concept on PicketLink 2.1.8 for JBoss AS6. My first goal is to set up an IDP with LDAP. I have found many configuration examples for standalone.xml which apply to JBoss AS7 or EAP:

<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="cn=XXXXX"/>
            <module-option name="bindCredential" value="XXXXXX"/>
            <module-option name="baseCtxDN" value="ou=People,dc=XXXXX,dc=XXX"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=groups,dc=XXXXX,dc=XXX"/>
            <module-option name="roleFilter" value="(uniqueMember={0})"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="true"/>
        </login-module>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>

How can I perform the same task in a JBoss AS6 context? What is the equivalent of standalone.xml in JBoss AS6? Also, will those parameters be the same in an AS6 environment? Any idea or resource recommendation will be greatly appreciated. Thank you.


Solution

  • To configure JAAS login modules in JBoss AS 6:

    1. Open $JBOSS_HOME/server/$PROFILE/conf/login-config.xml.
    2. Add the following login module in login-config.xml under <policy>.
    <application-policy name="idp">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="principalDNPrefix">uid=</module-option>
                <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
                <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
                <module-option name="uidAttributeID">member</module-option>
                <module-option name="matchOnUserDN">false</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>
            </login-module>
        </authentication>
        <!-- the audit block is a child of application-policy, next to authentication -->
        <audit>
            <provider-module code="org.jboss.security.audit.providers.LogAuditProvider"/>
        </audit>
    </application-policy>
    

    See also: LdapLoginModule

    EDIT:

    If you have enabled audit you need to add:

    <audit>
        <provider-module code="org.jboss.security.audit.providers.LogAuditProvider"/>
    </audit>
    

    Another option is to disable audit. This can be done at the root element of picketlink.xml, i.e. PicketLink: add the attribute "EnableAudit" and set it to "false".

    see: PicketLinkAudit
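As an added example (not part of the question or the answer above), a small Python check that parses a login-config.xml policy like the one in the answer and flags the two points a reviewer looks at first: a simple bind over a plaintext ldap:// URL, and a policy with no audit provider. The sample XML is constructed from the answer's values; the option parser accepts both the AS6 element-text form and the AS7 value-attribute form shown in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's login-config.xml, not a real deployment
LOGIN_CONFIG = """<policy>
  <application-policy name="idp">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

def option_value(opt):
    # AS7 writes <module-option name=".." value=".."/>; AS6 puts the value in the element text
    return opt.get("value") if opt.get("value") is not None else (opt.text or "").strip()

def policy_options(xml_text, policy_name):
    """Return {login-module code: {option name: value}} for one application-policy."""
    root = ET.fromstring(xml_text)
    modules = {}
    for policy in root.iter("application-policy"):
        if policy.get("name") == policy_name:
            for lm in policy.iter("login-module"):
                modules[lm.get("code")] = {o.get("name"): option_value(o)
                                          for o in lm.findall("module-option")}
    return modules

def audit_enabled(xml_text, policy_name):
    """True when the policy declares an <audit> provider-module inside application-policy."""
    root = ET.fromstring(xml_text)
    return any(p.get("name") == policy_name and p.find("audit/provider-module") is not None
               for p in root.iter("application-policy"))

def review(xml_text, policy_name="idp"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for code, opts in policy_options(xml_text, policy_name).items():
        url = opts.get("java.naming.provider.url", "")
        # JNDI falls back to a simple bind when credentials are supplied and no mechanism is set
        auth = opts.get("java.naming.security.authentication", "simple")
        if auth == "simple" and url.startswith("ldap://"):
            findings.append(f"{code}: simple bind over plaintext {url}; use ldaps:// instead")
        if opts.get("bindCredential"):
            findings.append(f"{code}: bindCredential is stored in cleartext in login-config.xml")
    if not audit_enabled(xml_text, policy_name):
        findings.append(f"{policy_name}: no <audit> provider-module, so login events are not logged")
    return findings
```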