You can define a security domain backed by an LDAP server that stores the users and roles mapping for an application.
Legacy security domains can access LDAP identity stores by using different LDAP login modules: the Ldap, LdapExtended, AdvancedLdap, and AdvancedAdLdap login modules.
Refer to the references section to learn more about each of the LDAP login modules.
Red Hat recommends the use of the LdapExtended login module, even when the LDAP server is a Microsoft Active Directory.
These login modules integrate with an LDAP server and authenticate users against the data stored in the LDAP Directory Information Tree (DIT).
Users and roles are stored under organizational units (OU) in the LDAP tree, with the username forming the distinguished name (DN) that uniquely identifies a user.
The LDAP server configuration and the DIT layout can differ between LDAP server vendors.
The detailed configuration for each LDAP server vendor is out of the scope of this course.
Refer to the references section to learn more about LDAP.
In the elytron security subsystem there is no concept of a login module; the LDAP configuration is performed by using an ldap-realm realm type.
Refer to the references section to learn how to configure an LDAP security realm by using the elytron subsystem.
You can create an LDAP security domain by using the following management CLI command:
[standalone@localhost:9990] /subsystem=security/security-domain=ldap-domain:add(cache-type=default)
Then, add the authentication element of the security domain:
[standalone@localhost:9990] /subsystem=security/security-domain=ldap-domain/authentication=classic:add
Finally, configure the LdapExtended login module:
[standalone@localhost:9990] /subsystem=security/security-domain=ldap-domain\
/authentication=classic/login-module=LdapExtended:add(code=LdapExtended, flag=required, \
module-options=[("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"), \
("java.naming.provider.url"=>"ldap://ldap.server:389"), \
("java.naming.security.authentication"=>"simple"), \
("bindDN"=>"cn=bind-user,dc=example,dc=com"), ("bindCredential"=>"bind-user-password"), \
("baseCtxDN"=>"ou=Users,dc=example,dc=com"), ("baseFilter"=>"(uid={0})"), \
("rolesCtxDN"=>"ou=Roles,dc=example,dc=com"), ("roleFilter"=>"(member={1})"), \
("roleAttributeID"=>"uid")])
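The following added example (Python, not JBoss EAP code) shows how the LdapExtended login module uses the options just set to resolve a login: a user search with {0} under baseCtxDN, a bind as the found user DN, and a role search with {1} under rolesCtxDN. It runs against a constructed in-memory directory instead of the server named in java.naming.provider.url, and the password check stands in for the re-bind a real server performs.

```python
import re

# Constructed in-memory DIT that mirrors the course layout: user entries under
# ou=Users, role entries under ou=Roles whose 'member' values are user DNs.
USERS, ROLES = "ou=Users,dc=example,dc=com", "ou=Roles,dc=example,dc=com"
DIT = {
    f"uid=alice,{USERS}": {"uid": ["alice"], "userPassword": ["s3cret"]},
    f"uid=bob,{USERS}": {"uid": ["bob"], "userPassword": ["hunter2"]},
    f"uid=admin,{ROLES}": {"uid": ["admin"], "member": [f"uid=alice,{USERS}"]},
    f"uid=user,{ROLES}": {"uid": ["user"],
                          "member": [f"uid=alice,{USERS}", f"uid=bob,{USERS}"]},
}

# The same module-option values the page passes to the LdapExtended login module.
MODULE_OPTIONS = {
    "baseCtxDN": USERS, "baseFilter": "(uid={0})",
    "rolesCtxDN": ROLES, "roleFilter": "(member={1})", "roleAttributeID": "uid",
}

def escape_filter_value(value):
    """RFC 4515 escaping: a caller-supplied value must not alter filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def search(base_dn, ldap_filter):
    """Subtree search for the one filter shape the options use: (attr=value)."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn, attrs in DIT.items()
            if dn.lower().endswith("," + base_dn.lower())
            and value in attrs.get(attr, [])]

def authenticate(username, password, opts=MODULE_OPTIONS):
    """Return the sorted role names for a valid login, or None on failure."""
    # Step 1 (as bindDN): find the user entry; {0} is the supplied username.
    user_filter = opts["baseFilter"].replace("{0}", escape_filter_value(username))
    matches = search(opts["baseCtxDN"], user_filter)
    if len(matches) != 1:
        return None  # unknown or ambiguous user
    user_dn = matches[0]
    # Step 2: the real module re-binds as user_dn with the password; this
    # simulation compares against the stored userPassword instead.
    if password not in DIT[user_dn].get("userPassword", []):
        return None
    # Step 3 (as bindDN again): {1} is the user's DN; collect roleAttributeID
    # from every role entry that roleFilter matches.
    role_filter = opts["roleFilter"].replace("{1}", escape_filter_value(user_dn))
    roles = set()
    for role_dn in search(opts["rolesCtxDN"], role_filter):
        roles.update(DIT[role_dn].get(opts["roleAttributeID"], []))
    return sorted(roles)
```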
The corresponding XML definition of the LDAP legacy security domain displays as follows:
<security-domain name="ldap-domain" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://ldap.server:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="cn=bind-user,dc=example,dc=com"/>
            <module-option name="bindCredential" value="bind-user-password"/>
            <module-option name="baseCtxDN" value="ou=Users,dc=example,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=example,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="uid"/>
        </login-module>
    </authentication>
</security-domain>
References
What is lightweight directory access protocol (LDAP) authentication?
For more information about performing searches against LDAP servers, refer to the Examples of Common ldapsearches in the Administration Guide in the Red Hat Directory Server 11 documentation at https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#Examples-of-common-ldapsearches
For more information about the LDAP login modules for the legacy security subsystem, refer to the Ldap Login Module and following sections in the Login Modules With External Identity Store chapter of the Login Module Reference guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/login_module_reference/index#ldap_login_module
For more information about configuring an elytron security domain that uses LDAP as identity store, refer to the Configure Authentication with an LDAP-Based Identity Store in the Elytron Subsystem chapter in the How to Configure Identity Management guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_identity_management/index#elytron_ldap_auth_app