
I am new to PicketLink. I have to build a proof of concept on PicketLink 2.1.8 for JBoss AS6. My first goal is to set up an IDP with LDAP. I have found many configuration examples for standalone.xml which apply to JBoss AS7 or EAP:

<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="cn=XXXXX"/>
            <module-option name="bindCredential" value="XXXXXX"/>
            <module-option name="baseCtxDN" value="ou=People,dc=XXXXX,dc=XXX"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=groups,dc=XXXXX,dc=XXX"/>
            <module-option name="roleFilter" value="(uniqueMember={0})"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="true"/>
        </login-module>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>

How can I perform the same task in a JBoss AS6 context? What is the equivalent of standalone.xml in JBoss AS6? Also, will those parameters be the same in an AS6 environment? Any idea or resource recommendation will be greatly appreciated. Thank you.

Federico Sierra
ScicaJ

1 Answer


To configure JAAS login modules in JBoss AS 6:

  1. Open $JBOSS_HOME/server/$PROFILE/conf/login-config.xml.
  2. Add the following login module in login-config.xml under <policy>:

<application-policy name="idp">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">uid=</module-option>
            <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
            <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">false</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
        </login-module>
    </authentication>
    <!-- audit is configured per application-policy; this is what provides
         java:jboss/jaas/idp/auditMgr for the "idp" domain -->
    <audit>
        <provider-module code="org.jboss.security.audit.providers.LogAuditProvider"/>
    </audit>
</application-policy>

See also: LdapLoginModule

EDIT:

If you have enabled audit, you need to add:

<audit>
    <provider-module code="org.jboss.security.audit.providers.LogAuditProvider"/>
</audit>

Another option is to disable audit. This can be done at the root element of picketlink.xml, i.e. PicketLink: add the attribute "EnableAudit" and set it to "false".

See: PicketLinkAudit

Federico Sierra
  • Thank you, this is very helpful. (Happy new year) – ScicaJ Jan 05 '15 at 09:27
  • Hello, regarding the audit-enabling part, do you have any clue how to configure it in JBoss AS 6.x? In fact I am getting this error message: 15:57:21,639 ERROR [org.apache.catalina.core.StandardContext] Erreur de démarrage du contexte [/idp] suite aux erreurs précédentes: java.lang.RuntimeException: PL00102: Processing Exception:Could not find a audit manager configuration. Location: java:jboss/jaas/idp/auditMgr at org.picketlink.identity.federation.DefaultPicketLinkLogger.samlIDPConfigurationError.... Thank you – ScicaJ Jan 07 '15 at 17:11
  • @ScicaJ Check my edit; I recommend that you read the documentation about configuration: https://docs.jboss.org/author/display/PLINK/Identity+Provider+Configuration – Federico Sierra Jan 07 '15 at 19:20
  • @ScicaJ Great! If you think the answer is correct, don't forget to mark it as correct. – Federico Sierra Jan 09 '15 at 14:11
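The core of the answer is a format difference: AS7/EAP standalone.xml writes options as `<module-option name=".." value=".."/>` inside a `<security-domain>`, while AS6 login-config.xml expects `<module-option name="..">value</module-option>` inside an `<application-policy>`, with `<audit>` kept inside that policy so the domain's audit manager exists. The following is an added example, not code from the question or the answer: a small Python converter that performs that translation on a constructed sample; it assumes the same login-module class can be reused on AS6 and maps the PicketLink audit provider to the LogAuditProvider named in the answer.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the AS7/EAP standalone.xml form (trimmed from the question).
AS7_SECURITY_DOMAIN = """
<security-domain name="idp" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
      <module-option name="bindDN" value="cn=XXXXX"/>
      <module-option name="baseCtxDN" value="ou=People,dc=XXXXX,dc=XXX"/>
      <module-option name="baseFilter" value="(uid={0})"/>
    </login-module>
  </authentication>
  <audit>
    <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
  </audit>
</security-domain>
"""

# Audit provider substitution taken from the answer; any other code is passed through unchanged.
AUDIT_PROVIDER_FOR_AS6 = {
    "org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider":
        "org.jboss.security.audit.providers.LogAuditProvider",
}

def convert_security_domain(as7_xml: str) -> ET.Element:
    """Translate an AS7 <security-domain> into an AS6 <application-policy>.

    AS7 writes <module-option name=".." value=".."/>; AS6 login-config.xml expects
    <module-option name="..">value</module-option>. cache-type has no AS6 equivalent
    and is dropped. <audit> stays inside the policy so the per-domain audit manager
    (java:jboss/jaas/<name>/auditMgr) is configured for that domain.
    """
    domain = ET.fromstring(as7_xml)
    policy = ET.Element("application-policy", name=domain.get("name"))
    for section in domain:                       # <authentication>, <audit>, ...
        new_section = ET.SubElement(policy, section.tag)
        for module in section:                   # <login-module> / <provider-module>
            attrs = dict(module.attrib)
            if attrs.get("code") in AUDIT_PROVIDER_FOR_AS6:
                attrs["code"] = AUDIT_PROVIDER_FOR_AS6[attrs["code"]]
            new_module = ET.SubElement(new_section, module.tag, attrs)
            for opt in module.findall("module-option"):
                new_opt = ET.SubElement(new_module, "module-option", name=opt.get("name"))
                new_opt.text = opt.get("value", "")  # attribute form -> element text
    return policy

def module_options(policy: ET.Element) -> dict:
    """Flatten every module-option of the converted policy to {name: value}."""
    return {o.get("name"): o.text for o in policy.iter("module-option")}
```

Serialise the returned element with `ET.tostring(policy, encoding="unicode")` and paste the result under `<policy>` in login-config.xml; the bindDN/bindCredential values still need to be filled in for the real directory.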