how to specify the group to authenticate user in ldaploginmodule and jboss configuration

Tag: authentication , jboss , filter , ldap , group Author: z775653181 Date: 2013-04-10

I would like to authenticate the user only if he is in a specific group.

For my test I have two users:

  • one user is in the FIRST GROUP
  • the other is in the SECOND GROUP

I have an Active Directory:

CN=Users,DC=XXXX,DC=com
  ---usrA
  ---usrB
  ---group1
  ---group2

usrA is in group1, usrB is in group2, and I authenticate the user via JBoss with LdapLoginModule in standalone.xml.

standalone.xml:

<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <module-option name="java.naming.provider.url" value="ldap://192.168.1.18"/>
  <module-option name="java.naming.allowEmptyPasswords" value="false"/>
  <module-option name="userfilter" value="(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"/>
  <module-option name="principalDNSuffix" value="@XXXX.com"/>
  <module-option name="java.naming.security.authentication" value="simple"/>
</login-module>

Here (primaryGroupID=1109) corresponds to group1.

The result is:

  • usrA logs in successfully
  • usrB logs in successfully too

So the filter is either not working properly or not used at all, and I get no error.

I tested the userfilter query in Active Directory and it correctly returns "usrA".

Does someone have an idea of the problem? Does anyone know another way to authenticate a user according to his group?

Is the user filter actually "(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"? Try this one: (&(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109))
Hi acdcjunior, and thanks for helping me. But when I try without &amp; I get a parsing error between & and ( ...
14:34:00,583 ERROR [org.jboss.as.server] JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.1.1.Final.jar:7.1.1.Final]
    at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '(' (code 40) (expected a name start character)
    at [row,col {unknown-source}]: [259,71]
The exception seems not to be about the &, but a (. Try: value="&(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109)"
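The two things argued over in the question and the comments can be checked mechanically: whether the userfilter string is syntactically valid LDAP (RFC 4515 requires every component, including each operand of "&", to sit in its own parentheses), and what the XML parser actually hands to JBoss once standalone.xml is read. The script below is an added example, not JBoss or PicketBox code; the only inputs are the filter strings from the posts above, and the small validator is a simplified RFC 4515 grammar written for this page.

```python
"""Validate LDAP filter syntax (simplified RFC 4515) and show how a filter
must be escaped as an XML attribute value in standalone.xml.
Added example for this page; not JBoss/PicketBox code."""
import xml.etree.ElementTree as ET

# Filter exactly as posted in the question (after XML unescaping): note the
# doubled parentheses around the primaryGroupID item.
POSTED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                 "(cn={USERNAME})((primaryGroupID=1109)))")
# Same filter with the stray parentheses removed.
FIXED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(cn={USERNAME})(primaryGroupID=1109))")


class FilterSyntaxError(ValueError):
    pass


def check_filter(text):
    """Recursive-descent check: returns True for a valid filter, raises
    FilterSyntaxError (with the offset) otherwise. Literal parentheses in
    a value must be escaped as \\28 / \\29, so a bare '(' in an item is
    treated as a syntax error, which is what catches the posted filter."""
    def component(i):
        if i >= len(text) or text[i] != "(":
            raise FilterSyntaxError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise FilterSyntaxError("unterminated filter")
        op = text[i]
        if op in "&|":                       # and / or: one or more sub-filters
            i += 1
            n = 0
            while i < len(text) and text[i] == "(":
                i = component(i)
                n += 1
            if n == 0:
                raise FilterSyntaxError(f"'{op}' without operands at offset {i}")
        elif op == "!":                      # not: exactly one sub-filter
            i = component(i + 1)
        else:                                # simple item such as attr=value
            j = text.find(")", i)
            if j == -1:
                raise FilterSyntaxError(f"unterminated item at offset {i}")
            item = text[i:j]
            if "=" not in item or "(" in item:
                raise FilterSyntaxError(f"malformed item {item!r} at offset {i}")
            i = j
        if i >= len(text) or text[i] != ")":
            raise FilterSyntaxError(f"expected ')' at offset {i}")
        return i + 1

    end = component(0)
    if end != len(text):
        raise FilterSyntaxError(f"trailing data at offset {end}")
    return True


def is_valid_filter(text):
    try:
        return check_filter(text)
    except FilterSyntaxError:
        return False


def module_option(filter_text, escape=True):
    """Render the <module-option> line for standalone.xml. With escape=False
    the raw '&' is written, which is what makes the XML parser fail with
    'Unexpected character' as in the boot log quoted above."""
    value = filter_text.replace("&", "&amp;") if escape else filter_text
    return f'<module-option name="userfilter" value="{value}"/>'


def parsed_value(xml_line):
    """The filter string the XML parser delivers to JBoss, or None if the
    line is not well-formed XML."""
    try:
        return ET.fromstring(xml_line).get("value")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for label, f in (("posted", POSTED_FILTER), ("fixed", FIXED_FILTER)):
        try:
            check_filter(f)
            print(f"{label}: valid")
        except FilterSyntaxError as e:
            print(f"{label}: invalid ({e})")
    raw = module_option(FIXED_FILTER, escape=False)
    print("raw '&' line is well-formed XML:", parsed_value(raw) is not None)
    print("'&amp;' line yields the filter:", parsed_value(module_option(FIXED_FILTER)) == FIXED_FILTER)
```

Running it shows the posted filter rejected at the doubled "((primaryGroupID", the fixed one accepted, the raw "&" line rejected by the XML parser and the "&amp;" line decoded back to the plain "&" filter. So writing "&amp;" in standalone.xml is the correct escaping, not the cause of the problem; the variant suggested in the last comment, with the outer parentheses dropped, also fails the syntax check because a filter must start with "(".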