How to specify the group used to authenticate a user in LdapLoginModule and the JBoss configuration

Tag: authentication , jboss , filter , ldap , group Author: z775653181 Date: 2013-04-10

I would like to authenticate the user only if he is in a specific group.

For my test I have two users:

  • one user is in the FIRST GROUP
  • the other is in the SECOND GROUP

I have an Active Directory:

usrA is in group1, usrB is in group2, and I authenticate the user via JBoss with LdapLoginModule in standalone.xml.


<login-module code="" flag="sufficient">
  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <module-option name="java.naming.provider.url" value="ldap://"/>
  <module-option name="java.naming.allowEmptyPasswords" value="false"/>
  <module-option name="userfilter" value="(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"/>
  <module-option name="principalDNSuffix" value=""/>
  <module-option name="" value="simple"/>
</login-module>

where (primaryGroupID=1109) is group1.

The result is:

  • usrA logs in successfully
  • usrB logs in successfully too

So either the filter is not working properly or it is not used at all, and I get no error.

I tested the userfilter query against Active Directory and it correctly returns "usrA".

Does someone have an idea what the problem is? Does anyone know another way to authenticate a user according to his group?

Is the user filter actually "(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))" ? Try this one: (&(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109))
Hi acdcjunior, and thanks for helping me. But when I try without &amp; I get a parsing error between & and ( ...
14:34:00,583 ERROR [] JBAS015956: Caught exception during boot: JBAS014676: Failed to parse configuration at [jboss-as-controller-7.1.1.Final.jar:7.1.1.Final] at Source) [rt.jar:1.7.0_04] Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '(' (code 40) (expected a name start character) at [row,col {unknown-source}]: [259,71]
The exception seems not to be about the &, but a (. Try: value="&(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109)"
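The thread turns on two separate things that are easy to conflate: what the XML parser hands the login module after it decodes the attribute value (so `&amp;` must stay `&amp;` in standalone.xml, which is why the raw `&` attempt fails to load), and whether the decoded string is then a well-formed RFC 4515 filter (the doubled parentheses around the primaryGroupID term are not). The following Python is an added example, not code from the original post or from JBoss: it reads the filter out of a `<module-option>` the way an XML parser does and runs a small RFC 4515 well-formedness check over it. The module class name, the option name `userfilter` (copied from the question) and the group RID 1109 are placeholders taken from the thread, not verified JBoss settings.

```python
"""Added example, not code from the original post or from JBoss: decode an LDAP
filter from a standalone.xml <module-option> as an XML parser would, then check
that the decoded filter is well-formed per RFC 4515.  The module class, the
option name "userfilter" and the RID 1109 are placeholders from the thread."""
import xml.etree.ElementTree as ET

# Constructed fragments; only the value attribute differs between them.
# 1) '&' escaped correctly, but the group term is wrapped in an extra "( )".
BROKEN_XML = """<login-module code="LdapLoginModule" flag="sufficient">
  <module-option name="userfilter"
      value="(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"/>
</login-module>"""
# 2) '&' escaped and the group term written as a single item.
FIXED_XML = """<login-module code="LdapLoginModule" flag="sufficient">
  <module-option name="userfilter"
      value="(&amp;(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109))"/>
</login-module>"""
# 3) raw '&' in an attribute value: not well-formed XML, so the file never loads.
UNESCAPED_XML = """<login-module code="LdapLoginModule" flag="sufficient">
  <module-option name="userfilter"
      value="(&(objectCategory=person)(objectClass=user)(cn={USERNAME})(primaryGroupID=1109))"/>
</login-module>"""


def xml_well_formed(xml_text):
    """True if the fragment parses; a bare '&' in an attribute makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def option_value(xml_text, name):
    """Decoded value of <module-option name=...>; '&amp;' comes back as '&'."""
    for opt in ET.fromstring(xml_text).iter("module-option"):
        if opt.get("name") == name:
            return opt.get("value")
    raise KeyError(name)


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, index after it).
    Nodes are ('&'|'|', [children]), ('!', [child]) or ('item', attr, value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("'%s' with no operands at %d" % (op, i))
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        if end < 0:
            raise ValueError("unterminated item at %d" % i)
        item = s[i:end]
        attr, sep, value = item.partition("=")
        # "((primaryGroupID=1109))" lands here with attr "(primaryGroupID":
        # an item must contain '=' and may not itself start with '('.
        if not sep or not attr or "(" in item:
            raise ValueError("malformed item %r at %d" % (item, i))
        node, i = ("item", attr, value), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def parse_ldap_filter(s):
    """Parse a complete filter string, rejecting trailing characters."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters at %d: %r" % (end, s[end:]))
    return node


def check_filter(xml_text, name="userfilter"):
    """Return (decoded filter, None) if well-formed, else (decoded filter, error)."""
    raw = option_value(xml_text, name)
    try:
        parse_ldap_filter(raw)
        return raw, None
    except ValueError as exc:
        return raw, str(exc)


def restricts_to_group(node, attr="primaryGroupID", rid="1109"):
    """True if a top-level AND filter carries the attr=rid item, i.e. it can
    only match users whose *primary* group has that RID."""
    return node[0] == "&" and any(
        c[0] == "item" and c[1] == attr and c[2] == rid for c in node[1])


if __name__ == "__main__":
    for label, xml in ("broken", BROKEN_XML), ("fixed", FIXED_XML):
        print(label, check_filter(xml))
    print("unescaped well-formed:", xml_well_formed(UNESCAPED_XML))
```

Two caveats a practitioner would add. First, this only checks syntax; it cannot tell whether the login module actually reads the option it was given, which is what an unrestricted login with no error would suggest, so the option name should be checked against the documentation for the exact module class in `code=`. Second, in Active Directory `primaryGroupID` holds only the RID of the user's primary group (by default Domain Users, RID 513); membership in any other group is recorded in `memberOf`, so filtering on `primaryGroupID` restricts by primary group, not by ordinary group membership.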