The following procedure provides a general list of steps to follow for configuring your application server so that users can log in using both shortname and distinguished name. You must first configure the Content Engine application server's authentication parameters, and then configure the Content Engine authorization parameters. Then, in some cases, you must also configure the Application Engine authentication parameters.
NOTE You can carry out this procedure before or after installing Content Engine and Application Engine. If you have already installed and configured Content Engine, then Configuration Manager has already configured your application server's authentication parameters for one authenticating attribute, for example, using shortname (cn).
The following procedures use the terms shortname and longname, which typically map to the following LDAP attributes:

| Directory Server | Typical shortname equivalent | Typical longname equivalent |
|---|---|---|
| Active Directory | sAMAccountName | userPrincipalName or DN |
| Sun | uid | DN |
| Novell | cn | DN |
| IBM | cn | DN |
To configure for multiple authenticating attributes (shortname and distinguished name)

(&(|(shortname=%v)(longname=%v))(objectcategory=user))

user:shortname;user:longname

baseFilter and roleFilter:
```xml
<application-policy name="ibm">
  <authentication>
    <!-- First module: authenticate and resolve roles by longname -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
      <module-option name="bindCredential">test1</module-option>
      <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
      <module-option name="baseFilter">(longname={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
      <module-option name="roleFilter">(longname={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">-1</module-option>
    </login-module>
    <!-- Second module: same settings, but authenticate and resolve roles by shortname -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
      <module-option name="bindCredential">test1</module-option>
      <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
      <module-option name="baseFilter">(shortname={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
      <module-option name="roleFilter">(shortname={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">-1</module-option>
    </login-module>
  </authentication>
</application-policy>
```

CAUTION When using JBoss 4.0.5, if CN=Users is missing from the rolesCtxDN tag, you will not be able to log on to Enterprise Manager, which will throw an incorrect user name/password exception.
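As an added example (not part of the IBM documentation and not JBoss code), the following checker parses an `<application-policy>` of the shape shown above and flags the caution case (rolesCtxDN no longer matching the baseCtxDN container), along with `allowEmptyPasswords` not being `false`, a missing `sufficient` flag, and a `%v` placeholder used where JBoss expects `{0}`. The sample policy is constructed, and the rule that rolesCtxDN should equal baseCtxDN is an assumption drawn from the documented configuration, where both are `CN=Users,DC=yourDC`.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the documentation): the second module has
# allowEmptyPasswords=true, a rolesCtxDN without CN=Users, and a %v filter.
SAMPLE_POLICY = """<application-policy name="ibm"><authentication>
 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
  <module-option name="allowEmptyPasswords">false</module-option>
  <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
  <module-option name="baseFilter">(userPrincipalName={0})</module-option>
  <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
  <module-option name="roleFilter">(userPrincipalName={0})</module-option>
 </login-module>
 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
  <module-option name="allowEmptyPasswords">true</module-option>
  <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
  <module-option name="baseFilter">(sAMAccountName={0})</module-option>
  <module-option name="rolesCtxDN">DC=yourDC</module-option>
  <module-option name="roleFilter">(sAMAccountName=%v)</module-option>
 </login-module>
</authentication></application-policy>"""

def module_options(module):
    """Map module-option name -> value for one <login-module> element."""
    return {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}

def check_policy(xml_text):
    """Return (module_index, problem) findings per LdapExtLoginModule; [] means clean."""
    root = ET.fromstring(xml_text)
    modules = [m for m in root.iter("login-module")
               if m.get("code", "").endswith("LdapExtLoginModule")]
    findings = []
    if len(modules) < 2:  # one module means only one authenticating attribute
        findings.append((0, "need one LdapExtLoginModule per authenticating attribute"))
    for i, m in enumerate(modules, 1):
        opt = module_options(m)
        if m.get("flag") != "sufficient":  # otherwise the second attribute is never tried
            findings.append((i, "flag must be 'sufficient'"))
        if opt.get("allowEmptyPasswords", "").lower() != "false":
            findings.append((i, "allowEmptyPasswords must be false"))
        base, roles = opt.get("baseCtxDN", ""), opt.get("rolesCtxDN", "")
        if base.lower() != roles.lower():  # assumed rule: the caution case (CN=Users dropped)
            findings.append((i, "rolesCtxDN %r differs from baseCtxDN %r" % (roles, base)))
        for name in ("baseFilter", "roleFilter"):  # JBoss substitutes {0}, not %v
            if "{0}" not in opt.get(name, ""):
                findings.append((i, name + " lacks the {0} placeholder"))
    return findings
```

Run it against your own login-config.xml policy element before restarting the server; an empty list means none of these checks fired.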