The following procedure provides a general list of steps to follow for configuring your application server so that users can log in using both the shortname and the distinguished name. You must first configure the Content Engine (CE) application server's authentication parameters, then CE's authorization parameters. Then, in some cases, you must also configure the Application Engine's (AE) authentication parameters.
NOTE You can carry out this procedure before or after installing CE and AE. If you have already installed and configured CE, then Configuration Manager has already configured your application server's authentication parameters for one authenticating attribute, for example shortname (cn).
The following procedures use the terms shortname and longname, which typically map to the following LDAP attributes:

| Directory Server | Typical shortname equivalent | Typical longname equivalent |
|---|---|---|
| Active Directory | sAMAccountName | userPrincipalName or DN |
| Sun | uid | DN |
| Novell | cn | DN |
| IBM | cn | DN |
To configure for multiple authenticating attributes (shortname and distinguished name)
(&(|(shortname=%v)(longname=%v))(objectcategory=user))
user:shortname;user:longname
baseFilter and roleFilter:
    <!-- Replace "shortname" and "longname" below with the attribute names for your
         directory from the table above (for Active Directory: sAMAccountName and
         userPrincipalName). Both login modules are flag="sufficient", so a user is
         authenticated as soon as either module succeeds: the first matches the login
         against the longname attribute, the second against the shortname attribute. -->
    <application-policy name="ibm">
      <authentication>
        <!-- Module 1: look the user up by longname (distinguished name / UPN). -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
          <!-- ldap:// on port 389 carries the bind credential and user passwords in
               clear text unless TLS is negotiated with the directory. -->
          <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <!-- Keep false: many directories treat a simple bind with an empty password
               as an anonymous bind that succeeds. -->
          <module-option name="allowEmptyPasswords">false</module-option>
          <!-- Lookup account used for the user and role searches; it only needs read
               access to the user entries. The values here are placeholders. -->
          <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
          <module-option name="bindCredential">test1</module-option>
          <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
          <module-option name="baseFilter">(longname={0})</module-option>
          <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
          <module-option name="roleFilter">(longname={0})</module-option>
          <module-option name="roleAttributeID">memberOf</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          <module-option name="roleRecursion">-1</module-option>
        </login-module>
        <!-- Module 2: same directory and lookup account, but the user and role
             searches match the shortname attribute. Only reached if module 1 did
             not authenticate the user. -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
          <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="allowEmptyPasswords">false</module-option>
          <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
          <module-option name="bindCredential">test1</module-option>
          <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
          <module-option name="baseFilter">(shortname={0})</module-option>
          <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
          <module-option name="roleFilter">(shortname={0})</module-option>
          <module-option name="roleAttributeID">memberOf</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          <module-option name="roleRecursion">-1</module-option>
        </login-module>
      </authentication>
    </application-policy>
CAUTION When using JBoss 4.0.5, if CN=Users is missing from the rolesCtxDN tag, you will not be able to log on to Enterprise Manager, which will throw an incorrect user name/password exception.
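As an added example (not code from the IBM documentation), the following Python script shows what the filter and the two-module configuration above do at the attribute level: it escapes the user-typed login value per RFC 4515 before substituting it for %v / {0}, builds the combined shortname/longname user filter, and models the two "sufficient" login modules and the rolesCtxDN/memberOf role lookup against a small constructed in-memory directory. The attribute names follow the Active Directory row of the table (sAMAccountName and userPrincipalName); the DNs, users, groups and the example.com domain are constructed sample values, and the in-memory exact-match search stands in for a real LDAP server.

```python
"""Added example, not part of the IBM documentation: RFC 4515 escaping of the
login value, the combined shortname/longname user filter, and a model of the
two 'sufficient' LdapExtLoginModule entries plus the rolesCtxDN role lookup.
All directory data below is constructed sample data."""
from typing import Dict, List, Optional

SHORTNAME = "sAMAccountName"                 # Active Directory "shortname"
LONGNAME = "userPrincipalName"               # Active Directory "longname"
BASE_CTX_DN = "CN=Users,DC=example,DC=com"   # constructed baseCtxDN / rolesCtxDN


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a login such as '*)(objectclass=*' would change the
    structure of the filter instead of being compared as a literal string."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(login: str, shortname: str = SHORTNAME,
                      longname: str = LONGNAME,
                      object_filter: str = "(objectcategory=user)") -> str:
    """The (&(|(shortname=%v)(longname=%v))(objectcategory=user)) filter from
    the text, with %v replaced by the escaped login value."""
    v = escape_filter_value(login)
    return f"(&(|({shortname}={v})({longname}={v})){object_filter})"


# Constructed sample directory: entry DN -> attributes.
SAMPLE_DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=Jane Doe,CN=Users,DC=example,DC=com": {
        SHORTNAME: "jdoe",
        LONGNAME: "jdoe@example.com",
        "memberOf": ["CN=CEAdmins,CN=Users,DC=example,DC=com"],
    },
    "CN=Svc Lookup,CN=Users,DC=example,DC=com": {
        SHORTNAME: "svc-lookup",
        LONGNAME: "svc-lookup@example.com",
        "memberOf": [],
    },
}


def _search(attr: str, value: str, directory, base_ctx: str) -> List[str]:
    """Exact, case-insensitive match of attr=value for entries below base_ctx;
    stands in for the LDAP search a real login module would issue."""
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base_ctx.lower())
            and str(entry.get(attr, "")).lower() == value.lower()]


def resolve_user(login: str, directory=SAMPLE_DIRECTORY,
                 base_ctx: str = BASE_CTX_DN) -> Optional[str]:
    """Model of the two 'sufficient' login modules: the first matches the
    login against the longname attribute, the second against the shortname.
    The first module that finds exactly one entry under baseCtxDN wins; an
    empty or ambiguous result falls through, and None means both failed."""
    for attr in (LONGNAME, SHORTNAME):
        matches = _search(attr, login, directory, base_ctx)
        if len(matches) == 1:
            return matches[0]
    return None


def roles_for(user_dn: str, directory=SAMPLE_DIRECTORY,
              roles_ctx: str = BASE_CTX_DN) -> List[str]:
    """rolesCtxDN / roleFilter step: the authenticated entry is looked up
    again under rolesCtxDN and roleAttributeID (memberOf) is read. An entry
    that is not under rolesCtxDN yields no roles, which is why rolesCtxDN
    has to name the right container."""
    if user_dn not in directory or not user_dn.lower().endswith(roles_ctx.lower()):
        return []
    return list(directory[user_dn].get("memberOf", []))


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@example.com", "*)(objectclass=*", "nobody"):
        print(build_user_filter(login))
        dn = resolve_user(login)
        print("  ->", dn, roles_for(dn) if dn else "")
```

Running the script prints the filter built for each sample login, the entry it resolves to (or None), and the roles read under rolesCtxDN; the wildcard login resolves to nothing because its metacharacters are escaped and compared literally.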