The first step (on Windows) is:
jboss-cli.bat --file=ldapinit.cli
I searched for the following:
<login-module code="LdapExtended" flag="optional">
Then I added the following the lines:
<module-option name="java.naming.provider.url" value="ldap://ldap.acme.com/"/>
<module-option name="bindDN" value="cn=dpuser,OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="bindCredential" value="Password-whatever"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="baseCtxDN" value="OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
There's something wrong with the rolesCtxDN, though, as this lets me control LDAP users, but not LDAP groups. That is, if I have a line:
"" "gregb" "@LDAP_USER" * "admin"
in the UserList file, I can log in with my credentials. But if I replace that with
"" "Administrators" "@LDAP_GROUP" * "admin"
(which is what I really wanted to do), then on login I get a message about "insufficient privileges". Good enough for now, but I'll have to revisit this.
Greg Baker is an independent consultant who happens to do a lot of work on HP DataProtector. He is the author of the only published books on HP Data Protector (http://www.ifost.org.au/books/#dp). He works with HP and HP partner companies to solve the hardest big-data problems (especially around backup). See more at IFOST's DataProtector pages at http://www.ifost.org.au/dataprotector