7 Replies Latest reply on Sep 20, 2001 1:56 AM by jpvasquez

    LdapLoginModule Source?

    jpvasquez

      Does anybody know where the source for LdapLoginModule included in JBoss 2.4 is? I'd like to take a look at how the groups are searched, but it wasn't in the $JBOSS_HOME/src/org/jboss/security/plugins/samples directory as I would have expected.

      Also, I'm getting an error that JAAS was looking for "option key" but found "null". I've basically lifted the ldaploginmodule config from the jboss docs, so I'm a little confused at that (I thought the source might help me there too :))

        • 1. Re: LdapLoginModule Source?
          nuanda

          JP,

          Yeah, they didn't pack the source up with the 2.4 release (although the binaries are there, obviously), though you can check out the JBoss CVS repository to view it. Try:

          http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jbosssx/src/main/org/jboss/security/auth/spi/

          "option key" I would imagine is referring to the option=value pairs in the auth.conf that you need to set up for your application's configuration block.

          e.g.:
          org.jboss.security.plugins.samples.LdapLoginModule required
          java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
          principalDNPrefix=uid=
          uidAttributeID=userid
          blah..blah...


          • 2. Re: LdapLoginModule Source?
            jpvasquez

            Thanks for the info--it was helpful to see that source, although I'm not very experienced with JAAS yet. I'm still getting this problem about the "expected 'option key'"

            Here's what my auth.conf looks like right now:

            ...default auth.conf above here...
             // the case for an unauthenticated web client or MDB. If you don't want to
             // allow such users to be authenticated remove the property.
             org.jboss.security.auth.spi.UsersRolesLoginModule required
             unauthenticatedIdentity="nobody";
            
            };
            
            testLdap {
             org.jboss.security.plugins.samples.LdapLoginModule required
             java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
             principalDNPrefix=mydnprefix
             principalDNSuffix=mydnsuffix
             uidAttributeName=uniquemember
             uidAttributeID=uid
             roleAttributeID=cn
             rolesCtxDN=rolesctxdnval
             java.naming.provider.url=ldap://ldaphost:ldapport/
             java.naming.security.authentication=simple
             ;
            };
            


            Here's what the error looks like:
            java.lang.SecurityException: Configuration Error: Line 222: expected 'option key', found 'null'
            RequestURI=/ldaptest/secure
            


            The weird thing is that the "Line number" starts at 37, and grows by exactly 37 each time I hit refresh (I'm trying to make this work via a browser with the server protecting a directory)

            If it's referring to line numbers in auth.conf, then line 37 is the line that sets up the java.naming.factory.initial value. (There are only 47 lines in the file, so the other line numbers are bogus.)

            Any ideas on this?

            • 3. Re: LdapLoginModule Source?
              nuanda

              My configuration block is:

              ldap {
              // LDAP authentication
              au.xxx.yyy.security.LdapLoginModule required
              ldapSearchBase="ou=people,dc=xxx,dc=yyy,dc=au"
              java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
              java.naming.provider.url="ldap://ldaphost/"
              java.naming.security.authentication="simple"
              ;
              };



              Your problem is that you are not quoting your provider.url entry. The configuration parser is resolving the // in ldap://ldaphost as a comment. The good news is that your ';'s are in the right place, I misplaced one of mine and the error message was even more cryptic!

              Good luck,

              Dave
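              To check the quoting rule without starting JBoss, here is an added example (not code from this thread or from JBoss) that feeds an unquoted and a quoted "testLdap" block through the JDK's own JAAS login-configuration parser, obtained via Configuration.getInstance("JavaLoginConfig", ...). The host, port and module class name in the two blocks are placeholders; the exact wording of the parser's error message depends on the JDK version, so the program prints it rather than matching it.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.URIParameter;

/*
 * Added example, not code from the thread or from JBoss: parses an unquoted and a
 * quoted "testLdap" block with the JDK's JAAS login-configuration parser so the
 * quoting rule can be checked offline. Host, port and module class are placeholders.
 */
public class AuthConfQuoting {

    // As posted: the provider URL is bare, so the tokenizer treats "//" as the start
    // of a comment and the line no longer parses as key=value.
    static final String UNQUOTED =
          "testLdap {\n"
        + "  org.jboss.security.plugins.samples.LdapLoginModule required\n"
        + "  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory\n"
        + "  java.naming.provider.url=ldap://ldaphost:389/\n"
        + "  java.naming.security.authentication=simple\n"
        + "  ;\n"
        + "};\n";

    // Same block with every option value in double quotes; a quoted string is taken literally.
    static final String QUOTED =
          "testLdap {\n"
        + "  org.jboss.security.plugins.samples.LdapLoginModule required\n"
        + "  java.naming.factory.initial=\"com.sun.jndi.ldap.LdapCtxFactory\"\n"
        + "  java.naming.provider.url=\"ldap://ldaphost:389/\"\n"
        + "  java.naming.security.authentication=\"simple\"\n"
        + "  ;\n"
        + "};\n";

    /** Writes the text to a temp file, parses it, and returns the options of the named entry. */
    static Map<String, ?> loadOptions(String confText, String appName) throws Exception {
        Path tmp = Files.createTempFile("auth", ".conf");
        try {
            Files.write(tmp, confText.getBytes(StandardCharsets.UTF_8));
            Configuration cfg = Configuration.getInstance("JavaLoginConfig", new URIParameter(tmp.toUri()));
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(appName);
            if (entries == null || entries.length == 0) {
                throw new IllegalStateException("no login entry named " + appName);
            }
            return entries[0].getOptions();
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] args) {
        String[][] variants = { { "unquoted", UNQUOTED }, { "quoted", QUOTED } };
        for (String[] v : variants) {
            try {
                Map<String, ?> opts = loadOptions(v[1], "testLdap");
                System.out.println(v[0] + ": parsed, provider.url=" + opts.get("java.naming.provider.url"));
            } catch (Exception e) {
                // The Configuration provider wraps the parser's error; report the innermost message.
                Throwable root = e;
                while (root.getCause() != null) root = root.getCause();
                System.out.println(v[0] + ": rejected: " + root.getMessage());
            }
        }
    }
}
```

              Run it with plain `javac` and `java`; the unquoted variant is rejected by the parser and the quoted one yields an options map whose java.naming.provider.url is the full "ldap://ldaphost:389/". Quoting every value, not just the URL, is the habit that avoids this class of error, since a value containing `/`, `=` or `;` breaks the same way.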

              • 4. Re: LdapLoginModule Source?
                jpvasquez

                :) Thanks -- that was exactly it.

                Well, I'm assuming that it all works well, but unfortunately, nothing is ever easy. Our company has set up our LDAP directory so that it is impossible to search it without a special account. (i.e., the user that binds to the directory to test the authentication can't search the groups branch to see what roles they are in).

                So, I have an "admin" dn and credential that I'll need to use when doing the search for matching roles. Authentication is working great -- role matching is what is failing now. After looking at the source, this doesn't look like it would be too difficult to do -- if I can check out the CVS module, I'll probably take a crack at it.

                Do other companies do this? Would it be worth merging these changes back into the LdapLoginModule as optional attributes?

                Anyway, thanks for all the help so far!

                • 5. Re: LdapLoginModule Source?
                  nuanda

                  Nod, our LDAP schema is a little odd in that a user's id does not form part of their DN. So we just subclassed UsernamePasswordLoginModule for our custom LdapLoginModule, using the default JBoss example as a guide. Easy enough, not sure if it's worth contributing into the JBoss source tree since everyone's LDAP directory is going to have its own peculiarities...



                  • 6. Re: LdapLoginModule Source?
                    jpvasquez

                    I just got this working. If anybody wants it, the patch is pretty simple. (Unfortunately, I can't get at cvs and diff tools tonight)

                    Add two new class-level variables:

                     private static final String ADMIN_DN_OPT = "adminDN";
                     private static final String ADMIN_PWD_OPT = "adminPassword";
                    


                    In the if block where the query for the roles begins, add this:

                    ...
                     if( rolesCtxDN != null )
                     {
                        // Optional service-account DN read from the module options (adminDN)
                        String adminDN = (String) options.get(ADMIN_DN_OPT);
                        //Start Here
                        if ( adminDN != null ) {
                           // Swap the user's bind credentials for the privileged account's and
                           // open a fresh context; the role search below runs as that account.
                           // The context bound as the user (ctx) is still open at this point.
                           env.setProperty(Context.SECURITY_PRINCIPAL, adminDN);
                           String adminPwd = (String) options.get(ADMIN_PWD_OPT);
                           env.setProperty(Context.SECURITY_CREDENTIALS, adminPwd);
                           ctx = new InitialLdapContext(env, null);
                        }
                        //End Here

                        String uidAttrName = (String) options.get(UID_ATTRIBUTE_ID_OPT);
                    ...
                    


                    Now in the configuration file, you just have to add two new name/value pairs called adminDN and adminPassword.

                    (This update just rebinds with the LDAP server with the privileged user's credentials before the search takes place)


                    • 7. Re: LdapLoginModule Source?
                      jpvasquez

                      Whoops... that didn't get the last little update that's in my real code... you should probably call ctx.close() somewhere before calling the new InitialContext for safety's sake...
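                      The two-bind scheme from the patch above (authenticate with the user's own bind, then search the groups branch under a privileged account), written as a stand-alone JNDI program. This is an added example, not the thread's patch or JBoss's LdapLoginModule; the directory layout, attribute names and the ldaphost URL are assumptions chosen to mirror the option names used in the thread (principalDNPrefix/Suffix, rolesCtxDN, uidAttributeName, roleAttributeID). It includes the ctx.close() that the follow-up says the patch was missing, rejects empty passwords (a simple bind with empty credentials is an anonymous bind, which the server accepts without checking anything), and lets JNDI escape the user DN when it is substituted into the search filter.

```java
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.Rdn;

/*
 * Added example, not the thread's patch or JBoss code: bind 1 proves the user's
 * password, bind 2 uses a read-only service account to search the groups branch
 * the user is not allowed to read. Directory layout and attribute names are assumed.
 */
public class TwoBindLdapRoles {

    static final String PROVIDER_URL = "ldap://ldaphost:389/";                // assumed host/port
    static final String PRINCIPAL_DN_PREFIX = "uid=";                          // principalDNPrefix
    static final String PRINCIPAL_DN_SUFFIX = ",ou=people,dc=example,dc=com"; // principalDNSuffix (assumed)
    static final String ROLES_CTX_DN = "ou=groups,dc=example,dc=com";         // rolesCtxDN (assumed)
    static final String UID_ATTRIBUTE_NAME = "uniquemember";                  // group attribute holding member DNs
    static final String ROLE_ATTRIBUTE_ID = "cn";                              // roleAttributeID

    /** Opens a simple-bind connection as the given DN; the caller must close it. */
    static LdapContext bind(String dn, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialLdapContext(env, null);
    }

    /** Builds the user's DN, escaping the username so it cannot smuggle in extra RDN components. */
    static String userDn(String username) {
        return PRINCIPAL_DN_PREFIX + Rdn.escapeValue(username) + PRINCIPAL_DN_SUFFIX;
    }

    /** Bind 1: authenticate as the user. The context is closed right away and never reused. */
    static boolean authenticate(String username, char[] password) throws NamingException {
        // An empty password turns the simple bind into an anonymous bind, which succeeds
        // without checking anything, so refuse it before talking to the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        LdapContext ctx = null;
        try {
            ctx = bind(userDn(username), password);
            return true;
        } catch (AuthenticationException e) {
            return false;                  // wrong password or no such entry
        } finally {
            if (ctx != null) ctx.close();  // the close the thread's patch was missing before rebinding
        }
    }

    /** Bind 2: search the groups branch as the service account and collect role names. */
    static Set<String> findRoles(String username, String serviceDn, char[] servicePassword)
            throws NamingException {
        LdapContext ctx = bind(serviceDn, servicePassword);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { ROLE_ATTRIBUTE_ID });
            // {0} is substituted by JNDI with filter-metacharacter escaping applied,
            // so a crafted username cannot rewrite the filter.
            String filter = "(" + UID_ATTRIBUTE_NAME + "={0})";
            Set<String> roles = new LinkedHashSet<>();
            NamingEnumeration<SearchResult> results =
                    ctx.search(ROLES_CTX_DN, filter, new Object[] { userDn(username) }, sc);
            try {
                while (results.hasMore()) {
                    Attribute a = results.next().getAttributes().get(ROLE_ATTRIBUTE_ID);
                    if (a != null) roles.add(String.valueOf(a.get()));
                }
            } finally {
                results.close();
            }
            return roles;
        } finally {
            ctx.close();  // the service-account context is closed too, whatever happens
        }
    }

    // Usage: java TwoBindLdapRoles <username> <password> <serviceDN> <servicePassword>
    public static void main(String[] args) throws NamingException {
        if (args.length != 4) {
            System.err.println("usage: TwoBindLdapRoles <username> <password> <serviceDN> <servicePassword>");
            System.exit(2);
        }
        if (!authenticate(args[0], args[1].toCharArray())) {
            System.out.println("authentication failed for " + args[0]);
            return;
        }
        System.out.println("roles for " + args[0] + ": " + findRoles(args[0], args[2], args[3].toCharArray()));
    }
}
```

                      Two caveats that carry over to the patch: the service account's password ends up in clear text in auth.conf, so that file needs the same file-permission care as any other credential store; and the account should be granted read access to the groups branch only, since it is used for nothing but this search.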