5 Replies Latest reply on Mar 24, 2002 3:46 PM by mbutu

    Help setting up LDAPLoginModule

    mbutu

      Hi,


      I'm having trouble getting the LDAPLoginModule to work.

      I have an OpenLDAP tree looking like this:

      o=supermarket
      |
      |-ou=Groups
      | |
      | |-cn=Admin
      | |
      | |-cn=User
      |
      |-ou=People
      | |
      | |-uid=John

      My auth.conf looks like this:

      ldap {
      org.jboss.security.auth.spi.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.provider.url="ldap://localhost"
      java.naming.security.authentication="simple"
      rolesCtxDN="ou=Groups,o=supermarket"
      roleAttributeID="cn"
      // the attribute in e.g. cn=Admin,ou=Groups,o=supermarket
      // containing member dn's
      uidAttributeID="member"
      principalDNPrefix="uid="
      principalDNSuffix=",ou=People,o=supermarket";
      };

      web.xml looks like this:

      <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>User</role-name>
      </auth-constraint>

      But I cannot login to my protected resource.

      I get HTTP Status 403 even when I log in with correct user/pass.

      Have I forgotten something?


      br,
      Chris

        • 1. Re: Help setting up LDAPLoginModule
          mbutu

          Forgot to tell you I use jboss-3.0.0beta with Tomcat4.0.2.

          And that I get this error when I log in with an incorrect username/password:

          15:41:45,874 DEBUG [LdapLoginModule] Bad password for username=null
          15:41:49,138 ERROR [LdapLoginModule] Failed to validate password
          .
          .
          .
          15:41:49,138 DEBUG [LdapLoginModule] Bad password for username=SomeOne
          15:41:49,148 DEBUG [ldap] Login failure
          javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

          So I guess users are authenticated correctly since I
          don't get this error with a correct username & password.

          And why is there an extra: Bad password for username=null
          The stacktrace is from the same login where username=SomeOne.

          • 2. Re: Help setting up LDAPLoginModule
            mbutu

            I have the exact same problem with the DatabaseLoginModule.

            If I log in with a correct username/password I get "HTTP Status 403".

            And if I log in with an invalid username/password I can see that the login fails from the console. And I get a
            javax.security.auth.login.FailedLoginException: No matching username found in Principals

            Which is what is supposed to happen.


            But why do I get this 403 error?
            What have I missed?

            • 3. Re: Help setting up LDAPLoginModule
              mbutu

              One more thing.

              The following error appears when I access the protected resource and even before I submitted the login information.

              17:50:03,970 DEBUG [LdapLoginModule] Bad password for username=null

              • 4. Re: Help setting up LDAPLoginModule
                mbutu

                I installed JBoss with Jetty. And Jetty at least told me that the user is not in role xx. Which was what I suspected.

                I fixed the DatabaseLoginModule by following these instructions.
                http://main.jboss.org/thread.jsp?forum=49&thread=1095

                But I still need help in figuring out why the LDAPLoginModule can't retrieve the roles.

                Can someone give me an example of their LDAP tree structure and auth.conf file?

                • 5. Re: Help setting up LDAPLoginModule
                  mbutu

                  This topic turned into a monologue but I'm glad to have solved the problem.

                  I just added matchOnUserDN=true to my auth.conf and it worked. It just took a while to find out that it was really the roles it could not find.

                  The member attribute in the Roles groups, of course, contains the full dn of the authenticated user.

                  :)
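Added example (Python, written for this page; it is neither the poster's code nor JBoss's own LdapLoginModule) modelling the role lookup the last post describes, so the effect of `matchOnUserDN` is visible offline. `DIRECTORY` is a constructed in-memory copy of the poster's tree; the options are the ones from the poster's auth.conf. The filter shape `(uidAttributeID=value)` and the one-level search under `rolesCtxDN` are assumptions about how the module searches, and the RFC 4515 filter escaping is a defensive extra the thread does not mention. Without `matchOnUserDN` the bare username `John` is compared against `member` values that hold full DNs, so no group matches and the user ends up with no roles (the 403 the poster saw); with it, the constructed DN `uid=John,ou=People,o=supermarket` matches both groups.

```python
import re

# Constructed in-memory copy of the poster's OpenLDAP tree: DN -> attributes.
# Group membership is stored as full user DNs in the "member" attribute.
DIRECTORY = {
    "uid=John,ou=People,o=supermarket": {"uid": ["John"]},
    "uid=Jane,ou=People,o=supermarket": {"uid": ["Jane"]},
    "cn=Admin,ou=Groups,o=supermarket": {
        "cn": ["Admin"],
        "member": ["uid=John,ou=People,o=supermarket"],
    },
    "cn=User,ou=Groups,o=supermarket": {
        "cn": ["User"],
        "member": [
            "uid=John,ou=People,o=supermarket",
            "uid=Jane,ou=People,o=supermarket",
        ],
    },
}

# Module options as they appear in the poster's auth.conf.
OPTIONS = {
    "rolesCtxDN": "ou=Groups,o=supermarket",
    "roleAttributeID": "cn",
    "uidAttributeID": "member",
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,o=supermarket",
}


def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value,
    so a username taken from a login form cannot alter the search filter.
    (Defensive extra; the thread does not discuss escaping.)"""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn(username, opts):
    """DN the module binds as: principalDNPrefix + username + principalDNSuffix."""
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]


def role_search_filter(username, opts, match_on_user_dn):
    """Filter assumed to be sent under rolesCtxDN. Without matchOnUserDN the bare
    username is compared against uidAttributeID; with it, the full user DN is."""
    subject = user_dn(username, opts) if match_on_user_dn else username
    return "(%s=%s)" % (opts["uidAttributeID"], ldap_filter_escape(subject))


def _normalize_dn(dn):
    # Toy DN normalization: case-insensitive, whitespace after commas ignored.
    return re.sub(r",\s*", ",", dn).lower()


def one_level_search(directory, base_dn, attr, value):
    """Entries one level below base_dn whose attr holds value (DN-style match)."""
    wanted = _normalize_dn(value)
    base_norm = _normalize_dn(base_dn)
    base_components = base_dn.count(",") + 1
    hits = {}
    for dn, attrs in directory.items():
        if not _normalize_dn(dn).endswith("," + base_norm):
            continue
        if dn.count(",") + 1 != base_components + 1:  # exactly one level down
            continue
        if any(_normalize_dn(v) == wanted for v in attrs.get(attr, [])):
            hits[dn] = attrs
    return hits


def find_roles(directory, username, opts, match_on_user_dn):
    """Role names (roleAttributeID values) of every group that lists the user."""
    subject = user_dn(username, opts) if match_on_user_dn else username
    hits = one_level_search(directory, opts["rolesCtxDN"],
                            opts["uidAttributeID"], subject)
    roles = []
    for attrs in hits.values():
        roles.extend(attrs.get(opts["roleAttributeID"], []))
    return sorted(roles)


if __name__ == "__main__":
    for flag in (False, True):
        print("matchOnUserDN=%s filter=%s roles=%s" % (
            str(flag).lower(),
            role_search_filter("John", OPTIONS, flag),
            find_roles(DIRECTORY, "John", OPTIONS, flag)))
```

Running it prints an empty role list for `matchOnUserDN=false` and `['Admin', 'User']` for `matchOnUserDN=true`; the poster's `uidAttributeID="member"` only works in the second mode because `member` holds DNs, whereas a group attribute that stored bare uids (for example `memberUid` in a posixGroup) would work in the first.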