LdapLoginModule overrides the principal and credentials (BUG)
claudio4j Nov 8, 2004 11:14 AM
My login-config.xml needs to access LDAP to do authentication. Each user is located under the DN ou=people,dc=claudius,dc=com and the roles are under ou=groups,dc=claudius,dc=com; see the LDIF:
# user
dn: uid=eliane,ou=People,dc=claudius,dc=com
cn: Eliane Almada Miranda
givenName: Eliane
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Miranda
title: Java Guru
uid: eliane
userPassword:: ZWxpYW5l

# group
dn: cn=JBossAdmin,ou=Groups,dc=claudius,dc=com
description: Usuarios admin (INTRANET)
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
cn: JBossAdmin
login-config.xml
<application-policy name="ldap_local">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">cn=Directory Manager,dc=claudius,dc=com</module-option>
      <module-option name="java.naming.security.credentials">admin123</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=claudius,dc=com</module-option>
      <module-option name="uidAttributeID">uniqueMember</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="rolesCtxDN">ou=Groups,dc=claudius,dc=com</module-option>
    </login-module>
  </authentication>
</application-policy>
Trying to log in to my app, I get permission denied. Below is the LDAP log:
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:32881 (IP=0.0.0.0:389)
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 closed
Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 ACCEPT from IP=127.0.0.1:32882 (IP=0.0.0.0:389)
Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 RESULT tag=97 err=49 text=
Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 closed
Persons under "ou=people" don't have permission to log in to the LDAP server, so a service user needs to be used (analogous to the database user for datasources). Then "cn=Directory Manager" comes to help. As you can see, the login-config.xml is properly configured. But the LDAP log still shows the same behavior as described above:
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
Then, looking into LdapLoginModule, Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS are being overridden, as shown below:
255: env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
256: env.put(Context.SECURITY_CREDENTIALS, credential);
I just commented out the lines above, compiled, and updated $JBOSS_HOME/server/default/lib/jbosssx.jar, and everything worked fine. The user got into the system, and the LDAP log shows:
Nov 5 22:22:00 demolidor slapd[2587]: conn=2 fd=10 ACCEPT from IP=127.0.0.1:32883 (IP=0.0.0.0:389)
Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" method=128
Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" mech=simple ssf=0
Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 RESULT tag=97 err=0 text=
Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=1 SRCH base="ou=Groups,dc=claudius,dc=com" scope=2 filter="(&(uniqueMember=uid=eliane,ou=people,dc=claudius,dc=com))"
Nov 5 22:22:01 demolidor slapd[2587]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=2 UNBIND
Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
Nov 5 22:22:01 demolidor slapd[2587]: conn=2 fd=10 closed
Is this the expected behavior? Is this a bug? In LdapLoginModule there are 2 Map instances, "env" and "options"; they are redundant. Another question: the roles of my app are declared in my web.xml or application.xml; how can I map the role names to the real groups in LDAP? I already read chapter 8, "Security Guide", but I didn't find a clear way to do that.
Thanks
Claudio Miranda
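Added example, not from the post above and not JBoss's own code: a Python model of the LdapLoginModule flow driven by the module options in the login-config.xml, run against a constructed in-memory directory built from the LDIF in the post. The bind with the user's own DN (what the two lines setting SECURITY_PRINCIPAL and SECURITY_CREDENTIALS arrange) is the only step in the flow that checks the user's password; the role search only checks that the DN appears in a group. The `people_may_bind` switch is an assumption added to reproduce the `err=49` (invalidCredentials) in the log, `bind_as_user=False` models the post's patch (bind with the service account from the options instead), and the `cn=Directory Manager` entry is assumed since it is not in the LDIF.

```python
import base64

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials: the "err=49" in the slapd log above

# Module options copied from the login-config.xml in the post.
OPTIONS = {
    "java.naming.security.principal": "cn=Directory Manager,dc=claudius,dc=com",
    "java.naming.security.credentials": "admin123",
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=claudius,dc=com",
    "uidAttributeID": "uniqueMember",
    "roleAttributeID": "cn",
    "matchOnUserDN": "true",
    "rolesCtxDN": "ou=Groups,dc=claudius,dc=com",
}


def ldif_value(raw):
    """LDIF marks base64-encoded values with a double colon ("userPassword:: ZWxpYW5l")."""
    return base64.b64decode(raw).decode()


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison key (slapd logs DNs in this normalized form)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed directory built from the LDIF in the post; the service account entry is assumed.
DIRECTORY = {
    "uid=eliane,ou=People,dc=claudius,dc=com": {
        "uid": ["eliane"],
        "userPassword": [ldif_value("ZWxpYW5l")],  # decodes to "eliane"
    },
    "cn=JBossAdmin,ou=Groups,dc=claudius,dc=com": {
        "cn": ["JBossAdmin"],
        "uniqueMember": ["uid=eliane,ou=People, dc=claudius,dc=com",  # space after the comma kept from the LDIF
                         "uid=rafael,ou=People, dc=claudius,dc=com"],
    },
    "cn=Directory Manager,dc=claudius,dc=com": {"userPassword": ["admin123"]},
}


class FakeLdap:
    """Just enough of an LDAP server to replay the two operations in the slapd log: BIND and SRCH."""

    def __init__(self, directory, people_may_bind=True):
        self.entries = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
        self.people_may_bind = people_may_bind  # assumption: models an ACL that denies auth under ou=People
        self.bound_as = None

    def bind(self, dn, password):
        """Simple bind (method=128). Returns the LDAP result code: 0 on success, 49 invalidCredentials."""
        key = normalize_dn(dn)
        entry = self.entries.get(key)
        denied_by_acl = ",ou=people," in key and not self.people_may_bind
        if entry is None or denied_by_acl or password not in entry.get("userPassword", []):
            return INVALID_CREDENTIALS  # slapd reports a wrong password and an ACL-denied auth the same way
        self.bound_as = key
        return 0

    def search(self, base_dn, attr, value):
        """Subtree search (scope=2) under base_dn for entries whose attr equals value, compared as DNs."""
        base = normalize_dn(base_dn)
        wanted = normalize_dn(value)
        return [e for dn, e in self.entries.items()
                if dn.endswith(base) and any(normalize_dn(v) == wanted for v in e.get(attr, []))]


def ldap_login(server, username, password, options=OPTIONS, bind_as_user=True):
    """Replay of the LdapLoginModule flow: build the user DN from prefix/suffix, bind with it
    (the only step that verifies the password), then search rolesCtxDN for the user's groups.
    bind_as_user=False models the post's patch: with the two lines that set SECURITY_PRINCIPAL and
    SECURITY_CREDENTIALS skipped, the bind uses the service account from the options instead."""
    user_dn = options["principalDNPrefix"] + username + options["principalDNSuffix"]
    if bind_as_user:
        rc = server.bind(user_dn, password)
    else:
        rc = server.bind(options["java.naming.security.principal"],
                         options["java.naming.security.credentials"])
    if rc != 0:
        return None  # the real module throws FailedLoginException here
    match = user_dn if options["matchOnUserDN"] == "true" else username
    search_filter = "(&(%s=%s))" % (options["uidAttributeID"], match)  # same shape as the SRCH line in the log
    roles = []
    for group in server.search(options["rolesCtxDN"], options["uidAttributeID"], match):
        roles.extend(group.get(options["roleAttributeID"], []))
    return {"dn": user_dn, "filter": search_filter, "roles": roles}


if __name__ == "__main__":
    ok = FakeLdap(DIRECTORY)
    print(ldap_login(ok, "eliane", "eliane"))              # roles ['JBossAdmin']
    print(ldap_login(ok, "eliane", "wrong-password"))      # None (err=49)
    denied = FakeLdap(DIRECTORY, people_may_bind=False)
    print(ldap_login(denied, "eliane", "eliane"))          # None: err=49 even with the right password
    print(ldap_login(denied, "eliane", "wrong-password", bind_as_user=False))  # patched module: accepted anyway
```

The last case is the one to look at: once the module binds with the service account, the password typed by the user is never sent to the directory, so the search succeeding (the `nentries=2` line) proves only that the DN is a member of some group. If the `err=49` with a correct password comes from a slapd ACL that does not grant `auth` access to `userPassword` for entries under `ou=People`, that is what has to change in the directory; the bind as the user is the authentication step and cannot be removed without losing the password check.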