1 Reply Latest reply on Jul 18, 2005 5:30 PM by patrickdalla

    can't configure JBoss to work with several OUs on Active Dir

    tolstiy

      I'm trying to configure JBoss AS (3.2.3) to work with Windows 2003 Active Directory.

      I'm having difficulties configuring a "rolesCtxDN" parameter.

      Here is my scenario. I have a large Active Directory with >10000 users. These users are divided into several Organizational Units.

      I managed to configure it so that users from any one (but only one) OU can access the application.

      Here is my configuration:

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="roleNameAttributeID">name</module-option>
        <module-option name="principalDNSuffix">@igorsrv.com</module-option>
        <module-option name="principalDNPrefix"></module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.provider.url">ldap://192.168.1.11:</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="uidAttributeID">sAMAccountName</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="userRolesCtxDNAttributeName"></module-option>
        <module-option name="rolesCtxDN">ou=United States,dc=igorsrv,dc=com</module-option>
        <module-option name="matchOnUserDN">false</module-option>
      </login-module>

      Using this configuration only users of the "United States" OU can fully access the portal application.

      If I change the marked configuration line as follows:

      <module-option name="rolesCtxDN">ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com</module-option>

      Then no user can access the portal application.

      The reason for this is that I can't get the user's roles in this case.

      This is a part of the log file:

      2005-06-16 10:46:30,015 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Failed to locate roles
      javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
      'OU=ProActivity Portal,DC=igorsrv,DC=com'
      remaining name 'ou=United States,ou=ProActivity Portal,dc=igorsrv,dc=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1726)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:344)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:293)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:277)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:220)
        at org.jboss.security.auth.spi.LdapLoginModule.createLdapInitContext(LdapLoginModule.java:310)
        at org.jboss.security.auth.spi.LdapLoginModule.validatePassword(LdapLoginModule.java:206)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:151)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:487)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:442)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:198)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:556)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
        at java.lang.Thread.run(Thread.java:534)
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'vasya' authenticated, loginOk=true
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.plugins.JaasSecurityManager.pa-web] updateCache, subject=Subject:
      Principal: vasya
      Principal: Roles(members)



      As a result, my user doesn't have roles and he can't log in to the portal application.

      I need the ability for any user from any OU to access my application.
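Added example, not part of the post above and not JBoss or LdapLoginModule code: a stdlib-only Python model of what the rolesCtxDN search does, run over a constructed in-memory directory that stands in for the poster's Active Directory (the "Europe" OU, the user "olga" and the group "members" are assumed; only the attributes the posted configuration reads are modelled). It reproduces the three behaviours visible in the post: a base naming one OU yields roles only for users directly under that OU; "ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com" is rejected with result code 32 because, read right to left, it names a "United States" OU nested inside "ProActivity Portal", and the server's "best match" is the longest suffix that does exist; and a base all OUs share (the domain root) only finds users in every OU when the search scope is subtree, not one-level.

```python
"""Model of how an LDAP search base (rolesCtxDN) and search scope decide
whose roles a login module can find. Constructed data, not JBoss code."""

# Constructed sample directory: normalised DN -> attributes. Only the
# attributes the posted configuration reads (sAMAccountName, memberOf, name).
# Escaped commas inside RDN values are not handled; the sample has none.
DIRECTORY = {
    "dc=igorsrv,dc=com": {},
    "ou=united states,dc=igorsrv,dc=com": {},
    "ou=europe,dc=igorsrv,dc=com": {},                 # assumed second OU
    "ou=proactivity portal,dc=igorsrv,dc=com": {},
    "cn=members,ou=proactivity portal,dc=igorsrv,dc=com": {"name": "members"},
    "cn=vasya,ou=united states,dc=igorsrv,dc=com": {
        "sAMAccountName": "vasya",
        "memberOf": ["CN=members,OU=ProActivity Portal,DC=igorsrv,DC=com"],
    },
    "cn=olga,ou=europe,dc=igorsrv,dc=com": {           # assumed user
        "sAMAccountName": "olga",
        "memberOf": ["CN=members,OU=ProActivity Portal,DC=igorsrv,DC=com"],
    },
}

ONELEVEL, SUBTREE = "onelevel", "subtree"


class NoSuchObject(LookupError):
    """LDAP result code 32 (noSuchObject). JNDI surfaces it as the
    NameNotFoundException in the log, quoting the longest existing suffix
    of the requested base as the 'best match'."""

    def __init__(self, base, best_match):
        self.base, self.best_match = base, best_match
        super().__init__(f"error code 32 NO_OBJECT, best match of: "
                         f"'{best_match}', remaining name '{base}'")


def rdns(dn):
    """Normalised RDNs, leaf first. A DN reads right to left, so
    'ou=a,ou=b,dc=x' is an OU 'a' inside OU 'b', not two sibling OUs."""
    return [part.strip().lower() for part in dn.split(",")]


def normalize(dn):
    return ",".join(rdns(dn))


def best_match(dn):
    """Longest suffix of dn that exists in the directory ('' if none)."""
    parts = rdns(dn)
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        if candidate in DIRECTORY:
            return candidate
    return ""


def in_scope(entry_dn, base_dn, scope):
    """One-level scope sees only direct children; subtree sees all descendants."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth == 1 if scope == ONELEVEL else depth >= 0


def search(base_dn, scope, attr, value):
    """DNs of entries under base_dn (within scope) whose attr equals value.
    A base that does not exist fails before any entry is examined."""
    base = normalize(base_dn)
    if base not in DIRECTORY:
        raise NoSuchObject(base, best_match(base))
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and attrs.get(attr) == value)


def roles_for(roles_ctx_dn, scope, username):
    """The posted settings in miniature: find the user under rolesCtxDN by
    sAMAccountName, then, since roleAttributeIsDN=true, resolve each memberOf
    DN to the group's 'name' attribute (roleNameAttributeID)."""
    roles = set()
    for user_dn in search(roles_ctx_dn, scope, "sAMAccountName", username):
        for group_dn in DIRECTORY[user_dn].get("memberOf", []):
            group = DIRECTORY.get(normalize(group_dn), {})
            if "name" in group:
                roles.add(group["name"])
    return sorted(roles)


if __name__ == "__main__":
    us = "ou=United States,dc=igorsrv,dc=com"
    print(roles_for(us, ONELEVEL, "vasya"))   # ['members']: user directly under the base
    print(roles_for(us, ONELEVEL, "olga"))    # []: user lives in another OU
    try:   # the post's second setting: a nested OU that does not exist
        roles_for("ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com",
                  ONELEVEL, "vasya")
    except NoSuchObject as err:
        print(err)
    print(roles_for("dc=igorsrv,dc=com", SUBTREE, "olga"))    # ['members']
    print(roles_for("dc=igorsrv,dc=com", ONELEVEL, "olga"))   # []: shared base, wrong scope
```

Before changing the JBoss configuration, the same distinction can be checked against the real server with ldapsearch, binding as the user the way the module does (simple bind with the UPN), e.g. `ldapsearch -x -H ldap://192.168.1.11 -D 'vasya@igorsrv.com' -W -b 'dc=igorsrv,dc=com' -s sub '(sAMAccountName=vasya)' memberOf`, and comparing `-s one` with `-s sub`: whichever base and scope returns the user's memberOf is what the login module needs. Which scope the LdapLoginModule of a given JBoss release uses for the rolesCtxDN search is not stated in the post and should be confirmed in that release's source; the later LdapExtLoginModule exposes it explicitly as the searchScope option (SUBTREE_SCOPE or ONELEVEL_SCOPE).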