can't configure JBoss to work with several OUs on Active Dir
tolstiy Jun 20, 2005 9:03 AM
I'm trying to configure JBoss AS (3.2.3) to work with Windows 2003 Active Directory.
I'm having difficulties configuring a "rolesCtxDN" parameter.
Here is my scenario. I have a large Active Directory with >10000 users. These users are divided into several Organizational Units.
I managed to configure it so that users from any one (but only one) OU can access the application.
Here is my configuration:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="principalDNSuffix">@igorsrv.com</module-option>
<module-option name="principalDNPrefix"></module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.provider.url">ldap://192.168.1.11:</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="uidAttributeID">sAMAccountName</module-option>
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="userRolesCtxDNAttributeName"></module-option>
<module-option name="rolesCtxDN">ou=United States,dc=igorsrv,dc=com</module-option>
<module-option name="matchOnUserDN">false</module-option>
</login-module>
Using this configuration only users of the "United States" OU can fully access the portal application.
If I change the marked configuration string as follows:
<module-option name="rolesCtxDN">ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com</module-option>
Then no user can access the portal application.
The reason for this is that I can't get the user's roles in this case.
This is a part of the log file:
2005-06-16 10:46:30,015 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Failed to locate roles
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=ProActivity Portal,DC=igorsrv,DC=com'
remaining name 'ou=United States,ou=ProActivity Portal,dc=igorsrv,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1726)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:344)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:293)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:277)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:220)
at org.jboss.security.auth.spi.LdapLoginModule.createLdapInitContext(LdapLoginModule.java:310)
at org.jboss.security.auth.spi.LdapLoginModule.validatePassword(LdapLoginModule.java:206)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:151)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:487)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:442)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:198)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:556)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
at java.lang.Thread.run(Thread.java:534)
2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'vasya' authenticated, loginOk=true
2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
2005-06-16 10:46:30,031 TRACE [org.jboss.security.plugins.JaasSecurityManager.pa-web] updateCache, subject=Subject:
Principal: vasya
Principal: Roles(members)
As a result, my user doesn't have roles and he can't log into the portal application.
I need any user from any OU to be able to access my application.
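As an added example (not part of the post and not JBoss code), a small Python helper that reads the LDAP error 32 text quoted above and reports which part of the configured rolesCtxDN Active Directory could not resolve. A DN is written leaf-first, so the second rolesCtxDN value names "United States" as an OU nested inside "ProActivity Portal", and the server's "best match" is the deepest entry that does exist; the sample error text is the exception from the post, re-typed as a constant.

```python
import re

# Constructed sample (added example, not the post's code): the NameNotFoundException quoted in the post.
SAMPLE_ERROR = (
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "'OU=ProActivity Portal,DC=igorsrv,DC=com'\n"
    "remaining name 'ou=United States,ou=ProActivity Portal,dc=igorsrv,dc=com'"
)
_ERR32 = re.compile(r"error code 32 .*?best match of:\s*'(?P<best>[^']*)'"
                    r"\s*remaining name '(?P<name>[^']*)'", re.S)


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514) and
    tolerating whitespace after a separator, as in the post's second rolesCtxDN value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn_key(rdn):
    """Comparison key: attribute types, and OU/DC values in AD, match case-insensitively."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def diagnose_no_object(error_text):
    """Return the DN suffix the server resolved and the leading RDNs it could not find.
    DNs are leaf-first: 'ou=United States,ou=ProActivity Portal,dc=...' is an OU *inside*
    'ProActivity Portal'. AD resolves from the dc= suffix leftwards; 'best match' shows how far."""
    m = _ERR32.search(error_text)
    if m is None:  # not an error 32 carrying best match / remaining name
        return None
    requested, best = split_dn(m.group("name")), split_dn(m.group("best"))
    n_missing = len(requested) - len(best)
    if n_missing < 0 or list(map(rdn_key, requested[n_missing:])) != list(map(rdn_key, best)):
        raise ValueError("best match is not a suffix of the requested DN")
    return {"resolved": ",".join(requested[n_missing:]), "missing": requested[:n_missing]}
```

For the post's error the result is that `ou=ProActivity Portal,dc=igorsrv,dc=com` exists but has no child `ou=United States`, which is the component to check in the directory before changing the login module configuration.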