Cannot authenticate against OpenLDAP
paolo.tacconi Sep 22, 2005 4:57 AMIn our company we are planning to switch to a jBoss 4.0.3 based application server array, but we need to authenticate the users against our OpenLDAP service. I've been trying in many ways but I can't seem to get the right configuration.
Our ldap structure is:
dc=comune,dc=grosseto,dc=it |_ | ou=people | |_ | |_uid=user1 | |_uid=user2 | uid=user3 |_ ou=groups |_ |_ cn=admin |_ cn=manager |_ cn=dipendenti ...
The user's group is specified as a group property:
dn cn=admin,ou=groups,dc=comune,dc=grosseto,dc=it cn admin objectClass groupOfUniqueNames uniqueMember uid=user2,ou=people,dc=comune,dc=grosseto,dc=it uniqueMember uid=user3,ou=people,dc=comune,dc=grosseto,dc=it
Our webapp has this jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <security-domain>java:/jaas/comunegr</security-domain> </jboss-web>
while web.xml includes this constraint:
<security-constraint> <web-resource-collection> <web-resource-name>certificati</web-resource-name> <url-pattern>/browse/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>utenti</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>comunegr</realm-name> <form-login-config> <form-login-page>/login/login.jsp</form-login-page> <form-error-page>/login/error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>utenti</role-name> </security-role>
Finally, I added these lines to the jBoss' login-config.xml:
<application-policy name = "comunegr"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"> <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory </module-option> <module-option name="java.naming.provider.url"> ldap://ldap01.comune.grosseto.it:389/ </module-option> <module-option name="java.naming.security.authentication"> simple </module-option> <module-option name="java.naming.security.protocol"> * </module-option> <module-option name="bindDN"> cn=admin,dc=comune,dc=grosseto,dc=it </module-option> <module-option name="bindCredential"> [password] </module-option> <module-option name="baseCtxDN"> ou=people,dc=comune,dc=grosseto,dc=it </module-option> <module-option name="baseFilter"> (uid={0}) </module-option> <module-option name="rolesCtxDN"> ou=groups,dc=comune,dc=grosseto,dc=it </module-option> <module-option name="roleFilter"> (uniqueMember={0}) </module-option> <module-option name="roleAttributeIsDN">true</module-option> <module-option name="roleNameAttributeID">cn</module-option> </login-module> </authentication> </application-policy>
(I also tried to connect with LdapLoginModule (and jBoss 4.0.2) which has slightly different options, but still I could not authenticate)
As I call the webapp from the browser I get this error:
java.lang.NullPointerException
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:966)
at org.apache.jsp.index_jsp._jspService(org.apache.jsp.index_jsp:53)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:157)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
AFTER this error I get the login page anyway, but no user can be authenticated:
HTTP Status 403 - Access to the requested resource has been denied
Can someone help me?