0 Replies Latest reply on Sep 22, 2005 4:57 AM by paolo.tacconi

    Cannot authenticate against OpenLDAP

    paolo.tacconi

      In our company we are planning to switch to a jBoss 4.0.3 based application server array, but we need to authenticate the users against our OpenLDAP service. I've been trying in many ways but I can't seem to get the right configuration.

      Our ldap structure is:

      dc=comune,dc=grosseto,dc=it
      |_
      | ou=people
      | |_
      | |_uid=user1
      | |_uid=user2
      | uid=user3
      |_
       ou=groups
       |_
       |_ cn=admin
       |_ cn=manager
       |_ cn=dipendenti
       ...


      The user's group is specified as a group property:
      dn cn=admin,ou=groups,dc=comune,dc=grosseto,dc=it
      cn admin
      objectClass groupOfUniqueNames
      uniqueMember uid=user2,ou=people,dc=comune,dc=grosseto,dc=it
      uniqueMember uid=user3,ou=people,dc=comune,dc=grosseto,dc=it


      Our webapp has this jboss-web.xml:
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
       <security-domain>java:/jaas/comunegr</security-domain>
      </jboss-web>


      while web.xml includes this constraint:
      <security-constraint>
       <web-resource-collection>
       <web-resource-name>certificati</web-resource-name>
       <url-pattern>/browse/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>utenti</role-name>
       </auth-constraint>
      </security-constraint>
      <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>comunegr</realm-name>
       <form-login-config>
       <form-login-page>/login/login.jsp</form-login-page>
       <form-error-page>/login/error.jsp</form-error-page>
       </form-login-config>
      </login-config>
      <security-role>
       <role-name>utenti</role-name>
      </security-role>


      Finally, I added these lines to the jBoss' login-config.xml:
      <application-policy name = "comunegr">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">
       com.sun.jndi.ldap.LdapCtxFactory
       </module-option>
       <module-option name="java.naming.provider.url">
       ldap://ldap01.comune.grosseto.it:389/
       </module-option>
       <module-option name="java.naming.security.authentication">
       simple
       </module-option>
       <module-option name="java.naming.security.protocol">
       *
       </module-option>
       <module-option name="bindDN">
       cn=admin,dc=comune,dc=grosseto,dc=it
       </module-option>
       <module-option name="bindCredential">
       [password]
       </module-option>
       <module-option name="baseCtxDN">
       ou=people,dc=comune,dc=grosseto,dc=it
       </module-option>
       <module-option name="baseFilter">
       (uid={0})
       </module-option>
       <module-option name="rolesCtxDN">
       ou=groups,dc=comune,dc=grosseto,dc=it
       </module-option>
       <module-option name="roleFilter">
       (uniqueMember={0})
       </module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       </login-module>
       </authentication>
      </application-policy>


      (I also tried to connect with LdapLoginModule (and jBoss 4.0.2) which has slightly different options, but still I could not authenticate)

      As I call the webapp from the browser I get this error:
      java.lang.NullPointerException
      at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:966)
      at org.apache.jsp.index_jsp._jspService(org.apache.jsp.index_jsp:53)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
      at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:157)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:595)


      AFTER this error I get the login page anyway, but no user can be authenticated:
      HTTP Status 403 - Access to the requested resource has been denied


      Can someone help me?