15 Replies. Latest reply on Oct 6, 2009 3:47 AM by bharani.82

    Active Directory and LdapExtLoginModule?

    neelixx

      By the way, kudos to the creator of LdapExtLoginModule! I think it was Scott Stark?? Love the double-searching! Makes my life so much easier in a complex Active Directory environment.

      Okay, on to my issue. Has anyone (other than me) used LdapExtLoginModule for Active Directory? I have everything working, but as usual, Microsoft does things their way, making it difficult to build a true LDAP-compliant application.

      For those that have successfully used it in an AD environment, have you gotten around the primary group issue?

      Microsoft leaves out the DN of the memberOf attribute for the groups that are set as the "Primary Group". For general users, this would be the "Domain Users" group. For others, maybe it's a "Domain Admins" group, or some other group.

      It has taken me days of troubleshooting to figure out why my users that are "Domain Users" were not showing up in my Roles search, until I ran an LDIF export, and found the issue.

      Here is what Microsoft has to say about it. Their reason for it was because there is a limitation of 5000 users in a group. But not sure how to get around it, without doing some hacking in the LdapExtLoginModule code.

      http://support.microsoft.com/kb/275523/en-us

      Anyone come across this issue? If so, how did you get around it?

      Thanks!!

      --Aaron
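The gap Aaron describes, as an added Python example that is not part of the thread: AD never lists the primary group in memberOf, but the primary group's SID is always the user's domain SID plus primaryGroupID, so it can be derived from objectSid and fetched with an (objectSid=...) search. The domain SID, DNs and group table below are constructed sample data; the group lookup simulates that search.

```python
"""Recover an AD user's primary group, which memberOf omits (KB 275523)."""
import struct

# Constructed sample domain SID; real ones are S-1-5-21-<three random 32-bit values>.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"


def sid_bytes(sid: str) -> bytes:
    """Encode S-R-A-s1-s2-... into the binary objectSid layout AD stores:
    revision (1 byte), sub-authority count (1), authority (6, big-endian),
    then each sub-authority as a little-endian uint32."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid back into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


# Constructed user entry: memberOf lacks Domain Users exactly as AD returns it.
SAMPLE_USER = {
    "distinguishedName": "CN=jdoe,CN=Users,DC=example,DC=com",
    "objectSid": sid_bytes(DOMAIN_SID + "-1105"),
    "primaryGroupID": 513,  # 513 is the well-known RID of Domain Users
    "memberOf": ["CN=AppUsers,CN=Users,DC=example,DC=com"],
}

# Constructed stand-in for a directory search keyed by the group's SID string.
SAMPLE_GROUPS = {
    DOMAIN_SID + "-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
    DOMAIN_SID + "-512": "CN=Domain Admins,CN=Users,DC=example,DC=com",
}


def primary_group_sid(user) -> str:
    """Domain SID (user SID minus its last RID) joined with primaryGroupID."""
    user_sid = parse_sid(user["objectSid"])
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, user["primaryGroupID"])


def primary_group_filter(user) -> str:
    """LDAP filter that fetches the primary group; AD accepts the string SID form."""
    return "(objectSid=%s)" % primary_group_sid(user)


def effective_groups(user, groups_by_sid) -> list:
    """memberOf plus the primary group that a memberOf-based roleFilter never sees."""
    groups = list(user["memberOf"])
    primary_dn = groups_by_sid.get(primary_group_sid(user))
    if primary_dn and primary_dn not in groups:
        groups.append(primary_dn)
    return groups
```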

        • 1. Re: Active Directory and LdapExtLoginModule?
          neelixx

          Boy, you guys just thought of everything, huh?

          Looking through the LdapExtLoginModule code (to place a hack), I found the defaultRole option. Unfortunately, this option wasn't covered in the Wiki.

          Okay, so that fixes my main problem of my thousands of users who have the default primary group of "Domain User".

          As for the rest, I'll just fix it in Active Directory by adding my own groups, rather than using the primary groups, and hacking into LdapExtLoginModule (or creating a new login module).

          For those who want to use the defaultRole option, just add it to your configuration:

          <module-option name="defaultRole">myDefaultRole</module-option>

          You can then use "myDefaultRole" as a defined role in your app. Of course, I've only tested in JUnit. I'll place it in my production-code soon.

          ActiveDirectory and LdapExtLoginModule is great!

          • 2. Re: Active Directory and LdapExtLoginModule?
            sreeni.gali

            Hi,

            I am trying to use Active Directory with "LdapExtLoginModule" for authentication and authorization. It's not working at all, and I have tried several options.

            Please see my configuration files.

            login-config.xml
            ------------------
            <application-policy name="JawJaasDbRealm">
            <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.principal">LDAPBrowse@ad.dot.state.mn.us</module-option>
            <module-option name="java.naming.security.credentials">ldapbrowse</module-option>
            <!-- bGRhcGJyb3dzZQ== -->
            <module-option name="bindDN">LDAPBrowse@ad.dot.state.mn.us</module-option>
            <module-option name="bindCredential">ldapbrowse</module-option>
            <module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
            <module-option name="roleFilter">(sAMAccountName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            </login-module>
            </authentication>
            </application-policy>
            ------------------------------
            web-security.xml
            ---------------

            <security-constraint>
            <web-resource-collection>
            <web-resource-name>JAW Application protected Admin pages and actions.</web-resource-name>
            <description>Require users to authenticate.</description>
            <url-pattern>/admin/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
            <description>Allow Manager role to access Admin pages and actions.</description>
            <role-name>OFCVO_RGCIP_Inventory</role-name>
            <!-- <role-name>MnDOT Chg Access</role-name>
            <role-name>Public WitiUserTest</role-name>
            -->
            </auth-constraint>
            </security-constraint>

            <!-- <security-role>
            <description>JAW Managers</description>
            <role-name>MnDOT Chg Access</role-name>
            </security-role>

            <security-role>
            <description>JAW Guest User (unsecured)</description>
            <role-name>Public WitiUserTest</role-name>
            </security-role>
            -->
            <security-role>
            <description>JAW Guest User (unsecured)</description>
            <role-name>OFCVO_RGCIP_Inventory</role-name>
            </security-role>

            <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>JawJaasDbRealm</realm-name>
            <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
            </login-config>
            --------------------------------
            jboss-web.xml file
            ----------------
            <jboss-web>

            <security-domain>java:/jaas/JawJaasDbRealm</security-domain>

            <!-- Resource Environment References -->
            <!--
            For additional resource-env-ref tags add a merge file called jbossweb-resource-env-ref.xml
            -->

            <!-- Resource references -->
            <!--
            For additional resource-ref tags add a merge file called jbossweb-resource-ref.xml
            -->

            <resource-ref>
            <res-ref-name>jms/CreditCheckQueue</res-ref-name>
            <jndi-name>queue/CreditCheckQueue</jndi-name>
            </resource-ref>
            <resource-ref>
            <res-ref-name>jms/MyXAQueueConnectionFactory</res-ref-name>
            <jndi-name>java:/JmsXA</jndi-name>
            </resource-ref>

            <!-- EJB References -->
            <!--
            For additional ejb-ref tags add a merge file called jbossweb-ejb-ref.xml
            -->

            <!-- EJB Local References -->

            <!--
            For additional ejb-local-ref tags add a merge file called jbossweb-ejb-local-ref.xml
            -->
            <ejb-local-ref>
            <ejb-ref-name>ejb/InventoryFacadeLocal</ejb-ref-name>
            <local-jndi-name>InventoryFacadeLocal</local-jndi-name>
            </ejb-local-ref>
            </jboss-web>
            ---------

            It's just throwing the error page and asking me to try again.

            I don't see much information in the log apart from the lines below.

            ---------------------
            2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1fd245f
            2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManager.JawJaasDbRealm] CachePolicy set to: org.jboss.util.TimedCachePolicy@5f00f9
            2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@5f00f9
            2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added JawJaasDbRealm, org.jboss.security.plugins.SecurityDomainContext@138ef1d to map
            --------------

            It's very urgent; please help me find out what's missing.

            Thanks in advance.

            bye
            Sreeni Gali

            • 3. Re: Active Directory and LdapExtLoginModule?
              neelixx

              Here are my config files. Keep in mind that this configuration uses the user's UPN (user@company.com), as I had multiple domains to authenticate against.

              I do not use EJB Security in this configuration.

              Hope this helps! Good Luck!

              login-config.xml
              -------------

              <?xml version='1.0'?>
              <!DOCTYPE policy PUBLIC
              "-//JBoss//DTD JBOSS Security Config 3.0//EN"
              "http://www.jboss.org/j2ee/dtd/security_config.dtd">

              <!--
              Due to the limitations of Active Directory's Group membership, the Members attribute from
              an LDAP query is not populated with the Primary Group. But, since every user is, by default,
              a member of the Domain User's group, every user who can authenticate correctly receives a
              default role of "AuthUser". This is my way to determine a network user without checking
              for the group "Domain User".

              http://support.microsoft.com/?kbid=275523
              -->

              <policy>

              <application-policy name="dci-ad">

              <authentication>

              <!--
              company3 authentication. Login module is set to sufficient, which means this login module
              is not required to succeed (since the user could be company1 or company2).
              -->
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://company3.com:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=user,cn=Users,dc=company3,dc=com</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">cn=Users,dc=company3,dc=com</module-option>
              <module-option name="baseFilter">(userPrincipalName={0})</module-option>
              <module-option name="rolesCtxDN">cn=Users,dc=company3,dc=com</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="roleRecursion">0</module-option>
              <module-option name="defaultRole">AuthUser</module-option>
              </login-module>

              <!--
              company1 authentication. Login module set to sufficient, as this is not required
              to succeed (since the user could be company3 or company2).
              -->
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://company1.com:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=user,cn=Users,dc=company1,dc=com</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">cn=Users,dc=company1,dc=com</module-option>
              <module-option name="baseFilter">(userPrincipalName={0})</module-option>
              <module-option name="rolesCtxDN">cn=Users,dc=company1,dc=com</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="roleRecursion">0</module-option>
              <module-option name="defaultRole">AuthUser</module-option>
              </login-module>

              <!--
              company2 authentication. Login module is set to sufficient, which means this login module
              is not required to succeed (since the user could be company1 or company3).
              -->
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://company2.com:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=user,cn=Users,dc=company2,dc=com</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">cn=Users,dc=company2,dc=com</module-option>
              <module-option name="baseFilter">(userPrincipalName={0})</module-option>
              <module-option name="rolesCtxDN">cn=Users,dc=company2,dc=com</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">name</module-option>
              <module-option name="roleRecursion">0</module-option>
              <module-option name="defaultRole">AuthUser</module-option>
              </login-module>

              </authentication>

              </application-policy>

              </policy>




              web.xml
              --------------

              <web-app>

              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/bad-login.jsp</form-error-page>
              </form-login-config>
              </login-config>

              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Main Application</web-resource-name>
              <description>accessible by authorized users</description>
              <url-pattern>/main/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <description>These are the roles who have access</description>
              <role-name>AuthUser</role-name>
              </auth-constraint>
              </security-constraint>

              <security-role>
              <description>Active Directory Authenticated User</description>
              <role-name>AuthUser</role-name>
              </security-role>

              </web-app>

              jboss-web.xml
              -----------------

              <jboss-web>
              <security-domain>java:/jaas/dci-ad</security-domain>
              </jboss-web>

              • 4. Re: Active Directory and LdapExtLoginModule?
                ksiva_rajesh

                Hi,

                I have a J2EE WebApp which expects the user to have a specific role for authorization (Authentication and Authorization will be against Active Directory).

                Environment details given below:
                App Server : JBoss-4.0.5.GA
                Directory Services : Microsoft Active Directory.

                Step - 1:
                Created a Group in Active Directory with exactly the same name required by the WebApp, assuming that JAAS will populate the group name(s) into role(s) after successful authentication.

                Step - 2:
                Assigned all the users to the group apart from their pre-assigned groups in Active Directory (AD).

                Step - 3:

                Below are the various config XMLs in JBoss.

                <!-- ------------------------- login-config.xml - START --------------------------------------------- -->

                <?xml version='1.0'?>
                <!DOCTYPE policy PUBLIC
                "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                "http://www.jboss.org/j2ee/dtd/security_config.dtd">

                <policy>

                <!-- Used by clients within the application server VM such as
                mbeans and servlets that access EJBs.
                -->
                <!-- Attempt with LdapExtLoginModule -->
                <application-policy name="HMActiveDirecotry">
                <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                <!--
                Some AD configurations may require searching against
                the Global Catalog on port 3268 instead of the usual
                port 389. This is most likely when the AD forest
                includes multiple domains.
                -->
                <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
                <module-option name="bindCredential">password</module-option>
                <module-option name="baseCtxDN">DC=company,DC=com</module-option>
                <module-option name="baseFilter">(userPrincipalName={0})</module-option>
                <module-option name="rolesCtxDN">DC=company,DC=com</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">name</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                <module-option name="defaultRole">AuthUserRole</module-option>
                </login-module>
                </authentication>
                </application-policy>

                <!-- Attempt 2 from Wiki as it is from example and few more additions -->
                <application-policy name="HMActiveDirecotry">
                <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
                <module-option name="matchOnUserDN">false</module-option>
                <module-option name="principalDNSuffix">@ldaphost.company.com</module-option>
                <module-option name="uidAttributeID">sAMAccountName</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">name</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="defaultRole">AuthUserRole</module-option>
                <!-- module-option name="additionalRole">AuthUserRole</module-option -->
                </login-module>
                </authentication>
                </application-policy>

                </policy>

                <!-- ------------------------- login-config.xml - END --------------------------------------------- -->

                <!-- ------------------------- web.xml - START --------------------------------------------- -->

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

                <web-app>
                <display-name>LDAP-Test</display-name>

                <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
                </welcome-file-list>

                <servlet>
                <servlet-name>ldapTest</servlet-name>
                <display-name>LDAPTest</display-name>
                <jsp-file>/ldaptest.jsp</jsp-file>
                </servlet>

                <servlet-mapping>
                <servlet-name>ldapTest</servlet-name>
                <url-pattern>/ldapTest</url-pattern>
                </servlet-mapping>

                <security-constraint>
                <web-resource-collection>
                <web-resource-name>LDAPTestJSP</web-resource-name>
                <url-pattern>/ldaptest</url-pattern>
                <url-pattern>/ldaptest.jsp</url-pattern>
                <url-pattern>/ldapTest</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
                </web-resource-collection>
                <auth-constraint>
                <role-name>AuthUserRole</role-name>
                </auth-constraint>
                </security-constraint>

                <!-- login-config>
                <auth-method>BASIC</auth-method>
                </login-config -->

                <login-config>
                <auth-method>FORM</auth-method>
                <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/login_error.jsp</form-error-page>
                </form-login-config>
                </login-config>

                <security-role>
                <role-name>AuthUserRole</role-name>
                </security-role>
                </web-app>

                <!-- ------------------------- web.xml - END --------------------------------------------- -->


                <!-- ------------------------- jboss-web.xml - START ------------------------------------- -->

                <jboss-web>
                <security-domain>java:/jaas/test</security-domain>
                </jboss-web>

                <!-- ------------------------- jboss-web.xml - END -------------------------------------- -->

                Actual Result:

                The J2EE WebApp is not authorizing the user to view the ldapTest servlet (JSP) after successful authentication.

                I have tried both LdapExtLoginModule and LdapLoginModule and could not get through.

                Is there any specific way of defining groups in Active Directory so that they will be populated into roles by JAAS after successful authentication? Please respond ASAP.

                Can anyone help me please? This is very urgent.
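A consistency check across the three files posted above, as an added Python example that is not from the thread: it flags a jboss-web.xml security-domain (here java:/jaas/test) that names no application-policy, auth-constraint roles missing from security-role, and a constraint satisfied by defaultRole alone, which turns "can authenticate" into "is authorized". The XML samples are constructed from the post's values and use ldaphost.example.com in place of the real host.

```python
"""Cross-check JBoss 4 security wiring: login-config.xml, web.xml, jboss-web.xml."""
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post (not the poster's actual files).
LOGIN_CONFIG = """<policy>
  <application-policy name="HMActiveDirecotry">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldaphost.example.com:389/</module-option>
        <module-option name="baseFilter">(userPrincipalName={0})</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="defaultRole">AuthUserRole</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LDAPTestJSP</web-resource-name>
      <url-pattern>/ldapTest</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AuthUserRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>AuthUserRole</role-name>
  </security-role>
</web-app>"""

# The mismatch from the post: "test" names no application-policy.
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/test</security-domain>
</jboss-web>"""

JAAS_PREFIX = "java:/jaas/"


def module_options(login_module):
    """Map module-option name -> value for one <login-module> element."""
    return {o.get("name"): (o.text or "").strip() for o in login_module.findall("module-option")}


def role_names(parent):
    """Set of <role-name> values directly under an element."""
    return {(rn.text or "").strip() for rn in parent.findall("role-name")}


def check_security_wiring(login_config, web_xml, jboss_web_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    policies = {p.get("name"): p for p in ET.fromstring(login_config).iter("application-policy")}
    web = ET.fromstring(web_xml)
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()

    # 1. jboss-web.xml must name an existing application-policy; an unknown name makes
    #    JBoss 4 authenticate against the catch-all "other" policy instead.
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else None
    if name is None:
        findings.append("security-domain %r does not start with %s" % (domain, JAAS_PREFIX))
    elif name not in policies:
        findings.append("security-domain %r matches no application-policy %s; JBoss will fall back to 'other'"
                        % (name, sorted(policies)))

    # 2. Every role an <auth-constraint> demands must be declared as a <security-role>.
    required, declared = set(), set()
    for ac in web.iter("auth-constraint"):
        required |= role_names(ac)
    for sr in web.iter("security-role"):
        declared |= role_names(sr)
    for role in sorted(required - declared):
        findings.append("auth-constraint role %r is not declared in a <security-role>" % role)

    # 3. defaultRole is granted to every principal that authenticates, so a constraint
    #    whose roles are all default roles admits any valid directory account.
    default_roles = {module_options(lm).get("defaultRole")
                     for lm in policies.get(name, ET.Element("none")).iter("login-module")}
    default_roles.discard(None)
    for ac in web.iter("auth-constraint"):
        roles = role_names(ac)
        if roles and roles <= default_roles:
            findings.append("auth-constraint %s is satisfied by defaultRole alone: any account that "
                            "can authenticate is authorized" % sorted(roles))
    return findings
```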

                • 5. Re: Active Directory and LdapExtLoginModule?
                  neelixx

                  What is the role you are trying to obtain? Did you create a security-group that the user is a part of, and trying to authorize based on group?

                  --Aaron

                  • 6. Re: Active Directory and LdapExtLoginModule?
                    neelixx

                    Well, I'm assuming you have a security group called AuthUserRole, and have placed the user you are authenticating into that security group. I'm also assuming you are using LdapExtLoginModule, and that the security group is located in the search path defined by:

                    <module-option name="rolesCtxDN">DC=company,DC=com</module-option>

                    Also, make sure that you are recursively searching for those folders, if the security group is not located in your root context. i.e.:

                    <module-option name="roleRecursion">0</module-option>


                    Also, do not try to authorize based on the user's primary group, as Microsoft won't respond with that attribute (see my post above).

                    Good Luck!

                    • 7. Re: Active Directory and LdapExtLoginModule?
                      ksiva_rajesh

                      Hi,

                      Thanks a lot for the quick response.

                      I have created a Security Group in AD with the name "AuthUserRole" and assigned a few users whom I want to authenticate.


                      distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com


                      Yes, I'm using LdapExtLoginModule. The Configuration for the same is as given below:

                      login-config.xml
                      ----------------
                      <?xml version='1.0'?>
                      <!DOCTYPE policy PUBLIC
                       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                      <policy>
                      
                       <application-policy name="HMActiveDirecotry">
                       <authentication>
                       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                       <module-option name="java.naming.provider.url">ldap://company.com:389/</module-option>
                       <module-option name="java.naming.security.authentication">simple</module-option>
                       <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
                       <module-option name="bindCredential">password</module-option>
                       <module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
                       <module-option name="baseFilter">(userPrincipalName={0})</module-option>
                       <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
                       <module-option name="roleFilter">(member={1})</module-option>
                       <module-option name="roleAttributeID">memberOf</module-option>
                       <module-option name="roleAttributeIsDN">true</module-option>
                       <module-option name="roleNameAttributeID">name</module-option>
                       <module-option name="roleRecursion">0</module-option>
                       <module-option name="defaultRole">AuthUserRole</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      </policy>
                      


                      The error I have received:

                      Error on Console of JBoss from DEBUG level on Security Manager using log4j.xml:
                      ------------------------------------------------------------------------------

                      11:13:56,999 DEBUG [AuthenticatorBase] Security checking request POST /ldaptest/j_security_check
                      11:13:56,999 DEBUG [FormAuthenticator] Authenticating username 'xxxxxx'
                      11:13:57,046 DEBUG [LdapExtLoginModule] Bad password for username=App.eapp
                      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece ]
                      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
                      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
                      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
                      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
                      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
                      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
                      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
                      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
                      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
                      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
                      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
                      at javax.naming.InitialContext.init(InitialContext.java:223)
                      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
                      at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:524)
                      at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:334)
                      at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
                      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                      at java.lang.reflect.Method.invoke(Method.java:585)
                      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
                      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
                      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
                      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
                      at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
                      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                      at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                      at java.lang.Thread.run(Thread.java:595)
                      11:13:57,452 DEBUG [ApplicationDispatcher] servletPath=/login_error.jsp, pathInfo=null, queryString=null, name=null
                      11:13:57,468 DEBUG [ApplicationDispatcher] Path Based Forward
                      11:13:57,468 DEBUG [ApplicationDispatcher] Disabling the response for futher output
                      11:13:57,468 DEBUG [AuthenticatorBase] Failed authenticate() test ??/ldaptest/j_security_check

                      I'm really not sure why the LdapExtLoginModule is reporting it as "Bad password for username=App.eapp".

                      But when I use an LDAP utility to validate the AuthUserGroup and the user name, it works fine. The result given by the LDAP search utility is as follows:


                      LDAP Utility Inputs Parameters:

                      Host : company.com
                      Port : 389
                      Base DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
                      Filter :(&(objectClass=*)(CN=*))
                      Scope : Subtree


                      Result displayed by the LDAP Search utility:

                      Enumerating attributes for DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
                      objectClass = top
                      objectClass = group
                      cn = AuthUserRole
                      member = CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com
                      member = CN=xxxxxxxxxx,OU=IC - Applications and Computers,DC=company,DC=com
                      member = CN=xxxxxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
                      member = CN=xxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
                      member = CN=xxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
                      distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
                      instanceType = 4
                      whenCreated = xxxxxxx
                      whenChanged = xxxxxxxx
                      uSNCreated = xxxxxxxx
                      uSNChanged = xxxxxxx
                      name = AuthUserRole
                      objectGUID = xxxxxxxx
                      objectSid = xxxxxxxx
                      sAMAccountName = AuthUserRole
                      sAMAccountType = xxxxxxxxx
                      groupType = xxxxxxxxx
                      objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=company,DC=com

                      LDAP search completed


                      Please go through the configuration and other details I have mentioned and suggest where I have gone wrong. I'm fairly new to LDAP and Active Directory.

                      Please reply ASAP.

                      • 8. Re: Active Directory and LdapExtLoginModule?
                        neelixx

                        First and foremost, you need to work on authentication before working on authorization.

                        If you aren't authenticating, authorization won't do you any good.

                        The best suggestion I have is to enable debugging on security in JBoss. Then look at the logs to find out what's going on when you authenticate. It's too tough to tell why it's failing, since I don't know your AD environment. You may want to get with your AD engineers/administrators.

                        You can also test LdapExtLoginModule by using the JUnit test published on the Wiki. That's how I tweaked my configuration for AD. I kept making changes to the config until my test passed. Then, I had a working config to put in my app.

                        I'd give you the link in the JBoss AS Wiki on how to set logging levels for JAAS and Security, as well as the JUnit test, but the wiki is down right now.

                        • 9. Re: Active Directory and LdapExtLoginModule?
                          ksiva_rajesh

                          Hi Neelixx,

                          The LdapExtLoginModule is awesome. Thanks a lot for your timely and valuable help.

                          Finally our LdapExtLoginModule started working fine. Below is our configuration. Hope this would help someone else, who is searching for similar information.

                          This configuration information completely depends on the way Active Directory (or any directory service) has been set up with users, groups/roles etc.

                          <!-- Attempt 1 with LdapExtLoginModule; values in <...> are placeholders to be replaced for your directory -->
                          <application-policy name="HMActiveDirecotry">
                            <authentication>
                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                <!-- connection and service account used for the user and role searches -->
                                <module-option name="java.naming.provider.url">ldap://<ldap host ip address>:389/</module-option>
                                <module-option name="java.naming.security.authentication">simple</module-option>
                                <module-option name="bindDN">CN=<user with privileges to search the directory>,OU=<Groups>,DC=company,DC=<domain classification></module-option>
                                <module-option name="bindCredential"><Password></module-option>
                                <!-- step 1: locate the user entry by CN under baseCtxDN -->
                                <module-option name="baseCtxDN">OU=<Top level group>,dc=company,dc=<domain classification></module-option>
                                <module-option name="baseFilter">(CN={0})</module-option>
                                <!-- step 2: find groups whose member attribute holds the user's DN; the group CN becomes the role -->
                                <module-option name="rolesCtxDN">OU=<Top level group>,dc=company,dc=<domain classification></module-option>
                                <module-option name="roleFilter">(member={1})</module-option>
                                <module-option name="roleAttributeID">CN</module-option>
                                <module-option name="roleRecursion">-1</module-option>
                              </login-module>
                            </authentication>
                          </application-policy>
                          


                          Here I've mentioned the HTML just to let everyone know what parameters I have configured to connect with AD.
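                          To make the two searches in that configuration concrete, here is an added stand-alone JNDI check (not LdapExtLoginModule's own code, and not from anyone in this thread) that performs the same steps: a service-account bind, a `(CN={0})` search under baseCtxDN, a bind as the found DN, and a `(member={1})` search under rolesCtxDN with nested-group recursion. The host, the service account DN and the `BIND_CREDENTIAL` environment variable are assumptions; the OU names mirror the DNs quoted earlier in the thread.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/* Hypothetical stand-alone check (not LdapExtLoginModule's own code) that runs the same two searches the
 * configuration above asks for: find the user's DN by CN, bind as that DN, then collect groups that list it. */
public class AdLoginCheck {
    static final String URL = "ldap://ad.example.test:389/";                            // java.naming.provider.url (assumed host)
    static final String BIND_DN = "CN=svc-jboss,OU=Service Accounts,DC=company,DC=com"; // bindDN (assumed account)
    static final String BASE_CTX = "OU=IC - Applications and Computers,DC=company,DC=com";   // baseCtxDN
    static final String ROLES_CTX = "OU=Security Groups,OU=DPI," + BASE_CTX;                 // rolesCtxDN
    static final SearchControls SUB = new SearchControls();
    static { SUB.setSearchScope(SearchControls.SUBTREE_SCOPE); }
    static DirContext bind(String principal, char[] credential) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.REFERRAL, "follow");                    // AD subtree searches return referrals
        env.put(Context.SECURITY_AUTHENTICATION, "simple");     // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return new InitialDirContext(env);                      // throws AuthenticationException on a bad password
    }
    /* baseFilter (CN={0}): JNDI substitutes and escapes {0}, so a crafted username cannot change the filter. */
    static String findUserDn(DirContext svc, String username) throws NamingException {
        NamingEnumeration<SearchResult> hits = svc.search(BASE_CTX, "(CN={0})", new Object[] {username}, SUB);
        if (!hits.hasMore()) throw new NamingException("no entry matches CN=" + username);
        return hits.next().getNameInNamespace();
    }
    /* roleFilter (member={1}) with roleAttributeID=CN, descending into nested groups as roleRecursion does. */
    static void collectRoles(DirContext svc, String memberDn, Set<String> roles, int depth) throws NamingException {
        if (depth > 3) return;                                  // depth limit standing in for roleRecursion
        NamingEnumeration<SearchResult> groups = svc.search(ROLES_CTX, "(member={0})", new Object[] {memberDn}, SUB);
        while (groups.hasMore()) {
            SearchResult g = groups.next();
            String cn = (String) g.getAttributes().get("cn").get();
            if (roles.add(cn)) collectRoles(svc, g.getNameInNamespace(), roles, depth + 1);
        }
    }
    public static void main(String[] args) throws NamingException {
        char[] password = System.console().readPassword("Password for %s: ", args[0]);
        if (password.length == 0) throw new IllegalArgumentException("empty password would be an anonymous bind");
        DirContext svc = bind(BIND_DN, System.getenv("BIND_CREDENTIAL").toCharArray()); // bindCredential from env
        String userDn = findUserDn(svc, args[0]);
        bind(userDn, password).close();                         // authentication: a failed user bind is the "Bad password" case
        Set<String> roles = new LinkedHashSet<>();
        collectRoles(svc, userDn, roles, 0);                    // authorization: roles are only searched after a good bind
        System.out.println(userDn + " -> " + roles);
    }
}
```

Run it with the sAMAccountName/CN as the only argument; an AuthenticationException at the second bind means the user search worked and only the password step failed, which separates the authentication problem from the role search.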

                          • 10. Re: Active Directory and LdapExtLoginModule?
                            ksiva_rajesh

                            Hi,

                            We have another problem this time.

                            When a user logs into my web application, he is authenticated against ADI using LdapExtLoginModule and is allowed to access the application after successful authentication and authorization.

                            But for us, the server is authenticating and authorizing a user and then invoking UsersRolesLoginModule, which searches for the users.properties file and causes the login to fail.

                            I have checked jboss-web.xml; this file doesn't have a relevant application-policy for UsersRolesLoginModule.

                            We are not sure why this is happening.

                            Anyone, please help.

                            • 11. Re: Active Directory and LdapExtLoginModule?
                              a_lai82

                              Can I ask, has anyone managed to encrypt the bindCredential within login-config.xml?

                              It seems like a serious security issue having plain text passwords.

                              Is this really the only way to allow users to log in using the "sAMAccountName" rather than the DN, which uses the CN value? It would seem like a common thing to do, and potentially a hassle: should the admin password be compromised, the settings have to be changed and the server reset.

                              Any input would be appreciated.

                              Andy

                              • 12. Re: Active Directory and LdapExtLoginModule?
                                jc7442

                                I think that you can use the SRPLoginModule with your LDAPLoginModule

                                http://www.ubookcase.com/book/Sams/JBoss.4.0.The.Official.Guide/0672326485/ch08lev1sec5.html

                                I have not tried yet to use it.

                                If you try, I'm interested in the result :-)

                                • 13. Re: Active Directory and LdapExtLoginModule?
                                  a_lai82

                                  I found an article

                                  http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3932448#3932448

                                  Posted by "cmiles123", who details the steps required to encrypt the bindCredential.

                                  Many thanks to "cmiles123" for the post.

                                  • 14. Re: Active Directory and LdapExtLoginModule?

                                    sdfsdf
