1. Re: Active Directory and LdapExtLoginModule?
neelixx Dec 21, 2005 10:54 PM (in response to neelixx)
Boy, you guys just thought of everything, huh?
Looking through the LdapExtLoginModule code (to place a hack), I found the defaultRole option. Unfortunately, this option wasn't covered in the Wiki.
Okay, so that fixes my main problem of my thousands of users who have the default primary group of "Domain User"
As for the rest, I'll just fix it in Active Directory by adding my own groups, rather than using the primary groups, and hacking into LdapExtLoginModule (or creating a new login module).
For those who want to use the defaultRole option, just add it to your configuration:
<module-option name="defaultRole">myDefaultRole</module-option>
You can then use "myDefaultRole" as a defined role in your app. Of course, I've only tested in JUnit. I'll place it in my production-code soon.
ActiveDirectory and LdapExtLoginModule are great!
2. Re: Active Directory and LdapExtLoginModule?
sreeni.gali Aug 22, 2006 10:59 AM (in response to neelixx)
Hi,
I am trying to use Active Directory with "LdapExtLoginModule" for authentication and authorization. It's not working at all, and I have tried several options.
Please see my configuration files.
login-config.xml
------------------
<application-policy name="JawJaasDbRealm">
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">LDAPBrowse@ad.dot.state.mn.us</module-option>
<module-option name="java.naming.security.credentials">ldapbrowse</module-option>
<!-- bGRhcGJyb3dzZQ== -->
<module-option name="bindDN">LDAPBrowse@ad.dot.state.mn.us</module-option>
<module-option name="bindCredential">ldapbrowse</module-option>
<module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
</login-module>
</application-policy>
------------------------------
web-security.xml
---------------
<security-constraint>
<web-resource-collection>
<web-resource-name>
JAW Application protected Admin pages and actions.
</web-resource-name>
<description>Require users to authenticate.</description>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Allow Manager role to access Admin pages and actions.</description>
<role-name>OFCVO_RGCIP_Inventory</role-name>
<!-- <role-name>MnDOT Chg Access</role-name>
<role-name>Public WitiUserTest</role-name>
-->
</auth-constraint>
</security-constraint>
<!-- <security-role>
<description>JAW Managers</description>
<role-name>MnDOT Chg Access</role-name>
</security-role>
<security-role>
<description>JAW Guest User (unsecured)</description>
<role-name>Public WitiUserTest</role-name>
</security-role>
-->
<security-role>
<description>JAW Guest User (unsecured)</description>
<role-name>OFCVO_RGCIP_Inventory</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>JawJaasDbRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
--------------------------------
jboss-web.xml file
----------------
<jboss-web>
<security-domain>java:/jaas/JawJaasDbRealm</security-domain>
<!-- Resource Environment References -->
<!--
For additional resource-env-ref tags add a merge file called jbossweb-resource-env-ref.xml
-->
<!-- Resource references -->
<!--
For additional resource-ref tags add a merge file called jbossweb-resource-ref.xml
-->
<resource-ref>
<res-ref-name>jms/CreditCheckQueue</res-ref-name>
<jndi-name>queue/CreditCheckQueue</jndi-name>
</resource-ref>
<resource-ref>
<res-ref-name>jms/MyXAQueueConnectionFactory</res-ref-name>
<jndi-name>java:/JmsXA</jndi-name>
</resource-ref>
<!-- EJB References -->
<!--
For additional ejb-ref tags add a merge file called jbossweb-ejb-ref.xml
-->
<!-- EJB Local References -->
<!--
For additional ejb-local-ref tags add a merge file called jbossweb-ejb-local-ref.xml
-->
<ejb-local-ref>
<ejb-ref-name>ejb/InventoryFacadeLocal</ejb-ref-name>
<local-jndi-name>InventoryFacadeLocal</local-jndi-name>
</ejb-local-ref>
</jboss-web>
---------
It's just throwing the error page and asking to try once again.
I don't see much information in the log apart from the below one.
---------------------
2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1fd245f
2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManager.JawJaasDbRealm] CachePolicy set to: org.jboss.util.TimedCachePolicy@5f00f9
2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@5f00f9
2006-08-22 09:53:00,096 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added JawJaasDbRealm, org.jboss.security.plugins.SecurityDomainContext@138ef1d to map
--------------
Please, it's very urgent; please help me find out what's missing ...
Thanks in advance.
Bye,
Sreeni Gali
3. Re: Active Directory and LdapExtLoginModule?
neelixx Aug 23, 2006 11:26 AM (in response to neelixx)
Here are my config files. Keep in mind that this configuration uses the user's UPN name (user@company.com), as I had multiple domains to authenticate to.
I do not use EJB Security in this configuration.
Hope this helps! Good Luck!
login-config.xml
-------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!--
Due to the limitations of Active Directory's group membership, the Members attribute from
an LDAP query is not populated with the Primary Group. But, since every user is, by default,
a member of the Domain Users group, every user who can authenticate correctly receives a
default role of "AuthUser". This is my way to determine a network user without checking
for the group "Domain Users".
http://support.microsoft.com/?kbid=275523
-->
<application-policy name="dci-ad">
<!--
company3 authentication. Login module is set to sufficient, which means this login module
is not required to succeed (since the user could be company1 or company2).
-->
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
flag="sufficient">
<module-option name="java.naming.provider.url">ldap://company3.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">cn=user,cn=Users,dc=company3,dc=com</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">cn=Users,dc=company3,dc=com</module-option>
<module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="rolesCtxDN">cn=Users,dc=company3,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="roleRecursion">0</module-option>
<module-option name="defaultRole">AuthUser</module-option>
</login-module>
<!--
company1 authentication. Login module is set to sufficient, as this is not required
to succeed (since the user could be company3 or company2).
-->
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
<module-option name="java.naming.provider.url">ldap://company1.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">cn=user,cn=Users,dc=company1,dc=com</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">cn=Users,dc=company1,dc=com</module-option>
<module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="rolesCtxDN">cn=Users,dc=company1,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="roleRecursion">0</module-option>
<module-option name="defaultRole">AuthUser</module-option>
</login-module>
<!--
company2 authentication. Login module is set to sufficient, which means this login module
is not required to succeed (since the user could be company1 or company3).
-->
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
<module-option name="java.naming.provider.url">ldap://company2.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">cn=user,cn=Users,dc=company2,dc=com</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">cn=Users,dc=company2,dc=com</module-option>
<module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="rolesCtxDN">cn=Users,dc=company2,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="roleRecursion">0</module-option>
<module-option name="defaultRole">AuthUser</module-option>
</login-module>
</application-policy>
web.xml
--------------
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/bad-login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Main Application</web-resource-name>
<description>accessible by authorized users</description>
<url-pattern>/main/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access</description>
<role-name>AuthUser</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>Active Directory Authenticated User</description>
<role-name>AuthUser</role-name>
</security-role>
</web-app>
jboss-web.xml
-----------------
<jboss-web>
<security-domain>java:/jaas/dci-ad</security-domain>
</jboss-web>
4. Re: Active Directory and LdapExtLoginModule?
ksiva_rajesh Mar 7, 2007 3:48 PM (in response to neelixx)
Hi,
I have a J2EE WebApp which expects the user to have a specific role for authorization (Authentication and Authorization will be against Active Directory).
Environment details given below:
App Server : JBoss-4.0.5.GA
Directory Services : Microsoft Active Directory.
Step - 1:
Created a group in Active Directory with exactly the same name required by the WebApp, assuming that JAAS will populate the group name(s) into role(s) after successful authentication.
Step - 2:
Assigned all the users to the group apart from their pre-assigned groups in Active Directory (AD).
Step - 3:
Below are the various config XMLs in JBoss.
<!-- ------------------------- login-config.xml - START --------------------------------------------- -->
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<!-- Attempt with LdapExtLoginModule -->
<application-policy name="HMActiveDirecotry">
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<!--
Some AD configurations may require searching against
the Global Catalog on port 3268 instead of the usual
port 389. This is most likely when the AD forest
includes multiple domains.
-->
<module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">DC=company,DC=com</module-option>
<module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="rolesCtxDN">DC=company,DC=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="defaultRole">AuthUserRole</module-option>
</login-module>
</application-policy>
<!-- Attempt 2: the example from the Wiki as-is, plus a few more additions -->
<application-policy name="HMActiveDirecotry">
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
<module-option name="matchOnUserDN">false</module-option>
<module-option name="principalDNSuffix">@ldaphost.company.com</module-option>
<module-option name="uidAttributeID">sAMAccountName</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="searchTimeLimit">5000</module-option>
<module-option name="defaultRole">AuthUserRole</module-option>
<!-- module-option name="additionalRole">AuthUserRole</module-option -->
</login-module>
</application-policy>
<!-- ------------------------- login-config.xml - END --------------------------------------------- -->
<!-- ------------------------- web.xml - START --------------------------------------------- -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>LDAP-Test</display-name>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>ldapTest</servlet-name>
<display-name>LDAPTest</display-name>
<jsp-file>/ldaptest.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>ldapTest</servlet-name>
<url-pattern>/ldapTest</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>LDAPTestJSP</web-resource-name>
<url-pattern>/ldaptest</url-pattern>
<url-pattern>/ldaptest.jsp</url-pattern>
<url-pattern>/ldapTest</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>AuthUserRole</role-name>
</auth-constraint>
</security-constraint>
<!-- login-config>
<auth-method>BASIC</auth-method>
</login-config -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>AuthUserRole</role-name>
</security-role>
</web-app>
<!-- ------------------------- web.xml - END --------------------------------------------- -->
<!-- ------------------------- jboss-web.xml - START ------------------------------------- -->
<jboss-web>
<security-domain>java:/jaas/test</security-domain>
</jboss-web>
<!-- ------------------------- jboss-web.xml - END -------------------------------------- -->
Actual Result:
The J2EE WebApp is not authorizing the user to view the ldapTest servlet (JSP) after successful authentication.
I have tried with both LdapExtLoginModule & LdapLoginModule and could not get through.
Is there any specific way of defining groups in Active Directory so that they will be populated into roles by JAAS after successful authentication? Please respond ASAP.
Can anyone help me please? This is very urgent.
5. Re: Active Directory and LdapExtLoginModule?
neelixx Mar 7, 2007 8:54 PM (in response to neelixx)
What is the role you are trying to obtain? Did you create a security group that the user is a part of, and are you trying to authorize based on that group?
--Aaron
6. Re: Active Directory and LdapExtLoginModule?
neelixx Mar 7, 2007 11:11 PM (in response to neelixx)
Well, I'm assuming you have a security group called AuthUserRole, and have placed the user you are authenticating into that security group. I'm also assuming you are using LdapExtLoginModule, and that the security group is located in the search path defined by:
<module-option name="rolesCtxDN">DC=company,DC=com</module-option>
Also, make sure that you are recursively searching for those folders, if the security group is not located in your root context, i.e.:
<module-option name="roleRecursion">0</module-option>
Also, do not try to authorize based on the user's primary group, as Microsoft won't respond with that attribute (see my post above).
Good Luck!
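To make concrete what the comment in post 3 and the advice in post 6 describe, here is an added Python example (not JBoss code and not any poster's) that re-implements the role-resolution semantics of the LdapExtLoginModule options over a constructed in-memory directory: the primary group never appears in member/memberOf, defaultRole is what covers every authenticated user, and roleRecursion is the option that follows nested group membership. The directory contents, the user jdoe and the group names are assumptions made for the example.

```python
"""How LdapExtLoginModule options turn AD group membership into roles.  Added
example, not JBoss code: DIRECTORY is a constructed stand-in for Active Directory
and resolve_roles() re-implements the documented option semantics (baseFilter/{0},
roleFilter/{1}, roleAttributeID, roleAttributeIsDN, roleNameAttributeID,
roleRecursion, defaultRole) instead of calling any JBoss class."""
import re

# Constructed sample directory (DN -> attributes).  As in real AD, the user's
# primary group "Domain Users" is recorded only through primaryGroupID and never
# shows up in member/memberOf: the limitation post 3 and post 6 describe.
DIRECTORY = {
    "CN=jdoe,CN=Users,DC=company3,DC=com": {
        "sAMAccountName": ["jdoe"],
        "userPrincipalName": ["jdoe@company3.com"],
        "primaryGroupID": ["513"],
        "memberOf": ["CN=App Admins,CN=Users,DC=company3,DC=com"],
    },
    "CN=App Admins,CN=Users,DC=company3,DC=com": {
        "cn": ["App Admins"],
        "member": ["CN=jdoe,CN=Users,DC=company3,DC=com"],
    },
    "CN=All Staff,CN=Users,DC=company3,DC=com": {
        "cn": ["All Staff"],
        "member": ["CN=App Admins,CN=Users,DC=company3,DC=com"],  # nested group
    },
    "CN=Domain Users,CN=Users,DC=company3,DC=com": {
        "cn": ["Domain Users"],
        "member": [],  # primary-group members are never listed here
    },
}

def _attr(dn, name):
    """Case-insensitive attribute lookup (LDAP attribute names are not case-sensitive)."""
    for key, values in DIRECTORY.get(dn, {}).items():
        if key.lower() == name.lower():
            return values
    return []

def _search(base_dn, ldap_filter):
    """Toy subtree search for the single-equality filters used in this thread."""
    match = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not match:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = match.groups()
    return [dn for dn in DIRECTORY if dn.lower().endswith(base_dn.lower())
            and value.lower() in (v.lower() for v in _attr(dn, attr))]

def resolve_roles(username, opts):
    """Return the set of roles the given module-option dictionary yields for username."""
    # Step 1: baseFilter with {0} = username, searched under baseCtxDN, gives the
    # user DN (the DN the module then binds with to verify the password).
    hits = _search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if not hits:
        raise LookupError("no entry for %r under %s" % (username, opts["baseCtxDN"]))
    user_dn = hits[0]
    roles = set()
    max_depth = int(opts.get("roleRecursion", "0"))
    is_dn = opts.get("roleAttributeIsDN", "false").lower() == "true"

    def role_search(subject_dn, depth):
        # Step 2: roleFilter with {0} = username and {1} = the DN being examined.
        flt = opts["roleFilter"].replace("{0}", username).replace("{1}", subject_dn)
        for match_dn in _search(opts["rolesCtxDN"], flt):
            for value in _attr(match_dn, opts["roleAttributeID"]):
                if is_dn:  # value is a group DN; its roleNameAttributeID is the role
                    roles.update(_attr(value, opts["roleNameAttributeID"]))
                else:
                    roles.add(value)
            # Step 3: roleRecursion repeats the search with the matched group as {1},
            # which is how nested groups are picked up.
            if depth < max_depth:
                role_search(match_dn, depth + 1)

    role_search(user_dn, 0)
    if "defaultRole" in opts:
        roles.add(opts["defaultRole"])  # granted to every authenticated user
    return roles

# Post 2 / wiki style: roleFilter matches the user entry, roles come from its memberOf.
MEMBEROF_OPTS = {
    "baseCtxDN": "DC=company3,DC=com", "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "DC=company3,DC=com", "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf", "roleAttributeIsDN": "true",
    "roleNameAttributeID": "cn", "roleRecursion": "0", "defaultRole": "AuthUser",
}
# Post 9 style: roleFilter matches groups listing the user DN as member, the
# group's CN is the role name, and one level of nested groups is followed.
MEMBER_OPTS = {
    "baseCtxDN": "CN=Users,DC=company3,DC=com", "baseFilter": "(userPrincipalName={0})",
    "rolesCtxDN": "CN=Users,DC=company3,DC=com", "roleFilter": "(member={1})",
    "roleAttributeID": "CN", "roleRecursion": "1",
}
```

Whichever style is used, "Domain Users" is never produced, so an auth-constraint on the primary group can only be satisfied through defaultRole.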
7. Re: Active Directory and LdapExtLoginModule?
ksiva_rajesh Mar 8, 2007 12:52 PM (in response to neelixx)
Hi,
Thanks a lot for the quick response.
I have created a security group in AD with the name "AuthUserRole" and assigned a few users whom I want to authenticate.
distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
Yes, I'm using LdapExtLoginModule. The configuration for the same is as given below:
login-config.xml
----------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
<application-policy name="HMActiveDirecotry">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://company.com:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
<module-option name="bindCredential">password</module-option>
<module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
<module-option name="baseFilter">(userPrincipalName={0})</module-option>
<module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="roleRecursion">0</module-option>
<module-option name="defaultRole">AuthUserRole</module-option>
</login-module>
</authentication>
</application-policy>
</policy>
The error I have received:
Error on Console of JBoss from DEBUG level on Security Manager using log4j.xml:
------------------------------------------------------------------------------
11:13:56,999 DEBUG [AuthenticatorBase] Security checking request POST /ldaptest/j_security_check
11:13:56,999 DEBUG [FormAuthenticator] Authenticating username 'xxxxxx'
11:13:57,046 DEBUG [LdapExtLoginModule] Bad password for username=App.eapp
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comme
nt: AcceptSecurityContext error, data 525, vece ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginMo
dule.java:524)
at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.j
ava:334)
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:2
29)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule
.java:210)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.ja
va:491)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:2
57)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Htt
p11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
11:13:57,452 DEBUG [ApplicationDispatcher] servletPath=/login_error.jsp, pathInfo=null, queryString=
null, name=null
11:13:57,468 DEBUG [ApplicationDispatcher] Path Based Forward
11:13:57,468 DEBUG [ApplicationDispatcher] Disabling the response for futher output
11:13:57,468 DEBUG [AuthenticatorBase] Failed authenticate() test ??/ldaptest/j_security_check
I'm really not sure why the LdapExtLoginModule is reporting it as "Bad password for username=App.eapp".
But when I use an LDAP utility to validate the AuthUserGroup and the user name, it works fine. The result given by the LDAP search utility is as follows:
LDAP Utility Inputs Parameters:
Host : company.com
Port : 389
Base DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
Filter :(&(objectClass=*)(CN=*))
Scope : Subtree
Result displayed by the LDAP Search utility:
Enumerating attributes for DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
objectClass = top
objectClass = group
cn = AuthUserRole
member = CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com
member = CN=xxxxxxxxxx,OU=IC - Applications and Computers,DC=company,DC=com
member = CN=xxxxxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
member = CN=xxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
member = CN=xxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
instanceType = 4
whenCreated = xxxxxxx
whenChanged = xxxxxxxx
uSNCreated = xxxxxxxx
uSNChanged = xxxxxxx
name = AuthUserRole
objectGUID = xxxxxxxx
objectSid = xxxxxxxx
sAMAccountName = AuthUserRole
sAMAccountType = xxxxxxxxx
groupType = xxxxxxxxx
objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=company,DC=com
LDAP search completed
Please go through the configuration and other details I have mentioned and suggest where I have gone wrong. I'm fairly new to LDAP and Active Directory.
Please reply ASAP.
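The kind of cross-file check that would have flagged the mismatches in this thread, as an added Python example that is neither JBoss code nor any poster's: post 4 points jboss-web.xml at java:/jaas/test while its application-policy is named HMActiveDirecotry, and post 7 has a user and a group that live under OU=IC - Applications and Computers while baseCtxDN and rolesCtxDN point at cn=Users. The XML fragments and DNs it reads are constructed stand-ins modelled on those posts, and the role name "Manager" is an assumption added to show the undeclared-role check.

```python
"""Cross-file consistency checks for the mismatches this thread hits: a jboss-web.xml
security-domain naming no application-policy (post 4), auth-constraint roles that are
never declared, and users or groups living outside baseCtxDN/rolesCtxDN (post 7).
Added example, not JBoss code; the XML and DNs are constructed after those posts."""
import xml.etree.ElementTree as ET

# Constructed after post 4: the policy is HMActiveDirecotry, jboss-web.xml says test.
LOGIN_CONFIG = """<policy>
  <application-policy name="HMActiveDirecotry">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
        <module-option name="baseFilter">(userPrincipalName={0})</module-option>
        <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="defaultRole">AuthUserRole</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/test</security-domain></jboss-web>"
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint>
      <role-name>AuthUserRole</role-name>
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>AuthUserRole</role-name></security-role>
</web-app>"""
# Constructed after the LDAP utility output in post 7.
USER_DN = "CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com"
GROUP_DN = ("CN=AuthUserRole,OU=Security Groups,OU=DPI,"
            "OU=IC - Applications and Computers,DC=company,DC=com")

def normalize_dn(dn):
    """Lower-case and strip blanks around commas, so 'cn=Users,DC=company,DC=com' and
    'CN=Users, DC=company, DC=com' compare equal (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_under_base(dn, base_dn):
    """True when dn equals base_dn or lies below it, i.e. a SUBTREE search can find it."""
    dn, base = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base or dn.endswith("," + base)

def module_options(login_config_xml, policy_name):
    """{option name: value} of the first login-module in the named application-policy."""
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        if policy.get("name") == policy_name:
            module = policy.find("authentication/login-module")
            return {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}
    return None

def check_web_roles(web_xml):
    """Roles demanded by an auth-constraint must also be declared as a security-role."""
    web = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in web.findall(".//security-role/role-name")}
    return ["auth-constraint role %r is not declared in a <security-role>" % r.text.strip()
            for r in web.findall(".//auth-constraint/role-name") if r.text.strip() not in declared]

def check_search_bases(opts, user_dn, group_dn):
    """The user to bind as and the group to find must sit under the configured bases;
    otherwise the module's searches return nothing and the login fails."""
    findings = []
    if not dn_under_base(user_dn, opts["baseCtxDN"]):
        findings.append("user %s is outside baseCtxDN %s" % (user_dn, opts["baseCtxDN"]))
    if not dn_under_base(group_dn, opts["rolesCtxDN"]):
        findings.append("group %s is outside rolesCtxDN %s" % (group_dn, opts["rolesCtxDN"]))
    return findings

def check_config(login_config_xml, jboss_web_xml, web_xml, user_dn, group_dn):
    """Run all checks; returns a list of findings (empty means nothing suspicious)."""
    policies = [p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")]
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain") or ""
    policy_name = domain.rsplit("/", 1)[-1]
    findings = []
    if policy_name not in policies:
        # JBoss then falls back to the "other" policy; in the stock login-config.xml that
        # is UsersRolesLoginModule reading users.properties/roles.properties (see post 10).
        findings.append("security-domain %r matches no application-policy (have: %s)"
                        % (domain, ", ".join(policies)))
        policy_name = policies[0]  # continue with the policy the author evidently meant
    opts = module_options(login_config_xml, policy_name)
    findings += check_web_roles(web_xml)
    findings += check_search_bases(opts, user_dn, group_dn)
    return findings
```

Widening baseCtxDN and rolesCtxDN to a base that contains both DNs, as post 9's working configuration does, clears the two search-base findings.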
8. Re: Active Directory and LdapExtLoginModule?
neelixx Mar 9, 2007 1:01 AM (in response to neelixx)
First and foremost, you need to work on authentication before working on authorization.
If you aren't authenticating, authorization won't do you any good.
The best suggestion I have is to enable debugging on security in JBoss. Then, look at the logs to find out what's going on when you authenticate. It's too tough to tell why it's failing, since I don't know your AD environment. You may want to get with your AD engineers/administrators.
You can also test LdapExtLoginModule by using the JUnit test published on the Wiki. That's how I tweaked my configuration for AD. I kept making changes to the config until my test passed. Then, I had a working config to put in my app.
I'd give you the link in the JBoss AS Wiki on how to set logging levels for JAAS and Security, as well as the JUnit test, but the wiki is down right now.
9. Re: Active Directory and LdapExtLoginModule?
ksiva_rajesh Mar 13, 2007 4:02 PM (in response to neelixx)
Hi Neelixx,
The LdapExtLoginModule is awesome. Thanks a lot for your timely and valuable help.
Finally our LdapExtLoginModule started working fine. Below is our configuration. Hope this would help someone else, who is searching for similar information.
This configuration information completely depends on the way Active Directory or any directory service has been set up with users, groups/roles etc.
<!-- Attempt 1 with LdapExtLoginModule -->
<application-policy name="HMActiveDirecotry">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://<ldap host ip address>:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=<>User Name who is having privileges for searching thru the directory service,OU=<Groups>,DC=company,DC=<domain classification></module-option>
<module-option name="bindCredential"><Password></module-option>
<module-option name="baseCtxDN">OU=<Top level group>,dc=company,dc=<domain classification></module-option>
<module-option name="baseFilter">(CN={0})</module-option>
<module-option name="rolesCtxDN">OU=<Top level group>,dc=company,dc=<domain classification></module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">CN</module-option>
<module-option name="roleRecursion">-1</module-option>
</login-module>
</authentication>
</application-policy>
Here I've mentioned the HTML just to let everyone know which parameters I have configured to connect with AD.
10. Re: Active Directory and LdapExtLoginModule?
ksiva_rajesh Mar 15, 2007 5:40 PM (in response to neelixx)
Hi,
We have another problem this time.
When a user is logged into my web application, he will be authenticated against ADI using LdapExtLoginModule and he is allowed to access the application after successful authentication and authorization.
But for us, the server is authenticating and authorizing a user and then invoking UsersRolesLoginModule, which is searching for user.properties files and failing the user's login.
I have checked jboss-web.xml; this file doesn't have a relevant application-policy for UsersRolesLoginModule.
We are not sure why this is happening.
Anyone, please help.
11. Re: Active Directory and LdapExtLoginModule?
a_lai82 Aug 21, 2007 6:30 AM (in response to neelixx)
Can I ask whether anyone has managed to encrypt the bindCredential within the login-config.xml?
It seems like a serious security issue having plain-text passwords.
Is this really the only way to allow users to log in using the "sAMAccountName" rather than the DN, which uses the CN value? It would seem like a common thing to do, and potentially a hassle: should the admin password be compromised, the settings have to be changed and the server reset.
Any input would be appreciated.
Andy
12. Re: Active Directory and LdapExtLoginModule?
jc7442 Aug 21, 2007 9:58 AM (in response to neelixx)
I think that you can use the SRPLoginModule with your LDAPLoginModule:
http://www.ubookcase.com/book/Sams/JBoss.4.0.The.Official.Guide/0672326485/ch08lev1sec5.html
I have not tried yet to use it.
If you try, I'm interested in the result :-)
13. Re: Active Directory and LdapExtLoginModule?
a_lai82 Aug 21, 2007 11:22 AM (in response to neelixx)
I found an article
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3932448#3932448
posted by "cmiles123", who details the steps required to encrypt the bindCredentials.
Many thanks to "cmiles123" for the post.