3 Replies Latest reply on Sep 7, 2006 1:43 PM by rknechtel

    Not able to authenticate against ActiveDirectory using LDAPL

    sreeni.gali

      Hi Team,

      We have tring hard to secure the webapplication using LDAPLogin module against Active Directory but we are not successfull . Please have a look into the following configuration files and suggest me the solution. Thanks Advance.

      Step1: in "login-config.xml" the entry as below
      -------------------------
      <application-policy name="kwormSecurity">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">ldapbrowse</module-option>
      <module-option name="java.naming.security.credentials">ldapbrowse</module-option>
      <module-option name="bindDN">@dot.state.mn.us</module-option>
      <!--<module-option name="bindCredential">ldapbrowse</module-option> -->
      <module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="baseFilter">(&(sAMAccountName={0})(objectClass=user))</module-option>
      <module-option name="roleFilter">(&(member={0})(objectClass=group))</module-option>
      <module-option name="rolesCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <!-- <module-option name="searchScope">ONELEVEL_SCOPE</module-option> -->
      </login-module>

      </application-policy>

      --------------------------
      Step2: in "jboss.xml" file the entry as below

      ------------------
      <jboss-web>
      <context-root>ara</context-root>
      <security-domain>java:/jaas/kwormSecurity</security-domain>
      </jboss-web>

      ------------------

      We are getting the following error. Please suggest me the solution .

      error:
      --------------

      2006-08-08 16:08:04,390 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Failed to validate password
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893 ]
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
      at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:290)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
      at javax.naming.InitialContext.init(InitialContext.java:219)
      at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:133)
      at org.jboss.security.auth.spi.LdapLoginModule.createLdapInitContext(LdapLoginModule.java:258)
      at org.jboss.security.auth.spi.LdapLoginModule.validatePassword(LdapLoginModule.java:208)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:163)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
      at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:534)
      2006-08-08 16:08:04,390 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=gali1sre

      ----------------


      Thanks,
      Sreeni Gali
      sreeni.gali@gmail.com

        • 1. Re: Not able to authenticate against ActiveDirectory using L
          j2ee_junkie

          I am no LDAP expert, but it looks like the LDAPLM is not providing correct credentials when connecting to AD. Thus authentication of user is not even attempted because connection to server is not authenticated.

          cgriffith

          • 2. Re: Not able to authenticate against ActiveDirectory using L
            sreeni.gali

            Hi ,

            Thanks for your reply.


            The credentials are correct and it works for tomcat authentication against ActiveDirectory. I wonder why it's not working same credentials with jboss.

            thanks,
            Sreeni

            • 3. Re: Not able to authenticate against ActiveDirectory using L
              rknechtel

              I'm having similar issues trying to connect to Active Directory using LDAP with JBoss.
              The username is valid in AD I can login to a windows box that authenticates against the AD server.

              jboss-web.xml

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web>
              <security-domain flushOnSessionInvalidation="false">java:/jaas/MyApp-ldap</security-domain>
              <context-root>/MyApp</context-root>
              </jboss-web>


              web.xml

              <security-constraint>
              <display-name>Restrict SEAM pages</display-name>
              <web-resource-collection>
              <web-resource-name>SEAM</web-resource-name>
              <url-pattern>*.seam</url-pattern>
              </web-resource-collection>
              <auth-constraint>
              <role-name>system</role-name>
              <role-name>purch-buyer</role-name>
              <role-name>purch-iss</role-name>
              <role-name>purch-dataentry</role-name>
              <role-name>purch-tech</role-name>
              <role-name>accounting</role-name>
              <role-name>asd</role-name>
              <role-name>ccc_ops</role-name>
              <role-name>warehouse</role-name>
              <role-name>liquidation</role-name>
              </auth-constraint>
              </security-constraint><?xml version="1.0" encoding="UTF-8"?>
              <jboss-web>
              <security-domain flushOnSessionInvalidation="false">java:/jaas/MyApp-ldap</security-domain>
              <context-root>/MyApp</context-root>
              </jboss-web>

              <security-role>
              <role-name>system</role-name>
              </security-role>
              <security-role>
              <role-name>purch-buyer</role-name>
              </security-role>
              <security-role>
              <role-name>purch-iss</role-name>
              </security-role>
              <security-role>
              <role-name>purch-dataentry</role-name>
              </security-role>
              <security-role>
              <role-name>purch-tech</role-name>
              </security-role>
              <security-role>
              <role-name>accounting</role-name>
              </security-role>
              <security-role>
              <role-name>asd</role-name>
              </security-role>
              <security-role>
              <role-name>ccc_ops</role-name>
              </security-role>
              <security-role>
              <role-name>warehouse</role-name>
              </security-role>
              <security-role>
              <role-name>liquidation</role-name>
              </security-role>

              <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>MyApp-ldap</realm-name>
              <form-login-config>
              <form-login-page>/login.html</form-login-page>
              <form-error-page>/loginError.html</form-error-page>
              </form-login-config>
              </login-config>

              login-config.xml


              <application-policy name="MyApp-ldap">

              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
              <!--
              Some AD configurations may require searching against
              the Global Catalog on port 3268 instead of the usual
              port 389. This is most likely when the AD forest
              includes multiple domains.
              -->
              <module-option name="java.naming.provider.url">ldap://server:389</module-option>
              <module-option name="bindDN">administrator</module-option>
              <module-option name="bindCredential">[PASSWORD]</module-option>
              <module-option name="baseCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
              <module-option name="baseFilter">(sAMAccountName={0})</module-option>

              <module-option name="rolesCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
              <module-option name="roleFilter">(sAMAccountName={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">cn</module-option>

              <module-option name="roleRecursion">-1</module-option>
              <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
              </login-module>

              </application-policy>




              ERROR when Logging in:
              2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1669e7f
              2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@2fc45d
              2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CachePolicy set to: org.jboss.util.TimedCachePolicy@4ec21
              2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4ec21
              2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added MyApp-ldap, org.jboss.security.plugins.SecurityDomainContext@12a9eda to map
              2006-09-07 08:41:15,136 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=johndoe
              javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
              at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
              at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:283)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
              at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
              at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
              at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
              at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
              at javax.naming.InitialContext.init(InitialContext.java:223)
              at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:134)
              at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:487)
              at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:331)
              at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:585)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
              at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
              at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
              at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
              at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
              at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
              at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
              at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
              at java.lang.Thread.run(Thread.java:595)


              Anyone have any ideas or run into this error? If so how did you fix it?

              Thanks,