1 Reply Latest reply on Sep 16, 2008 11:02 AM by javauser007

    LDAP with Domino -- No roles found/Access Denied

    tjpfister

      I'm having an issue integrating JBOSS's security in my application. When logging into my application, the LDAP server is correctly verifying the user name and password, but it cannot find the roles on the LDAP server. Since it cannot find the roles, the user is redirected to a 403 error page: "Access to the requested resource has been denied".

      I'm running this on JBOSS 4.2.0.GA

      My login-config.xml security policy:

      <application-policy name="mySecurityPolicy">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                        flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://myserver.host.com:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <!-- for principalDNSuffix no entry is needed for Domino (e.g. o=MYDOMAIN) -->
            <module-option name="principalDNSuffix"></module-option>
            <module-option name="rolesCtxDN"></module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <!-- searchScope ONELEVEL_SCOPE is necessary for Domino -->
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <!-- Principal and credentials for LDAP lookups -->
            <module-option name="java.naming.security.principal">cn=admin</module-option>
            <module-option name="java.naming.security.credentials">admin</module-option>
          </login-module>
        </authentication>
      </application-policy>


      My jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain>java:/jaas/mySecurityPolicy</security-domain>
      </jboss-web>


      The security section of my web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>General</web-resource-name>
          <url-pattern>/app/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Change Requester</role-name>
          <role-name>Request Approver</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <role-name>Change Requester</role-name>
      </security-role>
      <security-role>
        <role-name>Request Approver</role-name>
      </security-role>


      The groups are at the root of my Domino LDAP server. The groups are named exactly the same as my role-names from my web.xml file, "Change Requester" and "Request Approver". I have verified that the users I am attempting to log in with are a member of at least one of these groups.

      I have enabled trace output for security in my jboss-log4j.xml file:

      <category name="org.jboss.security">
        <priority value="TRACE" class="org.jboss.logging.XLevel"/>
      </category>
      <category name="org.jboss.web.tomcat.security">
        <priority value="TRACE" class="org.jboss.logging.XLevel"/>
      </category>
      <category name="org.apache.catalina">
        <priority value="DEBUG"/>
      </category>



      and receive the following output when logging in:


      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '0C5834DF07062C7C651A26A7CD01AD48'
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'tpfister' with type 'FORM'
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[tpfister()]
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.realm.RealmBase] Username tpfister does NOT have role Change Requester
      2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: Change Requester
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.realm.RealmBase] Username tpfister does NOT have role Request Approver
      2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: Request Approver
      2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking for all roles mode: authOnly
      2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test


      I have this same application installed on WebSphere, running against the same Domino LDAP server, just fine. I'm trying to push for our development group's standard application server to be switched from WebSphere to JBOSS, but if I cannot get security working, it would be an obvious deal-breaker.

      Does anyone have any ideas what is causing this? If not, are there any additional debugging methods I could use?
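One way to narrow this down without a live server is to model the roles search that LdapLoginModule performs from the options above. The following Python is an added example, not code from the thread or from JBoss: it reproduces, as I understand it, how the module builds the match value from principalDNPrefix, the user name, principalDNSuffix and matchOnUserDN, searches under rolesCtxDN with the configured searchScope for entries whose uidAttributeID (here `member`) equals that value, and collects roleAttributeID from the hits. The in-memory directory is constructed; in particular, the assumption that Domino stores group members as full DNs (`CN=tpfister,O=MYDOMAIN`) rather than the bare `cn=tpfister` used for binding is exactly the kind of mismatch that produces "No role found" even though authentication succeeds, and it should be confirmed against the real server with an ldapsearch on the group entries. DN parsing is simplified (no escaped commas) and matching is case-insensitive, as for caseIgnore and DN syntaxes.

```python
# Added example (not JBoss code): an in-memory model of the roles search done by
# org.jboss.security.auth.spi.LdapLoginModule, used to check what the posted
# options actually search for. Directory contents below are constructed.

# Options exactly as posted in login-config.xml (only the role-related ones).
POSTED_OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": "",
    "rolesCtxDN": "",                 # groups live at the root of the tree
    "uidAttributeID": "member",       # group attribute that names the user
    "matchOnUserDN": "true",          # match the user DN, not the bare user name
    "roleAttributeID": "cn",          # group attribute that becomes the role name
    "roleAttributeIsDN": "false",
    "searchScope": "ONELEVEL_SCOPE",
}

# Constructed stand-in for the Domino directory: (dn, attributes) pairs.
# ASSUMPTION: group members are stored as full DNs, which is what makes the
# posted configuration find nothing; verify the real values with ldapsearch.
CONSTRUCTED_DIRECTORY = [
    ("cn=Change Requester", {"cn": ["Change Requester"],
                             "member": ["CN=tpfister,O=MYDOMAIN"]}),
    ("cn=Request Approver", {"cn": ["Request Approver"],
                             "member": ["CN=jdoe,O=MYDOMAIN"]}),
    # a group one level deeper, only reachable with SUBTREE_SCOPE from the root
    ("cn=Nested Approvers,ou=Groups", {"cn": ["Nested Approvers"],
                                       "member": ["CN=tpfister,O=MYDOMAIN"]}),
]


def parse_dn(dn):
    """Split a DN into lower-cased RDN strings (simplification: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def ldap_equal(a, b):
    """Case- and whitespace-insensitive equality, as caseIgnore/DN matching behaves."""
    return parse_dn(a) == parse_dn(b)


def search(directory, base_dn, scope, attr, value):
    """Equality search under base_dn: entries whose `attr` contains `value`.

    ONELEVEL_SCOPE returns only direct children of base_dn; SUBTREE_SCOPE
    returns base_dn and everything beneath it.
    """
    base = parse_dn(base_dn)
    hits = []
    for dn, attrs in directory:
        rdns = parse_dn(dn)
        if scope == "ONELEVEL_SCOPE":
            in_scope = rdns[1:] == base
        elif scope == "SUBTREE_SCOPE":
            in_scope = rdns[len(rdns) - len(base):] == base
        else:
            raise ValueError("unknown searchScope: %s" % scope)
        if in_scope and any(ldap_equal(v, value) for v in attrs.get(attr, [])):
            hits.append((dn, attrs))
    return hits


def user_dn(options, username):
    """DN the module binds with: principalDNPrefix + username + principalDNSuffix."""
    return options["principalDNPrefix"] + username + options["principalDNSuffix"]


def roles_filter(options, username):
    """(attribute, value) the module matches on when searching for roles."""
    if options["matchOnUserDN"] == "true":
        match_value = user_dn(options, username)
    else:
        match_value = username
    return options["uidAttributeID"], match_value


def find_roles(directory, options, username):
    """Role names the module would assign to `username` from `directory`."""
    attr, value = roles_filter(options, username)
    roles = []
    hits = search(directory, options["rolesCtxDN"], options["searchScope"], attr, value)
    for _dn, attrs in hits:
        for role_value in attrs.get(options["roleAttributeID"], []):
            if options.get("roleAttributeIsDN", "false") == "true":
                # the value is a DN of a role entry: resolve it and read its name
                # attribute (roleNameAttributeID, assumed to default to "name")
                target = next((a for d, a in directory if ldap_equal(d, role_value)), {})
                roles.extend(target.get(options.get("roleNameAttributeID", "name"), []))
            else:
                roles.append(role_value)
    return roles


if __name__ == "__main__":
    variants = [
        ("posted options", POSTED_OPTIONS),
        ("with DN suffix", dict(POSTED_OPTIONS, principalDNSuffix=",O=MYDOMAIN")),
        ("with DN suffix, subtree",
         dict(POSTED_OPTIONS, principalDNSuffix=",O=MYDOMAIN", searchScope="SUBTREE_SCOPE")),
    ]
    for label, opts in variants:
        print(label, roles_filter(opts, "tpfister"),
              find_roles(CONSTRUCTED_DIRECTORY, opts, "tpfister"))
```

Run it and the first line shows that the posted options search for `member = cn=tpfister`, which matches nothing in the constructed directory, mirroring the "No role found" lines in the trace; the second shows roles appearing once the match value equals the stored member value, and the third shows the extra group that SUBTREE_SCOPE would pick up. The same idea applies to the real server: the value in the group's member attribute, not the DN that authentication accepted, is what the roles search has to equal.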




        • 1. Re: LDAP with Domino -- No roles found/Access Denied

          Hi, I'm facing a problem configuring LDAP in JBoss Portal. Please see my problem below.

          I'm using JBoss Portal 2.6.5 and OpenLDAP.
          I have created an .ldif file according to my company's requirements, and it works fine with other applications except JBoss Portal.

          My problem is, in my .ldif file I mentioned "my-user" for holding the username and "my-pwd" for holding the password,
          and in my ldap_identity-config.xml file I mentioned them accordingly, as given below.


          <option>
            <name>uidAttributeID</name>
            <value>my-user</value>
          </option>

          <option>
            <name>passwordAttributeID</name>
            <value>my-pwd</value>
          </option>


          But while I'm trying to access it I'm not getting any error on the console, and the page is simply redirected to some other error page which shows "The user doesn't exist or the password is incorrect". In the log file I'm getting a message like "Bad password for the user XXXXX" (even if I entered the correct user name and password), but if I use the "userPassword" name for holding the password in the .ldif file it works fine.

          If I use the "userPassword" name, it works fine even if I disable the following code in ldap_identity-config.xml.


          <option>
            <name>passwordAttributeID</name>
            <value>userPassword</value>
          </option>


          But I should mention uidAttributeID like below:


          <option>
            <name>uidAttributeID</name>
            <value>my-user</value>
          </option>


          and after doing some R&D on this, finally I came to know that JBoss is not reading the following snippet at all.


          <option>
            <name>passwordAttributeID</name>
            <value>my-pwd</value>
          </option>


          But my requirement is that I should use the "my-pwd" attribute id for holding the password.

          How do I do that? Any help is appreciated.