1 Reply Latest reply on Jul 2, 2009 12:07 PM by dufferdo25

    JBOSS Negotiate using AdvancedLdapLoginModule throws bind er

    dufferdo25

      Not sure if the mailing list is active, so I am posting here as well.
      Sorry.

      Hello all,
      I am using Negotiate and have successfully gotten all three auth tests to work using the jboss-negotiate-toolkit after some trials.

      Now I am attempting to search the Active Directory rather than the user-roles.properties file.
      I am using chained configuration from the docs.

      Here is a snip from the login-config.xml file:

       <application-policy name="host">
       <authentication>
       <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
       <module-option name="storeKey">true</module-option>
       <module-option name="useKeyTab">true</module-option>
       <module-option name="principal">host/jportal@MYCO.COM</module-option>
       <module-option name="keyTab">/home/admin/jportal.keytab</module-option>
       <module-option name="doNotPrompt">true</module-option>
       <module-option name="debug">true</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
      
      <application-policy name="SPNEGO">
       <authentication>
       <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="serverSecurityDomain">host</module-option>
       </login-module>
       <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="bindAuthentication">GSSAPI</module-option>
       <module-option name="jaasSecurityDomain">host</module-option>
       <module-option name="java.naming.provider.url">ldap://dc:389</module-option>
       <module-option name="baseCtxDN">CN=Users,DC=dc,DC=myco,DC=com</module-option>
       <module-option name="baseFilter">(userPrincipalName={0})</module-option>
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="recurseRoles">true</module-option>
       </login-module>
       </authentication>
      </application-policy>
      

      Do I need the first application policy (host)?

      My error is as follows:
      /error
      ...skipping
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Unknown Source)
      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'OU=Users,DC=MYCO,DC=COM'
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
       at javax.naming.directory.InitialDirContext.search(Unknown Source)
       at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:505)
       ... 34 more
      

      Any ideas what may be wrong?

      Thanks!

        • 1. Re: JBOSS Negotiate using AdvancedLdapLoginModule throws bin
          dufferdo25

          OK, I solved the bind issue by setting a value in adsiedit (dcHeuristics 0000002), which allows anonymous access to read or list AD. I would have thought that the UPN would be reading the AD and not an anonymous conn.

          I now have a new error:

          2009-07-02 15:56:29,763 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) Obtained LdapContext
          2009-07-02 15:56:29,768 INFO [STDOUT] (http-0.0.0.0-8080-1) [Krb5LoginModule]: Entering logout
          2009-07-02 15:56:29,768 INFO [STDOUT] (http-0.0.0.0-8080-1) [Krb5LoginModule]: logged out Subject
          2009-07-02 15:56:29,768 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8080-1) abort
          2009-07-02 15:56:29,768 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) abort
          2009-07-02 15:56:29,768 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8080-1) Login failure
          javax.security.auth.login.LoginException: Unable to find user DN
           at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:528)
           at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:343)
           at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:734)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAs(Unknown Source)
           at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:279)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
           at java.lang.reflect.Method.invoke(Unknown Source)
           at javax.security.auth.login.LoginContext.invoke(Unknown Source)
           at javax.security.auth.login.LoginContext.access$000(Unknown Source)
           at javax.security.auth.login.LoginContext$4.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
           at javax.security.auth.login.LoginContext.login(Unknown Source)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
           at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
           at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
           at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Unknown Source)
          Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of:
           'DC=base,DC=myco,DC=com'
          ]; remaining name 'OU=Clients,DC=base,DC=myco,DC=com'
           at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
           at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
           at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
           at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
           at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
           at javax.naming.directory.InitialDirContext.search(Unknown Source)
           at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:505)
           ... 34 more
          


          In the logs I see that I get an Identity:
          TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) Identity - test01@BASE.MYCO.COM
          


          I am using the nested config:
          <application-policy name="SPNEGO">
           <authentication>
           <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
           <module-option name="password-stacking">useFirstPass</module-option>
           <module-option name="serverSecurityDomain">host</module-option>
           </login-module>
          
           <login-module code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule" flag="required">
           <module-option name="password-stacking">useFirstPass</module-option>
           <module-option name="bindAuthentication">GSSAPI</module-option>
           <module-option name="jaasSecurityDomain">host</module-option>
           <module-option name="java.naming.provider.url">ldap://dc.base.myco.com:389</module-option>
           <module-option name="baseCtxDN">CN=Clients,DC=base,DC=myco,DC=com</module-option>
           <module-option name="baseFilter">(userPrincipalName={0})</module-option>
           <module-option name="roleAttributeID">memberOf</module-option>
           <module-option name="roleAttributeIsDN">true</module-option>
           <module-option name="roleNameAttributeID">cn</module-option>
           <module-option name="recurseRoles">true</module-option>
           </login-module>
           </authentication>
          </application-policy>
          


          Anybody see anything wrong? I tried CN=Clients and CN=Users. I also left out the CN to do a full search of the entire domain. Still no luck.
          Thanks!
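Both errors in this thread come from the same step, the search AdvancedLdapLoginModule runs in findUserDN to turn the Kerberos identity into a directory DN. LDAP result code 1 with Active Directory's comment "a successful bind must be completed on the connection" means the search went out on a connection that had not been authenticated, i.e. the GSSAPI bind using the credentials of the jaasSecurityDomain never happened; result code 32 (NO_OBJECT, "best match of: 'DC=base,DC=myco,DC=com'") means the server could not find the baseCtxDN itself, only its domain suffix. Both can be checked outside JBoss, with the same keytab and the same options, instead of opening the directory to anonymous reads. The standalone diagnostic below is an added example, not code from the thread or from the JBoss Negotiation project: it assumes a JAAS configuration file with an entry named host that mirrors the Krb5LoginModule block from login-config.xml, and the URL, base DN, filter and principal on the command line are placeholders taken from the posted configuration.

```java
// Added diagnostic example (not from the thread or JBoss Negotiation). It repeats,
// outside JBoss, what AdvancedLdapLoginModule.findUserDN does:
//   1. log in with Krb5LoginModule using the keytab of the "host" security domain
//   2. inside Subject.doAs, open an LDAP context with a GSSAPI (Kerberos) bind
//   3. search baseCtxDN with baseFilter, {0} bound to the user principal
// and maps the two LDAP result codes seen in the thread to their cause.
//
// Assumed JAAS file (passed with -Djava.security.auth.login.config=<file>),
// mirroring the login-config.xml "host" policy:
//
//   host {
//     com.sun.security.auth.module.Krb5LoginModule required
//       storeKey=true useKeyTab=true doNotPrompt=true
//       principal="host/jportal@MYCO.COM" keyTab="/home/admin/jportal.keytab";
//   };
//
// Usage (placeholder arguments taken from the posted configuration):
//   java LdapBindCheck ldap://dc:389 "CN=Users,DC=dc,DC=myco,DC=com" \
//        "(userPrincipalName={0})" test01@MYCO.COM

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class LdapBindCheck {

    /** Explains an LDAP failure in terms of the login-module option that causes it. */
    static String explain(NamingException e) {
        String msg = String.valueOf(e.getMessage());
        if (e instanceof NameNotFoundException || msg.contains("error code 32")) {
            // noSuchObject: the search base itself does not exist on this server.
            return "baseCtxDN does not exist (LDAP result 32, noSuchObject): check the container type "
                 + "(AD's default Users container is CN=Users, custom containers are usually OU=) and the suffix";
        }
        if (msg.contains("error code 1 -") || msg.contains("successful bind must be completed")) {
            // operationsError from AD: the search ran on an unauthenticated connection,
            // so the GSSAPI bind never happened (no usable Kerberos credentials).
            return "search sent before a bind completed (LDAP result 1): the GSSAPI bind did not happen, "
                 + "so the Kerberos login of jaasSecurityDomain failed or its credentials were not used";
        }
        return "unclassified LDAP failure: " + msg;
    }

    /** Opens a GSSAPI-bound context and searches for the user; returns the DN or null. */
    static String findUserDn(String url, String baseCtxDn, String baseFilter, String principal)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // java.naming.provider.url
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // bindAuthentication=GSSAPI
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "distinguishedName" });
            // baseFilter "(userPrincipalName={0})" with {0} passed as a filter argument,
            // so the principal is escaped by JNDI rather than concatenated into the filter.
            NamingEnumeration<SearchResult> results =
                ctx.search(baseCtxDn, baseFilter, new Object[] { principal }, sc);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args[0], baseCtxDn = args[1], baseFilter = args[2], principal = args[3];
        // Step 1: Kerberos login with the server keytab, as the "host" security domain does.
        LoginContext lc = new LoginContext("host");
        lc.login();
        Subject serverSubject = lc.getSubject();
        try {
            // Steps 2 and 3: bind and search as that subject, as the module's AuthorizeAction does.
            String dn = Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () ->
                findUserDn(url, baseCtxDn, baseFilter, principal));
            System.out.println(dn == null
                ? "bind OK, but no entry matched the filter under " + baseCtxDn
                : "bind OK, user DN = " + dn);
        } catch (PrivilegedActionException pae) {
            Throwable cause = pae.getCause();
            if (!(cause instanceof NamingException)) {
                throw pae;
            }
            System.out.println("LDAP failure: " + explain((NamingException) cause));
        } finally {
            lc.logout();
        }
    }
}
```

If the Kerberos login in step 1 fails, the keytab or principal in the host domain is wrong and no LDAP option will help; if the bind succeeds but the search reports result 32, the baseCtxDN is wrong for that server (the "best match" in the error shows how much of the DN the server did resolve); if the bind succeeds and the search returns null, the filter attribute or the principal form (userPrincipalName versus the realm-qualified name seen in the Identity log line) is the thing to compare. Keeping the directory closed to anonymous reads and fixing the bind instead preserves the authentication guarantee that the GSSAPI option was chosen for.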