1. Re: LdapLoginModule talking to microsoft adam
rbartig Oct 22, 2007 2:54 PM (in response to rbartig)

I'm closer in getting Microsoft ADAM and JBoss talking. When I give it a bad login it throws an exception and writes the following message to the server.log file. But when I give it a correct login it keeps prompting me for a username/password. Anyone else have this issue with ADAM, Active Directory, or any other LDAP servers? Why can't Microsoft ADAM (which I heard is a 90% LDAP-compliant server) and JBoss play nice?
2007-10-22 14:50:30,086 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=butt
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, va28
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNPrefix">CN=</module-option>
  <module-option name="principalDNSuffix">,OU=users,O=my.org</module-option>
  <module-option name="roleAttributeIsDN">true</module-option>
  <module-option name="roleNameAttributeID">CN=</module-option>
  <module-option name="rolesCtxDN">OU=groups,O=my.org</module-option>
  <module-option name="uidAttributeID">member</module-option>
  <module-option name="matchOnUserDN">true</module-option>
  <module-option name="allowEmptyPasswords">false</module-option>
</login-module>
2. Re: LdapLoginModule talking to microsoft adam
rbartig Oct 25, 2007 4:45 PM (in response to rbartig)

I finally figured it out and thought I'd post what I found in case someone else has the same issue. Turned on the trace in JBoss and read through the LdapLoginModule source code. The user I was trying to log in with wasn't in the Administrators or Readers role. Doesn't even matter if they're in the Users role. Think I'm going to use LdapExtLoginModule instead. Not sure if this is a parameter that can be turned off because I couldn't find any detailed documentation on ADAM.
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNPrefix">CN=</module-option>
  <module-option name="principalDNSuffix">,O=my.org</module-option>
  <module-option name="rolesCtxDN">O=my.org</module-option>
  <module-option name="roleAttributeID">CN</module-option>
  <module-option name="uidAttributeID">member</module-option>
  <module-option name="roleAttributeIsDN">false</module-option>
  <module-option name="roleNameAttributeID">name</module-option>
  <module-option name="allowEmptyPasswords">false</module-option>
  <module-option name="matchOnUserDN">true</module-option>
</login-module>
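The two posts together describe the failure mode worth understanding in this login module: the bind succeeds (so no "error code 49" in the log), but the role search that follows runs with the user's own freshly bound context, and a user who cannot read the roles subtree gets back an empty result rather than an error, so the container sees a principal with no roles and re-prompts. The following Python model, added here to illustrate the thread (it is not rbartig's configuration or JBoss code), shows how the module-options from the second post compose into a bind DN and a role-search filter, escapes the username on the way into both (RFC 4514 for the DN, RFC 4515 for the filter), and runs the flow against a constructed in-memory directory in which one user may read the tree and another may not. The directory, the users alice and bob, their passwords, the group and role entries, and the `roleRef` attribute used for the `roleAttributeIsDN=true` variant are all constructed for the example; the option names are the ones from the posts.

```python
"""Model of how LdapLoginModule's module-options compose into a bind DN and a role
search, run against a constructed in-memory directory (illustration, not JBoss code)."""
import re
from dataclasses import dataclass, replace

@dataclass
class LdapOptions:  # field names mirror the <module-option name="..."> keys in the thread
    principalDNPrefix: str
    principalDNSuffix: str
    rolesCtxDN: str
    uidAttributeID: str
    roleAttributeID: str
    roleAttributeIsDN: bool
    roleNameAttributeID: str
    matchOnUserDN: bool
    allowEmptyPasswords: bool

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into a DN, so a username like
    'x,O=evil' cannot change which entry the module binds as."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, len(value) - 1))
        out.append('\\' + ch if special else ch)
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter."""
    return (value.replace('\\', '\\5c').replace('*', '\\2a')
            .replace('(', '\\28').replace(')', '\\29').replace('\0', '\\00'))

def build_user_dn(opts: LdapOptions, username: str) -> str:
    return opts.principalDNPrefix + escape_dn_value(username) + opts.principalDNSuffix

def build_role_filter(opts: LdapOptions, username: str, user_dn: str) -> str:
    # matchOnUserDN decides whether membership is keyed by the full DN or the bare name
    needle = user_dn if opts.matchOnUserDN else username
    return f"({opts.uidAttributeID}={escape_filter_value(needle)})"

class ToyDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN, one password per
    user entry, and the set of DNs allowed to read (the equivalent of ADAM's Readers)."""
    def __init__(self, entries, passwords, readers):
        self.entries = {dn.lower(): {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}
        self.passwords = {dn.lower(): pw for dn, pw in passwords.items()}
        self.readers = {dn.lower() for dn in readers}

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn.lower()) == password

    def search(self, base_dn: str, ldap_filter: str, attr: str, bound_dn: str) -> list:
        if bound_dn.lower() not in self.readers:
            return []  # no read permission: the server answers with nothing, not an error
        m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
        want_attr = m.group(1).lower()
        want_val = re.sub(r'\\([0-9a-f]{2})', lambda h: chr(int(h.group(1), 16)), m.group(2)).lower()
        found = []
        for dn, attrs in self.entries.items():
            if dn.endswith(base_dn.lower()) and want_val in [v.lower() for v in attrs.get(want_attr, [])]:
                found.extend(attrs.get(attr.lower(), []))
        return found

def authenticate(directory: ToyDirectory, opts: LdapOptions, username: str, password: str):
    """Returns (bound, roles). bound=True with roles=[] is the state described in the
    thread: the password was accepted but the role search came back empty."""
    if password == "" and not opts.allowEmptyPasswords:
        return False, []
    user_dn = build_user_dn(opts, username)
    if not directory.bind(user_dn, password):  # the server's "error code 49" case
        return False, []
    # The role search runs in the context the user just bound with
    values = directory.search(opts.rolesCtxDN, build_role_filter(opts, username, user_dn),
                              opts.roleAttributeID, user_dn)
    if not opts.roleAttributeIsDN:
        return True, sorted(values)
    roles = []  # each value is a DN; the role name is that entry's roleNameAttributeID
    for role_dn in values:
        roles.extend(directory.entries.get(role_dn.lower(), {}).get(opts.roleNameAttributeID.lower(), []))
    return True, sorted(roles)

# Options copied from the second post; OPTS_DN switches to the DN-valued role lookup
OPTS = LdapOptions(principalDNPrefix="CN=", principalDNSuffix=",O=my.org", rolesCtxDN="O=my.org",
                   uidAttributeID="member", roleAttributeID="CN", roleAttributeIsDN=False,
                   roleNameAttributeID="name", matchOnUserDN=True, allowEmptyPasswords=False)
OPTS_DN = replace(OPTS, roleAttributeID="roleRef", roleAttributeIsDN=True)

# Constructed directory: alice may read the tree, bob may not (the second post's situation)
DIRECTORY = ToyDirectory(
    entries={
        "CN=alice,O=my.org": {"cn": ["alice"]},
        "CN=bob,O=my.org": {"cn": ["bob"]},
        "CN=app-admins,OU=groups,O=my.org": {"cn": ["app-admins"],
                                             "member": ["CN=alice,O=my.org", "CN=bob,O=my.org"],
                                             "roleRef": ["CN=deployers,OU=roles,O=my.org"]},
        "CN=deployers,OU=roles,O=my.org": {"name": ["deployers"]},
    },
    passwords={"CN=alice,O=my.org": "s3cret", "CN=bob,O=my.org": "hunter2"},
    readers=["CN=alice,O=my.org"],
)
```

Running `authenticate(DIRECTORY, OPTS, "bob", "hunter2")` returns `(True, [])`: bob's password is correct, but because his DN is not in the directory's readers set the role search is silently empty, which is exactly the state the second post diagnosed (a user outside ADAM's Readers role). A module such as LdapExtLoginModule that performs the role search with a separate service bind decouples that search from the end user's read rights; with this module, the read permission of the authenticating user itself is part of what has to be checked.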