9 Replies Latest reply on Nov 21, 2006 12:50 PM by olivwalt

    LDAP and Active Directory

    creative77

      I have been trying to set up LDAP in JBoss Portal. I have the user authenticating, but I don't know how to get the correct role to get logged in.

      I get a "HTTP Status 403 - Access to the requested resource has been denied",
      which I believe is due to the group/role not being resolved correctly.

      I am using the LdapExtLoginModule; below is the trace from the log file after trying to get logged in.

      Any help would be appreciated...

      ###################################################

      08:12:41,235 DEBUG [CoyoteAdapter] Requested cookie session id is 5A3FCFF056D82C70B3E68866F9CE0384
      08:12:41,235 DEBUG [AuthenticatorBase] Security checking request POST /portal/j_security_check
      08:12:41,235 DEBUG [FormAuthenticator] Authenticating username 'dsj0920'
      08:12:41,235 DEBUG [FormAuthenticator] Authentication of 'XXX0920' was successful
      08:12:41,235 DEBUG [FormAuthenticator] Redirecting to original '/portal'
      08:12:41,235 DEBUG [AuthenticatorBase] Failed authenticate() test ??/portal/j_security_check
      08:12:41,235 DEBUG [CoyoteAdapter] Requested cookie session id is 5A3FCFF056D82C70B3E68866F9CE0384
      08:12:41,235 DEBUG [AuthenticatorBase] Security checking request GET /portal
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET / --> true
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET / --> false
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET / --> true
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
      08:12:41,235 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET / --> false
      08:12:41,235 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
      08:12:41,235 DEBUG [RealmBase] User data constraint has no restrictions
      08:12:41,235 DEBUG [AuthenticatorBase] Calling authenticate()
      08:12:41,235 DEBUG [FormAuthenticator] Restore request from session '5A3FCFF056D82C70B3E68866F9CE0384'
      08:12:41,235 DEBUG [AuthenticatorBase] Authenticated 'XXX0920' with type 'FORM'
      08:12:41,235 DEBUG [FormAuthenticator] Proceed to restored request
      08:12:41,235 DEBUG [AuthenticatorBase] Calling accessControl()
      08:12:41,235 DEBUG [RealmBase] Username XXX0920 does NOT have role Authenticated
      08:12:41,235 DEBUG [AuthenticatorBase] Failed accessControl() test

      Here is what the RoleDN output is:

      ################################################


      08:15:51,032 DEBUG [AuthenticatorBase] Security checking request GET /portal
      08:15:51,032 DEBUG [AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[dsj0920(CN=AccessIT,CN=Users,DC=adomain,DC=com,CN=Admin,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com,CN=Citrix Users,OU=Farm,OU=Citrix,DC=adomain,DC=com,CN=GG AP All Associates,OU=Security Groups,OU=AdomainUsers,DC=adomain,DC=com,CN=GG AP All Information Systems,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com,CN=GG AP Portal Admins,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com,CN=GG AP Portal Module Administrators,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com,CN=GG FA Associate Portal Development,CN=Users,DC=adomain,DC=com,CN=GG FA HROL Credentialing File Access,CN=Users,DC=adomain,DC=com,CN=Help Desk,CN=Users,DC=adomain,DC=com,CN=INFOSYS,CN=Users,DC=adomain,DC=com,CN=IS - Apps Team,CN=Users,DC=adomain,DC=com,CN=MRI NIMC,CN=Users,DC=adomain,DC=com,CN=Telecom,CN=Users,DC=adomain,DC=com,CN=\#Associate Portal Steering Committee,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,CN=\#Change Management,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,CN=\#Company-Wide,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,CN=\#Core Upgrade Applications Team,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,CN=\#IS-Application Team,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,CN=\#IS-CHS31,CN=Distribution Lists,CN=Users,DC=adomain,DC=com,)]

        • 1. Re: LDAP and Active Directory
          bdaw

          The user needs to belong to the role "Authenticated" because the portal servlet is secured with it.

          • 2. Re: LDAP and Active Directory
            creative77

            Added the group and same result.

            • 3. Re: LDAP and Active Directory
              den74

              I had a similar problem with my personal validation application and resolved it by adding the group Authenticated to my Principal user (coming from the application) and inserting the following row in login-config.xml:

              <module-option name="additionalRole">Authenticated</module-option>

              • 4. Re: LDAP and Active Directory
                creative77

                I am thinking this is a role context search problem. I have used the out of the box Login configuration. However, my implementation has the groups in another sub tree.

                I have set the roleCtxDN to that location:

                <module-option name="rolesCtxDN">ou=Security Groups,ou=Adomain Users,dc=adomain,dc=com</module-option>

                I am wondering how the following is resolved then:

                <module-option name="roleFilter">(sAMAccountName={0})</module-option>

                The users (sAMAccountName) would not reside in this sub tree, I believe I need to filter some other way.

                • 5. Re: LDAP and Active Directory
                  creative77

                  Wiki sez that the "rolesCtxDN" is the path to the user's account and not the path to the actual group/role.

                  When I set this, the servlet crashes with an account not found exception. However, when I change the path to the group path, it authenticates the user but can't find the user's group/role.

                  I am confused.

                  As I have said the user accounts and groups are in different subtrees.

                  #################################################

                  This crashes the login servlet with account not found. Accounts are in the following container.


                  <module-option name="rolesCtxDN">ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com</module-option>
                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                  <!--
                  Some AD configurations may require searching against
                  the Global Catalog on port 3268 instead of the usual
                  port 389. This is most likely when the AD forest
                  includes multiple domains.
                  -->
                  <module-option name="java.naming.provider.url">ldap://adserver.adomain.com:389</module-option>
                  <module-option name="bindDN">DomainUser</module-option>
                  <module-option name="bindCredential">DomainPassword</module-option>
                  <module-option name="baseCtxDN">dc=adomain,dc=com</module-option>
                  <module-option name="baseFilter">(sAMAccountName={0})</module-option>

                  <module-option name="rolesCtxDN">ou=Adomain Users,ou=Adomain Resources,dc=adomain,dc=com</module-option>
                  <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                  <module-option name="roleAttributeID">memberOf</module-option>
                  <module-option name="roleAttributeIsDN">true</module-option>
                  <module-option name="roleNameAttributeID">cn</module-option>

                  <module-option name="roleRecursion">-1</module-option>

                  <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                  </login-module>
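The role-resolution step that posts 4 and 5 are asking about can be simulated offline. The following is an added example, not code from the thread or from JBoss: it models what a login module does with the options `roleAttributeIsDN=true` and `roleNameAttributeID=cn`, namely take each `memberOf` DN, pick out the `cn` RDN value (honouring backslash escapes such as the `\#` seen in the RoleDN output), and collect those values as role names. It then checks whether the role the portal's security constraint requires, `Authenticated`, is among them. The `memberOf` values are constructed for the example, modelled on the DNs posted above.

```python
"""Simulate memberOf -> role-name resolution for an LDAP login module.

Added example (not from the thread, not JBoss code). It assumes the
semantics described in the thread: with roleAttributeIsDN=true the
memberOf values are DNs and the role name is the value of the RDN
named by roleNameAttributeID (here "cn"); with roleAttributeIsDN=false
the attribute value itself is the role name.
"""
from typing import List, Optional, Set

# Constructed memberOf values, modelled on the DNs in the thread's RoleDN output.
SAMPLE_MEMBER_OF = [
    "CN=AccessIT,CN=Users,DC=adomain,DC=com",
    "CN=GG AP Portal Admins,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com",
    "CN=\\#Company-Wide,CN=Distribution Lists,CN=Users,DC=adomain,DC=com",
    # A group whose name contains an escaped comma (RFC 4514 "\," escape).
    "CN=Smith\\, John Team,OU=Security Groups,OU=Adomain Users,DC=adomain,DC=com",
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings, treating '\\,' as a literal comma."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair intact; unescape() strips it later.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def unescape(value: str) -> str:
    """Remove single-character backslash escapes (\\, \\# ...) from a value.

    Hex-pair escapes (\\XX) are not handled here; this is enough for the
    DNs seen in the thread.
    """
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def role_name_from_dn(dn: str, role_name_attribute: str = "cn") -> Optional[str]:
    """Return the value of the first RDN whose attribute type matches
    role_name_attribute (case-insensitive), or None if there is none."""
    for rdn in split_rdns(dn):
        attr, _, val = rdn.partition("=")
        if attr.strip().lower() == role_name_attribute.lower():
            return unescape(val.strip())
    return None


def resolve_roles(member_of: List[str], role_attribute_is_dn: bool = True,
                  role_name_attribute: str = "cn") -> Set[str]:
    """Turn memberOf values into a set of role names."""
    roles: Set[str] = set()
    for value in member_of:
        if role_attribute_is_dn:
            name = role_name_from_dn(value, role_name_attribute)
            if name is not None:
                roles.add(name)
        else:
            roles.add(value)
    return roles


def missing_required_roles(roles: Set[str],
                           required=("Authenticated",)) -> List[str]:
    """List the required role names the resolved set does not contain."""
    return [r for r in required if r not in roles]


if __name__ == "__main__":
    resolved = resolve_roles(SAMPLE_MEMBER_OF)
    print("resolved roles:", sorted(resolved))
    print("missing:", missing_required_roles(resolved))
```

Run it as-is and the sample user resolves to `AccessIT`, `GG AP Portal Admins`, `#Company-Wide` and `Smith, John Team`, with `Authenticated` reported as missing; append a `CN=Authenticated,...` DN to the list and the check passes. The useful comparison is against the RealmBase line `Username ... does NOT have role Authenticated`: the constraint is matched on the bare role name, so a principal whose role strings are whole DNs rather than `cn` values cannot satisfy it no matter which group the user is in.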

                  • 6. Re: LDAP and Active Directory
                    gregsting

                    Sorry for the little change of subject, but I am trying to do the same thing as you. Could you help me by explaining which steps you went through to this day? Did you solve your problem?

                    • 7. Re: LDAP and Active Directory
                      creative77

                      I still have not resolved this; I am currently poring over the code for the LDAPModule. I hope to see something there that may keep this from working.

                      Basically, with this config, I get the principal authenticated and the user is authenticated, but for some reason the module is not finding the default role "Authenticated" for the users. I have created the group in Active Directory and added myself to it. Still no luck, so when I get time I plan to look into how the "memberOf" attribute is handled.

                      • 8. Re: LDAP and Active Directory

                        Hello creative77,

                        Did you already get it to work? I have the same problem in my setup (http://jboss.org/index.html?module=bb&op=viewtopic&p=3987622).

                        I tried to adjust the security constraint in portal-server.war web.xml

                        <security-role-ref>
                          <role-name>Authenticated</role-name>
                          <role-link>Authenticated</role-link>
                        </security-role-ref>


                        But it did not help.

                        Regards Oliver

                        • 9. Re: LDAP and Active Directory

                          Hello creative77,

                          Another question: how did you debug FormAuthenticator, AuthenticatorBase and RealmBase?

                          Regards Oliver