3 Replies. Latest reply on Sep 25, 2007 12:07 PM by saigon_man

    LDAP Connection error

    saigon_man

      Hi,
      I am trying to set up an LDAP connection to ApacheDS. However, I got an error when trying to connect to the server. Here is my setup:

      in jboss-service.xml

      change the name of identity-config.xml to ldap_identity-config.xml (as said in the document, chapter 16)

      in ldap_identity-config.xml: change the following code



      <datasource>
        <name>LDAP</name>
        <config>
          <option>
            <name>host</name>
            <value>localhost</value>
          </option>
          <option>
            <name>port</name>
            <value>10389</value>
          </option>
          <option>
            <name>adminDN</name>
            <value>uid=admin,ou=system</value>
          </option>
          <option>
            <name>adminPassword</name>
            <value>secret</value>
          </option>
          <!--<option>
            <name>protocol</name>
            <value>ssl</value>
          </option>-->
          <option>
            <name>externalContextJndiName</name>
            <value>external/ldap/jboss</value>
          </option>
        </config>
      </datasource>
      </datasources>
      


      in login-config.xml: change the following code (as said in the wiki: http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication)

      <application-policy name="portal">
        <authentication>

          <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
          configure portal identity modules for this-->
          <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
          </login-module>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:10389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="baseCtxDN">ou=People,o=portal</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Groups,o=portal</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">member</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
          </login-module>
        </authentication>
      


      I am using the ldif file: portal-sample-local.ldif provided in jboss source

      I am able to connect to the server using the JXplorer application with the same admin user name and password (as stated in ldap_identity-config.xml).
      However, from within the JBoss server, when I try to log in using the username/password admin/admin, I received these errors:


      ERROR [IdentityLoginModule] Error when validating password
      org.jboss.portal.common.transaction.NestedException: javax.security.auth.login.LoginException: org.jboss.portal.identity.IdentityException: Unable to connect to LDAP: Name: null, Host: localhost, Port: 10389, Context factory: com.sun.jndi.ldap.LdapCtxFactory, Admin user: uid=admin,ou=system, Admin password: ***, Authentication: simple, Protocol: null


      I am using JBoss Portal 2.6.1.
      What am I missing here? Or is there any step I should follow?
      Your help is greatly appreciated.

      Thanks,
      SGM

        • 1. Re: LDAP Connection error
          sbozdag

          I used to have almost the same problem.

          I am 100% sure that I did not change the configuration file jboss-service.xml. I only followed the instructions given on the page http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication . And it worked! You should notice that there is no such configuration step for jboss-service.xml or ldap_identity-config.xml on that wiki. I have tried so many times before in the same way you did. However, they did not work.

          Anyway, just follow the steps on the wiki and don't forget to check out the troubleshooting list at the bottom of the page (only three lines).

          I am also using version 2.6.1GA. I tried it against an OpenLDAP server.

          And one last note: don't forget to add a role named 'Authenticated' (or whatever name you want, but be sure to sync that name with your login-config file) to your LDAP server, and make your user a member of it.

          Also, reading the chapters about authentication/authorization will help you a lot, as they helped me.

          Hope this helps,

          • 2. Re: LDAP Connection error
            bdaw

            You have

            <option>
              <name>externalContextJndiName</name>
              <value>external/ldap/jboss</value>
            </option>
            

            uncommented. When this option is used, all other LDAP connection options are ignored. Did you read the docs?

            http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/ldap.html#d0e6811

            If you configure all modules in ldap_identity-config.xml you don't need to change login-config.xml to authenticate.



            • 3. Re: LDAP Connection error
              saigon_man

              Hi,
              Thanks for all the responses.

              First, I tried the suggestions from sbozdag. When I tried to log in with admin/admin, JBoss displayed the message: "your account is disabled". If I tried to log in with jduke1/theduke, JBoss gave me the message: "this account doesn't exist ...."

              Here is my configuration:

              1. I am using ApacheDS (Apache Directory Server) and using JXplorer to log in. ApacheDS doesn't allow anonymous login, so I used the option username+password:
              username: uid=admin,ou=system
              password: secret

              2. Because ApacheDS doesn't allow anonymous login, I then changed the configuration in login-config.xml a little bit and added two lines:

              <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                <module-option name="additionalRole">Authenticated</module-option>
                <module-option name="password-stacking">useFirstPass</module-option>
              </login-module>
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">
                  com.sun.jndi.ldap.LdapCtxFactory
                </module-option>
                <module-option name="java.naming.provider.url">
                  ldap://localhost:10389/
                </module-option>
                <module-option name="java.naming.security.authentication">
                  simple
                </module-option>
                <module-option name="binDN">uid=admin,ou=system</module-option>
                <module-option name="bindCredential">secret</module-option>
                <module-option name="baseCtxDN">ou=People,o=portal</module-option>
                <module-option name="baseFilter">(uid={0})</module-option>
                <module-option name="rolesCtxDN">ou=Groups,o=portal</module-option>
                <module-option name="roleFilter">(member={0})</module-option>
                <module-option name="roleAttributeID">member</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
              </login-module>
              


              I also added the "Authenticated" role and associated all users with this role in the server.
              I think once I hit the login button, this configuration doesn't get called at all, since JBoss is not able to find the jduke1 username in the server.
              I don't know if the changes (in red) I made in this configuration are correct, or whether there is anything I am missing here?

              I am using the portal-sample-local.ldif provided in the JBoss source.
              Your help on this is greatly appreciated.

              Thanks,

              SGM
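Added example, not part of this thread or of JBoss Portal: a small Python check for the two configuration mistakes that come up above, an externalContextJndiName value in ldap_identity-config.xml (which, as bdaw notes, makes the other datasource options irrelevant) and an LdapExtLoginModule option name the module does not know, such as binDN, which it never reads. The accepted option set is my recollection of the LdapExtLoginModule documentation, so treat it as an assumption; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Option names accepted by org.jboss.security.auth.spi.LdapExtLoginModule, as I
# recall them from the JBoss security documentation (assumption, not from the thread);
# "java.naming.*" keys are passed through to JNDI and are accepted as well.
LDAP_EXT_OPTIONS = {
    "bindDN", "bindCredential", "baseCtxDN", "baseFilter", "rolesCtxDN",
    "roleFilter", "roleAttributeID", "roleAttributeIsDN", "roleNameAttributeID",
    "roleRecursion", "searchTimeLimit", "searchScope", "allowEmptyPasswords",
    "distinguishedNameAttribute", "parseRoleNameFromDN", "roleNameSeparator",
}

def check_login_config(xml_text):
    """Flag misspelled or missing LdapExtLoginModule options in a login-config.xml fragment."""
    findings = []
    for lm in ET.fromstring(xml_text).iter("login-module"):
        if lm.get("code") != "org.jboss.security.auth.spi.LdapExtLoginModule":
            continue
        opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
        for name in opts:
            if name not in LDAP_EXT_OPTIONS and not name.startswith("java.naming."):
                findings.append("unknown option %r: it is silently ignored" % name)
        if "bindDN" not in opts:  # without a bind DN the user/role search binds anonymously
            findings.append("no bindDN: the user/role search binds anonymously")
    return findings

def check_identity_config(xml_text):
    """Flag an externalContextJndiName that overrides the other LDAP datasource options."""
    findings = []
    for ds in ET.fromstring(xml_text).iter("datasource"):
        opts = {o.findtext("name"): (o.findtext("value") or "").strip()
                for o in ds.findall("config/option")}
        if opts.get("externalContextJndiName"):
            findings.append("externalContextJndiName is set: host/port/adminDN/adminPassword are ignored")
    return findings

# Constructed samples that reproduce the two mistakes discussed in the thread.
SAMPLE_LOGIN_CONFIG = """<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://localhost:10389/</module-option>
<module-option name="binDN">uid=admin,ou=system</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">ou=People,o=portal</module-option>
</login-module>
</authentication>"""

SAMPLE_IDENTITY_CONFIG = """<datasources><datasource><name>LDAP</name><config>
<option><name>host</name><value>localhost</value></option>
<option><name>externalContextJndiName</name><value>external/ldap/jboss</value></option>
</config></datasource></datasources>"""
```

Running check_login_config on the sample reports both the unknown binDN option and the resulting missing bindDN; correcting the spelling clears both findings.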