LdapExtLoginModule with AD appears to log in, but then says "bad password"
kevinternes Apr 7, 2010 8:19 PM

In JBoss AS 5.1.0.GA, I seem to have LdapExtLoginModule configured correctly. The logs show it identifying my groups, but then it finally says "bad password".
Here is the relevant login-config.xml application-policy. You may notice that our users are not under cn=Users. I do not know why our Active Directory is set up this way.
{code:xml}
<application-policy name="AppAuthorizedUsers">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://amn-sygcdc:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=Portal Admin,OU=Users,OU=IS,OU=...</module-option>
<module-option name="bindCredential">...</module-option>
<module-option name="baseCtxDN">dc=syg,dc=sygin,dc=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">dc=syg,dc=sygin,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">CN</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">0</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
</login-module>
</authentication>
</application-policy>
{code}
And the snip from the web app's web.xml:
{code:xml}
<security-constraint>
<web-resource-collection>
<web-resource-name>AppAuthorizedUsers</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>APP-Confluence-Users</role-name>
</auth-constraint>
<user-data-constraint>
<description>NONE</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login-error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users authorized to use this application</description>
<role-name>APP-Confluence-Users</role-name>
</security-role>
{code}
And now what I see in the log when I try to login:
{noformat}
2010-04-07 18:57:00,934 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-0.0.0.0-8080-1) Requested cookie session id is 5BEF3D0AF6D63D5442476F28E265B7C6
2010-04-07 18:57:00,934 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}
2010-04-07 18:57:00,934 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-0.0.0.0-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2010-04-07 18:57:00,934 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-0.0.0.0-8080-1) Security checking request POST /CogMapp/j_security_check
2010-04-07 18:57:00,935 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-1) Authenticating username 'kternes'
2010-04-07 18:57:00,935 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) Begin authenticate, username=kternes
2010-04-07 18:57:00,935 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) Begin isValid, principal:kternes, cache info: null
2010-04-07 18:57:00,936 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) defaultLogin, principal=kternes
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(AppAuthorizedUsers), size=12
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(AppAuthorizedUsers), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(sAMAccountName={0})
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=roleFilter, value=(member={1})
name=bindCredential, value=****
name=bindDN, value=CN=Portal Admin...
name=java.naming.provider.url, value=ldap://am-sygcdc:389
name=rolesCtxDN, value=dc=syg,dc=sygin,dc=com
name=roleRecursion, value=0
name=roleAttributeIsDN, value=false
name=baseCtxDN, value=dc=syg,dc=sygin,dc=com
name=roleAttributeID, value=CN
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) initialize
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Security domain: AppAuthorizedUsers
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) login
2010-04-07 18:57:01,392 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx SQL+
2010-04-07 18:57:01,447 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx JDev
2010-04-07 18:57:01,505 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Information Services
2010-04-07 18:57:01,559 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx Toad Std
2010-04-07 18:57:01,616 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Amr HelpDesk
2010-04-07 18:57:01,675 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle Developer
2010-04-07 18:57:01,732 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle Users - US
2010-04-07 18:57:01,840 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle IS Team, US
2010-04-07 18:57:01,895 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role IS Development Team
2010-04-07 18:57:01,949 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx MSVSS
2010-04-07 18:57:02,003 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role VSS Admins
2010-04-07 18:57:02,065 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Network Team (R)
2010-04-07 18:57:02,119 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Server Team (R)
2010-04-07 18:57:02,174 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Development Team (M)
2010-04-07 18:57:02,228 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Support Team (M)
2010-04-07 18:57:02,282 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Oracle Support (M)
2010-04-07 18:57:02,337 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Home Office Workers U.S
2010-04-07 18:57:02,391 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role IS Franklin
2010-04-07 18:57:02,448 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role AMR Ctx Syg IS
2010-04-07 18:57:02,502 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role OWA Users
2010-04-07 18:57:02,556 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx Gen App
2010-04-07 18:57:02,611 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx MSOff Std
2010-04-07 18:57:02,665 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Syg VPN Users
2010-04-07 18:57:02,719 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role APP-Confluence-Users
2010-04-07 18:57:02,774 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role APP-Confluence-Admins
2010-04-07 18:57:02,828 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role GEN-SSS-Standards
2010-04-07 18:57:02,828 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Bad password for username=kternes
2010-04-07 18:57:02,830 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) abort
2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) End isValid, false
2010-04-07 18:57:02,830 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) User: kternes is NOT authenticated
2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) End authenticate, principal=null
2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,834 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
2010-04-07 18:57:02,836 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/CogMapp].[default]] (http-0.0.0.0-8080-1) Disabling the response for futher output
2010-04-07 18:57:02,836 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-0.0.0.0-8080-1) Failed authenticate() test ??/CogMapp/j_security_check
2010-04-07 18:57:02,836 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
2010-04-07 18:57:02,836 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
{noformat}
According to the LdapExtLoginModule docs, it is not supposed to query for the associated user roles unless the authentication is successful.
Can anyone suggest a fix?
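A step-by-step checker, added here as an example and not part of the original post or of JBoss, that replays the four LDAP operations LdapExtLoginModule performs (service-account bind, user lookup with baseFilter, bind as the found user DN with the submitted password, role search with roleFilter) using plain JNDI and the option values from the login-config.xml above. Because the module collapses any failure inside that sequence into a single "Bad password" line, running the steps separately shows which one actually fails. Assumptions: the bindDN suffix and bindCredential are placeholders, the user name and password are passed as the two command-line arguments, and `{1}` in roleFilter is the user DN found in step 2 (which is how the module fills it). One caveat the checker handles explicitly: a subtree search of an Active Directory domain root over port 389 can return referrals, and with JNDI's default referral handling the enumeration then throws `javax.naming.PartialResultException` after the real entries have been delivered, which inside the module would surface only as a failed login.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Replays the LdapExtLoginModule steps one at a time so each failure is visible on its own. */
public class LdapExtStepCheck {

    // Option values from the login-config.xml in the post. The OU suffix of the bind DN and
    // the bind password are placeholders (the post elides them).
    static final String URL = "ldap://amn-sygcdc:389";
    static final String BIND_DN = "CN=Portal Admin,OU=Users,OU=IS,OU=PLACEHOLDER";
    static final String BIND_PW = "PLACEHOLDER";
    static final String BASE_CTX = "dc=syg,dc=sygin,dc=com";
    static final String BASE_FILTER = "(sAMAccountName={0})";
    static final String ROLES_CTX = "dc=syg,dc=sygin,dc=com";
    static final String ROLE_FILTER = "(member={1})";
    static final String ROLE_ATTR = "CN";

    /** Simple bind with the given DN and password, the same mechanism the module uses. */
    static LdapContext bind(String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws Exception {
        String user = args[0];      // sAMAccountName, e.g. kternes
        String password = args[1];  // the password the login form would submit

        // Step 1: service-account bind (bindDN / bindCredential).
        LdapContext admin = bind(BIND_DN, BIND_PW);
        System.out.println("step 1 ok: bound as " + BIND_DN);

        // Step 2: find the user's DN with baseFilter under baseCtxDN. Passing the user name as
        // a filter argument lets JNDI escape it instead of splicing it into the filter string.
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String userDn = null;
        NamingEnumeration<SearchResult> users =
                admin.search(BASE_CTX, BASE_FILTER, new Object[]{user}, sc);
        try {
            if (users.hasMore()) userDn = users.next().getNameInNamespace();
        } catch (PartialResultException e) {
            System.out.println("step 2: referral hit before a match (PartialResultException)");
        }
        if (userDn == null) { System.out.println("step 2 FAILED: user not found"); return; }
        System.out.println("step 2 ok: " + userDn);

        // Step 3: bind as the user with the submitted password. This is the real credential check.
        try {
            bind(userDn, password).close();
            System.out.println("step 3 ok: user bind succeeded");
        } catch (NamingException e) {
            System.out.println("step 3 FAILED: user bind rejected: " + e.getMessage());
            return;
        }

        // Step 4: role search with roleFilter under rolesCtxDN; {1} is the user DN from step 2.
        // With AD and referral=ignore (the JNDI default) hasMore() can throw
        // PartialResultException only after every real group entry has been returned.
        NamingEnumeration<SearchResult> roles =
                admin.search(ROLES_CTX, ROLE_FILTER, new Object[]{userDn}, sc);
        try {
            while (roles.hasMore()) {
                Attribute cn = roles.next().getAttributes().get(ROLE_ATTR);
                System.out.println("step 4 role: " + (cn == null ? "(no " + ROLE_ATTR + ")" : cn.get()));
            }
            System.out.println("step 4 ok");
        } catch (PartialResultException e) {
            System.out.println("step 4 FAILED after the roles above: " + e.getMessage());
        }
        admin.close();
    }
}
```

Run it as `java LdapExtStepCheck kternes '<password>'` from a host that can reach the directory. A step 3 failure means the directory rejected the user's password; a step 4 failure after a list of roles means the credentials were accepted and the role search itself broke, which is worth ruling out before treating the "Bad password" line at face value.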