1 Reply Latest reply on Apr 20, 2010 5:10 PM by kevinternes

    LdapExtLoginModule with AD appears to log in, but then says "bad password"

    kevinternes

      In JBoss AS 5.1.0.GA, I seem to have LdapExtLoginModule configured correctly.  The logs show it identifying my groups but then it finally says "bad password".

      Here is the relevant login-config.xml application-policy.  You may notice that our users are not under cn=Users.  I do not know why our Active Directory is set up this way.


      {code:xml}
      <application-policy name="AppAuthorizedUsers">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                <module-option name="java.naming.provider.url">ldap://amn-sygcdc:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="bindDN">CN=Portal Admin,OU=Users,OU=IS,OU=...</module-option>
                <module-option name="bindCredential">...</module-option>

                <module-option name="baseCtxDN">dc=syg,dc=sygin,dc=com</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>

                <module-option name="rolesCtxDN">dc=syg,dc=sygin,dc=com</module-option>

                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">CN</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleRecursion">0</module-option>

                <module-option name="allowEmptyPasswords">false</module-option>
              </login-module>
          </authentication>
        </application-policy>
      {code}

      And the snip from the web app's web.xml:

      {code:xml}

      <security-constraint>
        <web-resource-collection>
         <web-resource-name>AppAuthorizedUsers</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>POST</http-method>
         <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
         <role-name>APP-Confluence-Users</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>NONE</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/login.html</form-login-page>
           <form-error-page>/login-error.html</form-error-page>
         </form-login-config>
      </login-config>

      <security-role>
        <description>Users authorized to use this application</description>
        <role-name>APP-Confluence-Users</role-name>
      </security-role>

      {code}

      And now what I see in the log when I try to login:

      {noformat}

      2010-04-07 18:57:00,934 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-0.0.0.0-8080-1)  Requested cookie session id is 5BEF3D0AF6D63D5442476F28E265B7C6
      2010-04-07 18:57:00,934 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}
      2010-04-07 18:57:00,934 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-0.0.0.0-8080-1) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
      2010-04-07 18:57:00,934 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-0.0.0.0-8080-1) Security checking request POST /CogMapp/j_security_check
      2010-04-07 18:57:00,935 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-1) Authenticating username 'kternes'
      2010-04-07 18:57:00,935 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) Begin authenticate, username=kternes
      2010-04-07 18:57:00,935 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) Begin isValid, principal:kternes, cache info: null
      2010-04-07 18:57:00,936 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) defaultLogin, principal=kternes
      2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(AppAuthorizedUsers), size=12
      2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(AppAuthorizedUsers), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=baseFilter, value=(sAMAccountName={0})
      name=java.naming.security.authentication, value=simple
      name=allowEmptyPasswords, value=false
      name=roleFilter, value=(member={1})
      name=bindCredential, value=****
      name=bindDN, value=CN=Portal Admin...
      name=java.naming.provider.url, value=ldap://am-sygcdc:389
      name=rolesCtxDN, value=dc=syg,dc=sygin,dc=com
      name=roleRecursion, value=0
      name=roleAttributeIsDN, value=false
      name=baseCtxDN, value=dc=syg,dc=sygin,dc=com
      name=roleAttributeID, value=CN

      2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) initialize
      2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Security domain: AppAuthorizedUsers
      2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) login

      2010-04-07 18:57:01,392 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx SQL+
      2010-04-07 18:57:01,447 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx JDev
      2010-04-07 18:57:01,505 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Information Services
      2010-04-07 18:57:01,559 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx Toad Std
      2010-04-07 18:57:01,616 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Amr HelpDesk
      2010-04-07 18:57:01,675 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle Developer
      2010-04-07 18:57:01,732 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle Users - US
      2010-04-07 18:57:01,840 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Oracle IS Team, US
      2010-04-07 18:57:01,895 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role IS Development Team
      2010-04-07 18:57:01,949 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx MSVSS
      2010-04-07 18:57:02,003 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role VSS Admins
      2010-04-07 18:57:02,065 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Network Team (R)
      2010-04-07 18:57:02,119 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Server Team (R)
      2010-04-07 18:57:02,174 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Development Team (M)
      2010-04-07 18:57:02,228 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Support Team (M)
      2010-04-07 18:57:02,282 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Data-IS-Oracle Support (M)
      2010-04-07 18:57:02,337 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Home Office Workers U.S
      2010-04-07 18:57:02,391 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role IS Franklin
      2010-04-07 18:57:02,448 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role AMR Ctx Syg IS
      2010-04-07 18:57:02,502 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role OWA Users
      2010-04-07 18:57:02,556 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx Gen App
      2010-04-07 18:57:02,611 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role FRK Ctx MSOff Std
      2010-04-07 18:57:02,665 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Syg VPN Users
      2010-04-07 18:57:02,719 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role APP-Confluence-Users
      2010-04-07 18:57:02,774 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role APP-Confluence-Admins
      2010-04-07 18:57:02,828 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role GEN-SSS-Standards
      2010-04-07 18:57:02,828 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Bad password for username=kternes
      2010-04-07 18:57:02,830 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) abort
      2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) Login failure
      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:597)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
              at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
              at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:619)
      2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) End isValid, false
      2010-04-07 18:57:02,830 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) User: kternes is NOT authenticated
      2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-8080-1) End authenticate, principal=null
      2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,831 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,834 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-0.0.0.0-8080-1) default, runAs: null
      2010-04-07 18:57:02,836 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/CogMapp].[default]] (http-0.0.0.0-8080-1)  Disabling the response for futher output
      2010-04-07 18:57:02,836 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-0.0.0.0-8080-1)  Failed authenticate() test ??/CogMapp/j_security_check
      2010-04-07 18:57:02,836 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
      2010-04-07 18:57:02,836 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null

      {noformat}

      According to the LdapExtLoginModule docs, it is not supposed to query for the associated user roles unless the authentication is successful.

      Can anyone suggest a fix?
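To make the option semantics in the post's application-policy concrete, here is an added Python model of the lookup sequence those options describe (service bind with bindDN, user lookup with baseFilter and {0}, user bind with the submitted password, then the role search with roleFilter and {1}, roleAttributeID, roleAttributeIsDN and roleRecursion). It is example code written for this page, not JBoss's LdapExtLoginModule; the in-memory directory, DNs, names and passwords are constructed, and the `name` default used for roleNameAttributeID is an assumption.

```python
import re


class LdapError(Exception):
    """Stands in for the NamingException the real module sees from JNDI."""


# Constructed in-memory directory for this example; the DNs, names and passwords
# are invented and are not the poster's Active Directory.
DIRECTORY = {
    "CN=Portal Admin,OU=Service,DC=example,DC=test": {
        "objectClass": ["user"], "sAMAccountName": ["portaladmin"],
        "userPassword": ["svc-secret"],
    },
    "CN=K Ternes,OU=Staff,OU=IS,DC=example,DC=test": {
        "objectClass": ["user"], "sAMAccountName": ["kternes"],
        "userPassword": ["user-secret"],
    },
    "CN=APP-Confluence-Users,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"], "CN": ["APP-Confluence-Users"],
        "member": ["CN=K Ternes,OU=Staff,OU=IS,DC=example,DC=test"],
    },
    "CN=IS Development Team,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"], "CN": ["IS Development Team"],
        # nested group: its only member is the APP-Confluence-Users group itself
        "member": ["CN=APP-Confluence-Users,OU=Groups,DC=example,DC=test"],
    },
}

# Same option names as the post's login-config.xml, pointed at the toy directory.
OPTIONS = {
    "bindDN": "CN=Portal Admin,OU=Service,DC=example,DC=test",
    "bindCredential": "svc-secret",
    "baseCtxDN": "DC=example,DC=test",
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "DC=example,DC=test",
    "roleFilter": "(member={1})",
    "roleAttributeID": "CN",
    "roleAttributeIsDN": "false",
    "roleRecursion": "0",
    "allowEmptyPasswords": "false",
}


def _attrs(entry):
    """LDAP attribute names are case-insensitive; normalise them to lower case."""
    return {k.lower(): v for k, v in entry.items()}


def bind(dn, password):
    """Simple bind: the entry must exist and hold the password. An empty password
    is rejected because a real server would treat it as an anonymous bind."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password or password not in _attrs(entry).get("userpassword", []):
        raise LdapError("invalid credentials for " + dn)


def search(base_dn, filter_expr):
    """Subtree search supporting the one filter shape the post uses: (attr=value)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filter_expr)
    if not m:
        raise LdapError("unsupported filter " + filter_expr)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        attrs = _attrs(entry)
        if any(v.lower() == wanted for v in attrs.get(attr, [])):
            hits.append((dn, attrs))
    return hits


def role_search(subject_dn, username, opts, depth=0):
    """Resolve roles for subject_dn: {1} in roleFilter is the DN, {0} the user name."""
    roles = []
    flt = opts["roleFilter"].replace("{0}", username).replace("{1}", subject_dn)
    for group_dn, attrs in search(opts["rolesCtxDN"], flt):
        for value in attrs.get(opts["roleAttributeID"].lower(), []):
            if opts.get("roleAttributeIsDN", "false") == "true":
                # value is the DN of a role entry: read its name attribute instead
                name_attr = opts.get("roleNameAttributeID", "name").lower()  # default assumed
                roles.extend(_attrs(DIRECTORY.get(value, {})).get(name_attr, []))
            else:
                roles.append(value)  # roleAttributeIsDN=false: the value is the role name
        if depth < int(opts.get("roleRecursion", "0")):
            # nested groups: repeat the search with the group's own DN as {1}
            roles.extend(role_search(group_dn, username, opts, depth + 1))
    return roles


def ldap_ext_login(username, password, opts=OPTIONS):
    """Return (authenticated, roles, user_dn) in the documented order: service
    bind, user lookup, user bind, and only then the role search."""
    if password == "" and opts.get("allowEmptyPasswords", "false") != "true":
        return False, [], None
    bind(opts["bindDN"], opts["bindCredential"])                 # 1. service bind
    hits = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(hits) != 1:                                           # 2. exactly one user
        return False, [], None
    user_dn = hits[0][0]
    try:
        bind(user_dn, password)                                  # 3. user bind
    except LdapError:
        return False, [], user_dn
    return True, role_search(user_dn, username, opts), user_dn   # 4. roles


if __name__ == "__main__":
    for pw in ("user-secret", "wrong", ""):
        print(pw or "<empty>", "->", ldap_ext_login("kternes", pw))
    print("nested ->", ldap_ext_login("kternes", "user-secret", dict(OPTIONS, roleRecursion="1")))
```

In this model a failed user bind returns before any role is resolved, which is the behaviour the poster expects from the documentation; the model deliberately does not try to reproduce whatever produces the post's "Bad password" after the roles have been assigned. Raising roleRecursion to 1 shows why the post's setting of 0 leaves nested group memberships out.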
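When a TRACE log like the one above runs to hundreds of lines, it helps to reduce each login attempt to its outcome and the point at which it failed. The script below is an added example, not part of the post: it parses lines in the format shown above, groups them per request thread, and flags the pattern the poster describes (roles resolved, then `End isValid, false`) separately from a plain failed bind (failure with no roles resolved). The sample log lines are constructed to mimic the post's format; the flag names and the triage heuristic are this example's own.

```python
import re

# Header shape shared by every JBoss line in the post: timestamp, level, [logger], (thread), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<logger>.+?)\] \((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r"Authenticating username '(?P<user>[^']+)'")
ROLE_RE = re.compile(r"Assign user to role (?P<role>.+)$")
VALID_RE = re.compile(r"End isValid, (?P<ok>true|false)")
EXC_RE = re.compile(r"^(?P<exc>[\w.]+Exception): (?P<detail>.*)$")

# Constructed sample in the post's format: the poster's pattern on thread -1,
# a successful login on thread -2, and a plain wrong password on thread -3.
SAMPLE_LOG = """\
2010-04-07 18:57:00,935 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-1) Authenticating username 'kternes'
2010-04-07 18:57:00,936 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) login
2010-04-07 18:57:01,392 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role Information Services
2010-04-07 18:57:02,719 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Assign user to role APP-Confluence-Users
2010-04-07 18:57:02,828 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) Bad password for username=kternes
2010-04-07 18:57:02,830 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) abort
2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
2010-04-07 18:57:02,830 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-1) End isValid, false
2010-04-07 18:58:10,100 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-2) Authenticating username 'jdoe'
2010-04-07 18:58:10,101 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-2) login
2010-04-07 18:58:10,400 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-2) Assign user to role APP-Confluence-Users
2010-04-07 18:58:10,450 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-2) End isValid, true
2010-04-07 18:59:01,000 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-0.0.0.0-8080-3) Authenticating username 'kternes'
2010-04-07 18:59:01,001 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-3) login
2010-04-07 18:59:01,300 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-3) Bad password for username=kternes
2010-04-07 18:59:01,301 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.AppAuthorizedUsers] (http-0.0.0.0-8080-3) End isValid, false
"""


def parse_line(line):
    """Split one log line into its fields, or None for continuation/stack-trace lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _flags(attempt):
    """Triage heuristic (this example's own): where in the sequence did the attempt fail?"""
    if attempt["outcome"] == "failed" and attempt["roles"]:
        return ["roles-resolved-before-failure"]   # the post's symptom
    if attempt["outcome"] == "failed":
        return ["failed-before-role-search"]       # ordinary bad credentials
    return []


def triage(lines):
    """Return one record per login attempt, in the order the attempts finished."""
    results, current, last_thread = [], {}, None
    for raw in lines:
        line = raw.rstrip()
        rec = parse_line(line)
        if rec is None:
            # exception line printed without a header: attach it to the thread last seen
            m = EXC_RE.match(line.strip())
            if m and last_thread in current:
                current[last_thread]["exception"] = m.group("exc")
            continue
        thread, msg = rec["thread"], rec["msg"]
        last_thread = thread
        m = USER_RE.search(msg)
        if m:  # a new attempt starts on this thread
            current[thread] = {"thread": thread, "user": m.group("user"), "roles": [],
                               "outcome": "unknown", "exception": None, "flags": []}
            continue
        attempt = current.get(thread)
        if attempt is None:
            continue  # noise outside any login attempt
        m = ROLE_RE.search(msg)
        if m:
            attempt["roles"].append(m.group("role"))
            continue
        m = VALID_RE.search(msg)
        if m:  # JaasSecurityManagerBase reports the final verdict here
            attempt["outcome"] = "ok" if m.group("ok") == "true" else "failed"
            attempt["flags"] = _flags(attempt)
            results.append(current.pop(thread))
    return results


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(a["thread"], a["user"], a["outcome"], len(a["roles"]), "roles", a["exception"], a["flags"])
```

Run it over a real server.log by passing the file's lines to `triage`; attempts whose thread never reaches `End isValid` stay open and are not reported, so a truncated capture should be widened until the verdict line is included.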