JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
sellis1 Apr 12, 2010 12:07 PM

I have a JBoss 5.1.0 GA instance where I'm trying to use an encrypted password with a JaasSecurityDomain and I'm getting an incorrect password error message. If I remove the jaasSecurityDomain module-option from my login-config.xml and I specify a plaintext password, the login process works fine. I have the same setup in JBoss 4.0.5 with a JaasSecurityDomain working without any problems. Is there anything different required with JBoss 5.1.0 to use an encrypted binding password? I've already verified that server.password exists and is the same file that I was using in JBoss 4.0.5. Thanks.

login-config.xml:
<application-policy name="MyRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://virtualad:389</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=MyDomain</module-option>
      <module-option name="bindDN">psu@sandbox.local</module-option>
      <module-option name="bindCredential">2NUTSBGQTEkjW5g6.0CjGz</module-option>
      <module-option name="baseCtxDN">ou=Accounts,dc=sandbox,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Accounts,dc=sandbox,dc=local</module-option>
      <module-option name="roleFilter"><![CDATA[(&(objectclass=group)(member={1}))]]></module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
                  flag="optional">
      <module-option name="rolesProperties">roleMappings.properties</module-option>
      <module-option name="replaceRole">false</module-option>
    </login-module>
  </authentication>
</application-policy>

jboss-service.xml:
<!-- My JaasSecurityDomain -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=MyDomain">
  <constructor>
    <arg type="java.lang.String" value="MyDomain"></arg>
  </constructor>
  <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
  <attribute name="Salt">abcdefgh</attribute>
  <attribute name="IterationCount">13</attribute>
</mbean>

security.log:
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=roleNameAttributeID, value=cn
name=roleFilter, value=(&(objectclass=group)(member={1}))
name=baseFilter, value=(sAMAccountName={0})
name=allowEmptyPasswords, value=false
name=bindCredential, value=****
name=bindDN, value=psu@sandbox.local
name=java.naming.provider.url, value=ldap://virtualad:389
name=roleAttributeID, value=cn
name=baseCtxDN, value=ou=Accounts,dc=sandbox,dc=local
name=roleAttributeIsDN, value=true
name=rolesCtxDN, value=ou=Accounts,dc=sandbox,dc=local
name=jaasSecurityDomain, value=jboss.security:service=JaasSecurityDomain,domain=MyDomain
[1]
LoginModule Class: org.jboss.security.auth.spi.RoleMappingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=rolesProperties, value=roleMappings.properties
name=replaceRole, value=false
2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize
2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Security domain: MyRealm
2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
2010-04-12 10:37:38,040 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=psu
2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] initialize
2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] Security domain: MyRealm
2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] login
2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] abort
2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] abort
2010-04-12 10:37:38,040 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.MyRealm] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)