Hi Peter
yes, I've now also set the logging for "org.jboss.security.auth", and I get the same information I had already obtained earlier by directing ALL security log output to a new console appender, as described at the bottom of http://www.techienuggets.com/Comments?tx=69337.
The trace output I'll give at the end of this post. It seems that either JBoss can't perform an ldapsearch (whereas this is possible with Java code) or JBoss can't retrieve the correct password from the LDAP server.
In order to be sure that the configured certificates are also read, I first switched on the handshake debugging by adding
JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"
in run.conf
And second, I explicitly specified the location of the truststore, which in my case is /etc/java-6-sun/security/cacerts because I added the generated SSL certificate to this file with keytool, by also adding the line
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/java-6-sun/security/cacerts"
in the file run.conf
Because I haven't changed the default trustStorePassword, I haven't added the line
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
But when I did, it didn't change the behaviour: it still doesn't work, i.e. the authentication via LdapExtLoginModule fails.
The SSL handshake at least works with the LdapLoginModule, because in the latter case the authentication via LDAP works.
I'm not sure if the problem with the LdapExtLoginModule might be a bug in the JBoss version used, which is jboss-5.1.0.GA/
And below now follows the TRACE of "org.jboss.security.auth". But I can't see any real hint, besides it saying bad password for <username>:
2010-11-24 16:33:44,527 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}
2010-11-24 16:33:44,529 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
2010-11-24 16:33:44,529 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
2010-11-24 16:33:44,594 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:{}
2010-11-24 16:33:44,622 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8443-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2010-11-24 16:33:44,708 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:null
2010-11-24 16:33:44,708 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:null
2010-11-24 16:33:55,959 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:{}
2010-11-24 16:33:55,970 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.jbossmq] (http-0.0.0.0-8443-1) Begin isValid, principal:shenz, cache info: null
2010-11-24 16:33:55,972 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.jbossmq] (http-0.0.0.0-8443-1) defaultLogin, principal=shenz
2010-11-24 16:33:55,976 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8443-1) Begin getAppConfigurationEntry(jbossmq), size=12
2010-11-24 16:33:55,984 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8443-1) End getAppConfigurationEntry(jbossmq), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(uid={0})
name=java.naming.security.authentication, value=simple
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=allowEmptyPasswords, value=false
name=bindCredential, value=****
name=bindDN, value=uid=uid=queryAccount,ou=<department>,ou=users,dc=company,dc=de
name=java.naming.provider.url, value=ldap://<ldapServer>:636/
name=searchTimeLimit, value=5000
name=java.naming.security.protocol, value=ssl
name=baseCtxDN, value=ou=users,dc=company,dc=de
name=debug, value=true
name=searchScope, value=SUBTREE_SCOPE
2010-11-24 16:33:55,996 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8443-1) initialize
2010-11-24 16:33:55,997 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8443-1) Security domain: jbossmq
2010-11-24 16:33:55,997 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8443-1) login
2010-11-24 16:33:56,168 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8443-1) Bad password for username=<username>
2010-11-24 16:33:56,168 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8443-1) abort
2010-11-24 16:33:56,168 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.jbossmq] (http-0.0.0.0-8443-1) Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:662)
2010-11-24 16:33:56,171 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.jbossmq] (http-0.0.0.0-8443-1) End isValid, false
2010-11-24 16:33:56,172 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:null
2010-11-24 16:33:56,172 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8443-1) Setting threadlocal:null
Any more clue?
Thanks and best wishes,
Stefan
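The trace above prints the login module's options, and the bindDN value reads uid=uid=queryAccount,..., an RDN with a doubled attribute name. As an added example (not part of this thread or of JBoss), here is a small Python checker that pulls the "name=..., value=..." option lines out of such a TRACE dump and flags DNs whose RDNs are not a single attr=value pair; the host ldap.example and ou=dept are constructed placeholders.

```python
import re

# Constructed excerpt modelled on the JBoss LdapExtLoginModule TRACE output
# (host name and department are placeholders, not values from the thread).
TRACE = """\
Options:
name=baseFilter, value=(uid={0})
name=java.naming.security.authentication, value=simple
name=bindDN, value=uid=uid=queryAccount,ou=dept,ou=users,dc=company,dc=de
name=java.naming.provider.url, value=ldap://ldap.example:636/
name=java.naming.security.protocol, value=ssl
name=baseCtxDN, value=ou=users,dc=company,dc=de
"""

OPTION_RE = re.compile(r"^name=([^,]+), value=(.*)$")

def parse_options(trace):
    """Collect the 'name=<key>, value=<val>' lines of a TRACE dump into a dict."""
    opts = {}
    for line in trace.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def dn_problems(dn):
    """Return a problem per RDN that is not exactly one 'attr=value' pair.

    Splitting on '=' catches a doubled attribute name such as 'uid=uid=x'
    (three parts) as well as an empty attribute or value.
    """
    problems = []
    for rdn in dn.split(","):
        parts = rdn.split("=")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            problems.append(f"malformed RDN {rdn!r}")
    return problems

def check_login_module(trace):
    """Run the DN checks over bindDN/baseCtxDN and verify the {0} placeholder."""
    opts = parse_options(trace)
    findings = []
    for key in ("bindDN", "baseCtxDN"):
        if key in opts:
            findings += [f"{key}: {p}" for p in dn_problems(opts[key])]
    if "{0}" not in opts.get("baseFilter", ""):
        findings.append("baseFilter: missing {0} username placeholder")
    return findings

if __name__ == "__main__":
    for finding in check_login_module(TRACE):
        print(finding)
```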