8 Replies Latest reply on Nov 1, 2011 11:01 AM by jlanik

    LDAP login

    jlanik

      Hi,

      I want to create a simple demo application which would execute an LDAP based login. However, whatever I do, the user is not logged in after providing the correct password.

      The application (eclipse maven project) is added. The deployment is done by 'mvn package' and copying the .war file to the deployments folder in the AS7 installation.

      The security domain configuration in standalone.xml follows:

       

      <security-domain name="ldap-login-module">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                  <module-option name="baseFilter" value="(uid={0})"/>
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="roleFilter" value="(member={1})"/>
                  <module-option name="bindCredential" value="secret"/>
                  <module-option name="bindDN" value="uid=admin,ou=system"/>
                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389/"/>
                  <module-option name="rolesCtxDN" value="ou=groups,ou=system"/>
                  <module-option name="baseCtxDN" value="ou=users,ou=system"/>
                  <module-option name="debug" value="true"/>
                  <module-option name="roleAttributeID" value="cn"/>
              </login-module>
          </authentication>
      </security-domain>

       

      The LDAP server (ApacheDS) runs on localhost:10389 and contains the following objects:


      dn: ou=groups,ou=system
      objectClass: organizationalUnit
      objectClass: top
      ou: groups

      dn: cn=Administrators,ou=groups,ou=system
      objectClass: groupOfUniqueNames
      objectClass: top
      cn: Administrators
      uniqueMember: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system

      dn: cn=gooduser,ou=groups,ou=system
      objectClass: groupOfNames
      objectClass: top
      cn: gooduser
      member: uid=anil,ou=users,ou=system

      dn: cn=superuser,ou=groups,ou=system
      objectClass: groupOfNames
      objectClass: top
      cn: superuser
      member: uid=marcus,ou=users,ou=system

      dn: ou=users,ou=system
      objectClass: organizationalUnit
      objectClass: top
      ou: users

      dn: uid=anil,ou=users,ou=system
      objectClass: organizationalPerson
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: top
      cn: anil
      sn: anil
      uid: anil

      dn: uid=marcus,ou=users,ou=system
      objectClass: organizationalPerson
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: top
      cn: marcus
      sn: marcus
      uid: marcus
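      As an added illustration (not code from the original post, and not PicketBox itself), the following Python models the lookups LdapExtLoginModule performs with the module options above against an in-memory copy of the posted LDIF: {0} in baseFilter is the login name, {1} in roleFilter is the user DN found by the first search, and the user's own bind is the step that a wrong password fails. The passwords are constructed, since the post shows no userPassword attributes; the last call shows that the Administrators group, which lists its members in uniqueMember, is never matched by a (member={1}) roleFilter.

```python
# Added example, not code from the original post or from PicketBox.
# It models what LdapExtLoginModule does with the posted module-options:
# search baseCtxDN with baseFilter ({0} = login name) to find the user DN,
# bind as that DN with the supplied password, then search rolesCtxDN with
# roleFilter ({1} = user DN) and read roleAttributeID from each match.

# Constructed in-memory copy of the entries listed in the post (OUs omitted).
DIRECTORY = {
    "cn=Administrators,ou=groups,ou=system": {
        "objectClass": ["groupOfUniqueNames", "top"], "cn": ["Administrators"],
        "uniqueMember": ["0.9.2342.19200300.100.1.1=admin,2.5.4.11=system"]},
    "cn=gooduser,ou=groups,ou=system": {
        "objectClass": ["groupOfNames", "top"], "cn": ["gooduser"],
        "member": ["uid=anil,ou=users,ou=system"]},
    "cn=superuser,ou=groups,ou=system": {
        "objectClass": ["groupOfNames", "top"], "cn": ["superuser"],
        "member": ["uid=marcus,ou=users,ou=system"]},
    "uid=anil,ou=users,ou=system": {"uid": ["anil"], "cn": ["anil"], "sn": ["anil"]},
    "uid=marcus,ou=users,ou=system": {"uid": ["marcus"], "cn": ["marcus"], "sn": ["marcus"]},
}
# Constructed passwords; the post does not show any userPassword attributes.
PASSWORDS = {"uid=anil,ou=users,ou=system": "anil-pw",
             "uid=marcus,ou=users,ou=system": "marcus-pw"}

# Module options copied from the posted security domain.
OPTS = {"baseCtxDN": "ou=users,ou=system", "baseFilter": "(uid={0})",
        "rolesCtxDN": "ou=groups,ou=system", "roleFilter": "(member={1})",
        "roleAttributeID": "cn"}

def search(base_dn, filt):
    """Subtree search that understands a single equality filter '(attr=value)'."""
    attr, value = filt[1:-1].split("=", 1)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in entry.get(attr, [])]

def ldap_ext_login(username, password, opts=OPTS):
    """Return {'dn', 'roles'} on success, None where the module would fail the login."""
    matches = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(matches) != 1:
        return None                        # no (or ambiguous) user entry under baseCtxDN
    user_dn = matches[0]
    if PASSWORDS.get(user_dn) != password:
        return None                        # the bind as user_dn would be rejected
    role_filter = opts["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    groups = search(opts["rolesCtxDN"], role_filter)
    roles = sorted({DIRECTORY[g][opts["roleAttributeID"]][0] for g in groups})
    return {"dn": user_dn, "roles": roles}

if __name__ == "__main__":
    print(ldap_ext_login("anil", "anil-pw"))   # roles: ['gooduser']
    # Administrators uses uniqueMember, so a member= roleFilter never grants it.
    print(ldap_ext_login("anil", "anil-pw", dict(OPTS, roleFilter="(uniqueMember={1})")))
```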

        • 1. Re: LDAP login
          jlanik

          So, I'd like to ask if there is a problem in my configuration or should I report it as a bug.

          • 2. Re: LDAP login
            jaikiran

            Have you tried enabling TRACE level logs of security and seeing what's going on?

            • 3. Re: LDAP login
              jlanik

              I did, but there is nothing useful in the log:


              10:18:42,492 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying JDBC-compliant driver class org.h2.Driver (version 1.2)
              10:18:42,562 INFO  [org.jboss.as.clustering.infinispan.subsystem] (Controller Boot Thread) Activating Infinispan subsystem.
              10:18:42,792 INFO  [org.jboss.as.naming] (Controller Boot Thread) JBAS011800: Activating Naming Subsystem
              10:18:42,831 INFO  [org.jboss.as.naming] (MSC service thread 1-1) JBAS011802: Starting Naming Service
              10:18:42,887 INFO  [org.jboss.as.osgi] (Controller Boot Thread) JBAS011910: Activating OSGi Subsystem
              10:18:42,942 INFO  [org.jboss.as.security] (Controller Boot Thread) Activating Security Subsystem
              10:18:42,962 INFO  [org.jboss.remoting] (MSC service thread 1-5) JBoss Remoting version 3.2.0.Beta2
              10:18:43,052 INFO  [org.xnio] (MSC service thread 1-5) XNIO Version 3.0.0.Beta3
              10:18:43,071 INFO  [org.xnio.nio] (MSC service thread 1-5) XNIO NIO Implementation Version 3.0.0.Beta3
              10:18:43,417 INFO  [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-7) The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/Software/jdk1.6.0_24/jre/lib/i386/server:/opt/Software/jdk1.6.0_24/jre/lib/i386:/opt/Software/jdk1.6.0_24/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
              10:18:43,420 INFO  [org.jboss.as.jmx.JMXConnectorService] (MSC service thread 1-8) Starting remote JMX connector
              10:18:43,424 INFO  [org.jboss.as.ee] (Controller Boot Thread) Activating EE subsystem
              10:18:43,431 INFO  [org.jboss.as.remoting] (MSC service thread 1-5) Listening on /127.0.0.1:9999
              10:18:43,752 INFO  [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-7) Starting Coyote HTTP/1.1 on http--127.0.0.1-8080
              10:18:43,808 INFO  [org.jboss.as.connector] (MSC service thread 1-7) Starting JCA Subsystem (JBoss IronJacamar 1.0.3.Final)
              10:18:43,903 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) Bound data source [java:jboss/datasources/ExampleDS]
              10:18:44,746 INFO  [org.jboss.as.deployment] (MSC service thread 1-2) Started FileSystemDeploymentService for directory /opt/AS7/instances/jboss-as-7.0.2.Final/standalone/deployments
              10:18:44,774 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS 7.0.2.Final "Arc" started in 8786ms - Started 96 of 151 services (55 services are passive or on-demand)
              10:18:44,787 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) Starting deployment of "ldap-login-demo.war"
              10:18:45,278 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) added javax.persistence.api dependency to ldap-login-demo.war
              10:18:45,299 INFO  [org.jboss.weld] (MSC service thread 1-1) Processing CDI deployment: ldap-login-demo.war
              10:18:45,733 INFO  [org.jboss.weld] (MSC service thread 1-8) Starting Services for CDI deployment: ldap-login-demo.war
              10:18:45,769 INFO  [org.jboss.weld.Version] (MSC service thread 1-8) WELD-000900 1.1.2 (Final)
              10:18:45,813 INFO  [org.jboss.weld] (MSC service thread 1-7) Starting weld service
              10:18:46,092 INFO  [org.jboss.seam.solder.Version] (MSC service thread 1-7) Seam Solder null (build id: null)
              10:18:46,426 INFO  [org.jboss.seam.solder.core.CoreExtension] (MSC service thread 1-7) Preventing class org.jboss.seam.solder.core.VersionLoggerUtil from being installed as bean due to @Veto annotation
              10:18:46,656 INFO  [org.jboss.seam.solder.core.CoreExtension] (MSC service thread 1-7) Preventing class org.jboss.seam.solder.resourceLoader.ResourceProvider from being installed as bean due to @Veto annotation
              10:18:47,482 INFO  [org.jboss.web] (MSC service thread 1-5) registering web context: /ldap-login-demo
              10:18:47,525 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "ldap-login-demo.war"
              10:20:06,731 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
                  at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252) [picketbox-4.0.1.jar:4.0.1]
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                  at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [:1.6.0_24]
                  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_24]
                  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_24]
                  at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
                  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_24]
                  at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_24]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.1.jar:4.0.1]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154) [picketbox-infinispan-4.0.1.jar:4.0.1]
                  at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:127) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
                  at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:372) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
                  at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

              10:20:14,124 INFO  [org.jboss.as.osgi] (MSC service thread 1-3) JBAS011921: Stopping OSGi Framework

              • 4. Re: LDAP login
                jlanik

                I'm adding standalone.xml to provide more info about configuration.

                • 5. Re: LDAP login
                  simas_ch

                  You have not enabled TRACE as jaikiran proposed.

                   

                  You have to add a logger for org.jboss.security with level TRACE.

                  Then you can see what happens with LDAP.

                  • 6. Re: LDAP login
                    jlanik

                    Sorry. I uploaded the wrong file in the last comment. It should be ok now.

                    This is how logging for org.jboss.security is done in my config file:

                    <profile>
                        <subsystem xmlns="urn:jboss:domain:logging:1.1">
                        ...
                            <logger category="org.jboss.security">
                                <level name="TRACE"/>
                            </logger>
                        ...

                    Is there something wrong about that? The full config file is now attached to my previous comment.

                    • 7. Re: LDAP login
                      jaikiran

                      There's a bit more to do, especially changing the log level of the FILE appender http://community.jboss.org/message/617658#617658

                      • 8. Re: LDAP login
                        jlanik

                        Thanks a lot.