6 Replies Latest reply on Oct 17, 2012 9:25 AM by greco

    LDAP/AD authentication failing for users with comma in CN.

    greco

      I'm currently connecting to an Active Directory for user authentication.  When I authenticate against a user with a simple CN, no spaces or commas, the authentication is successful and the groups are retrieved accordingly. If I attempt to connect to a user that has a comma or a space in their CN I get the following error:

      09:16:35,544 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252) [picketbox-4.0.1.jar:4.0.1]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.7.0]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [:1.7.0]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [:1.7.0]
          at java.lang.reflect.Method.invoke(Method.java:601) [:1.7.0]
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [:1.7.0]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [:1.7.0]
          at java.security.AccessController.doPrivileged(Native Method) [:1.7.0]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [:1.7.0]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [:1.7.0]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.1.jar:4.0.1]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154) [picketbox-infinispan-4.0.1.jar:4.0.1]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:127) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:372) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
          at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:49) [jboss-as-jpa-7.0.2.Final.jar:7.0.2.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
          at java.lang.Thread.run(Thread.java:722) [:1.7.0]

      This same issue was also present on Glassfish (the platform I am coming from), re: http://java.net/jira/browse/GLASSFISH-4769.

      Has anyone else encountered this issue before and if so what was the solution? Is there a fix planned for this? We are using the JBoss AS 7.0.2 certified web profile version.

       

      Thanks.

        • 1. Re: LDAP/AD authentication failing for users with comma in CN.
          jaikiran

          The stack trace you posted doesn't show any reference to the LDAP login module. Instead it's showing a reference to the username login module, which is based on the users.properties and roles.properties files.

          • 2. Re: LDAP/AD authentication failing for users with comma in CN.
            greco

            The org.jboss.security.auth.spi.LdapLoginModule extends org.jboss.security.auth.spi.UsernamePasswordLoginModule. Here is my security-domain configuration.

            <subsystem xmlns="urn:jboss:domain:security:1.0">
                <security-domains>
                    <security-domain name="other" cache-type="default">
                        <authentication>
                            <login-module code="Disabled" flag="required"/>
                        </authentication>
                    </security-domain>
                    <security-domain name="XXXXXXXSecurity">
                        <authentication>
                            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                                <module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:636/"/>
                                <module-option name="matchOnUserDN" value="false"/>
                                <module-option name="principalDNPrefix" value="CN="/>
                                <module-option name="principalDNSuffix" value=",OU=Users,OU=xxxxxxx,DC=xxxxxxxx,DC=com"/>
                                <module-option name="uidAttributeID" value="sAMAccountName"/>
                                <module-option name="rolesCtxDN" value="OU=Users,OU=xxxxxxxxx,DC=xxxxxxxx,DC=com"/>
                                <module-option name="roleAttributeID" value="memberOf"/>
                                <module-option name="roleAttributeIsDN" value="true"/>
                                <module-option name="roleNameAttributeID" value="name"/>
                                <module-option name="bindDN" value="CN=xxxxxxx,OU=xxxxxxx,OU=xxxxxxxx,DC=xxxxxxxx,DC=com"/>
                                <module-option name="bindCredential" value="xxxxxxxxxxxx"/>
                            </login-module>
                            <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
                                <module-option name="rolesProperties" value="${jboss.server.config.dir}/XXXXXXXRoles.properties"/>
                                <module-option name="replaceRole" value="true"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                </security-domains>
            </subsystem>

            Accounts that do not have commas in the CN get authenticated without any problems.

            • 3. Re: LDAP/AD authentication failing for users with comma in CN.
              greco

              Anybody have an answer?

              • 4. Re: LDAP/AD authentication failing for users with comma in CN.
                steffenwollscheid

                If any part of a distinguished name has a comma or a space in it, this must be escaped in the string representation. See RFC 4514 Section 2.4 and the examples referenced therein. Maybe applying the correct escapes in your bindDN configuration might solve the problem.
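The escaping rule from RFC 4514 section 2.4 that this reply points to is easy to see in action. The following is an added example written for this thread; it is not code from the thread, from JBoss AS or from PicketBox. It models what the LdapLoginModule configuration above does when it builds the user DN as principalDNPrefix + username + principalDNSuffix (the concatenation is an assumption about the module's behaviour inferred from the option names), escapes the RDN value the way the RFC requires, and splits the resulting DN back into RDNs so the difference is visible. The names, the example OU/DC components and the `escape_rdn_value`, `build_principal_dn`, `split_dn` and `dn_is_well_formed` functions are all constructed for this example.

```python
import re

# RFC 4514 section 2.4: these characters must be escaped anywhere inside an
# attribute value when a DN is written in its string form.
_SPECIAL_ANYWHERE = set(',+"\\<>;')

# Regex for a minimally well-formed RDN in string form: an attribute type
# followed by '=' and a non-empty value (constructed for this example).
_RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514 2.4).

    Backslash-escapes the special characters, a leading '#', a leading or
    trailing space, and renders NUL as the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL_ANYWHERE:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def build_principal_dn(prefix: str, cn: str, suffix: str, escape: bool = True) -> str:
    """Assemble prefix + CN + suffix, mirroring principalDNPrefix/principalDNSuffix.

    With escape=False the CN is pasted in verbatim, which is the failure mode
    discussed in this thread for a CN such as "Smith, John".
    """
    value = escape_rdn_value(cn) if escape else cn
    return prefix + value + suffix


def split_dn(dn: str) -> list:
    """Split a DN string into its RDN strings, honouring backslash escapes.

    Only the unquoted RFC 4514 form is handled; an escaped pair such as "\\,"
    is kept with its RDN rather than treated as a separator.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


def dn_is_well_formed(dn: str) -> bool:
    """True when every RDN of the DN has the shape type=value."""
    return all(_RDN_RE.match(rdn) for rdn in split_dn(dn))


if __name__ == "__main__":
    # Constructed sample: a user whose AD "Full Name" (CN) contains a comma.
    suffix = ",OU=Users,OU=example,DC=example,DC=com"
    naive = build_principal_dn("CN=", "Smith, John", suffix, escape=False)
    safe = build_principal_dn("CN=", "Smith, John", suffix)
    for label, dn in (("unescaped", naive), ("escaped", safe)):
        print(f"{label}: {dn}")
        print("  RDNs:", split_dn(dn), "well-formed:", dn_is_well_formed(dn))
```

Run stand-alone, the unescaped DN splits into five RDNs, the second of which is the bare fragment " John" with no attribute type, so the directory cannot resolve the entry and the bind fails; the escaped DN splits into the four RDNs the entry actually has. A CN such as "John Smith" survives both paths because an interior space needs no escaping, which matches the behaviour described later in the thread. A login module that searches for the user by sAMAccountName and then binds with the DN the directory returns sidesteps the problem entirely, since it never builds the DN from string pieces.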

                • 5. Re: LDAP/AD authentication failing for users with comma in CN.
                  greco

                  The issue is not with my bindDN. My connection to the AD is fine. It has to deal with the users in the domain in AD. I believe, more precisely, it has to do with the Full Name when creating an entry in the AD. If the Full Name has a comma in it, such as "Smith, John", when JBoss tries to authenticate against it the comma is causing an issue and the authentication fails. If the Full Name is "John Smith" or "Smith" the authentication works fine.

                  The first picture shows an account that will not authenticate, where the second one will authenticate correctly.

                  AD1.png

                  AD2.png

                  • 6. Re: LDAP/AD authentication failing for users with comma in CN.
                    greco

                    Switching to LdapExtLoginModule solves the issue. JBoss AS documentation should reflect that AD requires the LdapExtLoginModule.

                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="java.naming.provider.url" value="ldaps://172.30.106.110:636/"/>
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="bindDN" value="CN=xxxxxx,OU=Builtin,OU=xxxxxx,DC=xxxxxx,DC=com"/>
                            <module-option name="bindCredential" value="xxxxxx"/>
                            <module-option name="baseCtxDN" value="OU=xxxxxx,DC=xxxxxx,DC=com"/>
                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                            <module-option name="rolesCtxDN" value="OU=Users,OU=xxxxxx,DC=xxxxxx,DC=com"/>
                            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                            <module-option name="roleAttributeID" value="memberOf"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <module-option name="roleNameAttributeID" value="CN"/>
                            <module-option name="roleRecursion" value="2"/>
                            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="allowEmptyPasswords" value="false"/>
                            <module-option name="throwValidateError" value="true"/>
                        </login-module>
                        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
                            <module-option name="rolesProperties" value="file://${jboss.server.config.dir}/xxxxxx.properties"/>
                            <module-option name="replaceRole" value="true"/>
                        </login-module>
                    </authentication>