Debugging an Active Directory JAAS configuration
troy.sellers Mar 30, 2009 3:59 AM
Hi All,
I am not sure if this is a SEAM problem or simply a JAAS problem, but will start here.
I am trying to setup AD authentication for a Seam 2.1.1.GA application.
login-config.xml
<application-policy name="activeDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://10.1.128.113/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">binduser@axedev.local</module-option>
      <module-option name="bindCredential">Bindpassword</module-option>
      <module-option name="baseCtxDN">,OU=Test Users,DC=axedev,DC=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <!--
      <module-option name="rolesCtxDN">,OU=Test Users,DC=axedev,DC=local</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      -->
    </login-module>
  </authentication>
</application-policy>
components.xml entry for identity store
<security:identity jaas-config-name="activeDirectory" />
The really strange thing (well, it seems strange to me!) that is happening is that using the Bind User in the application's login form will authenticate, however using a different user will fail.
The bind user is setup in the same OU as three other test users.
Setting debug logging on the security stuff and I get
12:51:20,388 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=User 2 javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
I get no information in this log when I use the Bind User and successfully login.
I am curious if anyone has any tips on how to figure out what is going on here? How is it that the Bind User is the only one that I can actually use to login through the application? This suggests to me that the AD configuration is correct, but that just confuses the issue further when trying to use the user2 credentials. (These have been confirmed to work using Apache Directory Studio.)
I originally tried to set this up as per the JBoss docs, however in this configuration I couldn't even authenticate the bind user.
If someone has a configuration that works for this, or at least a method of debugging where this is failing, I would be most grateful.
Cheers,
Troy
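The following stand-alone JNDI program is an added example for readers of this thread; it is not code from the post or from JBoss. It replays, step by step, the sequence that the bindDN / baseCtxDN / baseFilter options describe (service-account bind, search for the user's entry, then bind as the resolved user DN), so that each step can be tested outside the container and the failing one isolated. Two things worth knowing when reading the result: those three option names are the ones documented for org.jboss.security.auth.spi.LdapExtLoginModule (the plain LdapLoginModule composes the bind name from principalDNPrefix + username + principalDNSuffix instead), and the "data NNN" subcode that Active Directory appends to an LDAP error 49 says why the bind was refused (the post's "data 525" means the name presented to bind did not resolve to an account, not that the password was wrong). The class name AdBindCheck, the command-line argument handling, the use of SUBTREE_SCOPE and the leading comma being dropped from the base DN are this example's assumptions; the server URL, bind DN, base DN and filter are copied from the post.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added diagnostic (not from the thread): replay bind -> search -> user bind against AD. */
public class AdBindCheck {

    // Values taken from the login-config.xml in the post; the leading comma on baseCtxDN is dropped here.
    static final String PROVIDER_URL = "ldap://10.1.128.113/";
    static final String BIND_DN      = "binduser@axedev.local";
    static final String BASE_CTX_DN  = "OU=Test Users,DC=axedev,DC=local";
    static final String BASE_FILTER  = "(sAMAccountName={0})";

    // AD appends "data <hex>" to error-49 messages; this pulls that subcode out.
    static final Pattern AD_DATA = Pattern.compile("data ([0-9a-fA-F]+)");

    /** Simple bind with the given name and password; throws AuthenticationException on refusal. */
    static DirContext bind(String principal, String credential) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return new InitialDirContext(env);
    }

    /** Translate the AD subcode in an error-49 message into its documented meaning. */
    static String explain(AuthenticationException e) {
        Matcher m = AD_DATA.matcher(String.valueOf(e.getMessage()));
        if (!m.find()) return "error 49 without an AD data subcode: " + e.getMessage();
        switch (m.group(1).toLowerCase()) {
            case "525": return "525: user not found (the name given to bind does not resolve to an account)";
            case "52e": return "52e: invalid credentials (account exists, password rejected)";
            case "530": return "530: logon not permitted at this time";
            case "531": return "531: logon not permitted at this workstation";
            case "532": return "532: password expired";
            case "533": return "533: account disabled";
            case "701": return "701: account expired";
            case "773": return "773: user must reset password";
            case "775": return "775: account locked out";
            default:    return m.group(1) + ": unlisted subcode";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: AdBindCheck <bind-password> <sAMAccountName> <user-password>");
            return;
        }
        String bindPassword = args[0], user = args[1], userPassword = args[2];

        // Step 1: service-account bind, exactly as the module does with bindDN/bindCredential.
        DirContext svc;
        try {
            svc = bind(BIND_DN, bindPassword);
            System.out.println("step 1 ok: bound as " + BIND_DN);
        } catch (AuthenticationException e) {
            System.out.println("step 1 failed (service bind): " + explain(e));
            return;
        }

        // Step 2: resolve the user's DN with baseFilter under baseCtxDN.
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        String userDn = null;
        NamingEnumeration<SearchResult> results = svc.search(BASE_CTX_DN, BASE_FILTER, new Object[] {user}, sc);
        if (results.hasMore()) userDn = results.next().getNameInNamespace();
        svc.close();
        if (userDn == null) {
            System.out.println("step 2 failed: no entry under " + BASE_CTX_DN + " matches " + user);
            return;
        }
        System.out.println("step 2 ok: " + userDn);

        // Step 3: bind as the resolved DN. An empty password must be refused here: a simple bind
        // with an empty credential is an anonymous bind, which AD accepts, so it would look like success.
        if (userPassword.isEmpty()) {
            System.out.println("step 3 skipped: empty password would produce an anonymous bind");
            return;
        }
        try {
            bind(userDn, userPassword).close();
            System.out.println("step 3 ok: user bind succeeded");
        } catch (AuthenticationException e) {
            System.out.println("step 3 failed (user bind): " + explain(e));
        }
    }
}
```

Run it as `java AdBindCheck <bind-password> "User 2" <user-password>` from a host that can reach the directory. If step 1 succeeds but step 2 returns no entry, the search base or filter is the problem (a DN beginning with a comma, as in the post's baseCtxDN, is not a valid search base); if step 2 resolves a DN and step 3 reports 52e, the password is being rejected for an existing account, which is a different fault from the 525 seen in the post.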