7 Replies Latest reply on Jul 3, 2012 5:28 PM by rareddy

    LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.

    gamvi01

      Hi

       

I need to use the user credentials (the logged-in user's credentials) when doing updates/inserts in the LDAP server. When I debugged, I don't see the getConnection() method getting hit? How do I use the user credentials instead of the admin credentials to make updates/deletes/inserts?

        • 1. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
          van.halbert

Did you have a chance to read the Admin Guide - 3.4.4. Security at Data Source level? http://docs.jboss.org/teiid/7.7.0.Final/admin-guide/en-US/html_single/#d0e687

           

          This section describes what can be done when you need to pass in other credentials to the data source.

          • 2. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
            gamvi01

I guess the above describes configuring a LoginModule for the application. But I just need it for this specific translator.

            • 3. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
              rareddy

              Vineela,

               

What Van suggested is right. Take a look at https://docs.jboss.org/author/display/TEIID/LoginModules, and in there look at "Security At Data Source Level". What you need to configure is the "CallerIdentity" security model, where the configuration is the same as the Login Module, with extra information about the data source, and also a "security-domain" element in the data source configuration.

               

              Ramesh..

              • 4. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
                gamvi01

I am getting this error after configuration, and I no longer see the table I created in my translator (getMetadata()). Is there something that I have to do?

                 

[13:26:20.757][info][talledLocalContainer] 03 Jul 2012 13:26:20,757 PDT INFO  [RUNTIME] VDB Chorus.1 model userTest metadata is currently being loaded. Start Time: 7/3/12 1:26 PM
[13:26:20.759][info][talledLocalContainer] 03 Jul 2012 13:26:20,759 PDT WARN  [SafetyHarnessExecutionFactory] [NOCODE : An unknown error has occurred: java.lang.SecurityException: Unauthenticated caller:admin]
[13:26:20.759][info][talledLocalContainer] java.lang.SecurityException: Unauthenticated caller:admin
[13:26:20.759][info][talledLocalContainer]     at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
[13:26:20.759][info][talledLocalContainer]     at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
[13:26:20.759][info][talledLocalContainer]     at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
[13:26:20.759][info][talledLocalContainer]     at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.resource.spi.WrappedConnectionFactory.getConnection(WrappedConnectionFactory.java:53)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:163)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:184)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.translator.BaseDelegatingExecutionFactory.getConnection(BaseDelegatingExecutionFactory.java:115)
[13:26:20.760][info][talledLocalContainer]     at com.ca.chorus.teiid.safety.SafetyHarnessExecutionFactory.getConnection(SafetyHarnessExecutionFactory.java:79)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.dqp.internal.datamgr.ConnectorManager.getMetadata(ConnectorManager.java:121)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.deployers.VDBDeployer.loadMetadata(VDBDeployer.java:354)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.deployers.VDBDeployer.access$000(VDBDeployer.java:60)
[13:26:20.760][info][talledLocalContainer]     at org.teiid.deployers.VDBDeployer$1.run(VDBDeployer.java:320)
[13:26:20.760][info][talledLocalContainer]     at org.jboss.util.threadpool.RunnableTaskWrapper.run(RunnableTaskWrapper.java:147)
[13:26:20.760][info][talledLocalContainer]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
[13:26:20.760][info][talledLocalContainer]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
[13:26:20.761][info][talledLocalContainer]     at java.lang.Thread.run(Thread.java:722)
[13:26:20.764][info][talledLocalContainer] 03 Jul 2012 13:26:20,760 PDT INFO  [RUNTIME] VDB Chorus.1 model security_ldap metadata is currently being loaded.
[13:26:20.764][info][talledLocalContainer] 03 Jul 2012 13:26:20,762 PDT INFO  [RUNTIME] VDB Chorus.1 model userTest_chorus_metadata metadata is currently being loaded. Start Time: 7/3/12 1:26 PM
[13:26:20.764][info][talledLocalContainer] 03 Jul 2012 13:26:20,764 PDT INFO  [RUNTIME] VDB Chorus.1 model demo_h2_multisource metadata is currently being loaded.

                 

                 

My ds file:

<?xml version="1.0" encoding="UTF-8"?>
<connection-factories>
    <no-tx-connection-factory>
        <jndi-name>SECURITY-LDAP-DS</jndi-name>
        <rar-name>teiid-connector-ldap.rar</rar-name>
        <connection-definition>javax.resource.cci.ConnectionFactory</connection-definition>
        <config-property name="LdapAdminUserDN">uid=admin,ou=system</config-property>
        <config-property name="LdapAdminUserPassword">secret</config-property>
        <config-property name="LdapUrl">ldap://gamvi01-VM45587:10389/</config-property>
        <security-domain>teiid-security</security-domain>
    </no-tx-connection-factory>
</connection-factories>

                 

                 

teiid-jboss-beans.xml:

<application-policy xmlns="urn:jboss:security-beans:1.0" name="teiid-security">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <!-- property files can found under conf/props directory -->
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/teiid-security-users.properties</module-option>
            <module-option name="rolesProperties">props/teiid-security-roles.properties</module-option>
        </login-module>
        <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=NoTxCM,name=SECURITY-LDAP-DS</module-option>
        </login-module>
    </authentication>
</application-policy>

                • 5. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
                  rareddy

Simple. Your connection to LDAP needs a user logged in before it can be used. The getMetadata call on the translator needs a connection before it can return metadata, and this call happens during the deployment of the VDB, so there is no user connected to it yet. Deadlock.

                   

You can use a Designer VDB for the metadata to avoid the metadata issue. A dynamic VDB is bad in this scenario, because you may be exposing a schema that is user specific and letting other users connect to that VDB in global scope. So, having it not work is the right thing to do. If I can think of any other alternatives I will post a reply again.


                  Ramesh..

                  • 6. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
                    markaddleman

                    Hi Ramesh -

                     

I wasn't aware of the ability to provide login modules at the data source level. We have been faking similar functionality using custom translators, but I want to eliminate as much of this custom work as possible.

                     

                    Our basic requirements are:

1. We have to use dynamic VDBs (lots of reasons for this)
2. We have a specific user ID for the getMetadata call that we know at startup time
3. For all other connections, we want to use the caller's identity

                    I haven't looked at the source code, but I'm hoping that we could use the org.jboss.resource.security.CallerIdentityLoginModule (or a specialization of it) as described in https://community.jboss.org/wiki/ConfigJCALoginModule

                     

I think the getMetadata call is the only tricky thing. Do you see any snake in the grass in regard to it?

                    • 7. Re: LDAP Translator - How to use user credentials instead of the admin credentials configured in ds file.
                      rareddy

Yep, you are right. You can extend the CallerIdentityLoginModule, then provide default credentials for the initial "getMetadata" call, and for all others you can use the user that is passed on the thread context. The only thing is there is no way of telling whether the connection call was made for the metadata or for other stuff, but if somehow you can control the privileges of the metadata user at the source, that issue can be solved.

                       

                      Ramesh..
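The configuration the thread converges on, written out as an added example (this is not config from the original posts or from the Teiid project): the "CallerIdentity" model from reply 3, with a default identity for the deployment-time getMetadata() load that reply 5 identifies as the deadlock and reply 7 proposes to cover with default credentials, and with that default identity restricted at the LDAP server as reply 7 recommends. It assumes JBoss AS 5 style `*-ds.xml` and `application-policy` files as posted above; the domain name `ldap-caller-identity`, the host `ldap.example.internal`, the account `uid=teiid-metadata,ou=system` and its password are placeholders. It also assumes the `userName`/`password` module options of `org.jboss.resource.security.CallerIdentityLoginModule` (the fallback used when no caller principal is on the thread, per the ConfigJCALoginModule wiki linked in reply 6); verify the option names against your AS version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- security_ldap-ds.xml (example, not from the thread) -->
<connection-factories>
    <no-tx-connection-factory>
        <jndi-name>SECURITY-LDAP-DS</jndi-name>
        <rar-name>teiid-connector-ldap.rar</rar-name>
        <connection-definition>javax.resource.cci.ConnectionFactory</connection-definition>
        <config-property name="LdapUrl">ldap://ldap.example.internal:10389/</config-property>
        <!-- Assumption: a dedicated account that may only read the subtree Teiid
             needs for schema loading. Since the login module cannot tell a
             getMetadata() connection from a query connection, the blast radius
             of this identity is bounded by LDAP ACLs, not by Teiid. -->
        <config-property name="LdapAdminUserDN">uid=teiid-metadata,ou=system</config-property>
        <config-property name="LdapAdminUserPassword">change-me</config-property>
        <!-- A domain holding only the CallerIdentity module; the Teiid session
             domain (teiid-security with UsersRolesLoginModule) stays as it is. -->
        <security-domain>ldap-caller-identity</security-domain>
    </no-tx-connection-factory>
</connection-factories>
```

The matching security domain, in the same `application-policy` form the thread uses in teiid-jboss-beans.xml:

```xml
<application-policy xmlns="urn:jboss:security-beans:1.0" name="ldap-caller-identity">
    <authentication>
        <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
            <!-- Reuse the principal/credential of the Teiid session that owns the thread,
                 so queries, inserts, updates and deletes bind to LDAP as the caller. -->
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=NoTxCM,name=SECURITY-LDAP-DS</module-option>
            <!-- Fallback identity when no caller is on the thread, i.e. the VDB
                 deployer's getMetadata() call. Assumption: option names per the
                 CallerIdentityLoginModule documentation for your AS version. -->
            <module-option name="userName">uid=teiid-metadata,ou=system</module-option>
            <module-option name="password">change-me</module-option>
        </login-module>
    </authentication>
</application-policy>
```

Two checks after deploying: the VDB's LDAP model should now load without the `Unauthenticated caller` SecurityException shown above, and a write issued through a user session should appear in the LDAP server's access log bound as that user's DN rather than as the metadata account. If the second check fails, the caller identity is not reaching the connection request and the fallback identity is being used for everything, which is exactly the privilege-at-source concern reply 7 raises.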