management console security - racf - error
glkishore Sep 19, 2013 5:09 PM
Hi,
I am new to JBoss. I am trying to configure security for the JBoss management console using RACF/LDAP. I have gone through some of the suggestions from community members and resolved most issues, but I still get an error. I am using JBoss 7.1.1 and running in standalone mode.
I have made sure that 'TESTUSER' exists in the ADMINGROUP in RACF. We have WebSphere security configured with the same credentials, which works fine, though it needs a lot more details.
Could you please check and let me know what could be wrong in my config?
<management>
    <security-realms>
        <security-realm name="racf_ldap">
            <authentication>
                <ldap connection="racf_ldap" base-dn="CN=RACFLDAP,C=US" user-dn="PROFILETYPE=USER,CN=RACFLDAP,C=US">
                    <!-- <username-filter attribute="racfid=%v"/> - JBAS015231: User 'TESTUSER' not found in directory -->
                    <!-- <advanced-filter filter="(&(racfuserid={0})(racfgroupid=ADMINGROUP))" />
                         <advanced-filter filter="(RACFID={0},PROFILETYPE=USER,CN=RACFLDAP,C=US)" />
                         - JBAS015231: User 'TESTUSER' not found in directory -->
                    <advanced-filter filter="(RACFID={0})" />
                </ldap>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="racf_ldap" url="ldaps://ldap.comapny.org" search-dn="RACFID=racf_bind_user,PROFILETYPE=USER,CN=RACFLDAP,C=US" search-credential="racf_bind_user_passwd" />
    </outbound-connections>
    <management-interfaces>
        <native-interface security-realm="racf_ldap">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="racf_ldap">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
Error message:
11:48:45,597 FINE [com.sun.net.httpserver] (HttpManagementService-threads - 1) POST /management HTTP/1.1 [401 Unauthorized] ()
11:48:53,584 DEBUG [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) Callback handle failed.: java.io.IOException: JBAS015220: Unable to perform verification
    at org.jboss.as.domain.management.security.UserLdapCallbackHandler.handle(UserLdapCallbackHandler.java:220) [jboss-as-domain-management-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.domain.http.server.security.AuthenticationProvider$1.handle(AuthenticationProvider.java:80) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.domain.http.server.security.BasicAuthenticator.checkCredentials(BasicAuthenticator.java:135) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.com.sun.net.httpserver.BasicAuthenticator.authenticate(BasicAuthenticator.java:77)
    at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:102) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:79) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_11]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]
Caused by: java.io.IOException: JBAS015231: User 'TESTUSER' not found in directory.
    at org.jboss.as.domain.management.security.UserLdapCallbackHandler.handle(UserLdapCallbackHandler.java:193) [jboss-as-domain-management-7.1.1.Final.jar:7.1.1.Final]
    ... 14 more
I tried to get the trace by enabling TRACE on some of these modules, but I haven't got any useful information.
<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.http.server.security">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.com.sun.net.httpserver">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.http.api">
    <level name="TRACE"/>
</logger>
<logger category="com.sun.jndi.ldap.LdapCtx">
    <level name="TRACE"/>
</logger>
<logger category="com.sun.net.httpserver">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.security">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.management.security">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.http.server">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.as.domain.management">
    <level name="TRACE"/>
</logger>
<logger category="org.jboss.sun.net.httpserver.AuthFilter">
    <level name="TRACE"/>
</logger>
Thanks in advance.
-Lakshmi
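The three filters the post tried, worked through as an added example that is not code from the post or from JBoss: the `{0}` placeholder is filled with the login name, the result is parsed back as an RFC 4515 filter, and the tree shows what the directory is actually asked for. The third filter is a DN written in filter position; it parses as a single `RACFID` equality whose value is `TESTUSER,PROFILETYPE=USER,CN=RACFLDAP,C=US`, which no user has, so "User not found" is the expected outcome. The helpers `escape_filter_value`, `build_search_filter`, `parse_filter` and `resolve` are hypothetical and written for this illustration; the post does not show how JBoss itself performs the substitution, so the escaping shown is the behaviour a defender would want, not a claim about the server.

```python
"""Added example, not code from the post or from JBoss: how a {0}
placeholder in an LDAP authentication filter template is filled in,
parsed back as an RFC 4515 filter, and why a DN written in filter
position never finds a user.  All helpers here are hypothetical."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as a wildcard
    or as additional filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the escaped login name for every {0} in the template
    (the placeholder convention the post's advanced-filter uses)."""
    return template.replace("{0}", escape_filter_value(username))


def parse_filter(text: str):
    """Parse the RFC 4515 subset that realm configs use: (attr=value),
    (&(...)(...)), (|(...)(...)) and (!(...)).  Returns ('eq', attr, value)
    or (op, [children]); raises ValueError on malformed input."""
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = {"&": "and", "|": "or", "!": "not"}[text[pos]]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(item())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unclosed '{op}' filter at offset {pos}")
            pos += 1
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unclosed assertion")
        # Split at the first '=' only: everything after it is the assertion value,
        # commas included, which is exactly why a DN here becomes one odd value.
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"not an attribute assertion: {text[pos:end]!r}")
        pos = end + 1
        return ("eq", attr, value)

    node = item()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def resolve(template: str, username: str):
    """Fill the template for one login and return the parsed tree, so the
    attribute and value the directory would be asked for are visible."""
    return parse_filter(build_search_filter(template, username))


if __name__ == "__main__":
    # The three filters from the post, filled in for TESTUSER (constructed input).
    for t in ["(RACFID={0})",
              "(&(racfuserid={0})(racfgroupid=ADMINGROUP))",
              "(RACFID={0},PROFILETYPE=USER,CN=RACFLDAP,C=US)"]:
        print(t, "->", resolve(t, "TESTUSER"))
    # A login name containing a wildcard is escaped, so it cannot widen the match.
    print(build_search_filter("(RACFID={0})", "TEST*"))
```

Running the block prints the parsed tree for each template; the first two resolve to a `RACFID`/`racfuserid` lookup for `TESTUSER`, the DN-shaped one to a lookup for a value nobody has. The escaping step matters for the management realm specifically because the login name comes straight from the HTTP Basic credentials, so a `*` or parenthesis in it must stay a literal character rather than change the search.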