4 Replies Latest reply on Feb 25, 2015 6:53 AM by marcelomrwin

Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

lazarius Aug 22, 2014 4:17 AM

Is there a way to authenticate against an Active Directory *Forest* via any of the Ldap Login Modules or any other special one?

having the following config in standalone.xml:

	<module-option name="java.naming.provider.url" value="ldap://ad.company.tld:389"/ >
	<module-option name="baseCtxDN" value="OU=DE,OU=Users,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/ >
	<module-option name="baseFilter" value="(CN={0})"/ >
	<module-option name="rolesCtxDN" value="OU=Groups,OU=Accounts,OU=US,OU=Hosting,DC=ad00,DC=company,DC=tld"/ >
	<module-option name="roleFilter" value="(member={1})"/>
	<module-option name="roleAttributeID" value="CN"/ >
	<module-option name="searchScope" value="SUBTREE_SCOPE"/>

on wildfly 8 I get a javax.naming.NameNotFoundException with a full stack trace pointing to

LdapCtx.java:3112. This in turn

	case LdapClient.LDAP_REFERRAL:
	e = new NamingException(message);
	break;

points to a Referral Error, thus it looks like the LDAP module can't follow the referral control. Moreover, I found

at http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html the Note (at the bottom):

Windows Active Directory: Because Active Directory does not support the Manage Referral control, none of the examples in this lesson will work against Active Directory.

thus I guess there is no chance for LdapExtLoginModule to succeed If it relies on JNDI provided by Java.

1. Re: Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

marcelomrwin Sep 9, 2014 8:11 PM (in response to lazarius)

Did you solve your problem? I'm in the same trouble.
Actions
2. Re: Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

lazarius Sep 10, 2014 6:52 AM (in response to lazarius)

no I did not, I work with an alternate solution (LDAP) yet. it looks like one has to either extend the LdapExtLoginModule, or to find an alternative module in any other way. one can also setup a reader node in the forest to make sure it answers without referrals
Actions
3. Re: Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

lazarius Sep 11, 2014 3:57 AM (in response to lazarius)

I posted the same question to stackoverflow and received the following answer:

http://stackoverflow.com/questions/25738796/authenticating-via-ldapextloginmodule-against-active-directory-forest-ldap-r…

There were some issues with the referrals handling in the WildFly. They are already fixed in the codebase. Once the new version release in 9.x stream is released, it should work for you.
The JBoss EAP 6.3 and 6.2.4 have the issues fixed already.

here the link to the bug report:
Bug 1066470 – (6.3.0) LdapExtended login module: LDAP referrals not working despite earlier fix
Actions
4. Re: Authenticating via LdapExtLoginModule against Active Directory Forest (LDAP_REFERRAL)

marcelomrwin Feb 25, 2015 6:53 AM (in response to lazarius)

Did you still need this feature. I resolve in Wildfly 8.2.0.Final.
Actions

Go to original post