7 Replies Latest reply on Feb 24, 2015 3:50 PM by pcraveiro

    Picketlink and Active Directory (ldap store)

    arthurgregorio

      I'm using PicketLink for security in my application and now need to plug it into AD (SAMBA 4, not M$ AD). My setup is as follows:

       

      // CN and EMAIL are assumed to be static-imported from PicketLink's LDAPConstants ("cn" / "mail")
      import static org.picketlink.idm.ldap.internal.LDAPConstants.CN;
      import static org.picketlink.idm.ldap.internal.LDAPConstants.EMAIL;

      import java.util.Properties;
      import javax.enterprise.event.Observes;
      import javax.inject.Inject;
      import org.picketlink.config.SecurityConfigurationBuilder;
      import org.picketlink.event.SecurityConfigurationEvent;
      import org.picketlink.idm.model.basic.Grant;
      import org.picketlink.idm.model.basic.Group;
      import org.picketlink.idm.model.basic.GroupMembership;
      import org.picketlink.idm.model.basic.Role;
      import org.picketlink.idm.model.basic.User;
      import org.picketlink.internal.EntityManagerContextInitializer;

      public class SecurityConfiguration {
         
          @Inject
          private EntityManagerContextInitializer contextInitializer;
          
          private static final String BASE_DN = "DC=pti,DC=local";
          private static final String LDAP_URL = "ldap://ptidc0-teste.pti";
          private static final String BIND_DN = "CN=userbind,CN=users,DC=pti,DC=local";
      
          /**
           * Observes the PicketLink configuration event and wires a JPA store
           * (roles, groups, relationships) plus an LDAP store (users, credentials).
           *
           * @param event the configuration event fired by PicketLink at startup
           */
          public void configureIdentityManager(@Observes SecurityConfigurationEvent event) {
      
              final SecurityConfigurationBuilder builder = event.getBuilder();
              
              // JNDI LDAP connection pool settings
              System.setProperty("com.sun.jndi.ldap.connect.pool.authentication", "simple");
              System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "10");
              System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "5");
              System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");
              System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "all");
              
              final Properties properties = new Properties();
      
              // ldap connection properties passed to the LDAP store
              properties.put("com.sun.jndi.ldap.connect.pool", "true");
              
              // identity store configuration
              builder.idmConfig()
                      .named("default")
                          .stores()
                          .jpa()
                              .supportCredentials(false)
                              .supportGlobalRelationship(
                                      Grant.class,
                                      GroupMembership.class)
                              .supportType(
                                      Role.class,
                                      Group.class)
                              .addContextInitializer(this.contextInitializer)
                          .ldap()
                              .activeDirectory(true)
                              .connectionProperties(properties)
                              .baseDN(BASE_DN)
                              .bindDN(BIND_DN)
                              .bindCredential("secret")
                              .url(LDAP_URL)
                              .supportCredentials(true)
                              .mapping(User.class)
                                  .objectClasses(
                                          "user",
                                          "person",
                                          "organizationalPerson")
                                  .attribute("userName", "sAMAccountName", true)
                                  .attribute("name", CN)
                                  .attribute("email", EMAIL);
          }
      }
      

       

      However, when I try to authenticate the result is always invalid, and PicketLink does not seem to send the user's full name. It does bind correctly, but instead of sending the full name of the user, it sends only sAMAccountName=test1 followed by the password. The correct thing to send is: CN=test1,CN=Users,DC=pti,DC=local and then the password.

       

      This way, the only answer I get is: Simple Bind Failed: NT_STATUS_LOGON_FAILURE


      Any help?

        • 1. Re: Picketlink and Active Directory (ldap store)
          pcraveiro

          Did you try setting the baseDN when configuring your user mapping?

           

          Something like this:

           

          .mapping(User.class)  
              .baseDN("CN=Users,DC=pti,DC=local")
              .objectClasses("user", "person", "organizationalPerson")  
              .attribute("userName", "sAMAccountName", true)  
              .attribute("name", CN)  
              .attribute("email", EMAIL);  
          

           

          Regards.

          • 2. Re: Picketlink and Active Directory (ldap store)
            arthurgregorio

            uhmmm

             

            .mapping(User.class)
                .baseDN("CN=users,DC=pti,DC=local")
                .objectClasses(
                        "user",
                        "person")
                .attribute("userName", "CN", true)
                .attribute("name", "name")
                .attribute("email", EMAIL);
            

             

            With this config I can make users from CN=users log in, but when I change it to DC=pti,DC=local (the entire tree) no user can log in...

             

            Is there any way to pass the base DN of the user to PicketLink dynamically? I say this because keeping the DN static, where the bind is used to search for users and their properties, does not seem to make much sense... Even more so because, searching everything, I can then filter for users of a specific CN that can log in to the application.

             

            Bonus:

             

            What does the method LDAPMappingConfigurationBuilder#bindingAttribute(String propertyName, String ldapAttributeName) do? The javadoc is not very clear about its use...

            • 3. Re: Picketlink and Active Directory (ldap store)
              pcraveiro

              Hi Arthur,

               

              I've created [1]. This JIRA is about validating credentials for users despite the baseDN configured for a specific account type. However, you must provide the objectClasses for your account types, otherwise PL will not be able to understand which type is associated with an LDAP entry.

               

              Regarding "bindAttribute", take a look at this JIRA [2] for more details. I'm going to update the javadoc to make this clearer.

               

              [1] [PLINK-681] LDAP password validation handler should validate based on entry namespace - JBoss Issue Tracker

              [2] https://issues.jboss.org/browse/PLINK-507

               

              Thanks.

              Pedro Igor

              • 4. Re: Re: Picketlink and Active Directory (ldap store)
                arthurgregorio

                I'm providing...

                 

                .mapping(User.class)
                    .baseDN("OU=Corporativo,DC=pti,DC=local")
                    .objectClasses(
                            "user",
                            "person",
                            "organizationalPerson")
                    .attribute("userName", "sAMAccountName", true)
                    .bindingAttribute("name", "CN")
                    .attribute("email", EMAIL);
                

                 

                In this case the DN is OK only for users directly inside Corporativo, and on login it looks like CN=Arthur Pereira Gregorio,OU=Corporativo,DC=pti,DC=local. But what if the user is outside this DN, or another OU is part of the user's DN? For example, a user with DN CN=Lucas Peruchi,OU=TIC,OU=Corporativo,DC=pti,DC=local is from Corporativo, but because of OU=TIC he cannot log in due to the fixed value of baseDN.

                 

                Is there any way to do something like this:

                 

                <outbound-connections>
                    <ldap name="ad-fpti" url="ldap://host" search-dn="CN=userbind,CN=Users,DC=pti,DC=local" search-credential="secret"/>
                </outbound-connections>
                <ldap connection="ad-fpti" base-dn="DC=pti,DC=local" recursive="true">
                    <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=PORTAL_USER,OU=portalreservas,DC=pti,DC=local))"/>
                </ldap>
                

                 

                I use this configuration to authenticate users when they try to access the WildFly web console; this way, any user from Corporativo who is a member of PORTAL_USER can log in.

                 

                Man, I am very confused by it all! ehauahahe If you can transcribe this XML snippet to a PicketLink configuration, it will help me understand what needs to be done!

                • 5. Re: Re: Picketlink and Active Directory (ldap store)
                  pcraveiro

                  Hey,

                   

                  Now you should be able to authenticate your users by just providing the baseDN (e.g. DC=pti,DC=local). Can you test this using a SNAPSHOT?

                   

                  Regards.

                  Pedro Igor

                  • 6. Re: Re: Re: Picketlink and Active Directory (ldap store)
                    arthurgregorio

                    PERFECT! Works like a charm!

                     

                    Now, one single question: where can I make this filter:

                     

                    (&(sAMAccountName={0})(memberOf=CN=PORTAL_USER,OU=portalreservas,DC=pti,DC=local))
                    

                     

                    I need all the users from the entire tree to be found (now it is OK), but only members of CN=PORTAL_USER to be able to log in.

                     

                    Any advice?

                    • 7. Re: Re: Re: Picketlink and Active Directory (ldap store)
                      pcraveiro

                      We don't support that today. But I believe this is something you can do in your application, no?

                       

                      I think you can query the groups for the user and check if he is a member of a group before authenticating.

                       

                      Regards.
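The group check Pedro suggests, written as a custom PicketLink Authenticator (an added example, not code from the thread or from PicketLink itself): the password is validated against the configured identity stores first, and SUCCESS is only reported when the validated account is a member of PORTAL_USER, so a correct password alone never produces a session. It assumes the PicketLink 2.5+ basic model APIs and that the group and its memberships are reachable through the configured stores (in the thread's setup, GroupMembership lives in the JPA store); the class name and the REQUIRED_GROUP constant are hypothetical.

```java
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.User;

// Hypothetical authenticator: @PicketLink makes it the one the Identity bean uses.
@PicketLink
public class GroupRestrictedAuthenticator extends BaseAuthenticator {

    // Group that gates application login (same group as the thread's LDAP filter).
    private static final String REQUIRED_GROUP = "PORTAL_USER";

    @Inject private DefaultLoginCredentials loginCredentials;
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    @Override
    public void authenticate() {
        String userId = loginCredentials.getUserId();
        String password = loginCredentials.getPassword();
        if (userId == null || password == null) {
            setStatus(AuthenticationStatus.FAILURE);   // nothing to validate, fail closed
            return;
        }

        // Step 1: let the configured stores (here the LDAP store) check the password.
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(userId, new Password(password));
        identityManager.validateCredentials(credentials);
        if (credentials.getStatus() != Credentials.Status.VALID) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        // Step 2: authorization gate before SUCCESS; a missing group also fails closed.
        User user = (User) credentials.getValidatedAccount();
        Group group = BasicModel.getGroup(identityManager, REQUIRED_GROUP);
        if (group == null || !BasicModel.isMember(relationshipManager, user, group)) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        setAccount(user);
        setStatus(AuthenticationStatus.SUCCESS);
    }
}
```

Because both failures set the same FAILURE status, the login form cannot tell a wrong password from a missing group membership, which also avoids leaking which accounts exist.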