Role mapping using LDAP with Active Directory
sdotlittlenail Apr 22, 2015 11:03 AM
I would like to replace the default authentication and authorization "UsersRoles" mechanism with the "LdapExtended" login module (JBoss 6.3, ModeShape 3.8.1).
Active Directory and LDAP are running.
When I try to get access to ModeShape's WebDAV service (using http://localhost:8080/modeshape-webdav/), an LDAP connection is established successfully to my Active Directory. However, it seems that ModeShape cannot match my user's Active Directory roles to ModeShape's hard-coded role model (admin, readwrite, readonly and connect, documented in Authentication and authorization - ModeShape 3 - Project Documentation Editor), resulting in a 403 HTTP response code.
My modeshape-security security-domain specification is the following one:
<security-domain name="modeshape-security" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.provider.url" value="ldap://vmserver2015.novaDomain.local:389"/>
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="bindDN" value="cn=Administrator,cn=Users,dc=novaDomain,dc=local"/>
            <module-option name="bindCredential" value="aPassword"/>
            <module-option name="baseCtxDN" value="DC=novaDomain,DC=local"/>
            <module-option name="baseFilter" value="(cn={0})"/>
            <module-option name="rolesCtxDN" value="cn=Users,dc=novaDomain,dc=local"/>
            <module-option name="roleFilter" value="(cn={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
        </login-module>
    </authentication>
</security-domain>
I created the following properties in my Active Directory:
- CN=sn (user), distinguished name: CN=sn,CN=Users,DC=novaDomain,DC=local
- CN=connect (group), distinguished name: CN=connect,CN=Users,DC=novaDomain,DC=local
- CN=admin (group), distinguished name: CN=admin,CN=Users,DC=novaDomain,DC=local
- CN=readwrite (group), distinguished name: CN=readwrite,CN=Users,DC=novaDomain,DC=local
A WebDAV login produces the following command prompt output:
16:05:24,389 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null
16:05:28,528 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: sn, cache entry: null
16:05:28,529 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: sn
16:05:28,533 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(modeshape-security), size: 4
16:05:28,536 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(modeshape-security), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(cn={0})
name=roleFilter, value=(cn={0})
name=java.naming.referral, value=follow
name=bindCredential, value=****
name=bindDN, value=cn=Administrator,cn=Users,dc=novaDomain,dc=local
name=java.naming.provider.url, value=ldap://vmserver2015.novaDomain.local:389
name=rolesCtxDN, value=cn=Users,dc=novaDomain,dc=local
name=baseCtxDN, value=DC=novaDomain,DC=local
name=roleAttributeID, value=memberOf
name=password-stacking, value=useFirstPass
16:05:28,542 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000236: Begin initialize method
16:05:28,542 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000240: Begin login method
16:05:28,549 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000269: Failed to parse roleRecursion as number, using default value 0
16:05:28,551 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=cn=Administrator,cn=Users,dc=novaDomain,dc=local, password-stacking=useFirstPass, baseCtxDN=DC=novaDomain,DC=local, roleAttributeID=memberOf, roleFilter=(cn={0}), rolesCtxDN=cn=Users,dc=novaDomain,dc=local, baseFilter=(cn={0}), jboss.security.security_domain=modeshape-security, java.naming.provider.url=ldap://vmserver2015.novaDomain.local:389, bindDN=cn=Administrator,cn=Users,dc=novaDomain,dc=local, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
16:05:28,573 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=CN=sn,CN=Users,DC=novaDomain,DC=local, password-stacking=useFirstPass, baseCtxDN=DC=novaDomain,DC=local, roleAttributeID=memberOf, roleFilter=(cn={0}), rolesCtxDN=cn=Users,dc=novaDomain,dc=local, baseFilter=(cn={0}), jboss.security.security_domain=modeshape-security, java.naming.provider.url=ldap://vmserver2015.novaDomain.local:389, bindDN=cn=Administrator,cn=Users,dc=novaDomain,dc=local, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=readwrite,CN=Users,DC=novaDomain,DC=local
16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=connect,CN=Users,DC=novaDomain,DC=local
16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=admin,CN=Users,DC=novaDomain,DC=local
16:05:28,579 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000241: End login method, isValid: true
16:05:28,580 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000242: Begin commit method, overall result: true
16:05:28,584 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@351a852b, subject: Subject(580174546).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn))
16:05:28,586 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000207: updateCache, input subject: Subject(580174546).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn)), cached subject: Subject(1730776044).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn))
16:05:28,587 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4540e5fb
16:05:28,588 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000201: End isValid, result = true
16:05:28,594 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000354: Setting security roles ThreadLocal: null
Obviously a connection can be established, my user is validated and my user's roles are found, but the role names cannot be matched to ModeShape's, which results in a 403 HTTP response code (Access to the requested resource has been denied, shown in my browser).
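The TRACE log above shows the login module assigning the raw memberOf values (full DNs such as CN=readwrite,CN=Users,DC=novaDomain,DC=local) as role names, while ModeShape compares against the plain names admin, readwrite, readonly and connect, so no role ever matches. The script below is an added example, not ModeShape or PicketBox code and not from the poster: it parses two constructed security-domain fragments (the role options as posted, and the same options plus roleAttributeIsDN and roleNameAttributeID, which are documented LdapExtLoginModule options) and shows which roles survive the comparison under each. The real module, with roleAttributeIsDN set to true, looks each DN up in LDAP and reads roleNameAttributeID from the group entry; the script approximates that lookup by taking the matching RDN out of the DN, which gives the same answer for AD groups whose RDN is CN. The default of "name" for roleNameAttributeID is assumed from the module's documentation.

```python
"""Simulation of LdapExtLoginModule role-name derivation vs. ModeShape's role model.
Added example, not ModeShape or PicketBox code."""
import xml.etree.ElementTree as ET

# ModeShape's hard-coded role model, as named in the post.
MODESHAPE_ROLES = {"admin", "readwrite", "readonly", "connect"}

# The user's memberOf values, copied from the PBOX000268 lines in the log.
MEMBER_OF = [
    "CN=readwrite,CN=Users,DC=novaDomain,DC=local",
    "CN=connect,CN=Users,DC=novaDomain,DC=local",
    "CN=admin,CN=Users,DC=novaDomain,DC=local",
]

# Constructed fragment: only the role-related options from the post's domain
# (connection and bind options omitted for brevity).
DOMAIN_AS_POSTED = """
<security-domain name="modeshape-security" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="baseCtxDN" value="DC=novaDomain,DC=local"/>
      <module-option name="baseFilter" value="(cn={0})"/>
      <module-option name="rolesCtxDN" value="cn=Users,dc=novaDomain,dc=local"/>
      <module-option name="roleFilter" value="(cn={0})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
    </login-module>
  </authentication>
</security-domain>
"""

# Constructed fragment: the same options, plus the two that tell the module
# memberOf holds group DNs and that the role name is the group's cn attribute.
DOMAIN_CORRECTED = DOMAIN_AS_POSTED.replace(
    '<module-option name="roleAttributeID" value="memberOf"/>',
    '<module-option name="roleAttributeID" value="memberOf"/>\n'
    '      <module-option name="roleAttributeIsDN" value="true"/>\n'
    '      <module-option name="roleNameAttributeID" value="cn"/>',
)


def module_options(domain_xml):
    """Return the login-module's <module-option> name/value pairs."""
    root = ET.fromstring(domain_xml.strip())
    module = root.find("./authentication/login-module")
    return {o.get("name"): o.get("value") for o in module.findall("module-option")}


def split_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) RDN pairs.

    Backslash escapes are honoured, so a CN containing a comma
    ("CN=Smith\\, John") stays one RDN.  Multi-valued RDNs ('+') are
    not handled; they do not occur in AD group DNs.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def role_name(attribute_value, opts):
    """Role name derived from one value of roleAttributeID.

    roleAttributeIsDN unset/false: the raw value is the role name (the
    post's situation).  true: the module resolves the DN and reads
    roleNameAttributeID; approximated here by taking that RDN from the DN.
    The default "name" for roleNameAttributeID is an assumption.
    """
    if opts.get("roleAttributeIsDN", "false").lower() != "true":
        return attribute_value
    wanted = opts.get("roleNameAttributeID", "name").lower()
    for attr, value in split_dn(attribute_value):
        if attr.lower() == wanted:
            return value
    return None  # DN carries no such attribute: no role is assigned


def effective_roles(domain_xml, member_of=MEMBER_OF):
    """Role names the login module would put into the Subject's Roles group."""
    opts = module_options(domain_xml)
    return {r for r in (role_name(v, opts) for v in member_of) if r is not None}


def authorized_roles(domain_xml, member_of=MEMBER_OF):
    """Roles that match ModeShape's role model; an empty set means a 403."""
    return effective_roles(domain_xml, member_of) & MODESHAPE_ROLES


if __name__ == "__main__":
    for label, domain in (("as posted", DOMAIN_AS_POSTED), ("corrected", DOMAIN_CORRECTED)):
        print(f"{label:10s} roles={sorted(effective_roles(domain))}")
        print(f"{'':10s} matched={sorted(authorized_roles(domain)) or 'none -> 403'}")
```

Run stand-alone, the script prints the three raw DNs and an empty match for the posted options, and admin, connect and readwrite for the corrected ones; readonly never appears because the user is not a member of such a group. Two points worth checking against the posted domain itself: the bind account is cn=Administrator over a plain ldap:// URL, and a read-only service account over ldaps:// is the usual hardening for that step; and roleRecursion is unset (the DEBUG line in the log shows it defaulting to 0), which is fine here because the groups are direct memberships, but nested AD groups would need it raised.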