2 Replies Latest reply on Jan 22, 2016 8:21 AM by larso

    WildFly - LDAP Security Realm

    larso

      Hi Forum,


      I need to authenticate users against a corporate central LDAP server. It used to be a trivial thing in the past, but the LDAP server connection will be additionally secured.

      So basically I need to:

      - Use SSL

      - Login / Authenticate our system (e.g. with a system account user/pw)

      - Then authenticate the actual credentials of the user that wants to access our web portal


      I have tried the following principles (using a combined example from LDAP Security Realm Examples):

      <security-realms>
          <security-realm name="LdapSSLRealm">
              <server-identities>
                  <ssl>
                      <keystore path="ldap.keystore" relative-to="jboss.server.config.dir" keystore-password="keystore_password" />
                  </ssl>
              </server-identities>
              <authentication>
                  <truststore path="ldap.truststore" relative-to="jboss.server.config.dir" keystore-password="truststore_password" />
              </authentication>
          </security-realm>
      </security-realms>
      <outbound-connections>
          <ldap name="LocalLdap" url="ldaps://localhost:10389" search-dn="uid=wildfly,dc=simple,dc=wildfly,dc=org" search-credential="secret" security-realm="LdapSSLRealm" />
      </outbound-connections>


      The trace output that I get in the logs does not really hint to me whether I have done something wrong in the actual realm set-up or in the actual query.

      A couple of questions:

      - is my approach the correct one for what I need to achieve (e.g. first authenticate our system, then authenticate the actual user)?

      - any way of increasing logging for LDAP?


      Any guide / advice appreciated


      Using WildFly 8.2


      Thanks.


      //Lars

        • 1. Re: WildFly - LDAP Security Realm
          mchoma

          Hi,


          If you want to authenticate to LDAP with a system user/password, then you don't need the server-identities element. Just follow the section "SSL" from the referenced article (not the section "SSL with Client Certificate").


          Is your LDAP server configured for TLS/SSL on a secured port? Btw. port 10389, which you are connecting to, is usually an unsecured port. The secured port is usually something like 636. Try to test the SSL connection with openssl s_client.

          What error do you see in log?


          Martin
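          For reference, here is what the management-realm configuration looks like when Martin's advice is followed: a realm that only carries the truststore (no server-identities, since the system account binds with a password rather than a client certificate), an outbound connection on the LDAPS port, and a second realm that authenticates the portal user through that connection. This is an added example, not configuration from the thread or from the WildFly documentation; the hostname, the "LdapRealm" name, the base DN, and the truststore password are assumed values.

```xml
<!-- Added example configuration, not from the original thread. -->
<!-- Host name, LdapRealm name, base-dn and the truststore password are assumed. -->
<security-realms>
    <!-- Realm used only to trust the LDAP server's certificate (SSL, no client certificate). -->
    <security-realm name="LdapSSLRealm">
        <authentication>
            <truststore path="ldap.truststore"
                        relative-to="jboss.server.config.dir"
                        keystore-password="truststore_password"/>
        </authentication>
    </security-realm>

    <!-- Realm that authenticates end users over the outbound connection below. -->
    <security-realm name="LdapRealm">
        <authentication>
            <ldap connection="LocalLdap" base-dn="ou=People,dc=simple,dc=wildfly,dc=org">
                <!-- The user's login name is matched against the uid attribute. -->
                <username-filter attribute="uid"/>
            </ldap>
        </authentication>
    </security-realm>
</security-realms>

<outbound-connections>
    <!-- System account bind: search-dn/search-credential are the service account,
         the ldaps:// URL uses the standard secured port 636 instead of 10389,
         and security-realm supplies the truststore for the TLS handshake. -->
    <ldap name="LocalLdap"
          url="ldaps://ldap.example.com:636"
          search-dn="uid=wildfly,dc=simple,dc=wildfly,dc=org"
          search-credential="secret"
          security-realm="LdapSSLRealm"/>
</outbound-connections>
```

The truststore must contain the CA (or server) certificate the LDAP server presents; if the handshake fails, the org.jboss.security TRACE logging Lars mentions below will show the TLS error before any bind is attempted.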

          • 2. Re: WildFly - LDAP Security Realm
            larso

            Hi,

            Thanks for fast response and proposal.


            I found this setting and it increased the logging in a good way

            <logger category="org.jboss.security">
                  <level name="TRACE"/>
            </logger>


            Actually I think that our current problems are related to access problems (firewall, account set-up or similar). So until I have sorted that out, this will be pending.

            Will be back.


            Thanks


            Lars