2 Replies Latest reply on Nov 19, 2005 11:58 PM by Aaron

    LDAP Integration

    Neil Lane Newbie

      I am in the process of trying to do a proof of concept for application logins.

      Background:

      Application running on JBoss-4.0.3, using form-based authentication to a Fedora-DS LDAP server for login.

      I have modified the LoginModulesTestCase from the wiki to do the following:

      AppConfigurationEntry[] testLdap()
      {
          String name = "org.jboss.security.auth.spi.LdapExtLoginModule";
          HashMap options = new HashMap();
          options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
          options.put("java.naming.provider.url", "ldap://192.168.1.2:389/,o=,dc=,dc=,dc=");
          options.put("java.naming.security.authentication", "simple");
          options.put("bindDN", "cn=bob");
          options.put("bindCredential", "pwd");
          options.put("baseCtxDN", "");
          options.put("baseFilter", "(cn={0})");

          AppConfigurationEntry ace = new AppConfigurationEntry(name,
              AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
          AppConfigurationEntry[] entry = {ace};
          return entry;
      }





      The test does the most simple of tasks:

      public void testLdap() throws Exception
      {
          UsernamePasswordHandler handler = new UsernamePasswordHandler("bob", "pwd");
          LoginContext lc = new LoginContext("testLdap", handler);
          try
          {
              lc.login();
              Subject subject = lc.getSubject();
          }
          catch (LoginException e)
          {
              System.out.println("Login Exception caught");
              e.printStackTrace();
          }
          lc.logout();
      }





      When I get to the login() I get the following exception:

      23:22:20,265 INFO [STDOUT] Login Exception caught
      23:22:20,265 INFO [STDOUT] javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      23:22:20,265 INFO [STDOUT] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:189)
      23:22:20,265 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      23:22:20,265 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      23:22:20,265 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      23:22:20,265 INFO [STDOUT] at java.lang.reflect.Method.invoke(Unknown Source)
      23:22:20,265 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      23:22:20,265 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      23:22:20,265 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      23:22:20,265 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
      23:22:20,265 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
      23:22:20,265 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(Unknown Source)





      Please could someone let me know if I am doing something fundamentally wrong, as this should be the simple part.



      Thanks

        • 1. Re: LDAP Integration
          kelvin phan Newbie

          download jcifs.jar from http://jcifs.samba.org, and use it as a filter in your web.xml file.

          <?xml version="1.0" encoding="UTF-8"?>
          <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
          <description>Application Description</description>
          <display-name>Application Display Name</display-name>

          <!-- JCIFS FILTER FOR NTLM -->
          <filter>
          <filter-name>NtlmHttpFilter</filter-name>
          <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
          <init-param>
          <param-name>jcifs.http.domainController</param-name>
          <param-value>00.00.00.00</param-value>
          </init-param>
          <init-param>
          <param-name>jcifs.smb.client.domain</param-name>
          <param-value>your-domain-name</param-value>
          </init-param>
          <init-param>
          <param-name>jcifs.smb.client.username</param-name>
          <param-value>ldap-user-to-authenticate</param-value>
          </init-param>
          <init-param>
          <param-name>jcifs.smb.client.password</param-name>
          <param-value>ldap-user-password</param-value>
          </init-param>
          </filter>

          <filter-mapping>
          <filter-name>NtlmHttpFilter</filter-name>
          <url-pattern>/*</url-pattern>
          </filter-mapping>
          </web-app>

          • 2. Re: LDAP Integration
            Aaron Novice

            First off, I don't see how a servlet filter will help with a JUnit test case. If he/she was using Cactus, maybe.... but this is an issue with the login module.

            Also, NTLM is not being used here. Neillane is using LDAP, not Windows. So Samba shouldn't be required.

            Neillane,

            For starters:

            options.put("java.naming.provider.url", "ldap://192.168.1.2:389/,o=,dc=,dc=,dc=");

            Is the trailing ",o=,dc=,dc=,dc=" required? I have never used that in my naming URL, but then, I've never gone against an OpenLDAP server, just general LDAP systems. I believe this should just be the system name, directing JNDI to bind to the server. The options do the rest.

            options.put("java.naming.security.authentication", "simple");
            options.put("bindDN", "cn=bob");
            options.put("bindCredential", "pwd");


            Your BindDN should be a fully-qualified DN. For example:

            cn=bob,cn=Users,dc=mycompany,dc=com

            options.put("baseCtxDN", "");


            I'm not sure, but it may help to put a baseDN for your search, rather than blank. If it's for the entire organization, then just include the DC's. For example:

            options.put("baseCtxDN","dc=mycompany,dc=com");

            If all your users are in the Users container, then you should use that as your base:

            options.put("baseCtxDN","cn=Users,dc=mycompany,dc=com");

            options.put("baseFilter", "(cn={0})");


            Can you post your LDIF data as well?
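As an added check (not code from this thread, from JBoss or from Fedora-DS), the script below turns the three points Aaron raises against Neil's option map into checks that can be run before deploying a JAAS configuration: the provider URL should name only the server, bindDN must be a fully-qualified DN, and baseCtxDN should not be blank. It runs the checks over the posted options and over a corrected copy, and renders the search filter that `baseFilter` produces for a given username. The DN components in the corrected copy are constructed placeholders, the script never contacts a directory, and a clean result only means the configuration has the right shape, not that the credentials are correct.

```python
"""Shape checks for an LdapExtLoginModule option map (added example)."""
import re
from urllib.parse import urlsplit

# Option map as posted in the thread (the one that fails with
# "Password Incorrect/Password Required").
POSTED_OPTIONS = {
    "java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
    "java.naming.provider.url": "ldap://192.168.1.2:389/,o=,dc=,dc=,dc=",
    "java.naming.security.authentication": "simple",
    "bindDN": "cn=bob",
    "bindCredential": "pwd",
    "baseCtxDN": "",
    "baseFilter": "(cn={0})",
}

# The same map with Aaron's three changes applied; the DN components are
# constructed placeholders, not a real directory layout.
CORRECTED_OPTIONS = {
    **POSTED_OPTIONS,
    "java.naming.provider.url": "ldap://192.168.1.2:389",
    "bindDN": "cn=bob,cn=Users,dc=mycompany,dc=com",
    "baseCtxDN": "cn=Users,dc=mycompany,dc=com",
}

# RFC 4515 escapes for characters that are filter metacharacters.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_dn(dn):
    """Split an RFC 4514 string DN into (attribute, value) pairs.
    A comma escaped with a backslash stays inside its value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError("empty RDN in %r" % dn)
        if "=" not in rdn:
            raise ValueError("RDN without '=' in %r" % dn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_options(options):
    """Return a list of configuration problems; empty means all checks pass."""
    problems = []

    # 1. The provider URL should point JNDI at the server only; the search
    #    base is configured through baseCtxDN, not appended to the URL.
    parts = urlsplit(options.get("java.naming.provider.url", ""))
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        problems.append("java.naming.provider.url: expected ldap://host[:port]")
    elif parts.path.strip("/"):
        problems.append("java.naming.provider.url: drop the %r suffix and put the "
                        "search base in baseCtxDN" % parts.path.strip("/"))

    # 2. bindDN is the full DN of the account that searches the directory,
    #    so a single RDN such as cn=bob is not a fully-qualified DN.
    try:
        rdns = split_dn(options.get("bindDN", ""))
    except ValueError as exc:
        problems.append("bindDN: %s" % exc)
    else:
        if len(rdns) < 2:
            problems.append("bindDN: %r is a single RDN, not a fully-qualified DN"
                            % options.get("bindDN", ""))
        if any(value == "" for _, value in rdns):
            problems.append("bindDN: contains an RDN with an empty value")

    # 3. baseCtxDN is where the user search starts; blank is not a usable base.
    base = options.get("baseCtxDN", "")
    if not base.strip():
        problems.append("baseCtxDN: blank; use the users container or the domain suffix")
    else:
        try:
            split_dn(base)
        except ValueError as exc:
            problems.append("baseCtxDN: %s" % exc)

    # 4. baseFilter must carry the {0} placeholder that receives the username.
    if "{0}" not in options.get("baseFilter", ""):
        problems.append("baseFilter: missing the {0} username placeholder")
    return problems


def render_filter(base_filter, username):
    """Return the search filter built from baseFilter for one username,
    with the substituted value escaped per RFC 4515 so filter
    metacharacters in the name are matched literally."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in username)
    return base_filter.replace("{0}", escaped)


def main():
    for label, opts in (("posted", POSTED_OPTIONS), ("corrected", CORRECTED_OPTIONS)):
        print("%s options:" % label)
        for problem in check_options(opts) or ["no problems found"]:
            print("  -", problem)
        print("  filter for bob:", render_filter(opts["baseFilter"], "bob"))


if __name__ == "__main__":
    main()
```

Running it prints three problems for the posted map (the DN suffix on the URL, the single-RDN bindDN, the blank baseCtxDN) and none for the corrected copy; the filter line shows that `(cn={0})` becomes `(cn=bob)` for the test user.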