-
1. Re: Authenticating to Active Directory with LdapExtLoginModu
javahollic Dec 20, 2005 11:06 AM (in response to javahollic)
Posting back, this was all to do with getting the right attributes in the right place.
After reading the source code I now understand that a blank password is fine and expected, the checkPassword method does the ldap 'login' auth check that effects the same behaviour.
The issue with a constantly rejected userid/password is related to the attribute 'java.naming.referral' not being set to 'follow'; found on the Jira site - http://www.atlassian.com/software/jira/docs/v2.6.1/ldap.html. I don't fully understand why, as authentication should happen at the AD server I'm connected to...
The modified TestCase for AD used the following attributes; the binduser needed suffixing with mydomain, and the search user referenced in the UsernamePasswordHandler did not, which allows the attribute match against sAMAccountName.

BIND_USER="binduser@mydomain.net"
BIND_PASS="bindpass"
ROOT_DC="dc=..,dc=.."
{
    java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
    java.naming.provider.url = ldap://myserver:389
    java.naming.security.authentication = simple
    bindDN = BIND_USER
    bindCredential = BIND_PASS
    baseCtxDN = ROOT_DC
    baseFilter = (sAMAccountName={0})
    searchScope = SUBTREE_SCOPE
    rolesCtxDN = ROOT_DC
    roleFilter = (member={1})
    roleAttributeID = memberOf
    roleAttributeIsDN = true
    roleNameAttributeID = name
    roleRecursion = 0
    /***
     * FIX for referral problem resulting in : javax.naming.PartialResultException: Unprocessed Continuation Reference(s)
     */
    java.naming.referral = follow
}
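The two-stage flow those attributes configure (service bind with referral following, sAMAccountName search, rebind as the found DN to check the password, then the member/name role search), written out in plain JNDI as an added example; this is not code from the thread or from JBoss's LdapExtLoginModule, and the server URL, bind account, password and root DC are assumed placeholders to replace with your own.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AdLdapAuth {
    static final String URL = "ldap://myserver.example:389";          // assumed placeholder
    static final String BIND_USER = "binduser@mydomain.example";      // assumed; UPN form works for the service bind
    static final String BIND_PASS = "bindpass";                       // assumed placeholder
    static final String ROOT_DC = "dc=mydomain,dc=example";           // assumed placeholder

    static DirContext connect(String principal, String credential) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        // A subtree search from the domain root makes AD return continuation references; without "follow" it ends in PartialResultException.
        env.put(Context.REFERRAL, "follow");
        return new InitialDirContext(env);
    }

    // Returns the user's role names, or null if the user is unknown or the password is wrong.
    static List<String> authenticate(String samAccountName, String password) throws NamingException {
        // Reject an empty password before binding: an empty-credential simple bind is an unauthenticated bind (RFC 4513 5.1.2) that AD reports as success.
        if (password == null || password.isEmpty()) return null;
        DirContext svc = connect(BIND_USER, BIND_PASS);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // users sit below the root; ONELEVEL would miss them
            // baseFilter=(sAMAccountName={0}): passed as a filter argument so JNDI escapes the user-supplied value
            NamingEnumeration<SearchResult> users = svc.search(ROOT_DC, "(sAMAccountName={0})", new Object[] {samAccountName}, sc);
            if (!users.hasMore()) return null;
            String userDn = users.next().getNameInNamespace();
            // The actual password check: rebind as the user's DN with the submitted password.
            connect(userDn, password).close();
            // roleFilter=(member={1}) with roleNameAttributeID=name, searched from rolesCtxDN=ROOT_DC.
            sc.setReturningAttributes(new String[] {"name"});
            List<String> roles = new ArrayList<>();
            NamingEnumeration<SearchResult> groups = svc.search(ROOT_DC, "(member={0})", new Object[] {userDn}, sc);
            while (groups.hasMore()) roles.add((String) groups.next().getAttributes().get("name").get());
            return roles;
        } catch (AuthenticationException e) {
            return null; // the user bind was refused: bad password
        } finally {
            svc.close();
        }
    }
}
```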
-
2. Re: Authenticating to Active Directory with LdapExtLoginModu
javahollic Feb 15, 2006 10:31 AM (in response to javahollic)
Hello,
I have a web application which I'm trying to secure via an Active Directory server. I have a Unit Test (configuration at end of post) derived from org.jboss.test.LoginModulesTestCase which connects and retrieves attributes (proving the login module can be poked to work). When I try and configure the webapp to connect to AD I always get a stack and a bad password comment. This happened in 4.0.3.sp1, and still with 4.0.4.sp1, can anyone spot something wrong with the login-config.xml?
I've reviewed the recently changed http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule page but I seem to be doing what is expected, here's my ticklist:
1. modified deploy/jbossweb-tomcat55.sar/server.xml to set up a SSL connector (see end for config).
2. have matched the WEB-INF/jboss-web.xml security-domain element to an entry in the server/conf/login-config.xml file
3. configured web-app to be secured, such that accessing its context triggers redirection to a login form, via SSL, and submits to j_security_check.
So in theory j_security_check is receiving the login user/pass and is passing them onto the ExtLdapLoginModule, but I keep getting an invalid password (which it isn't!).
I have some thoughts I may have to specify an Initial context provider in the ExtLdapModule's jboss config, could this be the issue? (I happen to be running inside IBM 1.5 VM so com.sun wouldn't work if it were hard coded anywhere...)
Pointers? Ideas?
thanks in advance.
Andy.
=========
::jbossweb-tomcat55.sar/server.xml::
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    algorithm="IbmX509"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="password" sslProtocol="TLS" />
::login-config.xml::
<application-policy name="webapp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://myserver.net:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">user@mycompany.net</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">DC=mydomain,DC=net</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="rolesCtxDN">DC=mycompany,DC=net</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
::Configuration::
AppConfigurationEntry[] testLdapExtLoginToActiveDirectory()
{
    String name = "org.jboss.security.auth.spi.LdapExtLoginModule";
    HashMap options = new HashMap();
    // JNDI environment: the unit test names the Sun LDAP provider explicitly
    options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
    options.put("java.naming.provider.url", "ldap://myserver.net:389");
    options.put("java.naming.security.authentication", "simple");
    // service account used for the user and role searches
    options.put(BIND_DN, ACCESS_UID);
    options.put(BIND_CREDENTIAL, ACCESS_PASS);
    options.put(BASE_CTX_DN, "dc=mycompany,dc=net");
    options.put(BASE_FILTER_OPT, "(sAMAccountName={0})");
    options.put("rolesCtxDN", "dc=mycompany,dc=net");
    options.put("roleFilter", "(member={1})");
    options.put("roleAttributeID", "memberOf");
    options.put("roleAttributeIsDN", "true");
    options.put("roleNameAttributeID", "name");
    options.put("roleRecursion", "-1");
    options.put("searchTimeLimit", "15000");
    // follow AD continuation references instead of failing the search
    options.put("java.naming.referral", "follow");
    options.put(SEARCH_SCOPE_OPT, "SUBTREE_SCOPE");
    AppConfigurationEntry ace = new AppConfigurationEntry(name,
        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
    AppConfigurationEntry[] entry = { ace };
    return entry;
}
::server.log Stacktrace::
2006-02-09 16:58:37,051 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Failed to validate password
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=mycompany,DC=net'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2778)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1823)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1746)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1763)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:409)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:391)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:373)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:278)
    at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:403)
    at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:340)
    at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:201)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:615)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
    at java.security.AccessController.doPrivileged(AccessController.java:241)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:788)
2006-02-09 16:58:37,061 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=myuser
-
3. Re: Authenticating to Active Directory with LdapExtLoginModu
asylumx Mar 6, 2006 3:36 PM (in response to javahollic)
Not sure if you ever got a response to this, but it looks like your BindDN is actually mapped to a userPrincipalName. You probably need to map it to the actual DN.