3 Replies Latest reply on Mar 6, 2006 3:36 PM by Thomas Busch

    Authenticating to Active Directory with LdapExtLoginModule

    Andy Brook Newbie

      Hi,
I'm using 4.03SP1 and using a modified copy of the LoginModulesTestCase, found on the Wiki page for the LdapExtLoginModule. I've debugged into the login() in the UsernamePasswordLoginModule and just seem to get an empty (not null) expected password.

I attempted to do this for a web app via login-config.xml but can't seem to debug it, hence the simple case. The bind DN is good as I have this working in WAS5 (I'm attempting to migrate applications to JBoss :)

My config is roughly as follows:

      {
       org.jboss.security.auth.spi.LdapExtLoginModule
       java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
       java.naming.provider.url=ldap:/myserver
       java.naming.security.authentication=simple
       bindDN='cn=..,ou=..,ou=..,ou=..,dc=..,dc=..'
       bindCredential=pwd
       baseCtxDN='dc=..,dc=..'
       baseFilter='sAMAccountName={0}'
       rolesCtxDN='dc=..,dc=..'
       roleFilter=member={1})
       roleAttributeID=cn
       roleRecursion=0
      }
      


      Has anyone ever authenticated with Active Directory? Spot the deliberate mistake?

      Thanks,
      andy

        • 1. Re: Authenticating to Active Directory with LdapExtLoginModu
          Andy Brook Newbie

          Posting back, this was all to do with getting the right attributes in the right place.

After reading the source code I now understand that a blank password is fine and expected; the checkPassword method does the LDAP 'login' auth check that effects the same behaviour.

The issue with a constantly rejected userid/password is related to the attribute 'java.naming.referral' not being set to 'follow'; found on the Jira site - http://www.atlassian.com/software/jira/docs/v2.6.1/ldap.html. I don't fully understand why, as authentication should happen at the AD server I'm connected to...

The modified TestCase for AD used the following attributes; the bind user needed suffixing with mydomain, and the search user referenced in the UsernamePasswordHandler did not, which allows the attribute match against sAMAccountName.

          BIND_USER="binduser@mydomain.net"
          BIND_PASS="bindpass"
          ROOT_DC="dc=..,dc=.."
          
          {
           java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
           java.naming.provider.url = ldap://myserver:389
           java.naming.security.authentication = simple
          
           bindDN = BIND_USER
           bindCredential = BIND_PASS
           baseCtxDN = ROOT_DC
           baseFilter = (sAMAccountName={0})
           searchScope = SUBTREE_SCOPE
          
           rolesCtxDN = ROOT_DC
           roleFilter = (member={1})
           roleAttributeID = memberOf
           roleAttributeIsDN = true
           roleNameAttributeID = name
           roleRecursion = 0
          
          /***
           * FIX for referral problem resulting in : javax.naming.PartialResultException: Unprocessed Continuation Reference(s)
           */
           java.naming.referral = follow
          }
          



          • 2. Re: Authenticating to Active Directory with LdapExtLoginModu
            Andy Brook Newbie

            Hello,
I have a web application which I'm trying to secure via an Active Directory server. I have a Unit Test (configuration at end of post) derived from org.jboss.test.LoginModulesTestCase which connects and retrieves attributes (proving the login module can be poked to work). When I try and configure the webapp to connect to AD I always get a stack and a bad password comment. This happened in 4.0.3.sp1, and still with 4.0.4.sp1; can anyone spot something wrong with the login-config.xml?

            I've reviewed the recently changed http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule page but I seem to be doing what is expected, here's my ticklist:

1. modified deploy/jbossweb-tomcat55.sar/server.xml to set up an SSL connector (see end for config).
2. have matched the WEB-INF/jboss-web.xml security-domain element to an entry in the server/conf/login-config.xml file
3. configured web-app to be secured, such that accessing its context triggers redirection to a login form, via SSL, and submits to j_security_check.

So in theory j_security_check is receiving the login user/pass and is passing them on to the LdapExtLoginModule, but I keep getting an invalid password (which it isn't!).

I have some thoughts that I may have to specify an initial context provider in the LdapExtLoginModule's JBoss config; could this be the issue? (I happen to be running inside an IBM 1.5 VM, so com.sun wouldn't work if it were hard-coded anywhere...)

            Pointers? Ideas?

            thanks in advance.
            Andy.
            =========

            ::jbossweb-tomcat55.sar/server.xml::

             <Connector port="8443" address="${jboss.bind.address}"
             maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true" algorithm="IbmX509"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
             keystorePass="password" sslProtocol = "TLS" />
            


            ::login-config.xml::
            <application-policy name="webapp">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://myserver.net:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">user@mycompany.net</module-option>
             <module-option name="bindCredential">password</module-option>
             <module-option name="baseCtxDN">DC=mydomain,DC=net</module-option>
             <module-option name="baseFilter">(sAMAccountName={0})</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="rolesCtxDN">DC=mycompany,DC=net</module-option>
             <module-option name="roleAttributeID">memberOf</module-option>
             <module-option name="roleAttributeIsDN">true</module-option>
             <module-option name="roleNameAttributeID">cn</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
             </login-module>
             </authentication>
            </application-policy>
            


            ::Configuration::
             AppConfigurationEntry[] testLdapExtLoginToActiveDirectory()
             {
                 String name = "org.jboss.security.auth.spi.LdapExtLoginModule";
                 HashMap options = new HashMap();
                 options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
                 options.put("java.naming.provider.url", "ldap://myserver.net:389");
                 options.put("java.naming.security.authentication", "simple");

                 options.put(BIND_DN, ACCESS_UID);
                 options.put(BIND_CREDENTIAL, ACCESS_PASS);
                 options.put(BASE_CTX_DN, "dc=mycompany,dc=net");
                 options.put(BASE_FILTER_OPT, "(sAMAccountName={0})");

                 options.put("rolesCtxDN", "dc=mycompany,dc=net");
                 options.put("roleFilter", "(member={1})");
                 options.put("roleAttributeID", "memberOf");
                 options.put("roleAttributeIsDN", "true");
                 options.put("roleNameAttributeID", "name");
                 options.put("roleRecursion", "-1");
                 options.put("searchTimeLimit", "15000");

                 // referral fix (see reply 1) and subtree scope, both absent from login-config.xml above
                 options.put("java.naming.referral", "follow");
                 options.put(SEARCH_SCOPE_OPT, "SUBTREE_SCOPE");

                 AppConfigurationEntry ace = new AppConfigurationEntry(name,
                     AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
                 AppConfigurationEntry[] entry = { ace };
                 return entry;
             }
            


            ::server.log Stacktrace::
            2006-02-09 16:58:37,051 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Failed to validate password
            javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=mycompany,DC=net'
             at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2778)
             at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
             at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1823)
             at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1746)
             at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1763)
             at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:409)
             at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:391)
             at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:373)
             at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:278)
             at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:403)
             at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:340)
             at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
             at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:201)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:615)
             at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
             at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
             at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
             at java.security.AccessController.doPrivileged(AccessController.java:241)
             at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
             at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
             at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
             at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
             at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
             at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
             at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
             at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
             at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
             at java.lang.Thread.run(Thread.java:788)
            2006-02-09 16:58:37,061 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=myuser
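The stack trace above ends in the same "Unprocessed Continuation Reference(s)" failure that reply 1 traced to a missing `java.naming.referral=follow`, and the login-config.xml in this post has no such module-option while the unit-test configuration does (in XML form it would be `<module-option name="java.naming.referral">follow</module-option>`). The program below is an added example, not code from this thread or from JBoss: a stand-alone JNDI check that performs the same four steps as LdapExtLoginModule (bind as the service account, find the user by sAMAccountName, bind again as the user's DN to validate the password, collect group names), so a login-config.xml can be exercised outside the server. The host, DNs and account names are placeholders. For the role step it reads `memberOf` from the user entry and resolves each group DN's `cn`, which is the usual AD mapping (roleAttributeID=memberOf, roleAttributeIsDN=true, roleNameAttributeID=cn); with roleFilter=(member={1}) as in the configs above the search returns group entries, and memberOf on a group lists that group's parent groups rather than the user's groups.

```java
// AdLoginCheck.java (added example): stand-alone JNDI reproduction of the
// LdapExtLoginModule sequence: service bind, user search, bind as the user,
// group lookup. Host, DNs and account names are placeholders, not the thread's.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

public class AdLoginCheck {
    // Same roles as the module-options in login-config.xml (placeholder values).
    static final String PROVIDER_URL = "ldap://myserver.net:389";
    static final String BIND_DN = "svc-jboss@mydomain.net"; // AD accepts a UPN for simple bind
    static final String BIND_CREDENTIAL = "bindpass";
    static final String BASE_CTX_DN = "DC=mydomain,DC=net";

    /** JNDI environment for a simple bind; equivalent to the java.naming.* module-options. */
    static Hashtable<String, String> env(String principal, String credential) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        // A subtree search from the domain root on port 389 makes AD return continuation
        // references for its other partitions; with java.naming.referral unset the Sun
        // provider ends the search with "PartialResultException: Unprocessed Continuation
        // Reference(s)", which the module then logs as a bad password. "follow" resolves them.
        env.put(Context.REFERRAL, "follow");
        return env;
    }

    /** baseFilter=(sAMAccountName={0}) with searchScope=SUBTREE_SCOPE; returns the DN or null. */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "sAMAccountName" });
        sc.setTimeLimit(15000);
        // Pass the username as a filter argument: JNDI escapes it (RFC 4515), so '*' or ')'
        // in a login name cannot widen the filter. Never concatenate it into the filter string.
        NamingEnumeration<SearchResult> results =
            ctx.search(BASE_CTX_DN, "(sAMAccountName={0})", new Object[] { username }, sc);
        String dn = null;
        while (results.hasMore()) {
            String found = results.next().getNameInNamespace();
            if (dn != null) return null; // two entries matched: refuse rather than guess
            dn = found;
        }
        return dn;
    }

    /** What LdapExtLoginModule.validatePassword does: a second simple bind as the user's DN. */
    static boolean passwordValid(String userDn, String password) {
        // An empty password is an LDAP unauthenticated bind, which AD accepts by default,
        // so it must be rejected here instead of being sent to the server.
        if (password == null || password.length() == 0) return false;
        try {
            new InitialDirContext(env(userDn, password)).close();
            return true;
        } catch (NamingException e) {
            return false; // AuthenticationException for a wrong password or a locked account
        }
    }

    /** roleAttributeID=memberOf read from the user entry; each group DN's cn is the role name
     *  (roleAttributeIsDN=true, roleNameAttributeID=cn). */
    static List<String> roles(DirContext ctx, String userDn) throws NamingException {
        List<String> names = new ArrayList<String>();
        Attribute memberOf =
            ctx.getAttributes(new LdapName(userDn), new String[] { "memberOf" }).get("memberOf");
        if (memberOf == null) return names;
        NamingEnumeration<?> groups = memberOf.getAll();
        while (groups.hasMore()) {
            String groupDn = (String) groups.next();
            Attribute cn = ctx.getAttributes(new LdapName(groupDn), new String[] { "cn" }).get("cn");
            if (cn != null) names.add((String) cn.get());
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: java AdLoginCheck <sAMAccountName> <password>");
            System.exit(2);
        }
        DirContext ctx = new InitialDirContext(env(BIND_DN, BIND_CREDENTIAL));
        try {
            String userDn = findUserDn(ctx, args[0]);
            System.out.println("user DN: " + userDn);
            if (userDn != null && passwordValid(userDn, args[1])) {
                System.out.println("password ok, roles: " + roles(ctx, userDn));
            } else {
                System.out.println("login rejected");
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `java AdLoginCheck myuser 'the-password'` from a host that can reach the domain controller; if the user DN prints but the password is reported invalid, the module's bind step is what fails, and if the search itself throws, the referral or scope settings are the first thing to compare against login-config.xml. Two points the thread's configs leave open: the SSL connector in server.xml only protects the browser-to-Tomcat hop, while `ldap://...:389` with `simple` authentication sends the service account password and every user's password to the directory in clear, so the provider URL should be `ldaps://` (or the connection otherwise protected) in anything beyond a test; and `roleRecursion=-1` in login-config.xml differs from the `0` used in the working unit test, which is worth checking once the referral error is gone.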
            


            • 3. Re: Authenticating to Active Directory with LdapExtLoginModu
              Thomas Busch Newbie

              Not sure if you ever got a response to this but it looks like your BindDN is actually mapped to a userPrincipalName. You probably need to map it to the actual DN.