2 Replies Latest reply on Oct 25, 2007 4:45 PM by Ryan Bartig

    LdapLoginModule talking to microsoft adam

    Ryan Bartig Newbie

      I'm forced to port our ldap server to microsoft adam and am having some issues getting jboss to talk to adam. Currently I've got the users/groups ported to adam and the msDS-UserAccountDisabled attribute is set to false (user is active). When I reset the password in Adsi Edit and try to log into one of our apps I'm getting the following:

      2007-10-16 16:00:14,198 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=minime
      javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, va28

      <application-policy name="LdapRealm">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,o=my.org</module-option>
      <module-option name="rolesCtxDN">o=my.org</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="uidAttributeID">memberOf</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

      </application-policy>

      I'm 90% sure I've got the LdapLoginModule wrong but am new to ldap/adam. Currently I'm using jboss 4.2.1 with adam 1.0. Any help would be greatly appreciated.

        • 1. Re: LdapLoginModule talking to microsoft adam
          Ryan Bartig Newbie

          I'm closer in getting microsoft adam and jboss talking. When I give it a bad login it throws an exception and writes the following message to the server.log file. But when I give it a correct login it keeps prompting me for a username/password. Anyone else have this issue with adam, active directory, or any other ldap servers? Why can't microsoft adam (which I heard is a 90% ldap compliant server) and jboss play nice?

          2007-10-22 14:50:30,086 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=butt
          javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, va28

          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">CN=</module-option>
          <module-option name="principalDNSuffix">,OU=users,O=my.org</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          <module-option name="roleNameAttributeID">CN=</module-option>
          <module-option name="rolesCtxDN">OU=groups,O=my.org</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>

          • 2. Re: LdapLoginModule talking to microsoft adam
            Ryan Bartig Newbie

            I finally figured it out and thought I'd post what I found in case someone else has the same issue. Turned on the trace in jboss and read through the LdapLoginModule source code. The user I was trying to log in with wasn't in the Administrators or Readers role. Doesn't even matter if they're in the Users role. Think I'm going to use LdapExtLoginModule instead. Not sure if this is a parameter that can be turned off because I couldn't find any detailed documentation on adam.

            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">CN=</module-option>
            <module-option name="principalDNSuffix">,O=my.org</module-option>
            <module-option name="rolesCtxDN">O=my.org</module-option>
            <module-option name="roleAttributeID">CN</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleNameAttributeID">name</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="matchOnUserDN">true</module-option>