30 Replies. Latest reply on Nov 2, 2007 5:47 AM by Boleslaw Dawidowicz

    JBoss Portal LDAP Setup

    olivwalt Newbie

      Hello,

      I've set up JBoss Portal with LdapExtLoginModule in $JBOSS_HOME\server\default\deploy\jboss-portal.sar\conf\login-config.xml

      <application-policy name="portal">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
            <module-option name="java.naming.factory.initial">
              com.sun.jndi.ldap.LdapCtxFactory
            </module-option>
            <module-option name="java.naming.provider.url">
              ldap://bridge6.eu.boschrexroth.com:389/
            </module-option>
            <module-option name="java.naming.security.authentication">
              simple
            </module-option>
            <module-option name="baseCtxDN">ou=People,o=boschrexroth</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Groups,o=boschrexroth</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">member</module-option>
            <module-option name="roleRecursion">-1</module-option>
          </login-module>
        </authentication>
      </application-policy>


      So far I think I can log in (no error in server.log), but after authentication I'm not able to access any portal component at the path http://localhost:8080/portal/auth/*
      (e.g. http://localhost:8080/portal/auth/portal/default/default/UserPortletWindow?action=a&windowstate=normal),
      to which I am redirected after the login process.

      I always get a Tomcat error: HTTP Status 403 - Access to the requested resource has been denied

      What else am I missing? I think it must be an authorization issue somewhere.

      Regards Oliver

        • 1. Re: JBoss Portal LDAP Setup
          Boleslaw Dawidowicz Master

          Unless you configured everything well, what you are missing is that each user must belong to the "Authenticated" role to be authorized to access portal resources. The mechanism in portal is that in the IdentityLoginModule, after the user's credentials are confirmed, membership in the role "Authenticated" is injected. You will find it in the configuration:

          <application-policy name="portal">
            <authentication>
              <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                <module-option name="additionalRole">Authenticated</module-option>
                <module-option name="password-stacking">useFirstPass</module-option>
              </login-module>
            </authentication>
          </application-policy>


          Look in portal-server.war's web.xml; the servlets have:

          <security-role-ref>
            <role-name>Authenticated</role-name>
            <role-link>Authenticated</role-link>
          </security-role-ref>


          • 2. Re: JBoss Portal LDAP Setup
            olivwalt Newbie

            Hi bdaw,

            Thanks for your help. Right now I'm not sure how to inject the "Authenticated" role in org.jboss.security.auth.spi.LdapExtLoginModule. Our LDAP will never have an "Authenticated" role, and org.jboss.security.auth.spi.LdapExtLoginModule does not have a <module-option name="additionalRole">.

            So the only way I can think of is to adjust the <security-role-ref> in portal-server.war's web.xml; is that correct?

            Regards Oliver

            • 3. Re: JBoss Portal LDAP Setup
              olivwalt Newbie

              Hi,

              Adjusting the <security-role-ref> in portal-server.war's web.xml did not solve this issue :(.

              Oliver

              • 4. Re: JBoss Portal LDAP Setup
                Boleslaw Dawidowicz Master

                1) You can create the role 'Authenticated' in your LDAP and assign every user that needs to access the portal to it
                2) You can alter web.xml to point to any other role that every user in your LDAP belongs to

                It's not just security-role-ref. Investigate that file more carefully. You will find a "security-constraint" part in it.

                I'm sure it's possible. I tried it myself with LdapLoginModule. Portal is set up to restrict access to all /auth/* resources to a specific role membership. It's standards-based (JAAS), so you can change it to whatever you want. The only two places where portal plugs in to the security exposed by the Application Server are its own JAAS LoginModule implementation and the configuration in web.xml.

                • 5. Re: JBoss Portal LDAP Setup
                  olivwalt Newbie

                  Hello bdaw,

                  OK, I will first try to create a test role in LDAP called "Authenticate". Maybe I have to play a bit with the "roleAttributeIsDN" option. Where can I turn on the DEBUG output for AuthenticatorBase, RealmBase and FormAuthenticator like in the post http://jboss.org/index.html?module=bb&op=viewtopic&t=91871?
                  My log4j.xml option in the conf directory for org.jboss is on DEBUG, but I don't get this output in server.log.

                  For http://jira.jboss.com/jira/browse/JBPORTAL-1047 this could maybe helpful:

                  1. Set it up like IdentityLoginModule, where you can set an "additionalRole" as a module-option. Normally (at least in our company) there is no such "global" role in LDAP for users. (I checked e.g. SAP NetWeaver, and there also exists a built-in "Authenticated Users" role.)

                  2. Another idea is to build in filters on users and roles, so that you can have your default "admin" and "user" users be authenticated against the portal database instead of LDAP, like
                  <module-option name="ldapUserFilter">admin, user</module-option>
                  <module-option name="ldapUserFilter">Administrators,Users</module-option>

                  3. Attribute mapping between portal and LDAP with an access option like read-write or read-only. Portal attributes which are not mapped against LDAP should be stored in the portal DB and be merged with the principals.

                  Hope this gives you some ideas for a powerful LDAP implementation.

                  Regards Oliver

                  • 6. Re: JBoss Portal LDAP Setup
                    Boleslaw Dawidowicz Master

                    "olivwalt" wrote:
                    My log4j.xml option in the conf directory for org.jboss is on DEBUG, but I don't get this output in server.log.


                    Try setting DEBUG for org.apache as well. You can also change the console appender threshold to DEBUG. log4j.xml is scanned for changes every 30s by the AS, so you can do it after portal deployment.

                    In 2.4 there is no default support for LDAP, so you can plug it in, as portal security is based on JAAS, but it has some limitations. Instead of just using LdapLoginModule you should implement your own LoginModule that authenticates against LDAP and injects the additional role for the J2EE security constraints.

                    http://jira.jboss.com/jira/browse/JBPORTAL-464

                    LDAP support planned for 2.6 is discussed here:
                    http://jboss.org/index.html?module=bb&op=viewtopic&t=92487
                    http://jboss.org/index.html?module=bb&op=viewtopic&t=94631
                    http://jboss.org/index.html?module=bb&op=viewtopic&t=95134

                    I think that some of your suggestions are covered in the roadmap already.
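The custom LoginModule suggested in this reply, as an added example that is not code from the thread or from the JBoss Portal project: it subclasses the JBoss AS 4.x org.jboss.security.auth.spi.LdapExtLoginModule and, after the parent has validated the user's password against LDAP, appends one extra role (read from a module-option named "additionalRole", mirroring the IdentityLoginModule option shown earlier in the thread) to the "Roles" group. The class and package names are hypothetical; the JBoss classes SimpleGroup, SimplePrincipal and the getRoleSets()/initialize() hooks of UsernamePasswordLoginModule are real. Because UsernamePasswordLoginModule only calls getRoleSets() from commit() after a successful login(), the extra role is never attached to a subject whose LDAP credentials failed.

```java
// Hypothetical package and class name: an added example, not JBoss Portal code.
package example.portal.auth;

import java.security.Principal;
import java.security.acl.Group;          // JBoss AS 4.x role groups use java.security.acl.Group
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.LdapExtLoginModule;

/**
 * LdapExtLoginModule plus one extra role for every successfully authenticated user.
 *
 * Wire it in login-config.xml in place of LdapExtLoginModule, keeping all the LDAP
 * options and adding the new one (hypothetical snippet):
 *
 *   <login-module code="example.portal.auth.LdapAdditionalRoleLoginModule" flag="required">
 *     ... existing java.naming.* / baseCtxDN / rolesCtxDN options ...
 *     <module-option name="additionalRole">Authenticated</module-option>
 *   </login-module>
 */
public class LdapAdditionalRoleLoginModule extends LdapExtLoginModule {

    private static final String ADDITIONAL_ROLE_OPTION = "additionalRole";
    private static final String ROLES_GROUP = "Roles";

    private String additionalRole;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        // Read the extra role name; absent or empty means "behave exactly like the parent".
        Object value = options.get(ADDITIONAL_ROLE_OPTION);
        additionalRole = (value == null) ? null : value.toString().trim();
    }

    /**
     * Called by UsernamePasswordLoginModule.commit() only after login() succeeded,
     * so the additional role is granted solely to LDAP-authenticated users.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group[] roleSets = super.getRoleSets();      // roles found via roleFilter/roleAttributeID
        if (additionalRole == null || additionalRole.length() == 0) {
            return roleSets;
        }

        Group roles = findGroup(roleSets, ROLES_GROUP);
        if (roles == null) {
            // The LDAP search produced no "Roles" group at all: create one and keep the rest.
            roles = new SimpleGroup(ROLES_GROUP);
            Group[] extended = new Group[roleSets.length + 1];
            System.arraycopy(roleSets, 0, extended, 0, roleSets.length);
            extended[roleSets.length] = roles;
            roleSets = extended;
        }

        Principal extra = new SimplePrincipal(additionalRole);
        if (!roles.isMember(extra)) {                // idempotent: don't duplicate an LDAP-sourced role
            roles.addMember(extra);
        }
        return roleSets;
    }

    private static Group findGroup(Group[] groups, String name) {
        for (int i = 0; i < groups.length; i++) {
            if (groups[i] != null && name.equals(groups[i].getName())) {
                return groups[i];
            }
        }
        return null;
    }
}
```

The role name is taken from configuration rather than hard-coded, so the same module can feed whatever role the portal's web.xml security-constraint names; and because the parent's LDAP search results are preserved, role-based portal permissions granted to LDAP groups keep working alongside the blanket "Authenticated" membership.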

                    • 7. Re: JBoss Portal LDAP Setup
                      olivwalt Newbie

                      Hello bdaw,

                      It works :). Great, thanks a lot for your help. Here is my setup.

                      1. Update $JBOSS_HOME\server\default\deploy\jboss-portal.sar\conf\login-config.xml and replace the existing

                      <!-- <application-policy name="portal">
                        <authentication>
                          <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
                            <module-option name="unauthenticatedIdentity">guest</module-option>
                            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                            <module-option name="additionalRole">Authenticated</module-option>
                            <module-option name="password-stacking">useFirstPass</module-option>
                          </login-module>
                        </authentication>
                      </application-policy> -->
                      with
                      <application-policy name="portal">
                        <authentication>
                          <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
                            <module-option name="unauthenticatedIdentity">guest</module-option>
                            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                            <module-option name="additionalRole">Authenticated</module-option>
                            <module-option name="password-stacking">useFirstPass</module-option>
                          </login-module>
                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial">
                              com.sun.jndi.ldap.LdapCtxFactory
                            </module-option>
                            <module-option name="java.naming.provider.url">
                              ldap://bridge6.eu.boschrexroth.com:389/
                            </module-option>
                            <module-option name="java.naming.security.authentication">
                              simple
                            </module-option>
                            <module-option name="baseCtxDN">ou=People,o=boschrexroth</module-option>
                            <module-option name="baseFilter">(uid={0})</module-option>
                            <module-option name="rolesCtxDN">ou=Groups,o=boschrexroth</module-option>
                            <module-option name="roleFilter">(member={1})</module-option>
                            <module-option name="roleAttributeID">member</module-option>
                            <module-option name="roleRecursion">-1</module-option>
                            <module-option name="roleNameAttributeID">cn</module-option>
                            <module-option name="roleAttributeIsDN">true</module-option>
                            <module-option name="searchTimeLimit">5000</module-option>
                            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                          </login-module>
                        </authentication>
                      </application-policy>


                      We use LdapExtLoginModule due to the hierarchical structure of our LDAP server. As our structure is the same as example1.ldif (http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule), I set the module options "roleAttributeIsDN" and "roleNameAttributeID" (in our case "cn").

                      Add the IdentityLoginModule with flag="sufficient" if you want the existing default admin and user to still be able to log in.

                      2. Create a role in LDAP with the name "Authenticated" and add all users which you want to be able to log in as members of the role. I'm sure you can also map the security-constraint in portal-server.war\WEB-INF\web.xml to any other already existing role, but I never tested that.

                      Regards Oliver

                      • 8. Re: JBoss Portal LDAP Setup
                        Boleslaw Dawidowicz Master

                        Great to hear it! Could you describe your configuration in the wiki? It's a common question in the user forum recently.

                        • 9. Re: JBoss Portal LDAP Setup
                          olivwalt Newbie


                          "bdaw" wrote:
                          Great to hear it! Could you describe your configuration in wiki? It's the common question in the user forum recently.



                          Hi bdaw, sure I could do it, but ... I don't know where. The JBoss Wiki is still confusing me a little bit.

                          Regards Oliver

                          • 10. Re: JBoss Portal LDAP Setup
                            olivwalt Newbie

                            Hello bdaw,

                            have a look at http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication. Please also have a look at the already existing information; I have moved it to "Configuration prior to Portal 2.4", but I'm not sure if this is correct.

                            Regards Oliver

                            • 11. Re: JBoss Portal LDAP Setup
                              Boleslaw Dawidowicz Master

                              It's very good. Thanks! It'll be helpful for the community.

                              • 12. Re: JBoss Portal LDAP Setup
                                David Roberts Apprentice

                                This is a great thread for LDAP integration, and I used your Wiki to set up my LDAP integration successfully...well...almost. I have a problem, and I've found two other posts from different people with the same/similar problem, however they never got any replies. You guys seem clued up, let's see if you or anyone else can help. I'm sure others will benefit as well.

                                I have set up portal 2.4.1 to use LDAP authentication. However, it only authenticates with LDAP and allows access to the portal. It doesn't pull in any user information from LDAP. So I also have to create a local user in portal for each of my LDAP users. But now when I assign that local user security rights to certain pages, and then log in with the username and "ldap" password, it authenticates correctly, but the logged-in user cannot see the pages I gave him rights to. However, if I log in with the same user, but don't use my "ldap" password, and use the "local" portal password instead for that same user, I can log in and then see the pages that I gave him security rights to. I need to be able to use the "ldap" password to log in for every user, not the "local" password.

                                So basically it seems that if I use the local JBoss password for user "bob", it uses the security rights set up for "bob". But if I use the LDAP password for user "bob", it treats the login as a different user or something, and all security rights are missing and I can't see his pages.

                                Any help please?

                                • 13. Re: JBoss Portal LDAP Setup
                                  Thomas Heute Master

                                  Can you please stop cross-posting?
                                  It's the 3rd email that you hijack with the same text.

                                  You also started a thread here that seems related: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4009914#4009914
                                  But never came back on it.

                                  We need good behavior from the forum users to keep it as a good knowledge base, and I would appreciate it if you could go in that direction.

                                  Thanks,
                                  Thomas.

                                  • 14. Re: JBoss Portal LDAP Setup
                                    David Roberts Apprentice

                                    My apologies. I did find 2 other threads where they asked the same question, and nobody replied. So I posted my question there too in the hope that the original creators of the thread may have found a solution, and they would get a topic reply notification, in which case they could help me. It would also bump up the post, so if they couldn't find a solution, someone new may then see that thread and be able to help all of us that are looking for the same answer.

                                    The thread I started was with regard to importing users. I have now done that, and this new problem is with security/permissions, which I thought was a different issue.

                                    I will try to keep from cross-posting in future.

                                    Kind regards.
