9 Replies Latest reply on Nov 2, 2007 5:31 AM by bdaw

LDAP Authentication & Authorization to eDirectory

arnieaustin May 22, 2007 2:12 PM

I am working with the jboss-portal-2.6-CR2 bundle. After getting it configured for MySQL and logging in as 'admin', I reconfigured it for LDAP using the LDAPExtUser/RoleModuleImpl classes. We are using Novell eDirectory setup in an Identity Vault configuration (nearly flat directory with different ou's for users and groups). Anyway, so far so good. I can log in. Well, actually Admin can login. I cannot. Keep getting "Your account is disabled." message on the login screen. Which is WRONG since my account is neither disabled nor locked in LDAP. My guess is this misleading message has something to do with Authorization.

Our LDAP structure:

o=idv
ou=groups,o=idv
ou=apps,ou=groups,o=idv
ou=jbossportal,ou=apps,ou=groups,o=idv
cn=Administrators,ou=jbossportal,ou=apps,ou=groups,o=idv
cn=Users,ou=jbossportal,ou=apps,ou=groups,o=idv

ou=people,o=idv
ou=apps,ou=people,o=idv
cn=admin,ou=apps,ou=people,o=idv
ou=employees,ou=people,o=idv
ou=al,ou=employees,ou=people,o=idv
cn=acm3,ou=al,ou=employees,ou=people,o=idv

Note that the admin I am using to authenticate is in a different container in the tree. My account (acm3) is where most employees would be.

The two groups mentioned have various users in them. In the Administrators case, Admin and ACM3 are both members. Yet when Admin logs in, the "Admin" link doesn't appear in the portal window. And ACM3 cannot log in at all.

What could I be missing here? There were no messages on the console log or in server.log that something was wrong.

I've included the ldap_identity-config.xml below:

<identity-configuration>
 <datasources>
 <datasource>
 <name>LDAP</name>
 <config>
 <option>
 <name>host</name>
 <value>idv1-lab.oag.state.tx.us</value>
 </option>
 <option>
 <name>port</name>
 <value>389</value>
 </option>
 <option>
 <name>adminDN</name>
 <value>cn=portalsystem,ou=apps,ou=people,o=idv</value>
 </option>
 <option>
 <name>adminPassword</name>
 <value>password</value>
 </option>
 <!--<option>
 <name>protocol</name>
 <value>ssl</value>
 </option>-->
 </config>
 </datasource>
 </datasources>
 <modules>
 <module>
 <!--type used to correctly map in IdentityContext registry-->
 <type>User</type>
 <implementation>LDAP</implementation>
 <class>org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl</class>
 <config/>
 </module>
 <module>
 <type>Role</type>
 <implementation>LDAP</implementation>
 <class>org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl</class>
 <config/>
 </module>
 <module>
 <type>Membership</type>
 <implementation>LDAP</implementation>
 <config/>
 </module>
 <module>
 <type>UserProfile</type>
 <implementation>DELEGATING</implementation>
 <config>
 <option>
 <name>ldapModuleJNDIName</name>
 <value>java:/portal/LDAPUserProfileModule</value>
 </option>
 </config>
 </module>
 <module>
 <type>DBDelegateUserProfile</type>
 <implementation>DB</implementation>
 <config>
 <option>
 <name>randomSynchronizePassword</name>
 <value>true</value>
 </option>
 </config>
 </module>
 <module>
 <type>LDAPDelegateUserProfile</type>
 <implementation>LDAP</implementation>
 <config/>
 </module>
 </modules>

 <options>
 <option-group>
 <group-name>common</group-name>
 <option>
 <name>userCtxDN</name>
 <value>ou=PEOPLE,o=IDV</value>
 </option>
 <option>
 <name>roleCtxDN</name>
 <value>ou=GROUPS,o=IDV</value>
 </option>
 <option>
 <name>userSearchFilter</name>
 <value>(cn={0})</value>
 </option>
 <option>
 <name>roleSearchFilter</name>
 <value>(cn={0})</value>
 </option>
 <option>
 <name>uidAttributeID</name>
 <value>cn</value>
 </option>
 <option>
 <name>passwordAttributeID</name>
 <value>password</value>
 </option>
 <option>
 <name>membershipAttributeId</name>
 <value>member</value>
 </option>
 <option>
 <name>membershipAttributeIsDN</name>
 <value>true</value>
 </option>
 </option-group>
 <option-group>
 <group-name>userCreateAttibutes</group-name>
 <option>
 <name>objectClass</name>
 <!--This objectclasses should work with Red Hat Directory-->
 <value>top</value>
 <value>person</value>
 <value>inetOrgPerson</value>
 </option>
 <!--Schema requires those to have initial value-->
 <option>
 <name>cn</name>
 <value>none</value>
 </option>
 <option>
 <name>sn</name>
 <value>none</value>
 </option>
 </option-group>
 <option-group>
 <group-name>roleCreateAttibutes</group-name>
 <!--Schema requires those to have initial value-->
 <option>
 <name>cn</name>
 <value>none</value>
 </option>
 <!--Some directory servers require this attribute to be valid DN-->
 <!--For safety reasons point to the admin user here-->
 <option>
 <name>member</name>
 <value>cn=portalsytem,ou=apps,ou=people,o=idv</value>
 </option>
 </option-group>
 </options>
</identity-configuration>

1. Re: LDAP Authentication & Authorization to eDirectory

bdaw May 22, 2007 4:21 PM (in response to arnieaustin)

Hi. I'm aware that there was a bug related to this in CR2. At first could you try with newest sources from svn? To build portal from sources you need to do:

svn co http://anonsvn.jboss.org/repos/portal/trunk/ jboss-portal-2.6

and then with JBOSS_HOME env set do
./build/build.sh deploy
./core-admin/build.sh deploy
./core-cms/build.sh deploy
./core-management/build.sh deploy
./core-search/build.sh deploy

Please try and let me know if you still have issues with this.
Actions
2. Re: LDAP Authentication & Authorization to eDirectory

arnieaustin May 23, 2007 11:00 AM (in response to arnieaustin)

Well, THAT was an exercise in futility! :) No change what so ever. I did notice that the ant builds were creating the sar and wars as ZIP files. So I unzipped the jboss-portal.sar file to a folder in the ./deploy folder. Then I placed the other wars into the .sar folder. Note that I simply removed the old jboss-portal.sar folder for the new one, in the same jboss-as installation that originally came w/t bundle.

After reconfiguring the \jboss-portal.sar\conf\identity\ldap_identity-config.xml file, was able to boot the server. To no avail.

I do see:
09:39:40,687 ERROR [LDAPUserProfileModuleImpl] No such attribute ('seeAlso') in entry: cn=admin,ou=APPS,ou=PEOPLE,o=IDV

Now, I can't speak to other LDAP servers, but in the case of Novell eDirectory, the seeAlso attribute is a list of DNs, not a text field. Is that what the ProfileModuleImp class is expecting? Can I map it to some other field? Say, description - which is a multivalued caseIgnoreString?

The log file shows:

2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] findUserByUserName(): username = admin
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filterArg: {0}: admin
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search ctx: ou=People,o=idv
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user uid: cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 09:39:30,187 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user dn: cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 09:39:30,203 DEBUG [org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl] findRoles(): role = cn=admin,ou=APPS,ou=PEOPLE,o=IDV

I must have something misconfigured because if I read this right, findRoles() will never find anything like cn=admin,ou=APPS,ou=PEOPLE,o=IDV since that's a user object, not a group object!
Actions
3. Re: LDAP Authentication & Authorization to eDirectory

arnieaustin May 23, 2007 11:20 AM (in response to arnieaustin)

I tweaked a setting and now get:

2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] findUserByUserName(): username = admin
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filterArg: {0}: admin
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search ctx: ou=People,o=idv
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user uid: cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user dn: cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 10:08:39,765 DEBUG [org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl] findRoles(): role = cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 10:08:39,781 DEBUG [org.jboss.portal.identity.ldap.LDAPRoleModule] findRoleByDN(): DN = cn=Administrators,ou=JBossPortal,ou=APPS,ou=GROUPS,o=IDV
2007-05-23 10:08:39,781 DEBUG [org.jboss.portal.identity.ldap.LDAPRoleModule] role uid: cn=Administrators,ou=JBossPortal,ou=APPS,ou=GROUPS,o=IDV
2007-05-23 10:08:39,781 DEBUG [org.jboss.portal.identity.ldap.LDAPRoleModule] role dn: cn=Administrators,ou=JBossPortal,ou=APPS,ou=GROUPS,o=IDV
2007-05-23 10:08:39,875 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] findUserByUserName(): username = admin
2007-05-23 10:08:39,875 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:08:39,875 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:08:39,875 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filterArg: {0}: admin
2007-05-23 10:08:39,875 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search ctx: ou=People,o=idv
2007-05-23 10:08:39,921 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user uid: cn=admin,ou=APPS,ou=PEOPLE,o=IDV
2007-05-23 10:08:39,921 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user dn: cn=admin,ou=APPS,ou=PEOPLE,o=IDV

But still no "Admin" link when admin logs in.

I still get "Your account is disabled" when ACM3 tries to log in. Log shows:

2007-05-23 10:12:57,609 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] findUserByUserName(): username = acm3
2007-05-23 10:12:57,609 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:12:57,609 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filter: (cn={0})
2007-05-23 10:12:57,609 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search filterArg: {0}: acm3
2007-05-23 10:12:57,609 DEBUG [org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl] Search ctx: ou=People,o=idv
2007-05-23 10:12:57,625 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user uid: cn=ACM3,ou=AL,ou=EMPLOYEES,ou=PEOPLE,o=IDV
2007-05-23 10:12:57,625 DEBUG [org.jboss.portal.identity.ldap.LDAPUserModule] user dn: cn=ACM3,ou=AL,ou=EMPLOYEES,ou=PEOPLE,o=IDV
2007-05-23 10:12:57,625 DEBUG [org.jboss.portal.identity.DelegatingUserProfileModuleImpl] getProperty: portal.user.enabled
2007-05-23 10:12:57,625 DEBUG [org.jboss.portal.identity.DelegatingUserProfileModuleImpl] Delegating to DB module
2007-05-23 10:12:57,625 DEBUG [org.jboss.portal.identity.db.HibernateUserProfileModuleImpl] Processing non HibernateUserImpl object: class org.jboss.portal.identity.ldap.LDAPUserImpl

So I guess the next questions are:

1) Can the "role" membership records that the portal uses in authorization be moved to LDAP group Objects?

2) If I descend my own versions the org.jboss.portal.identity.RoleModule interface, where do my .class files have to be for JBoss to see them during boot and where do i reference them in the configuration files? ldap_identity-config.xml perhaps?
Actions
4. Re: LDAP Authentication & Authorization to eDirectory

bdaw May 23, 2007 4:25 PM (in response to arnieaustin)

a lot of questions in your posts :)

... lets start from the beginning. I'm sure that the issue with disabled account should be resolved in newest sources. Did you flush the database content? Please try to redeploy portal from the newest sources, start with clean database, and let me know if you have still issues.

To have admin account portal needs to resolve account 'admin' with role 'Admin'. So I beleive that if you change 'Administrators' to 'Admin' in your LDAP you should get proper privilages.

You can workaround this by uncommenting following lines in login-config.xml:

<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
<module-option name="dsJndiName">java:/PortalDS</module-option>
<module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
<module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">HEX</module-option>
<module-option name="additionalRole">Authenticated</module-option>
</login-module>

and remove admin account from your LDAP. This will enable portal to use built in 'admin' account from the database. Please look at "Authentication and Authorization' chapter in latest 2.6 Reference Guide to learn more about this configuration.

If you update to latest portal sources:
svn co http://anonsvn.jboss.org/repos/portal/trunk/ jboss-portal-2.6

Then you can edit those configuration files directly in:
portal-sources/core/src/resources/portal-core-sar/ ...

then simply set JBOSS_HOME env and deploy whole using

portal-sources/build/build.sh deploy-all

I hope this will help you to avoid unpacking the jars :)

If you have issues with 'seeAlso' attribute just remove related 'ldap' mapping from profile-config.xml file.
Actions
5. Re: LDAP Authentication & Authorization to eDirectory

arnieaustin May 23, 2007 5:02 PM (in response to arnieaustin)

I did pull the latest (ie HEAD) out of the repository (it took quite a while).

Emptying the database to start over just generated reams of errors from the JBPM module.

Bleh. This isn't worth the effort.
Actions
6. Re: LDAP Authentication & Authorization to eDirectory

bdaw May 23, 2007 5:23 PM (in response to arnieaustin)

Emptying the database to start over just generated reams of errors from the JBPM module.

what kind of errors? Could you be a little more specific? So you were able to deploy a portal using an empty database before, and then turning off the AS, cleaning the database and turning back the AS gave you JBPM errors?
Actions
7. Re: LDAP Authentication & Authorization to eDirectory

ebrennan Oct 30, 2007 4:50 PM (in response to arnieaustin)

I am trying to set up Active Directory also. I can log fine using my AD Account.

Q? Do I have to have full read/write permission to AD to get this up and running. Right now the IT guys have only set up an account to query the Database. I don't plan on changing any of the info in AD. Using the query account they supplied I can validate my user and login to JBP.

Roles:
I don't know if our Group/Role structure is unusual or not.
In my User Entry I am a "MemberOf" my department (EAEUsr)
This group (EAEUsr) then is a "MemberOf" (HQ Users).

I then have a Group set up call Portal_User that has HQ Users as a "member"

All of the groups have a object class of "group" and I have change my roleFilter to match.

As soon as I comment out the below I get an error.

dynamic
portal.user.homepage

seeAlso
Actions
8. Re: LDAP Authentication & Authorization to eDirectory

ebrennan Nov 1, 2007 9:34 AM (in response to arnieaustin)

I have enable the workaround in the login-config.xml file so that if the User is not found in Ldap it looks at the datastore. This does not seem to have any effect.
Actions
9. Re: LDAP Authentication & Authorization to eDirectory

bdaw Nov 2, 2007 5:31 AM (in response to arnieaustin)

For the "seeAlso" errors - edit profile-config.xml and comment out proper ldap attribute mapping. What exactly did you put in login-config.xml ?
Actions

Go to original post