14 Replies Latest reply on Aug 23, 2007 4:23 PM by D D

    LDAP Authentication

    D Johnson Newbie

      I have configured JBoss Portal 2.6 to use LDAP and what I believe to be a configuration for AD.

      However, when I start the server I get exception in regard to user "admin" not being found. I do not have an active directory account for admin.

      Can this be changed.

      2007-07-17 15:49:28,913 DEBUG [org.jboss.portal.jems.as.system.JBossServiceModelMBean$ServiceMixin] Starting failed JBossServiceModelMBean$ServiceMixin
      org.jboss.portal.identity.NoSuchUserException: No such user No user found with name: admin
      at org.jboss.portal.identity.ldap.LDAPUserModuleImpl.findUserByUserName(LDAPUserModuleImpl.java:102)
      at org.jboss.portal.cms.impl.jcr.JCRCMS.createContent(JCRCMS.java:410)
      at org.jboss.portal.cms.impl.jcr.JCRCMS.startJCR(JCRCMS.java:362)
      at org.jboss.portal.cms.impl.jcr.JCRCMS.startService(JCRCMS.java:315)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
      at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
      at org.jboss.portal.jems.as.system.AbstractJBossService.start(AbstractJBossService.java:73)
      at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.portal.jems.as.system.JBossServiceModelMBean$ServiceMixin.execute(JBossServiceModelMBean.java:488)
      at org.jboss.portal.jems.as.system.JBossServiceModelMBean$ServiceMixin.startService(JBossServiceModelMBean.java:454)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
      at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
      at org.jboss.portal.jems.as.system.JBossServiceModelMBean$6.invoke(JBossServiceModelMBean.java:376)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:995)
      at $Proxy0.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:417)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at org.jboss.system.ServiceController.start(ServiceController.java:435)
      at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
      at $Proxy4.start(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
      at $Proxy173.start(Unknown Source)
      at org.jboss.deployment.XSLSubDeployer.start(XSLSubDeployer.java:197)
      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782)
      at sun.reflect.GeneratedMethodAccessor117.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
      at $Proxy8.deploy(Unknown Source)
      at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:421)
      at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:634)
      at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:263)
      at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:336)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
      at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
      at $Proxy0.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:417)
      at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
      at $Proxy4.start(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302)
      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:766)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
      at $Proxy5.deploy(Unknown Source)
      at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:482)
      at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
      at org.jboss.Main.boot(Main.java:200)
      at org.jboss.Main$1.run(Main.java:490)
      at java.lang.Thread.run(Thread.java:595)

        • 1. Re: LDAP Authentication
          Boleslaw Dawidowicz Master

          I think you will see this only during the first startup. When you switch identity store to LDAP you need to provide default admin user/role - admin/Admin - for administration. This is needed by CMS.

          • 2. Re: LDAP Authentication
            roth Newbie

             

            "bdaw" wrote:
            When you switch identity store to LDAP you need to provide default admin user/role - admin/Admin - for administration. This is needed by CMS.


            Is this a hardcoded dependency? I switched to ldap and so far managed to map admin access to one of my ldap roles for 'User Portlet', 'Role Portlet', 'WSRP Portlet' and 'Admin Portlet', but not for CMS.

            I am not sure however if this was a good approach, maybe I should just fall back for the database to provide the admin user/role. I get all sorts of weird errors which I think is related to me not having a user/role called 'admin' in my ldap.

            Also, when running with ldap like this, the following 7 tables are never generated, which causes more errors:

            jbp_endpoint_info, jbp_producer_info, jbp_reg_prop_desc, jbp_reg_prop_desc_aliases, jbp_reg_prop_desc_usages, jbp_reg_property,
            jbp_registration_info.

            All other tables are generated at the first startup.

            Thanks,
            Tobias

            • 3. Re: LDAP Authentication
              roth Newbie

              Btw, thanks Boleslaw for fixing the comma-escaping, this works nicely now!

              • 4. Re: LDAP Authentication
                Julien Cornouiller Newbie

                hie,
                i have similar problem, i have create a user admin in my LDAP (Active Directory) and it works, but i don t thinks it s a good solution, if i have to install JBOSS Portal to my customers, i don t thinks they understand and approve the creation of a "fake" user named admin with the pass admin.
                do you any solution?

                best regards
                Julien Cornouiller.

                • 5. Re: LDAP Authentication
                  roth Newbie

                  Well, we have the same problem then. There are at least two options, but I didn't get any of them working completely yet.

                  1) map Admin role to a role from ldap
                  2) fall back to the db or plain files to get the admin user and role when it isn't found in ldap

                  For 1), I mapped access to the admin portlet, user, role, wsrp and now cms (that's an update to my previous post), but I still get some errors, and CMS isn't working quite right.

                  For 2), this looks easy when you open jboss-portal.sar/conf/login-config.xml. There is an entry commented out that should do this, only it's not working for me when I just uncomment it back in.

                  I'm still working on both and will report back here, or open more threads with more detailed problem reports.

                  Cheers,
                  Tobias

                  • 6. Re: LDAP Authentication
                    Boleslaw Dawidowicz Master

                    I'm not very knowledgeable about cms internal but on the first portal run it creates some stuff based on what it finds in identity store. Look at jboss-beans-security.xml in cms module. You'll find definitions of priviligas related to Anonymous, User and Admin roles type access. Did you try to alter this?

                    Sohil?

                    • 7. Re: LDAP Authentication
                      D D Newbie

                      I was able to get it to authenticate users but authorize anyone since there was no admin role.

                      Since most organizations directory services group won't go for adding a role called admin or administrator. This name is already used within our AD so we cannot use it for JBoss, the role name should be configurable.

                      Additionally, the userCtx is not a subtree search, you have to add in the DN for every container that has a user who access the portal. Our users are located in a subtree of containers org'ed by group and department. THis should be configurable, I see it in the code for roleCtx so I would think it would be easy to fix.

                      • 8. Re: LDAP Authentication
                        roth Newbie

                        Boleslaw: I updated http://wiki.jboss.org/wiki/Wiki.jsp?page=GiveAdminPrivileges with the exact steps I took to map admin access tro ne of my ldap rules.

                        It mostly works, but I still get errors and I'm reading some more docs right now. I'll keep you updated.

                        • 9. Re: LDAP Authentication
                          roth Newbie

                          I found the culprit. There is the string 'admin' hardcoded in cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java.

                          Once I change this to an existing user, all my errors go away. Can we unhardcode this please?

                           /** Loads content from sar and adds it to the repo. */
                           public void createContent() throws Exception
                           {
                           log.info("Creating default CMS content.");
                          
                          
                           // Get the content
                           URL root = Thread.currentThread().getContextClassLoader().getResource(defaultContentLocation);
                          
                           //make the user executing these to create the default content, an 'Admin' user
                           //without this, the fine grained security won't allow the creation
                           UserModule userModule = getUserModule();
                           if(userModule != null)
                           {
                           org.hibernate.Session session = org.jboss.portal.cms.hibernate.state.Tools.getOpenSession();
                           org.hibernate.Transaction tx = session.beginTransaction();
                           User user = userModule.findUserByUserName("admin"); // HERE
                           if(user!=null)
                           {
                           JCRCMS.getUserInfo().set(user);
                           }
                           tx.rollback();
                           org.jboss.portal.cms.hibernate.state.Tools.closeSession(session);
                           }


                          • 10. Re: LDAP Authentication
                            Boleslaw Dawidowicz Master

                            ouch... this doesn't look nice idneed. Could you file a bug in JIRA? Thanks for digging in!

                            • 11. Re: LDAP Authentication
                              roth Newbie

                              Done: http://jira.jboss.com/jira/browse/JBPORTAL-1646

                              It has been auto-assigned to Sohil.

                              Thanks,
                              Tobias

                              • 12. Re: LDAP Authentication
                                Sohil Shah Master

                                Tobias-

                                Let me take a look at this and see whats the best way to fix this.

                                Thanks for the feedback

                                • 13. Re: LDAP Authentication
                                  Sohil Shah Master

                                  Guys-

                                  A simple explanantion for the admin user requirement is that the CMS Security Engine, is built to provide unix like access control to resources stored in the cms (read,write,manager) to users and groups of users (we call roles in portal lingua).

                                  Now, the 'admin' user is designated as what we call 'root' in the Unix world. The reason being, say you have your security policy fudged up, and no one can access the system, someone with access to the 'admin' account, can go in and fix things without any restrictions. However, just like the root user, admin user information should be kept secret.

                                  Now, I will have to look and see if 'root' designation can be made configurable to any user you suggest instead of the core 'admin' user that is selected in the code.

                                  I will update the JIRA task with details on the fix.

                                  Thanks again

                                  • 14. Re: LDAP Authentication
                                    D D Newbie


                                    Other commercial portal platforms I have worked with allow you to configure an admin account. As I have said if your going to support pre-exist directory services your going to run into problems.