3 Replies Latest reply on Sep 25, 2007 12:07 PM by tl le

    LDAP Connection error

    tl le Newbie

      Hi,
      I am trying to set up an LDAP connection to the ApacheDS. However I got an error when trying to connect to the server. Here are my setup

      in jboss-service.xml

      change the name of identity-config.xml to ldap_identity-config.xml (as said in the document, chapter 16)

      in ldap_identity-config.xml: change the following codes



      <datasource>
       <name>LDAP</name>
       <config>
       <option>
       <name>host</name>
       <value>localhost</value>
       </option>
       <option>
       <name>port</name>
       <value>10389</value>
       </option>
       <option>
       <name>adminDN</name>
       <value>uid=admin,ou=system</value>
       </option>
       <option>
       <name>adminPassword</name>
       <value>secret</value>
       </option>
       <!--<option>
       <name>protocol</name>
       <value>ssl</value>
       </option>-->
       <option>
       <name>externalContextJndiName</name>
       <value>external/ldap/jboss</value>
       </option>
       </config>
       </datasource>
       </datasources>
      


      in login-config.xml: change the following codes (as said in the wiki: http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication)

      <application-policy name="portal">
       <authentication>
      
       <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
       configure portal identity modules for this-->
       <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://localhost:10389</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="baseCtxDN">ou=People,o=portal</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=Groups,o=portal</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <module-option name="roleAttributeID">member</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="searchTimeLimit">5000</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
      </authentication>
      


      I am using the ldif file: portal-sample-local.ldif provided in jboss source

      I am able to connect to the server using jxplorer application with the same admin user name and password (as stated in the ldap_identity-config.xml)
      However, from within jboss server, when I try to login using the username/password: admin/admin, I recieved errors


      ERROR [IdentityLoginModule] Error when validating password
      org.jboss.portal.common.transaction.NestedException: javax.security.auth.login.LoginException: org.jboss.portal.identity.IdentityException: Unable to connect to
      LDAP: Name: null, Host: localhost, Port: 10389, Context factory: com.sun.jndi.ldap.LdapCtxFactory, Admin user: uid=admin,ou=system, Admin password: ***, Authen
      tication: simple, Protocol: null


      I am using Jboss portal 2.6.1
      What am I missing here? Or is there any step should I follow?
      Your help is greatly appreciated

      Thanks,
      SGM

        • 1. Re: LDAP Connection error
          Selcuk Bozdag Newbie

          I used to have almost the same problem.

          I am 100% sure that I did not change the configuration file jboss-service.xml. I only followed the instructions given on page http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication . And it worked! You should exactly notice that there is no such a configuration step for jboss-service.xml or ldap_identity-config.xml on that wiki. I have tried so many times before in the same way you did. However they did not work.

          Anyway, just follow the steps on the wiki and don't forget to check out the troubleshooting listing below the page(only three lines)

          I am also using version 2.6.1GA. I tried it against a openldap server.

          And the last notice, don't forget to add a role name 'Authenticated'(or whatever name you want, But be aware of synch that name with your login-config file) to your ldap server. And make your user a member of it.

          Also, reading chapters about authentication/authorization will help you so much as well as they helped me.

          hope this helps,

          • 2. Re: LDAP Connection error
            Boleslaw Dawidowicz Master

            You have

            <option>
             <name>externalContextJndiName</name>
             <value>external/ldap/jboss</value>
            </option>
            

            uncommented. Using this all other LDAP connection options are ignored. Did you read the docs?

            http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/ldap.html#d0e6811

            If you configure all modules in ldap_identity-config.xml you don't need to change login-config.xml to authenticate.



            • 3. Re: LDAP Connection error
              tl le Newbie

              Hi,
              Thanks for all responds.

              First, I tried the suggestions from sbozdag. When I tried to log in, jboss displayed message: "your account is disabled" with admin/admin. If I tried to login with jduke1/theduke, jboss gave me the message: "this account doesn't not exist ...."

              Here is my configuration:

              1. I am using ApacheDS(Apache directory server) and using JXplorer to log in. ApacheDS doesn't allow anonymous login. So I used the option username+password
              username: uid=admin,ou=system
              password: secret

              2. Because ApacheDS doen't allow anonymous login, I then change the configuration in login-config.xml a little bit and added two lines

              <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
               <module-option name="unauthenticatedIdentity">guest</module-option>
               <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
               <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
               <module-option name="additionalRole">Authenticated</module-option>
               <module-option name="password-stacking">useFirstPass</module-option>
               </login-module>
               <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
               <module-option name="java.naming.factory.initial">
               com.sun.jndi.ldap.LdapCtxFactory
               </module-option>
               <module-option name="java.naming.provider.url">
               ldap://localhost:10389/
               </module-option>
               <module-option name="java.naming.security.authentication">
               simple
               </module-option>
               <module-option name="binDN">uid=admin,ou=system</module-option>
               <module-option name="bindCredential">secret</module-option>
               <module-option name="baseCtxDN">ou=People,o=portal</module-option>
               <module-option name="baseFilter">(uid={0})</module-option>
               <module-option name="rolesCtxDN">ou=Groups,o=portal</module-option>
               <module-option name="roleFilter">(member={0})</module-option>
               <module-option name="roleAttributeID">member</module-option>
               <module-option name="roleRecursion">-1</module-option>
               <module-option name="roleNameAttributeID">cn</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="searchTimeLimit">5000</module-option>
               <module-option name="searchScope">SUBTREE_SCOPE</module-option>
               </login-module>
              


              I also added the "Authenticated" and associated all users to this role in the server.
              I think once I hit the login button, this configuration doesn't get called at all since jboss is not able to find the jduke1 username in the server.
              I don't know if the changes (in red color) I made in this configuration are correct or is there anything i am missing here?

              I am using the portal-sample-local.ldif provided in jboss source
              Your help on this is greatly appreciated

              Thanks,

              SGM