1 Reply Latest reply on Jul 3, 2008 3:40 AM by amit dongre

    Ldap Configuration With Jboss Portal

    amit dongre Newbie

      Hi All,
      I am unable get to log in into Portal after configuring Portal with OpenDS Ldap.
      When first time i am trying to get log in by user/user credential its showing me an error of "message: Access to the requested resource has been denied.description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden."
      but on very second attempt portal get authenticate with same credentials (user/user).This same case happens with admin/admin credentials.
      but if I am trying to get log in with other credentials then it shows me an error of "Your account is disabled ">
      Please help me out with this error.
      I made following changes to configure portal with OpenDS Ldap:
      All changes are in Bold

      I used Following ldif:

      dn: dc=jboss,dc=org
      objectclass: top
      objectclass: dcObject
      objectclass: organization
      dc: jboss
      o: jboss
      
      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=user,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: user
      cn: JBoss Portal user
      sn: user
      userPassword: user
      mail: email@email.com
      
      
      dn: uid=admin,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: admin
      cn: JBoss Portal admin
      sn: admin
      userPassword: admin
      mail: email@email.com
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=User,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: User
      description: the JBoss Portal user group
      member: uid=user,ou=People,dc=jboss,dc=org
      
      dn: cn=Admin,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: Echo
      description: the JBoss Portal admin group
      member: uid=admin,ou=People,dc=jboss,dc=org






      1.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\META-INF\jboss-service.xml

      <mbean
       code="org.jboss.portal.core.identity.service.IdentityServiceControllerImpl"
       name="portal:service=Module,type=IdentityServiceController"
       xmbean-dd=""
       xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
       <xmbean/>
       <depends>portal:service=Hibernate</depends>
       <depends
       optional-attribute-name="IdentityEventBroadcaster"
       proxy-type="attribute">portal:service=IdentityEventManager</depends>
       <attribute name="JndiName">java:/portal/IdentityServiceController</attribute>
       <attribute name="RegisterMBeans">true</attribute>
       <attribute name="ConfigFile">conf/identity/ldap_identity-config.xml</attribute>
       <attribute name="DefaultConfigFile">conf/identity/standardidentity-config.xml</attribute>
       </mbean>
      


      2.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\identity\ldap_identity-config.xml

      <identity-configuration>
       <datasources>
       <datasource>
       <name>LDAP</name>
       <config>
       <option>
       <name>host</name>
       <value>localhost</value>
       </option>
       <option>
       <name>port</name>
       <value>389</value>
       </option>
       <option>
       <name>adminDN</name>
       <value>cn=Directory Manager</value>
       </option>
       <option>
       <name>adminPassword</name>
       <value>password</value>
       </option>
       <!--<option>
       <name>protocol</name>
       <value>ssl</value>
       </option>-->
       </config>
       </datasource>
       </datasources>
       <modules>
       <module>
       <!--type used to correctly map in IdentityContext registry-->
       <type>User</type>
       <implementation>LDAP</implementation>
       <!--Use this implementation for more flexible user retrieval-->
       <class>
       org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl
       </class>
       <config/>
       </module>
       <module>
       <type>Role</type>
       <implementation>LDAP</implementation>
       <!--Use this implementation for more flexible user retrieval-->
       <class>
       org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl
       </class>
       <config/>
       </module>
       <module>
       <type>Membership</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       <module>
       <type>UserProfile</type>
       <implementation>DELEGATING</implementation>
       <config>
       <option>
       <name>ldapModuleJNDIName</name>
       <value>java:/portal/LDAPUserProfileModule</value>
       </option>
       </config>
       </module>
       <module>
       <type>DBDelegateUserProfile</type>
       <implementation>DB</implementation>
       <config>
       <option>
       <name>randomSynchronizePassword</name>
       <value>true</value>
       </option>
       </config>
       </module>
       <module>
       <type>LDAPDelegateUserProfile</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       </modules>
      
       <options>
       <option-group>
       <group-name>common</group-name>
       <option>
       <name>userCtxDN</name>
       <value>ou=People,dc=jboss,dc=org</value>
       </option>
       <!--Uncomment to use with LDAPExtUserModuleImpl-->
       <option>
       <name>userSearchFilter</name>
       <value><![CDATA[(&((uid={0})(objectClass=person)))]]></value>
       </option>
       <option>
       <name>roleCtxDN</name>
       <value>ou=Roles,dc=jboss,dc=org</value>
       </option>
       <!--Uncomment to use with LDAPExtRoleModuleImpl-->
       <option>
       <name>roleSearchFilter</name>
       <value><![CDATA[(&((cn={0})(objectClass=groupOfNames)))]]></value>
       </option>
       </option-group>
       </options>
      
      </identity-configuration>


      3.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\login-config.xml

      <application-policy name="portal">
       <authentication>
       <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <module-option name="java.naming.factory.initial">
       com.sun.jndi.ldap.LdapCtxFactory
       </module-option>
       <module-option name="java.naming.provider.url">
       ldap://localhost:389/
       </module-option>
       <module-option name="java.naming.security.authentication">
       simple
       </module-option>
       <module-option name="bindDN">cn=Directory Manager</module-option>
       <module-option name="bindCredential">password</module-option>
       <module-option name="baseCtxDN">ou=People,dc=jboss,dc=org</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="searchTimeLimit">5000</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
       </authentication>
       </application-policy>
      




        • 1. Re: Ldap Configuration With Jboss Portal
          amit dongre Newbie

          Hi All,

          I made changes in my C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\login-config.xml file where <application-policy name="portal">.............</application-policy name="portal">

          and now I am able to get log in with available credentials in Ldap but again i come up with another problem i.e. I am unable to create new user through JBoss Portal Registration Page....
          Please refer my last post.
          Please can anybody help me out???
          I'll be thankful to you guys.

          <application-policy name="portal">
           <authentication>
          
           <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
           configure portal identity modules for this-->
           <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
           <module-option name="unauthenticatedIdentity">guest</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="password-stacking">useFirstPass</module-option>
           </login-module>
          
           <!--Use can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends JBossSX LdapExtLoginModule so
           all configuration that can be applied to LdapExtLoginModule also can be applied here. For user that
           was authenticated successfully it will try to take identity modules from portal, check if such user (and roles it belongs to)
           is present, and if not it will try to create them. Then for all roles assigned to this authenticated principal it will
           try to check and create them using identity modules. This behaviour can be disabled using "synchronizeRoles". You can also
           define one "defaultAssignRole" that will be always assigned to synchronized user.
           It is also possible to set option "synchronizeIdentity" to "false" so this module will act exactly like LdapExtLoginModule
           but it will inject role defined in "additionalRole". For obvious reasons
           this is designed to use with portal identity modules configured with DB and not LDAP-->
           <!--There is also SynchronizingLDAPLoginModule which provide the same set of options on top of JBossSX LdapLoginModule-->
           <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
           <module-option name="synchronizeIdentity">true</module-option>
           <module-option name="synchronizeRoles">true</module-option>
           <module-option name="preserveRoles">true</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="defaultAssignedRole">User</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
           <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
           <module-option name="java.naming.security.authentication">simple</module-option>
           <module-option name="bindDN">cn=Directory Manager</module-option>
           <module-option name="bindCredential">lolo</module-option>
           <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
           <module-option name="baseFilter">(uid={0})</module-option>
           <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
           <module-option name="roleFilter">(member={1})</module-option>
           <module-option name="roleAttributeID">cn</module-option>
           <module-option name="roleRecursion">-1</module-option>
           <module-option name="searchTimeLimit">10000</module-option>
           <module-option name="searchScope">SUBTREE_SCOPE</module-option>
           <module-option name="allowEmptyPasswords">false</module-option>
           </login-module>-->
          
           <!--This login module should be placed at the end of authentication stack. It always returns
           true in login() method so it should be always "optional" and exists after other "required" module in the stack.
           It will try to synchronize authenticated user into portal store using portal identity modules. Each subject principal assigned
           by previous modules will be tried to synchronize into portal as a role. -->
           <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
           <module-option name="synchronizeIdentity">true</module-option>
           <module-option name="synchronizeRoles">true</module-option>
           <module-option name="preserveRoles">true</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="defaultAssignedRole">User</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           </login-module>-->
          
           <!--Uncomment this if you want to fall down to users kept in DB if LDAP authentication fails
           This may be usefull if you want to use Admin user provided with portal database schema-->
           <!--Note that this may lead to the security risk - with LDAP when storing user profile information
           that are not mapped as attribute you may have LDAP user synchronized into DB with no password set.
           Please see HibernateUserProfileImpl module options "synchronizeNonExistingUsers", "acceptOtherImplementations"
           "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour-->
           <!--<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
           <module-option name="dsJndiName">java:/PortalDS</module-option>
           <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
           <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
           <module-option name="hashAlgorithm">MD5</module-option>
           <module-option name="hashEncoding">HEX</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           </login-module>-->
          
           </authentication>
           </application-policy>