
    Ldap Configuration With Jboss Portal

    amitdon19

      Hi All,
      I am unable to log in to the Portal after configuring it against an OpenDS LDAP directory.
      On the first login attempt with the user/user credentials I get the error "message: Access to the requested resource has been denied. description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden."
      On the very next attempt the portal authenticates the same credentials (user/user). The same thing happens with the admin/admin credentials.
      If I try to log in with any other credentials, I get the error "Your account is disabled".
      Please help me with this error.
      I made the following changes to configure the portal against OpenDS LDAP:
      All changes are in bold (the bold formatting does not survive in this plain-text copy).

      I used Following ldif:

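      # Base suffix for the portal identity data; userCtxDN/roleCtxDN in
      # ldap_identity-config.xml and baseCtxDN/rolesCtxDN in login-config.xml hang off it.
      # NOTE: in LDIF a line that begins with a space is a continuation of the previous
      # line, so when copying this listing every line must start in column 0.
      dn: dc=jboss,dc=org
      objectclass: top
      objectclass: dcObject
      objectclass: organization
      dc: jboss
      o: jboss

      # Container searched for user entries (userCtxDN / baseCtxDN).
      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People

      # Test accounts. userPassword is written in cleartext here; OpenDS will normally hash
      # it on import with the password policy's default storage scheme (verify that it does),
      # but this file itself still contains the secrets: keep it out of version control,
      # restrict its permissions and delete it after the import. Replace the throw-away
      # user/user and admin/admin passwords before exposing the portal to anyone else.
      dn: uid=user,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: user
      cn: JBoss Portal user
      sn: user
      userPassword: user
      mail: email@email.com

      dn: uid=admin,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: inetOrgPerson
      objectclass: person
      uid: admin
      cn: JBoss Portal admin
      sn: admin
      userPassword: admin
      mail: email@email.com

      # Container searched for role entries (roleCtxDN / rolesCtxDN).
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles

      # Role entries are groupOfNames with one member value per user DN; login-config.xml's
      # roleFilter (member={1}) and ldap_identity-config.xml's roleSearchFilter (cn={0})
      # both read these.
      dn: cn=User,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: User
      description: the JBoss Portal user group
      member: uid=user,ou=People,dc=jboss,dc=org

      dn: cn=Admin,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      # Was "cn: Echo", which does not match the RDN cn=Admin. Depending on whether the
      # server adds missing RDN attribute values, that either fails the import or leaves
      # the entry with two cn values (Admin and Echo); the naming attribute must agree
      # with the DN so that cn={0} lookups for "Admin" behave predictably.
      cn: Admin
      description: the JBoss Portal admin group
      member: uid=admin,ou=People,dc=jboss,dc=org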






      1.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\META-INF\jboss-service.xml

      <!-- Identity service controller for the portal. It loads the identity module
           definitions from ConfigFile and, presumably, falls back to DefaultConfigFile for
           anything ConfigFile does not define (confirm against the portal reference guide).
           Both paths are relative to jboss-portal.sar/. -->
      <mbean
       code="org.jboss.portal.core.identity.service.IdentityServiceControllerImpl"
       name="portal:service=Module,type=IdentityServiceController"
       xmbean-dd=""
       xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
       <xmbean/>
       <depends>portal:service=Hibernate</depends>
       <depends
       optional-attribute-name="IdentityEventBroadcaster"
       proxy-type="attribute">portal:service=IdentityEventManager</depends>
       <attribute name="JndiName">java:/portal/IdentityServiceController</attribute>
       <attribute name="RegisterMBeans">true</attribute>
       <!-- Points at the LDAP configuration shown in step 2 instead of the stock
            DB-backed identity-config.xml (this is presumably the changed attribute). -->
       <attribute name="ConfigFile">conf/identity/ldap_identity-config.xml</attribute>
       <attribute name="DefaultConfigFile">conf/identity/standardidentity-config.xml</attribute>
       </mbean>
      


      2.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\identity\ldap_identity-config.xml

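      <!-- LDAP-backed identity modules for JBoss Portal (loaded through the ConfigFile
           attribute in jboss-service.xml).
           Security notes before this goes beyond a local test:
           - adminDN is the OpenDS root DN (cn=Directory Manager). The portal only needs
             to search ou=People and ou=Roles and, for self-registration, add entries
             there. Bind with a dedicated service account restricted to that subtree
             instead of the directory superuser.
           - adminPassword sits in cleartext in this file (and again in login-config.xml).
             Restrict the file's permissions, keep it out of version control and change
             the default used here.
           - The "protocol" option is commented out, so the admin bind, the user searches
             and any password the modules forward to the directory travel in cleartext.
             Tolerable only while the directory is on localhost; enable ssl before
             pointing host at a remote server. -->
      <identity-configuration>
       <datasources>
       <datasource>
       <name>LDAP</name>
       <config>
       <option>
       <name>host</name>
       <value>localhost</value>
       </option>
       <option>
       <name>port</name>
       <value>389</value>
       </option>
       <!-- Directory superuser: see the note above about a scoped service account. -->
       <option>
       <name>adminDN</name>
       <value>cn=Directory Manager</value>
       </option>
       <option>
       <name>adminPassword</name>
       <value>password</value>
       </option>
       <!-- Uncomment for ldaps; the port above must then be the directory's SSL port. -->
       <!--<option>
       <name>protocol</name>
       <value>ssl</value>
       </option>-->
       </config>
       </datasource>
       </datasources>
       <modules>
       <module>
       <!--type used to correctly map in IdentityContext registry-->
       <type>User</type>
       <implementation>LDAP</implementation>
       <!--Use this implementation for more flexible user retrieval-->
       <class>
       org.jboss.portal.identity.ldap.LDAPExtUserModuleImpl
       </class>
       <config/>
       </module>
       <module>
       <type>Role</type>
       <implementation>LDAP</implementation>
       <!--Use this implementation for more flexible user retrieval-->
       <class>
       org.jboss.portal.identity.ldap.LDAPExtRoleModuleImpl
       </class>
       <config/>
       </module>
       <module>
       <type>Membership</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       <!-- Profile data is split: attributes mapped to LDAP go to the LDAP delegate,
            everything else to the portal database. -->
       <module>
       <type>UserProfile</type>
       <implementation>DELEGATING</implementation>
       <config>
       <option>
       <name>ldapModuleJNDIName</name>
       <value>java:/portal/LDAPUserProfileModule</value>
       </option>
       </config>
       </module>
       <module>
       <type>DBDelegateUserProfile</type>
       <implementation>DB</implementation>
       <config>
       <!-- Keep this true. LDAP users mirrored into the portal DB then get a random
            password instead of none, which matters if the DBIdentityLoginModule fallback
            in login-config.xml is ever enabled (see the warning there). -->
       <option>
       <name>randomSynchronizePassword</name>
       <value>true</value>
       </option>
       </config>
       </module>
       <module>
       <type>LDAPDelegateUserProfile</type>
       <implementation>LDAP</implementation>
       <config/>
       </module>
       </modules>

       <options>
       <option-group>
       <group-name>common</group-name>
       <option>
       <name>userCtxDN</name>
       <value>ou=People,dc=jboss,dc=org</value>
       </option>
       <!-- Used by LDAPExtUserModuleImpl; {0} is replaced by the login name. The original
            value (&((uid={0})(objectClass=person))) had an extra pair of parentheses
            around the filter list, which is not valid RFC 4515 syntax: lenient servers
            may accept it, strict ones reject or mis-parse it. The form below is the
            standard one.
            NOTE(review): confirm the module escapes {0} per RFC 4515 before substituting
            it; if it does a plain string replace, a login name containing * ( ) or \
            reaches the directory as filter syntax. -->
       <option>
       <name>userSearchFilter</name>
       <value><![CDATA[(&(uid={0})(objectClass=person))]]></value>
       </option>
       <option>
       <name>roleCtxDN</name>
       <value>ou=Roles,dc=jboss,dc=org</value>
       </option>
       <!-- Used by LDAPExtRoleModuleImpl; {0} is the role name. Same parenthesis fix and
            the same escaping caveat as userSearchFilter. -->
       <option>
       <name>roleSearchFilter</name>
       <value><![CDATA[(&(cn={0})(objectClass=groupOfNames))]]></value>
       </option>
       </option-group>
       </options>

      </identity-configuration>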


      3.In C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\login-config.xml

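      <!-- Portal authentication stack (first attempt).
           JAAS flag semantics matter here: IdentityLoginModule is "sufficient", so when it
           authenticates the user the chain returns at once and LdapExtLoginModule below
           never runs; LdapExtLoginModule is only reached when IdentityLoginModule fails.
           password-stacking=useFirstPass lets the second module reuse the password the
           first one collected. If both modules are meant to be consulted on every login,
           the first one has to be "required" as well. -->
      <application-policy name="portal">
       <authentication>
       <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
       <!-- Principal assigned to requests that carry no credentials. -->
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <!-- Option values are kept on a single line; the original wrapped them in newlines
            and spaces, which only works if the config parser trims them. -->
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <!-- Plain ldap:// with "simple" authentication: the bind password below and every
            user password cross the wire in cleartext. Acceptable only while the directory
            is on localhost; use ldaps:// and the directory's SSL port for anything remote. -->
       <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <!-- cn=Directory Manager is the OpenDS superuser, but this module only needs to
            search ou=People and ou=Roles. Bind with a dedicated read-only service account,
            and keep its password out of this file (it is cleartext here and duplicated in
            ldap_identity-config.xml). -->
       <module-option name="bindDN">cn=Directory Manager</module-option>
       <module-option name="bindCredential">password</module-option>
       <module-option name="baseCtxDN">ou=People,dc=jboss,dc=org</module-option>
       <!-- {0} is the login name; {1} in roleFilter is the DN of the user entry found here. -->
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <!-- NOTE(review): the groupOfNames entries in the LDIF carry no memberOf attribute,
            so role resolution depends on the module taking the name from
            roleNameAttributeID (cn) of each group matched by roleFilter. If the
            "Access denied" on the first login is a missing-role symptom, enable the
            login module's debug output and check which roles it actually assigns. -->
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <!-- Added: never forward an empty password to the directory. Many LDAP servers
            treat a bind with an empty password as an anonymous/unauthenticated bind, which
            would let anyone in with just a valid login name. The default differs between
            the JBoss SX LDAP login modules, so it is set explicitly rather than relied on. -->
       <module-option name="allowEmptyPasswords">false</module-option>
       <module-option name="searchTimeLimit">5000</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       </login-module>
       </authentication>
       </application-policy>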
      




        • 1. Re: Ldap Configuration With Jboss Portal
          amitdon19

          Hi All,

          I changed the <application-policy name="portal"> ... </application-policy> section of my C:\jboss-portal-2.6.5.SP1\server\default\deploy\jboss-portal.sar\conf\login-config.xml file (the new contents are below),

          and now I can log in with the credentials that exist in LDAP, but I have run into another problem: I am unable to create a new user through the JBoss Portal registration page....
          Please refer to my previous post for the rest of the configuration.
          Can anybody help me with this?
          I'll be thankful to you guys.

          <!-- Revised stack from the follow-up post. The LdapExtLoginModule of the first
               attempt is gone and IdentityLoginModule is now the single "required" module,
               so every login is decided by the portal identity modules (LDAP-backed through
               ldap_identity-config.xml). userProfileModuleJNDIName and
               membershipModuleJNDIName are new compared with the first attempt. -->
          <application-policy name="portal">
           <authentication>
          
           <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
           configure portal identity modules for this-->
           <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
           <!-- Principal assigned to requests that carry no credentials. -->
           <module-option name="unauthenticatedIdentity">guest</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <!-- Role granted to every successfully authenticated user on top of LDAP roles. -->
           <module-option name="additionalRole">Authenticated</module-option>
           <!-- Only meaningful with more than one module in the stack; harmless here. -->
           <module-option name="password-stacking">useFirstPass</module-option>
           </login-module>
          
           <!--Use can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends JBossSX LdapExtLoginModule so
           all configuration that can be applied to LdapExtLoginModule also can be applied here. For user that
           was authenticated successfully it will try to take identity modules from portal, check if such user (and roles it belongs to)
           is present, and if not it will try to create them. Then for all roles assigned to this authenticated principal it will
           try to check and create them using identity modules. This behaviour can be disabled using "synchronizeRoles". You can also
           define one "defaultAssignRole" that will be always assigned to synchronized user.
           It is also possible to set option "synchronizeIdentity" to "false" so this module will act exactly like LdapExtLoginModule
           but it will inject role defined in "additionalRole". For obvious reasons
           this is designed to use with portal identity modules configured with DB and not LDAP-->
           <!--There is also SynchronizingLDAPLoginModule which provide the same set of options on top of JBossSX LdapLoginModule-->
           <!-- The example below is inert (commented out). If it is ever enabled: it binds as
                the directory superuser (cn=Directory Manager) with a cleartext bindCredential
                over plain ldap://, and its baseCtxDN/rolesCtxDN still point at the vendor's
                QA tree rather than dc=jboss,dc=org. Use a scoped service account, ldaps and
                the real suffix; allowEmptyPasswords=false is the right value to keep. -->
           <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
           <module-option name="synchronizeIdentity">true</module-option>
           <module-option name="synchronizeRoles">true</module-option>
           <module-option name="preserveRoles">true</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="defaultAssignedRole">User</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
           <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
           <module-option name="java.naming.security.authentication">simple</module-option>
           <module-option name="bindDN">cn=Directory Manager</module-option>
           <module-option name="bindCredential">lolo</module-option>
           <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
           <module-option name="baseFilter">(uid={0})</module-option>
           <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
           <module-option name="roleFilter">(member={1})</module-option>
           <module-option name="roleAttributeID">cn</module-option>
           <module-option name="roleRecursion">-1</module-option>
           <module-option name="searchTimeLimit">10000</module-option>
           <module-option name="searchScope">SUBTREE_SCOPE</module-option>
           <module-option name="allowEmptyPasswords">false</module-option>
           </login-module>-->
          
           <!--This login module should be placed at the end of authentication stack. It always returns
           true in login() method so it should be always "optional" and exists after other "required" module in the stack.
           It will try to synchronize authenticated user into portal store using portal identity modules. Each subject principal assigned
           by previous modules will be tried to synchronize into portal as a role. -->
           <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
           <module-option name="synchronizeIdentity">true</module-option>
           <module-option name="synchronizeRoles">true</module-option>
           <module-option name="preserveRoles">true</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           <module-option name="defaultAssignedRole">User</module-option>
           <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
           <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
           <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
           <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
           </login-module>-->
          
           <!--Uncomment this if you want to fall down to users kept in DB if LDAP authentication fails
           This may be usefull if you want to use Admin user provided with portal database schema-->
           <!--Note that this may lead to the security risk - with LDAP when storing user profile information
           that are not mapped as attribute you may have LDAP user synchronized into DB with no password set.
           Please see HibernateUserProfileImpl module options "synchronizeNonExistingUsers", "acceptOtherImplementations"
           "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour-->
           <!-- Inert DB fallback. Besides the warning above (ldap_identity-config.xml here sets
                randomSynchronizePassword=true, which addresses the empty-password case), note
                that it verifies unsalted MD5 hex hashes from jbp_users (hashAlgorithm MD5,
                hashEncoding HEX, no salt option): a "sufficient" fallback on that store makes
                the portal only as strong as the weakest password kept there. -->
           <!--<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
           <module-option name="dsJndiName">java:/PortalDS</module-option>
           <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
           <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
           <module-option name="hashAlgorithm">MD5</module-option>
           <module-option name="hashEncoding">HEX</module-option>
           <module-option name="additionalRole">Authenticated</module-option>
           </login-module>-->
          
           </authentication>
           </application-policy>