JBoss AS 7 Ldap authentication fails
alihamza7 Nov 8, 2011 11:08 AM
I have a configuration that works perfectly in AS6.FINAL, however when I port it to AS7.0.2 it fails authentication.
After following the code in debug mode I found that the error occurs somewhere in LdapExtLoginModule's rolesSearch method.
It says it cannot follow referral -- I think it complains about an LDAP referral exception. (I did not have this issue in AS6 with the same configuration.)
I'm not sure what I'm missing here, as I do have naming.referral set to follow.
Any ideas?
Please see stack trace below.
09:49:38,474 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2) Security checking request GET /testldapwebsite/
09:49:38,474 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[All Requests]' against GET /index.jsp --> true
09:49:38,475 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[All Requests]' against GET /index.jsp --> true
09:49:38,475 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2) Calling hasUserDataPermission()
09:49:38,475 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2) User data constraint has no restrictions
09:49:38,475 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2) Calling authenticate()
09:49:38,496 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) Begin isValid, principal:nsm-developer, cache entry: null
09:49:38,497 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) defaultLogin, principal=nsm-developer
09:49:38,507 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-2) Begin getAppConfigurationEntry(other), size=1
09:49:38,549 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-2) End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(sAMAccountName={0})
name=java.naming.referral, value=follow
name=bindDN, value=myuser@norc.org
name=rolesCtxDN, value=DC=norc,DC=org
name=baseCtxDN, value=DC=norc,DC=org
name=roleRecursion, value=-1
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=roleFilter, value=(member={0})
name=java.naming.provider.url, value=ldap://myip:389
name=bindCredential, value=****
name=roleAttributeIsDN, value=false
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=cn
09:49:38,560 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) initialize
09:49:38,561 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Security domain: other
09:49:38,561 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) login
09:49:38,562 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Logging into LDAP server, env={baseFilter=(sAMAccountName={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=other, java.naming.security.authentication=simple, baseCtxDN=DC=norc,DC=org, roleAttributeIsDN=false, rolesCtxDN=DC=norc,DC=org, java.naming.security.principal=myusenorc.org, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={0}), java.naming.provider.url=ldap://S081NPAD00509.norc.org:389, roleAttributeID=cn, bindDN=myuser@norc.org, bindCredential=***}
09:49:38,707 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Logging into LDAP server, env={baseFilter=(sAMAccountName={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=other, java.naming.security.authentication=simple, baseCtxDN=DC=norc,DC=org, roleAttributeIsDN=false, rolesCtxDN=DC=norc,DC=org, java.naming.security.principal=CN=NSM-developer,OU=Project Accounts,OU=Users,OU=Prod,DC=norc,DC=org, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={0}), java.naming.provider.url=ldap://S081NPAD00509.norc.org:389, roleAttributeID=cn, bindDN=myuser@norc.org, bindCredential=***}
09:49:38,718 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Bad password for username=nsm-developer
09:49:38,718 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) abort
09:49:38,719 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252) [picketbox-4.0.1.jar:4.0.1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_25]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) [:1.6.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) [:1.6.0_25]
at java.lang.reflect.Method.invoke(Unknown Source) [:1.6.0_25]
at javax.security.auth.login.LoginContext.invoke(Unknown Source) [:1.6.0_25]
at javax.security.auth.login.LoginContext.access$000(Unknown Source) [:1.6.0_25]
at javax.security.auth.login.LoginContext$4.run(Unknown Source) [:1.6.0_25]
at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_25]
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) [:1.6.0_25]
at javax.security.auth.login.LoginContext.login(Unknown Source) [:1.6.0_25]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.1.jar:4.0.1]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154) [picketbox-infinispan-4.0.1.jar:4.0.1]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:127) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at java.lang.Thread.run(Unknown Source) [:1.6.0_25]
09:49:38,722 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) End isValid, false
09:49:38,722 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testldapwebsite]] (http--127.0.0.1-8080-2) Username nsm-developer NOT successfully authenticated
09:49:38,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2) Failed authenticate() test
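To make the two "Logging into LDAP server" lines in the trace easier to read, here is an added example (not code from this thread and not JBoss/PicketBox code) that models the flow those options drive: bind as bindDN, resolve the user's DN with baseFilter, bind again as that DN with the supplied password, then walk roleFilter for roles. It runs against a small constructed in-memory directory; the service account DN, its password, the group entries and the `roleRecursion` convention (levels of nested groups to follow) are assumptions, only the developer account's DN is taken from the trace, and referral following is not modelled at all.

```python
"""In-memory model of the two-bind flow behind LdapExtLoginModule's options
(service bind, user DN lookup, user bind, role search). Added example: this is
not JBoss/PicketBox code, and the directory entries are constructed."""
import re

# Constructed sample directory keyed by DN (hypothetical entries; only the
# developer account's DN is copied from the trace).
DIRECTORY = {
    "CN=myuser,OU=Service Accounts,DC=norc,DC=org": {
        "sAMAccountName": "myuser", "cn": "myuser", "userPassword": "svc-secret"},
    "CN=NSM-developer,OU=Project Accounts,OU=Users,OU=Prod,DC=norc,DC=org": {
        "sAMAccountName": "nsm-developer", "cn": "NSM-developer",
        "userPassword": "dev-secret"},
    "CN=Developers,OU=Groups,DC=norc,DC=org": {
        "cn": "Developers",
        "member": ["CN=NSM-developer,OU=Project Accounts,OU=Users,OU=Prod,DC=norc,DC=org"]},
    "CN=Staff,OU=Groups,DC=norc,DC=org": {
        "cn": "Staff", "member": ["CN=Developers,OU=Groups,DC=norc,DC=org"]},
}

# Module options as in the trace, except bindDN (a DN here, not the UPN form
# myuser@norc.org) and roleRecursion (example convention, see roles_search).
OPTIONS = {
    "bindDN": "CN=myuser,OU=Service Accounts,DC=norc,DC=org",
    "bindCredential": "svc-secret",          # assumed
    "baseCtxDN": "DC=norc,DC=org",
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "DC=norc,DC=org",
    "roleFilter": "(member={0})",
    "roleAttributeID": "cn",
    "roleRecursion": 1,                      # nested group levels to follow
    "allowEmptyPasswords": False,
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn, filter_str):
    """Subtree search supporting a single equality filter '(attr=value)'."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, wanted = m.group(1).lower(), _unescape(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if wanted in values:
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind: succeeds only for a known DN with a non-empty matching password."""
    entry = DIRECTORY.get(dn)
    return bool(entry and password and entry.get("userPassword") == password)


def roles_search(user_dn, recursion, seen=None):
    """Groups whose roleFilter matches user_dn, following `recursion` nesting levels."""
    seen = set() if seen is None else seen
    roles = []
    filter_str = OPTIONS["roleFilter"].replace("{0}", escape_filter_value(user_dn))
    for group_dn in search(OPTIONS["rolesCtxDN"], filter_str):
        if group_dn in seen:
            continue
        seen.add(group_dn)
        roles.append(DIRECTORY[group_dn][OPTIONS["roleAttributeID"]])
        if recursion > 0:
            roles.extend(roles_search(group_dn, recursion - 1, seen))
    return roles


def login(username, password):
    """Return (ok, user_dn, roles, reason) following the module's two-bind flow."""
    if not password and not OPTIONS["allowEmptyPasswords"]:
        return (False, None, [], "Password Incorrect/Password Required")
    # 1. bind as the service account (first "Logging into LDAP server" line)
    if not bind(OPTIONS["bindDN"], OPTIONS["bindCredential"]):
        return (False, None, [], "bindDN/bindCredential rejected")
    # 2. resolve the user's DN; {0} is the escaped username, not raw input
    user_filter = OPTIONS["baseFilter"].replace("{0}", escape_filter_value(username))
    matches = search(OPTIONS["baseCtxDN"], user_filter)
    if len(matches) != 1:
        return (False, None, [], "user lookup returned %d entries" % len(matches))
    user_dn = matches[0]
    # 3. bind as that DN with the supplied password (second "Logging into" line)
    if not bind(user_dn, password):
        return (False, user_dn, [], "Bad password for username=%s" % username)
    # 4. role search under rolesCtxDN
    return (True, user_dn, roles_search(user_dn, OPTIONS["roleRecursion"]), "ok")


if __name__ == "__main__":
    for user, pw in [("nsm-developer", "dev-secret"), ("nsm-developer", "wrong")]:
        print(user, "->", login(user, pw))
```

The second bind is the one the trace reports as "Bad password": it is made as the DN returned by the baseFilter search, so the service-account bind can succeed while the user bind fails. The escaping step matters because `{0}` is user-controlled; a username such as `*)(cn=*` must be matched literally, not parsed as filter syntax.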