0 Replies Latest reply on Nov 8, 2011 11:08 AM by Ali Aga

    JBoss AS 7 Ldap authentication fails

    Ali Aga Newbie

      I have a configuration that works perfectly in AS6.FINAL, however when I port it to AS7.0.2 it fails authentication.

      After following the code in debug mode I found that the error occurs somewhere in ldapextloginmodules rolesSearch method.

      It says it cannot follow referal -- I think it complains about a LDAP referal exception. (I did not have this issue in AS6 with the same configuration)

       

      I'm not sure what I'm missing here? as I do have naming.referal set to follow.

       

      Any ideas?

       

      Please see stack trace below.

       

       

      09:49:38,474 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2) Security checking request GET /testldapwebsite/

      09:49:38,474 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[All Requests]' against GET /index.jsp --> true

      09:49:38,475 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[All Requests]' against GET /index.jsp --> true

      09:49:38,475 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2)  Calling hasUserDataPermission()

      09:49:38,475 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-2)   User data constraint has no restrictions

      09:49:38,475 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2)  Calling authenticate()

      09:49:38,496 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) Begin isValid, principal:nsm-developer, cache entry: null

      09:49:38,497 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) defaultLogin, principal=nsm-developer

      09:49:38,507 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-2) Begin getAppConfigurationEntry(other), size=1

      09:49:38,549 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-2) End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=baseFilter, value=(sAMAccountName={0})

      name=java.naming.referral, value=follow

      name=bindDN, value=myuser@norc.org

      name=rolesCtxDN, value=DC=norc,DC=org

      name=baseCtxDN, value=DC=norc,DC=org

      name=roleRecursion, value=-1

      name=java.naming.security.authentication, value=simple

      name=allowEmptyPasswords, value=false

      name=roleFilter, value=(member={0})

      name=java.naming.provider.url, value=ldap://myip:389

      name=bindCredential, value=****

      name=roleAttributeIsDN, value=false

      name=searchScope, value=SUBTREE_SCOPE

      name=roleAttributeID, value=cn

       

      09:49:38,560 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) initialize

      09:49:38,561 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Security domain: other

      09:49:38,561 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) login

      09:49:38,562 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Logging into LDAP server, env={baseFilter=(sAMAccountName={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=other, java.naming.security.authentication=simple, baseCtxDN=DC=norc,DC=org, roleAttributeIsDN=false, rolesCtxDN=DC=norc,DC=org, java.naming.security.principal=myusenorc.org, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={0}), java.naming.provider.url=ldap://S081NPAD00509.norc.org:389, roleAttributeID=cn, bindDN=myuser@norc.org, bindCredential=***}

      09:49:38,707 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Logging into LDAP server, env={baseFilter=(sAMAccountName={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=other, java.naming.security.authentication=simple, baseCtxDN=DC=norc,DC=org, roleAttributeIsDN=false, rolesCtxDN=DC=norc,DC=org, java.naming.security.principal=CN=NSM-developer,OU=Project Accounts,OU=Users,OU=Prod,DC=norc,DC=org, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={0}), java.naming.provider.url=ldap://S081NPAD00509.norc.org:389, roleAttributeID=cn, bindDN=myuser@norc.org, bindCredential=***}

      09:49:38,718 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) Bad password for username=nsm-developer

      09:49:38,718 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-2) abort

      09:49:38,719 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252) [picketbox-4.0.1.jar:4.0.1]

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_25]

          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) [:1.6.0_25]

          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) [:1.6.0_25]

          at java.lang.reflect.Method.invoke(Unknown Source) [:1.6.0_25]

          at javax.security.auth.login.LoginContext.invoke(Unknown Source) [:1.6.0_25]

          at javax.security.auth.login.LoginContext.access$000(Unknown Source) [:1.6.0_25]

          at javax.security.auth.login.LoginContext$4.run(Unknown Source) [:1.6.0_25]

          at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_25]

          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) [:1.6.0_25]

          at javax.security.auth.login.LoginContext.login(Unknown Source) [:1.6.0_25]

          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]

          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.1.jar:4.0.1]

          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154) [picketbox-infinispan-4.0.1.jar:4.0.1]

          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:127) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]

          at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.2.Final.jar:7.0.2.Final]

          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]

          at java.lang.Thread.run(Unknown Source) [:1.6.0_25]

       

      09:49:38,722 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) End isValid, false

      09:49:38,722 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/testldapwebsite]] (http--127.0.0.1-8080-2) Username nsm-developer NOT successfully authenticated

      09:49:38,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-2)  Failed authenticate() test