1 Reply Latest reply on Jul 25, 2013 11:16 AM by Spyro Gyra

    Ldap configuration

    Spyro Gyra Newbie

      Hello!

      I need to configure JBoss with LDAP but I have some problems.

      I tried to do this:

       

      web.xml

       

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>HtmlAuth</web-resource-name>
              <description>application security constraints</description>
              <url-pattern>/*</url-pattern>
              <!-- Listing http-method elements constrains only GET and POST; every other
                   verb (HEAD, PUT, DELETE, OPTIONS, ...) on /* stays unprotected on this
                   Servlet 3.0 container. Omit the http-method elements to cover all methods. -->
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>admin</role-name>
          </auth-constraint>
      </security-constraint>
      <login-config>
          <!-- BASIC sends the password base64-encoded with every request; only use it over HTTPS. -->
          <auth-method>BASIC</auth-method>
          <realm-name>LDAP Test</realm-name>
      </login-config>
      <security-role>
          <role-name>admin</role-name>
      </security-role>
      
      

       

      jboss-web.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
                <security-domain>java:/jaas/my_ldap_security_domain</security-domain>
      </jboss-web>
      
      

       

      standalone.xml

       

      <security-domain name="my_ldap_security_domain">
          <authentication>
              <login-module code="LdapExtended" flag="required">
                  <!-- Plain ldap:// on 389 with simple authentication sends the bind password
                       and every user's password in the clear; use ldaps:// with
                       java.naming.security.protocol=ssl outside a test network. -->
                  <module-option name="java.naming.provider.url" value="ldap://hml-ldap:389"/>
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <!-- The bind account only looks up the user's DN; a read-only service
                       account is enough, the directory admin is not needed. -->
                  <module-option name="bindDN" value="cn=admin,dc=company,dc=com,dc=br"/>
                  <module-option name="bindCredential" value="pass"/>
                  <module-option name="baseCtxDN" value="ou=users,dc=company,dc=com,dc=br"/>
                  <!-- Not an RFC 4515 search filter: no enclosing parentheses, and the DN
                       components after {0} become part of the uid value, so nothing matches.
                       That is consistent with the "found no matches" error below. The usual
                       form is (uid={0}), searched relative to baseCtxDN. -->
                  <module-option name="baseFilter" value="uid={0},dc=company,dc=com,dc=br"/>
                  <module-option name="rolesCtxDN" value="ou=groups,dc=company,dc=com,dc=br"/>
                  <!-- {1} is the DN found by the user search; {0} would be the username. -->
                  <module-option name="roleFilter" value="(member={1})"/>
                  <module-option name="roleAttributeID" value="cn"/>
                  <module-option name="throwValidateError" value="true"/>
                  <!-- ONELEVEL_SCOPE searches only the direct children of the search base;
                       users in sub-OUs are not found. -->
                  <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
              </login-module>
          </authentication>
      </security-domain>
      
      
      

       

      When I enter the username and password, this exception occurs:

       

       

      11:52:48,535 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_11]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_11]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_11]
          at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_11]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_11]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_11]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]
      Caused by: javax.naming.NamingException: PB00019: Processing Failed:Search of baseDN(ou=users,dc=company,dc=com,dc=br) found no matches
          at org.jboss.security.auth.spi.LdapExtLoginModule.bindDNAuthentication(LdapExtLoginModule.java:482) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:438) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:312) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]

       

       

      What is going on?

       

      I changed some configurations and tried a lot, but I haven't succeeded.

      There are other programs that connect to the same LDAP and work fine. However, in this case (with JBoss) there are some problems, certainly in my configuration.

       

      Thanks!

        • 1. Re: Ldap configuration
          Spyro Gyra Newbie

          I succeeded :-)

          This article was helpful: http://middlewaremagic.com/jboss/?p=378

          The JBoss tested was jboss-as-7.1.1.Final and authentication occurs against Active Directory.

          In web.xml I put * in the role-name tag to grant access to all groups.

           

          <!-- * has its "any authenticated user" meaning only inside <auth-constraint>;
               inside <security-role> it is just a declared role name. Granting every
               directory account access reduces authorization to "can bind to LDAP". -->
          <security-role>
              <role-name>*</role-name>
          </security-role>

           

          And in the auth-method tag I put BASIC (user/pass from the browser's login window) instead of FORM.

           

          <login-config>
              <auth-method>BASIC</auth-method>
          </login-config>

           

          In standalone.xml

           

          <subsystem xmlns="urn:jboss:domain:security:1.1">
              <security-domains>
                  <!-- "other" is the domain applied to deployments that name none; with
                       the Disabled login module those deployments fail closed. -->
                  <security-domain name="other" cache-type="default">
                      <authentication>
                          <login-module code="Disabled" flag="required"/>
                      </authentication>
                  </security-domain>
                  <security-domain name="test_ldap_security_domain">
                      <authentication>
                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                              <!-- Plain ldap:// sends the bind password and every user's password
                                   in the clear; Active Directory also serves ldaps:// on 636. -->
                              <module-option name="java.naming.provider.url" value="ldap://server:389"/>
                              <module-option name="bindDN" value="cn=company,cn=test,dc=com,dc=br"/>
                              <!-- Plaintext secret in standalone.xml: restrict the file's permissions
                                   or keep the value in the AS 7.1 password vault. -->
                              <module-option name="bindCredential" value="my_ad_pass"/>
                              <module-option name="baseCtxDN" value="cn=test,dc=com,dc=br"/>
                              <module-option name="baseFilter" value="(uid={0})"/>
                              <module-option name="rolesCtxDN" value="cn=Roles,cn=test,dc=com,dc=br"/>
                              <module-option name="roleFilter" value="(userPrincipalName={0})"/>
                              <module-option name="roleAttributeID" value="name"/>
                              <module-option name="roleNameAttributeID" value="cn"/>
                              <module-option name="roleAttributeIsDN" value="true"/>
                              <!-- Set exactly once, and to false: an empty password sent to Active
                                   Directory is an unauthenticated bind that succeeds, so allowing it
                                   lets anyone log in as any user. The module's default is true. -->
                              <module-option name="allowEmptyPasswords" value="false"/>
                              <!-- The JNDI property for referral chasing is java.naming.referral (the
                                   value of the Context.REFERRAL constant); the literal key
                                   "Context.REFERRAL" is not a JNDI property. -->
                              <module-option name="Context.REFERRAL" value="follow"/>
                              <module-option name="throwValidateError" value="true"/>
                              <!-- SUBTREE_SCOPE also finds users and roles in sub-OUs of the bases. -->
                              <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                          </login-module>
                          <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                              <module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>
                              <module-option name="replaceRole" value="false"/>
                          </login-module>
                      </authentication>
                  </security-domain>
              </security-domains>
          </subsystem>
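Worked example, added here and not part of either post or of PicketBox/JBoss: a small Python model of the LdapExtended flow that both configurations above drive (bind as bindDN, search baseCtxDN with baseFilter, rebind as the DN found, then search rolesCtxDN with roleFilter), run against a constructed in-memory directory. It shows why the first post's baseFilter `uid={0},dc=company,dc=com,dc=br` can only end in "found no matches", why ONELEVEL_SCOPE misses users in sub-OUs, what allowEmptyPasswords=true does when the server treats an empty password as an unauthenticated bind (Active Directory's default behaviour), and why the username substituted for {0} must be RFC 4515-escaped. Assumptions: the directory contents, DNs, account names and passwords are invented; the modelled server accepts an empty-password bind as an anonymous session; the model applies searchScope to both searches and escapes substituted values itself, which describes this code and not PicketBox internals.

```python
"""Model of the PicketBox LdapExtended two-phase login on a constructed in-memory directory (added example, not PicketBox/JBoss code)."""
import re

class FilterError(ValueError):
    pass

def escape_filter_value(value):
    """RFC 4515 escaping for text substituted into a filter ({0}, {1})."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise FilterError("expected '(' at offset %d in %r" % (i, s))
    if s[i + 1:i + 2] in ("&", "|", "!"):
        op, i, kids = s[i + 1], i + 2, []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise FilterError("bad operand count for %r" % op)
        node = (op, kids)
    else:
        m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)", s[i + 1:])
        if not m:
            raise FilterError("expected attr=value at offset %d in %r" % (i + 1, s))
        node, i = ("=", m.group(1).lower(), m.group(2)), i + 1 + m.end()
    if s[i:i + 1] != ")":
        raise FilterError("missing ')' at offset %d in %r" % (i, s))
    return node, i + 1

def parse_filter(text):
    """Parse an RFC 4515 filter (=, presence, &, |, !) or raise FilterError."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError("trailing text after filter: %r" % text[end:])
    return node

def matches(node, entry):
    if node[0] == "=":
        values = entry.get(node[1], [])
        if node[2] == "*":  # presence test, e.g. (uid=*)
            return bool(values)
        wanted = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), node[2])
        return any(v.lower() == wanted.lower() for v in values)
    kids = [matches(k, entry) for k in node[1]]
    return all(kids) if node[0] == "&" else any(kids) if node[0] == "|" else not kids[0]

def search(directory, base, scope, filter_text):
    """DNs under base that match; ONELEVEL_SCOPE sees only direct children of base."""
    node, suffix = parse_filter(filter_text), "," + base.lower()
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(suffix)
            and not (scope == "ONELEVEL_SCOPE" and "," in dn[:-len(suffix)])
            and matches(node, entry)]

def bind(directory, dn, password):
    """Simple bind. An empty password is an unauthenticated bind (RFC 4513 5.1.2): the
    modelled server, like Active Directory by default, answers success but only anonymously."""
    if password == "":
        return "anonymous"
    if password not in directory.get(dn, {}).get("userpassword", []):
        raise PermissionError("invalid credentials for %s" % dn)
    return dn

def ldap_ext_login(directory, opts, username, password):
    """Bind as bindDN, find the user under baseCtxDN, rebind as the user, then
    collect roleAttributeID from rolesCtxDN entries matching roleFilter."""
    if password == "" and not opts.get("allowEmptyPasswords", True):
        raise PermissionError("empty password rejected before any bind")
    bind(directory, opts["bindDN"], opts["bindCredential"])
    user = escape_filter_value(username)  # {0} is caller-controlled text
    hits = search(directory, opts["baseCtxDN"], opts["searchScope"], opts["baseFilter"].replace("{0}", user))
    if len(hits) != 1:
        raise PermissionError("Search of baseDN(%s) found %d matches" % (opts["baseCtxDN"], len(hits)))
    bind(directory, hits[0], password)
    role_filter = opts["roleFilter"].replace("{0}", user).replace("{1}", escape_filter_value(hits[0]))
    roles = [r for dn in search(directory, opts["rolesCtxDN"], opts["searchScope"], role_filter)
             for r in directory[dn].get(opts["roleAttributeID"].lower(), [])]
    return hits[0], sorted(roles)

def outcome(opts, username, password):
    """One login against DIRECTORY, reported as a string for easy comparison."""
    try:
        return "OK roles=%s" % ",".join(ldap_ext_login(DIRECTORY, opts, username, password)[1])
    except (FilterError, PermissionError) as exc:
        return "%s: %s" % (type(exc).__name__, exc)

BASE = "dc=company,dc=com,dc=br"  # constructed directory: service account, two users, one group
DIRECTORY = {
    "cn=svc," + BASE: {"cn": ["svc"], "userpassword": ["bindpass"]},
    "uid=alice,ou=users," + BASE: {"uid": ["alice"], "userpassword": ["S3cret!"]},
    "uid=bob,ou=contractors,ou=users," + BASE: {"uid": ["bob"], "userpassword": ["pw"]},
    "cn=admin,ou=groups," + BASE: {"cn": ["admin"], "member": ["uid=alice,ou=users," + BASE]},
}
OPTS = {  # the thread's first security domain, with only baseFilter corrected
    "bindDN": "cn=svc," + BASE, "bindCredential": "bindpass",
    "baseCtxDN": "ou=users," + BASE, "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=groups," + BASE, "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "searchScope": "ONELEVEL_SCOPE", "allowEmptyPasswords": False,
}
```

`outcome(OPTS, "alice", "S3cret!")` returns `OK roles=admin`. Swapping in the first post's baseFilter yields a FilterError from the parser, and the parenthesised variant `(uid={0},dc=company,dc=com,dc=br)` parses but matches nothing, reproducing the `found 0 matches` path; `bob` is only found once searchScope is SUBTREE_SCOPE. With `allowEmptyPasswords=True` an empty password also returns `OK roles=admin`, which is the bypass the option exists to stop, and a username of `*` is escaped to `\2a` so it cannot turn the user search into a presence match.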