1 Reply Latest reply on Oct 30, 2013 2:20 PM by Steven Rose

    Need Assistance with LdapExtLoginModule - Using Wildfly Beta 1

    Steven Rose Newbie

      Here is My Configuration

      =====================

        <security-domain name="pw-security-domain" cache-type="default">

                          <authentication>

                                <login-module code="Remoting" flag="optional">

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                </login-module>

                                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://10.10.10.232:389"/>

                                  <module-option name="java.naming.security.authentication" value="simple"/>

                                  <module-option name="bindDN" value="CN=administrator,CN=Users,DC=propworks,DC=airit,DC=com"/>

                                  <module-option name="bindCredential" value="propworks@123"/>

                                  <module-option name="baseCtxDN" value="CN=Users,DC=propworks,DC=airit,DC=com"/>

                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                  <module-option name="allowEmptyPasswords" value="false"/>

                                  <module-option name="throwValidateError" value="true"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

       

      LDIF File

      ========================

      dn: CN=Administrator,CN=Users,DC=propworks,DC=airit,DC=com

      changetype: add

      objectClass: top

      objectClass: person

      objectClass: organizationalPerson

      objectClass: user

      cn: Administrator

      description: Built-in account for administering the computer/domain

      distinguishedName: CN=Administrator,CN=Users,DC=propworks,DC=airit,DC=com

      instanceType: 4

      whenCreated: 20120327161613.0Z

      whenChanged: 20131022154357.0Z

      uSNCreated: 8196

      memberOf: CN=Group Policy Creator Owners,CN=Users,DC=propworks,DC=airit,DC=com

      memberOf: CN=Domain Admins,CN=Users,DC=propworks,DC=airit,DC=com

      memberOf: CN=Enterprise Admins,CN=Users,DC=propworks,DC=airit,DC=com

      memberOf: CN=Schema Admins,CN=Users,DC=propworks,DC=airit,DC=com

      memberOf: CN=Administrators,CN=Builtin,DC=propworks,DC=airit,DC=com

      uSNChanged: 230532

      name: Administrator

      objectGUID:: Hf3aqSIgbUe7wXk/naGhSQ==

      userAccountControl: 512

      badPwdCount: 0

      codePage: 0

      countryCode: 0

      badPasswordTime: 130269500638404934

      lastLogoff: 0

      lastLogon: 130269500731746178

      logonHours:: ////////////////////////////

      pwdLastSet: 130132844187402344

      primaryGroupID: 513

      objectSid:: AQUAAAAAAAUVAAAAHGXwJS0rDPXUGkwx9AEAAA==

      adminCount: 1

      accountExpires: 0

      logonCount: 259

      sAMAccountName: Administrator

      sAMAccountType: 805306368

      objectCategory:

      CN=Person,CN=Schema,CN=Configuration,DC=propworks,DC=airit,DC=com

      isCriticalSystemObject: TRUE

      dSCorePropagationData: 20120327163223.0Z

      dSCorePropagationData: 16010101000000.0Z

      lastLogonTimestamp: 130269302373612662

       

      dn: CN=Users,DC=propworks,DC=airit,DC=com

      changetype: add

      objectClass: top

      objectClass: container

      cn: Users

      description: Default container for upgraded user accounts

      distinguishedName: CN=Users,DC=propworks,DC=airit,DC=com

      instanceType: 4

      whenCreated: 20120327161611.0Z

      whenChanged: 20120327161611.0Z

      uSNCreated: 5696

      uSNChanged: 5696

      showInAdvancedViewOnly: FALSE

      name: Users

      objectGUID:: KWjl31iaQ0aEiGqMiEXz2Q==

      systemFlags: -1946157056

      objectCategory:

      CN=Container,CN=Schema,CN=Configuration,DC=propworks,DC=airit,DC=com

      isCriticalSystemObject: TRUE

      dSCorePropagationData: 16010101000000.0Z

       

      Error

      ================================

      2013-10-22 17:56:35,553 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000200: Begin isValid, principal: PROPWORKS.AIRIT.COM\ADMINISTRATOR, cache entry: null

      2013-10-22 17:56:35,553 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000209: defaultLogin, principal: PROPWORKS.AIRIT.COM\ADMINISTRATOR

      2013-10-22 17:56:35,553 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000221: Begin getAppConfigurationEntry(pw-security-domain), size: 9

      2013-10-22 17:56:35,554 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000224: End getAppConfigurationEntry(pw-security-domain), AuthInfo: AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule

      ControlFlag: LoginModuleControlFlag: optional

      Options:

      name=password-stacking, value=useFirstPass

      [1]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=baseFilter, value=(sAMAccountName={0})

      name=java.naming.security.authentication, value=simple

      name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory

      name=allowEmptyPasswords, value=false

      name=bindCredential, value=****

      name=bindDN, value=CN=administrator,CN=Users,DC=propworks,DC=airit,DC=com

      name=java.naming.provider.url, value=ldap://10.10.10.232:389

      name=baseCtxDN, value=CN=Users,DC=propworks,DC=airit,DC=com

      name=searchScope, value=SUBTREE_SCOPE

      name=throwValidateError, value=true

       

       

      2013-10-22 17:56:35,554 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000236: Begin initialize method

      2013-10-22 17:56:35,554 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000240: Begin login method

      2013-10-22 17:56:35,558 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000236: Begin initialize method

      2013-10-22 17:56:35,558 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000240: Begin login method

      2013-10-22 17:56:35,565 DEBUG [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000269: Failed to parse roleRecursion as number, using default value 0

      2013-10-22 17:56:35,567 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=SUBTREE_SCOPE, java.naming.security.principal=CN=administrator,CN=Users,DC=propworks,DC=airit,DC=com, baseCtxDN=CN=Users,DC=propworks,DC=airit,DC=com, allowEmptyPasswords=false, baseFilter=(sAMAccountName={0}), throwValidateError=true, jboss.security.security_domain=pw-security-domain, java.naming.provider.url=ldap://10.10.10.232:389, java.naming.security.authentication=simple, bindCredential=propworks@123, bindDN=CN=administrator,CN=Users,DC=propworks,DC=airit,DC=com, java.naming.security.credentials=propworks@123}

      2013-10-22 17:56:35,592 DEBUG [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000283: Bad password for username PROPWORKS.AIRIT.COM\ADMINISTRATOR

      2013-10-22 17:56:35,593 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000244: Begin abort method

      2013-10-22 17:56:35,593 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000244: Begin abort method

      2013-10-22 17:56:35,593 DEBUG [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required

        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.17.SP1.jar:4.0.17.SP1]

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_40]

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_40]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_40]

        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_40]

        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_40]

        at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_40]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:385) [wildfly-security-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:349) [wildfly-security-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:336) [wildfly-security-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.as.domain.management.security.JaasCallbackHandler.handle(JaasCallbackHandler.java:164) [wildfly-domain-management-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.as.domain.management.security.SecurityRealmService$1.handle(SecurityRealmService.java:169) [wildfly-domain-management-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.as.remoting.RealmSecurityProvider$RealmCallbackHandler.handle(RealmSecurityProvider.java:337) [wildfly-remoting-8.0.0.Beta1.jar:8.0.0.Beta1]

        at org.jboss.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:98) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.jboss.sasl.util.AbstractSaslParticipant.handleCallbacks(AbstractSaslParticipant.java:83) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.jboss.sasl.plain.PlainSaslServer.access$000(PlainSaslServer.java:41) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.jboss.sasl.plain.PlainSaslServer$1.evaluateMessage(PlainSaslServer.java:88) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.jboss.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:165) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.jboss.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:56) [jboss-sasl-1.0.3.Final.jar:1.0.3.Final]

        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:238) [xnio-api-3.1.0.CR7.jar:3.1.0.CR7]

        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:210) [xnio-api-3.1.0.CR7.jar:3.1.0.CR7]

        at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:450) [jboss-remoting-4.0.0.Beta1.jar:4.0.0.Beta1]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_40]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_40]

        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_40]

      Caused by: javax.naming.NamingException: PBOX000037: Search for context CN=Users,DC=propworks,DC=airit,DC=com found no results

        at org.jboss.security.auth.spi.LdapExtLoginModule.bindDNAuthentication(LdapExtLoginModule.java:533) [picketbox-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:465) [picketbox-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:340) [picketbox-4.0.17.SP1.jar:4.0.17.SP1]

        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:281) [picketbox-4.0.17.SP1.jar:4.0.17.SP1]

        ... 33 more

       

       

      2013-10-22 17:56:35,611 TRACE [org.jboss.security] (Remoting "dhkfv2m1" task-1) PBOX000201: End isValid, result = false

      2013-10-22 17:56:35,612 TRACE [org.jboss.security.audit] (Remoting "dhkfv2m1" task-1) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=PROPWORKS.AIRIT.COM\ADMINISTRATOR;

        • 1. Re: Need Assistance with LdapExtLoginModule - Using Wildfly Beta 1
          Steven Rose Newbie

          I figured it out thanks to some assistance from darranl. I had 2 issues

          1. I was using the incorrect username. Make sure you use whatever is defined as sAMAccountName in Active Directory

          2. After using the correct User Name, I was getting a NullPinterExcetion. This was due to missing configuration for Roles.

             Here are the additional entries I added.

             ======================================================================================

                                      <module-option name="rolesCtxDN" value="cn=Users,DC=propworks,DC=airit,DC=com"/>

                                      <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                                      <module-option name="roleAttributeID" value="memberOf"/>

                                      <module-option name="roleAttributeIsDN" value="true"/>

                                      <module-option name="roleNameAttributeID" value="cn"/>

                                      <module-option name="roleRecursion" value="1"/>

          Now Everything works great!