2 Replies Latest reply on Mar 25, 2011 10:46 AM by Daryl Hoyt

    Help with JAAS LDAP authentication in Karaf

    Daryl Hoyt Newbie

      I tried to follow the tutorial to enable LDAP authentication, but I am getting errors when I try to connect.  The user I am trying to access is valid (uid=dhoyt,ou=employees,dc=example,dc=com).  I can see that if I have an invalid password or a non-existent user that I get the expected errors stating such.  The problem is that when I try to login to the webconsole using the dhoyt user, I get an error back stating that it can't get the roles for the user (LDAP error code 80).    Below is the ldap-module.xml I put in the deploy directory and the error from the servicemix.log file.  I am using apache-servicemix-4.3.1-fuse-01-09 on Solaris 10 (JDK 1.6_20).  I want to allow logins for anyone in the cn=smxAdmin,ou=roles,dc=example,dc=com role.

       

      Any help with this would be greatly appreciated.

       

       

      ldap-module.xml is:

       

       

       

       

       

       

       

       

       

      Exception is:

       

      javax.security.auth.login.LoginException: Can't get user dhoyt roles: LDAP: error code 80 - An unexpected error was encountered while processing a search in one of the Directory Server backends:  NullPointerException(ConcurrentHashMap.java:768)

              at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:242)

              at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:132)

              at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.6.0_20]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)[:1.6.0_20]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)[:1.6.0_20]

              at java.lang.reflect.Method.invoke(Method.java:597)[:1.6.0_20]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)[:1.6.0_20]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)[:1.6.0_20]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)[:1.6.0_20]

              at java.security.AccessController.doPrivileged(Native Method)[:1.6.0_20]

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.6.0_20]

              at javax.security.auth.login.LoginContext.login(LoginContext.java:579)[:1.6.0_20]

              at org.apache.karaf.webconsole.JaasSecurityProvider.authenticate(JaasSecurityProvider.java:66)[198:org.apache.felix.webconsole:3.1.2]

              at org.apache.felix.webconsole.internal.servlet.OsgiManager$SecurityProvider.authenticate(OsgiManager.java:995)[198:org.apache.felix.webconsole:3.1.2]

              at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:123)[198:org.apache.felix.webcons

        • 1. Re: Help with JAAS LDAP authentication in Karaf
          Torsten Mielke Apprentice

          Hhhm, its failing to retrieve the roles of the user. So I presume the properties

           

          connection.username = cn=Directory Manager

          connection.password = myPassword

          connection.url = ldap://localhost:1389

          user.base.dn = ou=employees,dc=example,dc=com

          user.filter = (uid=%u)

          user.search.subtree = true

           

          are correct. Its very likely something to do with these properties

           

          role.base.dn = ou=roles,dc=example,dc=com

          role.filter = (member:=uid=%u)

          role.name.attribute = cn

          role.search.subtree = true

           

          I am not an LDAP expert but is the role.filter property syntactically correct?

          • 2. Re: Help with JAAS LDAP authentication in Karaf
            Daryl Hoyt Newbie

            Thanks for the help!  It was the role.filter.  It has to match the entry in my role exactly.  In my case, the correct setting was:

             

            role.filter = (Member of Group:=uid=%u)

             

             

            Thanks for the help!