7 Replies Latest reply on Feb 24, 2015 3:50 PM by Pedro Igor

    Picketlink and Active Directory (ldap store)

    Arthur Gregório Newbie

      I'm using picketlink for safety in my application and now need to plug it in AD (SAMBA 4, not M$ AD). My setup is as follows:

       

      public class SecurityConfiguration {
         
          @Inject
          private EntityManagerContextInitializer contextInitializer;
          
          private static final String BASE_DN = "DC=pti,DC=local";
          private static final String LDAP_URL = "ldap://ptidc0-teste.pti";
          private static final String BIND_DN = "CN=userbind,CN=users,DC=pti,DC=local";
      
          /**
           * 
           * @param event 
           */
          public void configureIdentityManager(@Observes SecurityConfigurationEvent event) {
      
              final SecurityConfigurationBuilder builder = event.getBuilder();
              
              System.setProperty("com.sun.jndi.ldap.connect.pool.authentication", "simple");
              System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "10");
              System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "5");
              System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");
              System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "all");
              
              final Properties properties = new Properties();
      
              // ldap properties
              properties.put("com.sun.jndi.ldap.connect.pool", "true");
              
              // ldap properties
              builder.idmConfig()
                      .named("default")
                          .stores()
                          .jpa()
                              .supportCredentials(false)
                              .supportGlobalRelationship(  
                                      Grant.class,  
                                      GroupMembership.class)  
                              .supportType(
                                      Role.class,
                                      Group.class)
                              .addContextInitializer(this.contextInitializer)
                          .ldap()
                              .activeDirectory(true)
                              .connectionProperties(properties)
                              .baseDN(BASE_DN)
                              .bindDN(BIND_DN)
                              .bindCredential("secret")
                              .url(LDAP_URL)
                              .supportCredentials(true)
                              .mapping(User.class)
                                  .objectClasses(
                                          "user",
                                          "person",
                                          "organizationalPerson")
                                  .attribute("userName", "sAMAccountName", true)
                                  .attribute("name", CN)
                                  .attribute("email", EMAIL);
          }
      

       

      However, when I try to authenticate the result is always invalid and the picketlink seems that does not send the user's full name. It does bind correctly, but instead of sending the full name of the user, sends only sAMAccountName=test1 followed by the password. The correct thing to send is: CN=test1,CN=Users,DC=pti,DC=local and then the password.

       

      The way this, the only answer I have is: Simple Bind Failed: NT_STATUS_LOGON_FAILURE


      Any help?

        • 1. Re: Picketlink and Active Directory (ldap store)
          Pedro Igor Master

          Did you try setting the baseDN when configuring your user mapping ?

           

          Something like that:

           

          .mapping(User.class)  
              .baseDN("CN=Users,DC=pti,DC=local")
              .objectClasses("user", "person", "organizationalPerson")  
              .attribute("userName", "sAMAccountName", true)  
              .attribute("name", CN)  
              .attribute("email", EMAIL);  
          

           

          Regards.

          1 of 1 people found this helpful
          • 2. Re: Picketlink and Active Directory (ldap store)
            Arthur Gregório Newbie

            uhmmm

             

            .mapping(User.class)
                .baseDN("CN=users,DC=pti,DC=local")
                .objectClasses(
                        "user",
                        "person")
                .attribute("userName", "CN", true)
                .attribute("name", "name")
                .attribute("email", EMAIL);
            

             

            With this config i can make users from CN=users do login, but when ia change it to DC=pti,DC=local (the entire tree) no user can't do login...

             

            Is there any way to pass to picketlink the base DN of the user dynamically? I say ths because keeping DN static wherein bind is to seek users and his properties, does not seem to make much sense ... Even more because seeking for everything, then I can filter for users of a specific CN that can login on the application.

             

            Bonus:

             

            What the method LDAPMappingConfigurationBuilder#bindingAttribute(String propertyName, String ldapAttributeName) do? The javadoc is not very clear about the use of it ...

            • 3. Re: Picketlink and Active Directory (ldap store)
              Pedro Igor Master

              Hi Arthur,

               

              I've created [2]. This JIRA is about validating credentials for users despite the baseDN configured for a specific account type. However, you must provide the objectClasses for your account types, otherwise PL will not be able to understand which type is associated with an LDAP entry.

               

              Regarding "bindAttribute", take a look at this JIRA [2] for more details. I'm going to update javadoc to get this more clear.

               

              [1] [PLINK-681] LDAP password validation handler should validate based on entry namespace - JBoss Issue Tracker

              [2] https://issues.jboss.org/browse/PLINK-507

               

              Thanks.

              Pedro Igor

              1 of 1 people found this helpful
              • 4. Re: Re: Picketlink and Active Directory (ldap store)
                Arthur Gregório Newbie

                i'm providing...

                 

                .mapping(User.class)
                    .baseDN("OU=Corporativo,DC=pti,DC=local")
                    .objectClasses(
                            "user",
                            "person",
                            "organizationalPerson")
                    .attribute("userName", "sAMAccountName", true)
                    .bindingAttribute("name", "CN")
                    .attribute("email", EMAIL);
                

                 

                In this case, the DN is ok for users inside only Corporativo and on login it looks like CN=Arthur Pereira Gregorio,OU=Corporativo,DC=pti,DC=local. But when the user is out of this DN? Or another OU is part of user DN? For example, users with DN: CN=Lucas Peruchi,OU=TIC,OU=Corporativo,DC=pti,DC=local, this user is from Coportativo, but because OU=TIC he can not login due to the fixed value of baseDN.

                 

                Is there any whay to do something like this:

                 

                <outbound-connections>
                    <ldap name="ad-fpti" url="ldap://host" search-dn="CN=userbind,CN=Users,DC=pti,DC=local" search-credential="secret"/>
                </outbound-connections>
                <ldap connection="ad-fpti" base-dn="DC=pti,DC=local" recursive="true">
                    <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=PORTAL_USER,OU=portalreservas,DC=pti,DC=local))"/>
                </ldap>
                

                 

                I use this configuration to authenticate users when try to access the wildfly web console, by this way, i can login any user from Corporativo member of PORTAL_USER

                 

                Man, I am very confused by it all! ehauahahe If you can transcribe this XML snippet for to a picketlink configuration, it will help me to understand what needs to be done!

                • 5. Re: Re: Picketlink and Active Directory (ldap store)
                  Pedro Igor Master

                  Hey,

                   

                  Now you should be able to authenticate your users by just providing the baseDN (eg.: DC=pti,DC=local) . Can you test this using a SNAPSHOT ?

                   

                  Regards.

                  Pedro Igor

                  • 6. Re: Re: Re: Picketlink and Active Directory (ldap store)
                    Arthur Gregório Newbie

                    PERFECT! Works like a charm!

                     

                    Now, one single question, where can i meke this filter:

                     

                    (&(sAMAccountName={0})(memberOf=CN=PORTAL_USER,OU=portalreservas,DC=pti,DC=local))
                    

                     

                    I need all the users from the entire tree can be foun, now it is ok, but only members of CN=PORTAL_USER can make login.

                     

                    Any advice?

                    • 7. Re: Re: Re: Picketlink and Active Directory (ldap store)
                      Pedro Igor Master

                      We don't support that today. But I believe this is something you can do in your application, no ?

                       

                      I think you can query the groups for the user and check if he is a member of a group before authenticating.

                       

                      Regards.