2 Replies Latest reply on Apr 23, 2015 2:57 AM by Horia Chiorean

    Role mapping using LDAP with Active Directory

    Stefan Nägele Newbie

      I would like to replace the default authentication and authorization "UsersRoles" mechanism by the "LdapExtended" login module (JBoss 6.3, ModeShape 3.8.1).

       

      Active Directory and LDAP is running.

       

      When I try to get access to ModeShape's WebDAV service (using http://localhost:8080/modeshape-webdav/), a LDAP connection is established successfully to my Active Directory. However, it seems that ModeShape cannot match my User's Active Directory roles to ModeShape's hard coded role model (admin, readwrite, readonly and connect, documented in Authentication and authorization - ModeShape 3 - Project Documentation Editor) resulting in an 403 HTTP Response code.

       

       

      My modeshape-security security-domain specification is the following one:

       

      <security-domain name="modeshape-security" cache-type="default">
                          <authentication>
                               <login-module code="LdapExtended" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
      
        <module-option name="java.naming.provider.url" value="ldap://vmserver2015.novaDomain.local:389"/>
                                  <module-option name="java.naming.referral" value="follow"/>
      
                                  <module-option name="bindDN" value="cn=Administrator,cn=Users,dc=novaDomain,dc=local"/>
                                  <module-option name="bindCredential" value="aPassword"/>
                                  <module-option name="baseCtxDN" value="DC=novaDomain,DC=local"/>
                                  <module-option name="baseFilter" value="(cn={0})"/>
      
        <module-option name="rolesCtxDN" value="cn=Users,dc=novaDomain,dc=local"/>
        <module-option name="roleFilter" value="(cn={0})" />
                                  <module-option name="roleAttributeID" value="memberOf"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      
      
      
      
      

       

       

      I created the following properties in my Active Directory:

      • CN=sn (user), distinguished name: CN=sn,CN=Users,DC=novaDomain,DC=local
      • CN=connect (group), distinguished name: CN=connect,CN=Users,DC=novaDomain,DC=local
      • CN=admin (group), distinguished name: CN=admin,CN=Users,DC=novaDomain,DC=local
      • CN=readwrite (group), distinguished name: CN=readwrite,CN=Users,DC=novaDomain,DC=local

       

      A WebDAV login produces the following command prompt output:

      16:05:24,389 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000354: Setting security roles ThreadLocal: null

      16:05:28,528 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: sn, cache entry: null

      16:05:28,529 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: sn

      16:05:28,533 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(modeshape-security), size: 4

      16:05:28,536 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(modeshape-security), AuthInfo: AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=baseFilter, value=(cn={0})

      name=roleFilter, value=(cn={0})

      name=java.naming.referral, value=follow

      name=bindCredential, value=****

      name=bindDN, value=cn=Administrator,cn=Users,dc=novaDomain,dc=local

      name=java.naming.provider.url, value=ldap://vmserver2015.novaDomain.local:389

      name=rolesCtxDN, value=cn=Users,dc=novaDomain,dc=local

      name=baseCtxDN, value=DC=novaDomain,DC=local

      name=roleAttributeID, value=memberOf

      name=password-stacking, value=useFirstPass

       

       

      16:05:28,542 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000236: Begin initialize method

      16:05:28,542 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000240: Begin login method

      16:05:28,549 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000269: Failed to parse roleRecursion as number, using default value 0

      16:05:28,551 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=cn=Administrator,cn=Users,dc=novaDomain,dc=local, password-stacking=useFirstPass, baseCtxDN=DC=novaDomain,DC=local, roleAttributeID=memberOf, roleFilter=(cn={0}), rolesCtxDN=cn=Users,dc=novaDomain,dc=local, baseFilter=(cn={0}), jboss.security.security_domain=modeshape-security, java.naming.provider.url=ldap://vmserver2015.novaDomain.local:389, bindDN=cn=Administrator,cn=Users,dc=novaDomain,dc=local, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}

      16:05:28,573 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=CN=sn,CN=Users,DC=novaDomain,DC=local, password-stacking=useFirstPass, baseCtxDN=DC=novaDomain,DC=local, roleAttributeID=memberOf, roleFilter=(cn={0}), rolesCtxDN=cn=Users,dc=novaDomain,dc=local, baseFilter=(cn={0}), jboss.security.security_domain=modeshape-security, java.naming.provider.url=ldap://vmserver2015.novaDomain.local:389, bindDN=cn=Administrator,cn=Users,dc=novaDomain,dc=local, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}

      16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=readwrite,CN=Users,DC=novaDomain,DC=local

      16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=connect,CN=Users,DC=novaDomain,DC=local

      16:05:28,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000268: Assigning user to role CN=admin,CN=Users,DC=novaDomain,DC=local

      16:05:28,579 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000241: End login method, isValid: true

      16:05:28,580 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000242: Begin commit method, overall result: true

      16:05:28,584 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@351a852b, subject: Subject(580174546).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn))

      16:05:28,586 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000207: updateCache, input subject: Subject(580174546).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn)), cached subject: Subject(1730776044).principals=org.jboss.security.SimplePrincipal@1417837242(sn)org.jboss.security.SimpleGroup@1111979182(Roles(members:CN=readwrite,CN=Users,DC=novaDomain,DC=local,CN=connect,CN=Users,DC=novaDomain,DC=local,CN=admin,CN=Users,DC=novaDomain,DC=local))org.jboss.security.SimpleGroup@1111979182(CallerPrincipal(members:sn))

      16:05:28,587 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4540e5fb

      16:05:28,588 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000201: End isValid, result = true

      16:05:28,594 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000354: Setting security roles ThreadLocal: null

       

      Obviously a connection can be established, my user is validated and my user's roles are found, but the role names cannot be matched to ModeShape which results in an 403 HTTP Response code (Access to the requested resource has been denied, shown in my browser)

        • 1. Re: Role mapping using LDAP with Active Directory
          Stefan Nägele Newbie

          Well, I already solved my issue.

           

          It was a JBoss LdapExtended configuration failure.

           

                           <security-domain name="modeshape-security" cache-type="default">

                              <authentication>

                                   <login-module code="LdapExtended" flag="required">

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                        <module-option name="java.naming.provider.url" value="ldap://vmserver2015.novaDomain.local:389"/>

                                        <module-option name="java.naming.referral" value="follow"/>

                                        <module-option name="bindDN" value="cn=Administrator,cn=Users,dc=novaDomain,dc=local"/>

                                        <module-option name="bindCredential" value="Basel12"/>

                                        <module-option name="baseCtxDN" value="cn=Users,dc=novaDomain,dc=local"/>

                                        <module-option name="baseFilter" value="(cn={0})"/>

                                        <module-option name="rolesCtxDN" value="cn=Users,dc=novaDomain,dc=local"/>

                                        <module-option name="roleFilter" value="(cn={0})" />

                                        <module-option name="roleAttributeID" value="memberOf"/>

                                        <module-option name="roleAttributeIsDN" value="true"/>

                                        <module-option name="roleNameAttributeID" value="cn"/>

                                        <module-option name="searchScope" value="ONELEVEL_SCOPE" />

                                        <module-option name="allowEmptyPasswords" value="false"/>

                                  </login-module>

                              </authentication>

                          </security-domain>

           

           

          Configuration is based on LdapExtLoginModule, ActiveDirectory Configuration.

           

          roleAttributeIsDN, roleNameAttributeID were missing, guess this fixed it

          • 2. Re: Role mapping using LDAP with Active Directory
            Horia Chiorean Master

            Thanks for posting the solution. Hopefully it will help others if they come across the same issue.