2 Replies Latest reply on May 20, 2015 10:27 AM by Karl Sorensen

    wildfly 8 security realm through ldaps

    Karl Sorensen Newbie

      Hi,

       

      I'm trying to get ldap over SSL management authentication working.  It works fine over non SSL traffic but as soon as I change to SSL and try to connect with jboss-cli.sh it fails with:

       

      Caused by: javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms

       

      My Realm is setup as follows

      <security-realm name="LdapConnection">

                      <server-identities>

                          <ssl>

                              <keystore provider="PKCS12" path="server.p12" relative-to="jboss.server.config.dir" keystore-password="password"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <truststore provider="PKCS12" path="server.p12" relative-to="jboss.server.config.dir" keystore-password="password"/>

                          <ldap connection="remoteLdap" base-dn="ou=People,dc=sssl,dc=company,dc=com" recursive="true">

                              <username-filter attribute="uid"/>

                          </ldap>

                      </authentication>

                      <authorization>

                          <ldap connection="remoteLdap">

                              <username-to-dn force="true">

                                  <username-filter base-dn="ou=People,dc=sssl,dc=company,dc=com" recursive="false" user-dn-attribute="dn" attribute="uid"/>

                              </username-to-dn>

                              <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">

                                  <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,ou=Apps,dc=sssl,dc=company,dc=com">

                                      <membership-filter principal-attribute="member"/>

                                  </group-to-principal>

                              </group-search>

                          </ldap>

                      </authorization>

      </security-realm>

       

      With my LDAP connection as follows;

              <outbound-connections>

                  <ldap name="remoteLdap" url="ldaps://ldap-server:636" security-realm="LdapConnection"/>

              </outbound-connections>

       

      I can't seem to get any actual log information about what is failing even though i've added the below logging tags

                  <logger category="org.jboss.as.security">

                      <level name="TRACE"/>

                  </logger>

                  <logger category="org.jboss.as.cli">

                      <level name="TRACE"/>

                  </logger>

                  <logger category="org.jboss.remoting">

                      <level name="TRACE"/>

                  </logger>

       

      Any help with either the issue or how to get some useful log messages would be greatly appreciated!

        • 1. Re: wildfly 8 security realm through ldaps
          Karl Sorensen Newbie

          I found how to enable extensive debug messages for jboss-cli.sh which provided the following message

          DEBUG [org.jboss.remoting.remote.client] Client received authentication rejected for mechanism PLAIN

           

          After searching for a while for how to adjust the authentication sending mechanism from PLAIN/BASIC to Digest I came across this page @ Detailed Configuration - WildFly 8 - Project Documentation Editor

          Due to the verification approach used this configuration causes the authentication mechanisms selected for the protocol to cause the password to be sent from the client in plain text, the following Jira issue is to investigating proxying a Digest authentication with the LDAP server so no plain text password is needed AS7-4195


          AS7-4195 states that there is no way to change the authentication mechanism and its a lot of work to do so. 


          I'm guessing that there isn't going to be a fix for this anytime soon.


          • 2. Re: wildfly 8 security realm through ldaps
            Karl Sorensen Newbie

            The above error message was a red herring.

             

            It turns out that Java 6 doesn't seem to like PKCS12 trust stores.  Once I changed the truststore provider to jks it worked fine.