10 Replies Latest reply on Oct 5, 2015 8:07 PM by Julie Hansen

    LDAP setup in Wildfly 9

    Julie Hansen Newbie

      Hi,

       

      I am trying to get LDAP working for Basic Auth in Wildfly 9, but am not having much success. Hoping that someone can give suggestions for what I am doing incorrectly.

       

      My setup is as follows :

       

      in my standalone.xml

       

                  <security-realm name="myHTTPSRealm">

                      <server-identities>

                          <ssl>

                              <keystore path="my-plugin-key.jks" relative-to="jboss.server.config.dir" keystore-password="xxxx"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <ldap connection="LocalLdap" base-dn="ou=basicauth,ou=users,ou=axis,o=abc,c=au">

                              <username-filter attribute="cn"/>

                          </ldap>

                      </authentication>

                  </security-realm>

       

              <outbound-connections>

                  <ldap name="LocalLdap" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="xxxx"/>

              </outbound-connections>

       

       

      in the security subsystem I have created

       

                      <security-domain name="myHTTPSRealm" cache-type="default">

                          <authentication>

                              <login-module code="LdapExtended" flag="required">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>

                                  <module-option name="java.naming.security.authentication" value="simple"/>

                                  <module-option name="bindDN" value="uid=admin,ou=system"/>

                                  <module-option name="bindCredential" value="xxxx"/>

                                  <module-option name="baseCtxDN" value="ou=basicauth,ou=users,ou=axis,o=abc,c=au"/>

                                  <module-option name="baseFilter" value="(uid={0})"/>

                                  <module-option name="rolesCtxDN" value="ou=basicauth,ou=users,ou=axis,o=abc,c=au"/>

                                  <module-option name="roleFilter" value="(member={1})"/>

                                  <module-option name="roleAttributeID" value="cn"/>

                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                  <module-option name="allowEmptyPasswords" value="true"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      and in Undertow subsystem

       

              <subsystem xmlns="urn:jboss:domain:undertow:2.0">

                  <buffer-cache name="default"/>

                  <server name="default-server">

                      <http-listener name="default" socket-binding="http"/>

                      <https-listener name="https" socket-binding="https" security-realm="myHTTPSRealm"/>

       

      in my web.xml

       

            <login-config>

               <auth-method>BASIC</auth-method>

               <realm-name>axisHTTPSRealm</realm-name>

            </login-config>

       

      and in my jboss-web.xml

          <security-domain>java:/jaas/axisHTTPSRealm</security-domain>

       

       

      Not sure if I have done all that is necessary or more than I should have. I have spent a lot of time fiddling around with the standalone.xml using the various tutorials/forums etc that I have come across.

       

      The problem is that I am continually getting a 401 returned to my HTTP client.

      I know that the LDAP server connection is correct, as I am using LDAP to authenticate the Management console logon, and this is working ok.

       

      The security realm I have set up for that is :

                  <security-realm name="ManagementRealm">

                      <authentication>

                          <local default-user="$local"/>

                          <ldap connection="LocalLdap" base-dn="ou=system,ou=users,ou=axis,o=abc,c=au">

                              <username-filter attribute="cn"/>

                          </ldap>

                      </authentication>

                  </security-realm>

       

      I have also triple checked that the username password I am using to connect to my web app is correct as per LDAP entry.

       

      My LDAP setup is that under "users" I have a "system" group which contains userids for the management console login, and a "basicauth" group which contains userids for the http connection, hence the different base-dn for ManagementRealm vs myHTTPSRealm

       

      I should also mention that I am using a HTTP server to server my request down to the App server that has wildfly installed. The request is being served to the correct port as specified in

              <socket-binding name="https" port="${jboss.https.port:9081}"/>

       

      I have also double checked that the request is being received on this port by installing a port listener to verify there is traffic on this port when I send in the HTTP request.

       

      Would appreciate any suggestions for getting this working.

      ta

      Julie

        • 1. Re: LDAP setup in Wildfly 9
          Micheal Delson Nadar Newbie

          Have your tried replacing axisHTTPSRealm to myHTTPSRealm in web.xml & jboss-web.xml?

           

          Anything in server.log?

          • 2. Re: LDAP setup in Wildfly 9
            Julie Hansen Newbie

            Yes - My mistake when I posted. I changed some values but not the others for the post.

            All places have the same realm Name.

             

            I have switched debug logging on and get the following log entries

             

            2015-09-29 07:46:51,696 DEBUG [org.jboss.security] (default task-1) PBOX00269: Failed to parse roleRecursion as number, using default value 0

            2015-09-29 07:46:51,716 DEBUG [org.jboss.security] (default task-1) PBOX00283: Bad password for username B2BTESTSENDER9

            2015-09-29 07:46:51,716 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required

            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]

            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]

            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]

            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]

            at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79]

            at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79]

            at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79]

             

            I know the username password I am using is correct as I switched the management realm to use ou=basicauth,ou=users,ou=axis,o=abc,c=au

            and then used the same username and password to log into the management console, and it logged in ok.

             

            I am also sure that the HTTP server is passing through the correct username and password. The same HTTP server passes this info through to another server on which the JBoss6 version of our apps are installed, and this all works ok.

            (I basically have the HTTP server set up to pass requests to /request/inbound/ to the old jboss server, and requests to /request/new/inbound/ to the new wildfly server. I use exactly the same HTTP request with same basic auth username and password to post to the different URLs. The old jboss srver works fine, so I know its getting the username and password ok )

             

            So I'm not sure what else can be causing the issue.

             

            Thanks,

            Julie

            • 3. Re: LDAP setup in Wildfly 9
              Victor Cornejo Newbie

              Julie.

              I think the LDAP module isn't  active.

              Please change your login module declaration to this:

              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >

              if this fails, post the entire stacktrace.

               

              Víctor

              • 4. Re: LDAP setup in Wildfly 9
                Julie Hansen Newbie

                Hi Victor.

                Thanks for providing feedback for me.

                I think you are correct.

                I have changed the config as suggested and here is the stacktrace.

                I note that it looks like JAAS is being used instead of LDAP

                 

                2015-09-29 12:01:24,658 DEBUG [org.jboss.security] (default task-1) PBOX00269: Failed to parse roleRecursion as number, using default value 0
                2015-09-29 12:01:24,679 DEBUG [org.jboss.security] (default task-1) PBOX00283: Bad password for username B2BTESTSENDER9
                2015-09-29 12:01:24,679 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
                at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
                at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79]
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79]
                at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
                at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82)
                at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
                at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]

                 

                Julie

                • 5. Re: LDAP setup in Wildfly 9
                  Micheal Delson Nadar Newbie

                  Try changing <username-filter attribute="cn"/> TO <username-filter attribute="sAMAccountName" />

                  • 6. Re: LDAP setup in Wildfly 9
                    Julie Hansen Newbie

                    Thanks Michael.

                    Tried this. Same result :-(

                    • 7. Re: LDAP setup in Wildfly 9
                      Julie Hansen Newbie

                      Based on the many articles I have read on this today, I have updated my config as follows :

                       

                      apart from the existing ManagementRealm and ApplicationRealm, I have 1 other configured :

                                  <security-realm name="axisHTTPSRealm">

                                      <server-identities>

                                          <ssl>

                                              <keystore path="plugin-key.jks" relative-to="jboss.server.config.dir" keystore-password="xxx"/>

                                          </ssl>

                                      </server-identities>

                                  </security-realm>

                       

                      I have not specified any LDAP authentication here. My understanding is that the security realm is more relevant to the server that the web application.

                      My web.xml contains

                       

                            <security-constraint>

                               <web-resource-collection>.... </web-resource-collection>

                               <auth-constraint>

                                  <role-name>*</role-name>

                               </auth-constraint>

                            </security-constraint>

                            <login-config>

                               <auth-method>BASIC</auth-method>

                               <realm-name>axisHTTPSRealm</realm-name>

                            </login-config>

                       

                       

                      I have then created the following security domain :

                       

                                      <security-domain name="myHTTPSDomain" cache-type="default">

                                          <authentication>

                                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                                                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>

                                                  <module-option name="bindDN" value="uid=admin,ou=system"/>

                                                  <module-option name="bindCredential" value="xxxx"/>

                                                  <module-option name="baseCtxDN" value="ou=basicauth,ou=users,ou=axis,o=ventyx,c=au"/>

                                                  <module-option name="baseFilter" value="(uid={0})"/>

                                                  <module-option name="rolesCtxDN" value="ou=basicauth,ou=users,ou=axis,o=ventyx,c=au"/>

                                                  <module-option name="roleFilter" value="(uid={0})"/>

                                                  <module-option name="roleAttributeID" value="cn"/>

                                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                                  <module-option name="allowEmptyPasswords" value="true"/>

                                              </login-module>

                                          </authentication>

                                      </security-domain>

                       

                      Note that we do not use Roles in our LDAP setup, however I have read that if the Roles-related modules-options are not specified, LdapExtLoginModule will search for roles anyway using null values which results in the authentication failing. I read somewhere else that the rolesCtxDN should be the same as the baseCtxDN in this situation. I have no idea if this is true.

                      ps. have also tried                             <module-option name="roleFilter" value="(member={1})"/>

                      with exactly the same result.

                       

                      I have added this security domain into my jboss-web.xml :

                      <security-domain>myHTTPSDomain</security-domain>

                       

                      I have also turned on org.jboss.security logging to trace level and am getting the following output :

                      .

                       

                      2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@905313f, cache entry: null
                      2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@905313f
                      2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00221: Begin getAppConfigurationEntry(myHTTPSDomain), size: 4
                      2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00224: End getAppConfigurationEntry(myHTTPSDomain), AuthInfo: AppConfigurationEntry[]:
                      [0]
                      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
                      ControlFlag: LoginModuleControlFlag: required
                      Options:
                      name=baseFilter, value=(uid={0})
                      name=allowEmptyPasswords, value=true
                      name=roleFilter, value=(uid={0})
                      name=bindCredential, value=****
                      name=bindDN, value=uid=admin,ou=system
                      name=java.naming.provider.url, value=ldap://localhost:10389
                      name=rolesCtxDN, value=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au
                      name=baseCtxDN, value=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au
                      name=searchScope, value=SUBTREE_SCOPE
                      name=roleAttributeID, value=cn

                      2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method
                      2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method
                      2015-09-29 20:29:45,582 DEBUG [org.jboss.security] (default task-2) PBOX00269: Failed to parse roleRecursion as number, using default value 0
                      2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=SUBTREE_SCOPE, java.naming.security.principal=uid=admin,ou=system, baseCtxDN=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au, roleAttributeID=cn, roleFilter=(uid={0}), allowEmptyPasswords=true, rolesCtxDN=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au, baseFilter=(uid={0}), jboss.security.security_domain=myHTTPSDomain, java.naming.provider.url=ldap://localhost:10389, bindDN=uid=admin,ou=system, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
                      2015-09-29 20:29:45,590 DEBUG [org.jboss.security] (default task-2) PBOX00283: Bad password for username B2BTESTSENDER9
                      2015-09-29 20:29:45,590 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: false
                      2015-09-29 20:29:45,590 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
                      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79]
                      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79]
                      at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
                      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
                      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82)
                      at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
                      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]

                      2015-09-29 20:29:45,601 TRACE [org.jboss.security] (default task-2) PBOX00201: End isValid, result = false
                      2015-09-29 20:29:45,602 TRACE [org.jboss.security] (default task-2) PBOX00354: Setting security roles ThreadLocal: null

                       

                       

                       

                      My main concern at the moment is

                      a) Have I set up all that is theoretically required to get this working?

                      b) Since the Roles-related modules-options are so vital to the org.jboss.security.auth.spi.LdapExtLoginModule, are the values I have set in those options correct? Like I said - we don't use roles - I merely need to check whether the username and passwords are valid. But my understanding is that I need to specify something meaningful in these options - I'm just not sure what.

                       

                      It seems from the log that it is connecting to LDAP, but I can't see any tracing from org.jboss.security.auth.spi.LdapExtLoginModule.

                       

                      Any hints or tips welcome.

                      Thanks

                      Julie

                      • 8. Re: LDAP setup in Wildfly 9
                        Victor Cornejo Newbie

                        The problem may be is in your ldap params. To see more log detail, try setting  the throwValidateError option in login-module definition:

                        <module-option name="throwValidateError" value="true" />


                        Víctor.

                        • 9. Re: LDAP setup in Wildfly 9
                          Martin Choma Expert

                          If you dont need roles you can try LdapLoginModule - it is simpler. Are you sure user uid=B2BTESTSENDER9,ou=basicauth,ou=users,ou=axis,o=ventyx,c=au exists? Can you login as B2BTESTSENDER9 with Apache Directory Studio for example?

                          • 10. Re: LDAP setup in Wildfly 9
                            Julie Hansen Newbie

                            Thanks for all the suggestions to get this working.

                            I eventually got it running by doing the following.

                             

                            1. Fixed my LDAP properties.

                            I had the baseFilter set to "(uid={0})" when I should have had it set to "(cn={0})" for our setup.

                             

                            2. I stuck with the LdapExtLoginModule as I found that using LdapLoginModule still didn't work (This may have just been that I didn't have the properties set properly. But I got the LdapExtLoginModule working so I admittedly didn't put too much effort into investigating what LdapLoginModule properties I needed)

                            I updated the 'roles' related options to :

                                                        <module-option name="rolesCtxDN" value="ou=roles,ou=axis,o=ventyx,c=au"/>

                                                        <module-option name="roleFilter" value="(member={1})"/>

                             

                            3. The clincher though, was that I needed to add the following into my web.xml :

                                  <security-role>

                                        <role-name>*</role-name>

                                  </security-role>

                             

                            The above changes got me into the servlet. However I was then getting invalid username password when calling the ejb from the servlet. I fixed this issue by updating the default-security-domain in the ejb subsection of standalone.xml to be the securityDomain that I had created, (myHTTPSDomain).

                             

                            Thanks again for all suggestions and pointers.

                            Julie

                            1 of 1 people found this helpful