5 Replies Latest reply on Oct 14, 2015 6:37 AM by J Prasanna Venkatesan

    Not able to create two LDAP login module with same code in Wildfly8.2.0

    J Prasanna Venkatesan Newbie

      Hi Team

       

      I am using Wildfly8.2.0

       

      This is a JBOS CLI Related stuff.

       

      I am not able to create two LDAP login module with same code say 'org.jboss.security.auth.spi.LdapExtLoginModule' using JBoss CLI

       

      My command is

       

      /subsystem=security/security-domain=SourceForge/authentication=classic:write-attribute(name=login-modules, value=[ { "module-options" => { "searchScope" => "SUBTREE_SCOPE", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "java.naming.provider.url" => "ldap://11.1.1.1", "roleAttributeIsDN" => "true", "roleAttributeID" => "memberOf", "rolesCtxDN" => "DC=domain,DC=local", "roleFilter" => "(member={1})", "searchTimeLimit" => "5000", "java.naming.security.authentication" => "simple", "roleRecursion" => "1", "java.naming.referral" => "follow", "bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local", "bindCredential" => "bindpasswd", "baseCtxDN" => "ou=Users,DC=domain,DC=local", "allowEmptyPasswords" => "false", "throwValidateError" => "true", "baseFilter" => "(uid={0})" }, "code" => "org.jboss.security.auth.spi.LdapExtLoginModule", "flag" => "sufficient" }, { "module-options" => { "searchScope" => "SUBTREE_SCOPE", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "java.naming.provider.url" => "ldap://ldapserver/", "roleAttributeIsDN" => "true", "roleAttributeID" => "memberOf", "rolesCtxDN" => "DC=domain,DC=local", "roleFilter" => "(member={1})", "searchTimeLimit" => "5000", "java.naming.security.authentication" => "simple", "roleRecursion" => "1", "java.naming.referral" => "follow", "bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local", "bindCredential" => "bindpasswd", "baseCtxDN" => "ou=Users,DC=domain,DC=local", "allowEmptyPasswords" => "false", "throwValidateError" => "true", "baseFilter" => "(uid={0})" }, "code" => "org.jboss.security.auth.spi.LdapExtLoginModule", "flag" => "sufficient" } ])

       

      Please throw some light here.

       

      Regards,

      J Prasanna

        • 1. Re: Not able to create two LDAP login module with same code in Wildfly8.2.0
          Ondrej Lukas Newbie

          Hi,

           

          same login modules code can be used in one security domain, but each of them must have an original name. Use following CLI commands:

           

          /subsystem=security/security-domain=SourceForge:add()

           

          /subsystem=security/security-domain=SourceForge/authentication=classic:add()

           

          /subsystem=security/security-domain=SourceForge/authentication=classic/login-module=LdapExtended:add(code="org.jboss.security.auth.spi.LdapExtLoginModule", flag=sufficient, module-options=[("searchScope" => "SUBTREE_SCOPE"), ("java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory"), ("java.naming.provider.url" => "ldap://11.1.1.1"), ("roleAttributeIsDN" => "true"), ("roleAttributeID" => "memberOf"), ("rolesCtxDN" => "DC=domain,DC=local"), ("roleFilter" => "(member={1})"), ("searchTimeLimit" => "5000"), ("java.naming.security.authentication" => "simple"), ("roleRecursion" => "1"), ("java.naming.referral" => "follow"), ("bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local"), ("bindCredential" => "bindpasswd"), ("baseCtxDN" => "ou=Users,DC=domain,DC=local"), ("allowEmptyPasswords" => "false"), ("throwValidateError" => "true"), ("baseFilter" => "(uid={0})")])

           

          /subsystem=security/security-domain=SourceForge/authentication=classic/login-module=LdapExtended2:add(code="org.jboss.security.auth.spi.LdapExtLoginModule", flag=sufficient, module-options=[("searchScope" => "SUBTREE_SCOPE"), ("java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory"), ("java.naming.provider.url" => "ldap://ldapserver/"), ("roleAttributeIsDN" => "true"), ("roleAttributeID" => "memberOf"), ("rolesCtxDN" => "DC=domain,DC=local"), ("roleFilter" => "(member={1})"), ("searchTimeLimit" => "5000"), ("java.naming.security.authentication" => "simple"), ("roleRecursion" => "1"), ("java.naming.referral" => "follow"), ("bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local"), ("bindCredential" => "bindpasswd"), ("baseCtxDN" => "ou=Users,DC=domain,DC=local"), ("allowEmptyPasswords" => "false"), ("throwValidateError" => "true"), ("baseFilter" => "(uid={0})")])

           

          Best regards,

          Ondra

          • 2. Re: Not able to create two LDAP login module with same code in Wildfly8.2.0
            J Prasanna Venkatesan Newbie

            Thanks for your response.

             

            Can we achieve this using a single command may be write-attribute command?

             

            It will be really helpful if you can provide a single command.

            • 3. Re: Not able to create two LDAP login module with same code in Wildfly8.2.0
              J Prasanna Venkatesan Newbie

              I tried the following command (using write-attribute) including name but it didn't work

               

              /subsystem=security/security-domain=SourceForge/authentication=classic:write-attribute(name=login-modules, value=[ { "module-options" => { "searchScope" => "SUBTREE_SCOPE", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "java.naming.provider.url" => "ldap://11.1.1.1", "roleAttributeIsDN" => "true", "roleAttributeID" => "memberOf", "rolesCtxDN" => "DC=domain,DC=local", "roleFilter" => "(member={1})", "searchTimeLimit" => "5000", "java.naming.security.authentication" => "simple", "roleRecursion" => "1", "java.naming.referral" => "follow", "bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local", "bindCredential" => "bindpasswd", "baseCtxDN" => "ou=Users,DC=domain,DC=local", "allowEmptyPasswords" => "false", "throwValidateError" => "true", "baseFilter" => "(uid={0})" }, "code" => "org.jboss.security.auth.spi.LdapExtLoginModule", "flag" => "sufficient", "name" => "Test1" }, { "module-options" => { "searchScope" => "SUBTREE_SCOPE", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "java.naming.provider.url" => "ldap://ldapserver/", "roleAttributeIsDN" => "true", "roleAttributeID" => "memberOf", "rolesCtxDN" => "DC=domain,DC=local", "roleFilter" => "(member={1})", "searchTimeLimit" => "5000", "java.naming.security.authentication" => "simple", "roleRecursion" => "1", "java.naming.referral" => "follow", "bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local", "bindCredential" => "bindpasswd", "baseCtxDN" => "ou=Users,DC=domain,DC=local", "allowEmptyPasswords" => "false", "throwValidateError" => "true", "baseFilter" => "(uid={0})" }, "code" => "org.jboss.security.auth.spi.LdapExtLoginModule", "flag" => "sufficient", "name" => "Test2" } ])

              • 4. Re: Not able to create two LDAP login module with same code in Wildfly8.2.0
                Ondrej Lukas Newbie

                I think using only one command is not possible in this case. Moreover using attribute login-module is deprecated for authentication, it can be removed in the future. Supported way is worked with login-module as sub resource (execute command [1]). However then mentioned above commands are needed.

                 

                If you really need to use single command you can try some workaround:

                1) You can create an own subclass of LdapExtLoginModule which can be added together in one CLI command with original LdapExtLoginModule.

                2) Use different LDAP login module (LdapLoginModule, or AdvancedLdap from JBoss Negotiation).

                 

                [1] /subsystem=security/security-domain=SourceForge/authentication=classic:read-resource-description(recursive=true)

                • 5. Re: Not able to create two LDAP login module with same code in Wildfly8.2.0
                  J Prasanna Venkatesan Newbie

                  Ok I will go with add() instead of write-attribute()

                   

                  I need to execute the add() through Management API i.e. ModelControllerClient

                   

                  I wrote the following code

                   

                                      ModelControllerClient client = ModelControllerClient.Factory.create(InetAddress.getByName(host), port);

                   

                                      int count = 1;

                                      operation = "add";

                   

                                      for( AuthenticationProfile profile : profiles){

                                              JSONArray tempArray = new JSONArray( profile.getLoginModule().getSAReadyJSON());

                                              JSONArray jsonArray = new JSONArray();

                                              jsonArray.put( tempArray.getJSONObject(0) );

                   

                   

                                              inputString = jsonArray.toString();

                                              System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzz : " + inputString);

                                              ModelNode op = new ModelNode();

                                              op.get("operation").set(operation);

                                              //op.get("name").set("login-modules");

                                              op.get("code").set(profile.getLoginModule().getCode());

                                              op.get("flag").set(profile.getLoginModule().getFlag());

                   

                                              //ModelNode value = ModelNode.fromJSONString( inputString );

                                              //System.out.println("xzxzxzxx: "+value.toString());

                                              //op.get("value").set( value );

                                              LinkedHashMap moduleHashMap = profile.getLoginModule().getOptionsMap();

                                              String value = "";

                                              int index = 0;

                                              for (Object k : moduleHashMap.keySet()) {

                                                  String key = (String) k;

                                                  if(index == 0){

                                                          value = "[ " + "\""+key+"\" => \""+moduleHashMap.get(key)+"\"";

                                                  } else {

                                                          value = value + ", \""+key+"\" => \""+moduleHashMap.get(key)+"\"";

                                                  }

                                                  index++;

                                              }

                                              value = value + " ]";

                                              System.out.println("xzxzxzxx value : "+value);

                                              op.get("module-options").set(value);

                   

                                              ModelNode address = op.get("address");

                                              address.add("subsystem", "security");

                                              address.add("security-domain", securityDomain);

                                              address.add("authentication", "classic");

                                              address.add("login-module", profile.getLoginModule().getCode()+count);

                                              count++;

                   

                                              op.get("recursive").set(false);

                                              op.get("operations").set(false);

                   

                                              if ( apply ){

                                                      op.get("operation-headers", "allow-resource-service-restart").set(true);

                                              }

                                              System.out.println("yyyyyyyyyyyyyyy: "+ op.toString());

                   

                                              ModelNode returnVal = client.execute(op);

                   

                                              System.out.println("ccccccccccc : "+ returnVal.toString());

                   

                                              String outcome = returnVal.asString();

                                              System.out.println("outcomeoutcomeoutcomeoutcomeoutcome :"+ outcome);

                                              String failureDesc = returnVal.get("failure-description").toString();

                                              System.out.println("failureDescfailureDescfailureDesc: "+ failureDesc);

                                      }

                   

                   

                                      client.close();

                   

                  But I am getting following error and exception in server.log

                   

                  2015-10-14 07:13:26,576 INFO  [stdout] (default task-2) zzzzzzzzzzzzzzzzzzzzzzzzzz : [{"module-options":{"searchScope":"SUBTREE_SCOPE","java.naming.factory.initial":"com.sun.jndi.ldap.LdapCtxFactory","java.naming.provider.url":"ldap:\/\/ldapserver\/","roleAttributeIsDN":"true","roleAttributeID":"memberOf","rolesCtxDN":"DC=domain,DC=local","roleFilter":"(member={1})","searchTimeLimit":"5000","java.naming.security.authentication":"simple","roleRecursion":"1","java.naming.referral":"follow","bindDN":"cn=binduser,OU=Users,DC=domain,DC=local","bindCredential":"bindpasswd","baseCtxDN":"ou=Users,DC=domain,DC=local","allowEmptyPasswords":"false","throwValidateError":"true","baseFilter":"(uid={0})"},"code":"org.jboss.security.auth.spi.LdapExtLoginModule","flag":"sufficient"}]

                  2015-10-14 07:13:26,576 INFO  [stdout] (default task-2) xzxzxzxx value : [ "java.naming.provider.url" => "ldap://ldapserver/", "java.naming.referral" => "follow", "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory", "java.naming.security.authentication" => "simple", "bindDN" => "cn=binduser,OU=Users,DC=domain,DC=local", "bindCredential" => "bindpasswd", "baseCtxDN" => "ou=Users,DC=domain,DC=local", "baseFilter" => "(uid={0})", "roleAttributeID" => "memberOf", "roleAttributeIsDN" => "true", "rolesCtxDN" => "DC=domain,DC=local", "roleFilter" => "(member={1})", "roleRecursion" => "1", "searchTimeLimit" => "5000", "searchScope" => "SUBTREE_SCOPE", "allowEmptyPasswords" => "false", "throwValidateError" => "true" ]

                  2015-10-14 07:13:26,578 INFO  [stdout] (default task-2) yyyyyyyyyyyyyyy: {

                  2015-10-14 07:13:26,578 INFO  [stdout] (default task-2)     "operation" => "add",

                  2015-10-14 07:13:26,578 INFO  [stdout] (default task-2)     "code" => "org.jboss.security.auth.spi.LdapExtLoginModule",

                  2015-10-14 07:13:26,578 INFO  [stdout] (default task-2)     "flag" => "sufficient",

                  2015-10-14 07:13:26,578 INFO  [stdout] (default task-2)     "module-options" => "[ \"java.naming.provider.url\" => \"ldap://ldapserver/\", \"java.naming.referral\" => \"follow\", \"java.naming.factory.initial\" => \"com.sun.jndi.ldap.LdapCtxFactory\", \"java.naming.security.authentication\" => \"simple\", \"bindDN\" => \"cn=binduser,OU=Users,DC=domain,DC=local\", \"bindCredential\" => \"bindpasswd\", \"baseCtxDN\" => \"ou=Users,DC=domain,DC=local\", \"baseFilter\" => \"(uid={0})\", \"roleAttributeID\" => \"memberOf\", \"roleAttributeIsDN\" => \"true\", \"rolesCtxDN\" => \"DC=domain,DC=local\", \"roleFilter\" => \"(member={1})\", \"roleRecursion\" => \"1\", \"searchTimeLimit\" => \"5000\", \"searchScope\" => \"SUBTREE_SCOPE\", \"allowEmptyPasswords\" => \"false\", \"throwValidateError\" => \"true\" ]",

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)     "address" => [

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)         ("subsystem" => "security"),

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)         ("security-domain" => "SourceForge"),

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)         ("authentication" => "classic"),

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)         ("login-module" => "org.jboss.security.auth.spi.LdapExtLoginModule2")

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)     ],

                  2015-10-14 07:13:26,579 INFO  [stdout] (default task-2)     "recursive" => false,

                  2015-10-14 07:13:26,580 INFO  [stdout] (default task-2)     "operations" => false,

                  2015-10-14 07:13:26,580 INFO  [stdout] (default task-2)     "operation-headers" => {"allow-resource-service-restart" => true}

                  2015-10-14 07:13:26,580 INFO  [stdout] (default task-2) }

                  2015-10-14 07:13:26,601 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) JBAS014612: Operation ("add") failed - address: ([

                      ("subsystem" => "security"),

                      ("security-domain" => "SourceForge"),

                      ("authentication" => "classic"),

                      ("login-module" => "org.jboss.security.auth.spi.LdapExtLoginModule2")

                  ]): java.lang.IllegalArgumentException

                          at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:100)

                          at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:384)

                          at org.jboss.as.controller.MapAttributeDefinition.convertParameterExpressions(MapAttributeDefinition.java:251)

                          at org.jboss.as.controller.AttributeDefinition.validateAndSet(AttributeDefinition.java:438)

                          at org.jboss.as.security.LoginModuleResourceDefinition$LoginModuleAdd.populateModel(LoginModuleResourceDefinition.java:86)

                          at org.jboss.as.controller.AbstractAddStepHandler.populateModel(AbstractAddStepHandler.java:128)

                          at org.jboss.as.controller.AbstractAddStepHandler.populateModel(AbstractAddStepHandler.java:116)

                          at org.jboss.as.controller.AbstractAddStepHandler.execute(AbstractAddStepHandler.java:67)

                          at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:660)

                          at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:501)

                          at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:298)

                          at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:293)

                          at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:276)

                          at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:150)

                          at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:199)

                          at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:130)

                          at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:150)

                          at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:146)

                          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_45]

                          at javax.security.auth.Subject.doAs(Subject.java:422) [rt.jar:1.8.0_45]

                          at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94)

                          at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:146)

                          at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)

                          at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)

                          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_45]

                          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_45]

                          at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]

                          at org.jboss.threads.JBossThread.run(JBossThread.java:122)

                   

                   

                  2015-10-14 07:13:26,607 INFO  [stdout] (default task-2) ccccccccccc : {

                  2015-10-14 07:13:26,607 INFO  [stdout] (default task-2)     "outcome" => "failed",

                  2015-10-14 07:13:26,607 INFO  [stdout] (default task-2)     "failure-description" => "JBAS014749: Operation handler failed: null",

                  2015-10-14 07:13:26,607 INFO  [stdout] (default task-2)     "rolled-back" => true,

                  2015-10-14 07:13:26,607 INFO  [stdout] (default task-2)     "response-headers" => {"process-state" => "reload-required"}

                  2015-10-14 07:13:26,608 INFO  [stdout] (default task-2) }

                  2015-10-14 07:13:26,608 INFO  [stdout] (default task-2) outcomeoutcomeoutcomeoutcomeoutcome :{"outcome" => "failed","failure-description" => "JBAS014749: Operation handler failed: null","rolled-back" => true,"response-headers" => {"process-state" => "reload-required"}}

                  2015-10-14 07:13:26,608 INFO  [stdout] (default task-2) failureDescfailureDescfailureDesc: "JBAS014749: Operation handler failed: null"

                   

                  Please advise us.