6 Replies Latest reply on Jun 29, 2017 4:29 PM by Jon Royer

    Jboss eap 7.0 Configuration management interfaces with ldap

    roberto perini Newbie

In my installation of JBoss EAP 7.0 running in domain mode, I configured the management console on port 9993 in https; now I would like to configure authentication by an external ldap server without ssl between jboss --> ldap server.

I executed the following steps in the CLI console:

      /host=master/core-service=management/ldap-connection=ldap-connection/:add(search-credential=password,url=ldap://IP_LDAP:389,search-dn="cn=Manager,dc=example,dc=net")

      reload

      /host=master/core-service=management/security-realm=ldap-security-realm:add

/host=master/core-service=management/security-realm=ldap-security-realm/authentication=ldap:add(connection="ldap-connection",base-dn="dc=example,dc=net",username-attribute="uid")

      reload

      /host=master/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value="ldap-security-realm")

      reload

When the server restarts there is the following message in console.log:

      2017-02-17 11:43:47,711 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.serverManagement.controller.management.http: org.jboss.msc.service.StartException in service jboss.serverManagement.controller.management.http: WFLYSRV0083: Failed to start the http-interface service

      ...

      Caused by: java.lang.IllegalArgumentException: WFLYDMHTTP0012: A secure socket has been defined for the HTTP interface, however the referenced security realm is not supplying a SSLContext.

In host-master.xml there is this configuration for management-interface:

          <management-interfaces>
              <native-interface security-realm="CertificateRealm">
                  <socket interface="management" port="${jboss.management.native.port:9999}"/>
              </native-interface>
              <http-interface security-realm="ldap-security-realm" http-upgrade-enabled="true">
                  <socket interface="management" secure-port="9993"/>
              </http-interface>
          </management-interfaces>

Can you help me find the solution to the problem?

      Thanks in advance

        • 1. Re: Jboss eap 7.0 Configuration management interfaces with ldap
          Martin Choma Expert

          In ldap-security-realm you have to configure server-identities/ssl as well.

          So that your configuration will look similar to

          <server-identities>
              <ssl>
                  <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server"/>
              </ssl>
          </server-identities>

          • 2. Re: Jboss eap 7.0 Configuration management interfaces with ldap
            roberto perini Newbie

Thanks, now it connects to the ldap server.

Probably I'm testing authentication with an ldap server that is not properly configured, but I would like to understand if the user that authenticates with ldap must also be present in the mgmt-users.properties and mgmt-groups.properties files.

            • 3. Re: Jboss eap 7.0 Configuration management interfaces with ldap
              Martin Choma Expert

              User authenticated with LDAP does not need to be in mgmt-users.properties.

              • 4. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                roberto perini Newbie

When I enter the username and password for authentication in the CLI management with the external ldap server I get only this message:

PLAIN: Server rejected authentication, without other messages in console.log.

Can I configure a trace log to view the real parameters sent to the ldap server?

In search-credential I have a password with & that in the file host-master.xml becomes &amp;; is this correct?

                Thanks

                • 5. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                  roberto perini Newbie

I would like to add some other information: I configured the management interface in https on secure port 9993 and afterwards I configured basic ldap.

I also added, inside the tag <security-realm name="ldap-security-realm">, the tag for the certificate, like this:

                              <server-identities>
                                  <ssl>
                                      <keystore path="/certs/master.keystore.jks" relative-to="jboss.domain.config.dir" keystore-password="secret" alias="master_alias"/>
                                  </ssl>
                              </server-identities>

                  Is it correct ?

                  • 6. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                    Jon Royer Newbie

A little late with the answer, 5 months, but I just want to put it out there. Below is what my host-master.xml looks like, and don't forget to update your jboss-cli.sh from port 9990 to 9993 and http-remoting to https-remoting. mchoma, your solution to the first part of this got me moving in the right direction when I hit a road block. Thanks!

Roberto,

Not sure how your LDAP is set up, but I will give you a segment of mine as an example.

                    <management>
                        <security-realms>
                            <security-realm name="ldap_security_realm">
                                <server-identities>
                                    <ssl>
                                        <keystore path="https_CERT.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::keystore::KeyStore::1}" alias="test"/>
                                    </ssl>
                                </server-identities>
                                <authentication>
                                    <ldap connection="ldap-connection" base-dn="dc=domain,dc=com" recursive="true">
                                        <username-filter attribute="saMAccountName"/>
                                    </ldap>
                                </authentication>
                            </security-realm>
                        </security-realms>

                        <outbound-connections>
                            <ldap name="ldap-connection" url="ldap://LDAP.Server.com:389" search-dn="cn=UserID.UserID,ou=Service Accounts,dc=domain,dc=com" search-credential="${VAULT::LDAP::PASSWORD::1}"/>
                        </outbound-connections>

                        <management-interfaces>
                            <native-interface security-realm="ManagementRealm">
                                <socket interface="management" port="${jboss.management.native.port:9999}"/>
                            </native-interface>
                            <http-interface security-realm="ldap_security_realm" http-upgrade-enabled="true">
                                <socket interface="management" secure-port="9993"/>
                            </http-interface>
                        </management-interfaces>
                    </management>
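As an added example that is not part of this thread or of JBoss itself, here is a small Python audit of the <management> section of a host.xml. It covers the point from reply 1 (an interface with a secure-port must reference a realm that has <server-identities><ssl>, otherwise the boot fails with WFLYDMHTTP0012) and the question from reply 4 (a & inside search-credential is written as &amp; in the file and parses back to &). The sample XML, its host names, paths and the credential "p&ssw0rd" are constructed for the example; the audit function itself is generic and also lists ldap:// connections, since the bind credential then crosses the network unencrypted.

```python
"""Audit the <management> section of a JBoss EAP 7 host.xml for: an interface
with a secure-port whose realm supplies no <server-identities><ssl> (boot error
WFLYDMHTTP0012), how a '&' inside search-credential is stored, and ldap://
outbound connections whose bind credential travels in clear text."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample modelled on the host-master.xml fragments posted in the thread.
# Host names, paths and the credential "p&ssw0rd" are made up for this example.
SAMPLE_HOST_XML = """<host xmlns="urn:jboss:domain:4.1" name="master">
  <management>
    <security-realms>
      <security-realm name="ldap-security-realm">
        <authentication>
          <ldap connection="ldap-connection" base-dn="dc=example,dc=net">
            <username-filter attribute="uid"/>
          </ldap>
        </authentication>
      </security-realm>
    </security-realms>
    <outbound-connections>
      <ldap name="ldap-connection" url="ldap://IP_LDAP:389"
            search-dn="cn=Manager,dc=example,dc=net" search-credential="p&amp;ssw0rd"/>
    </outbound-connections>
    <management-interfaces>
      <http-interface security-realm="ldap-security-realm" http-upgrade-enabled="true">
        <socket interface="management" secure-port="9993"/>
      </http-interface>
    </management-interfaces>
  </management>
</host>
"""

# The fix from reply 1: give the LDAP realm its own <server-identities><ssl> block.
_SSL_IDENTITY = """
        <server-identities>
          <ssl>
            <keystore path="master.keystore.jks" relative-to="jboss.domain.config.dir"
                      keystore-password="secret" alias="master_alias"/>
          </ssl>
        </server-identities>"""
FIXED_HOST_XML = SAMPLE_HOST_XML.replace(
    '<security-realm name="ldap-security-realm">',
    '<security-realm name="ldap-security-realm">' + _SSL_IDENTITY)


def _local(tag):
    """Strip the urn:jboss:domain namespace so tags can be matched by local name."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    return [d for d in elem.iter() if _local(d.tag) == name]


def realms_with_ssl(root):
    """Names of the security realms that can supply an SSLContext."""
    return {r.get('name') for r in _descendants(root, 'security-realm')
            if any(_children(si, 'ssl') for si in _children(r, 'server-identities'))}


def audit(xml_text):
    """Return the findings for one host.xml document as a plain dict."""
    root = ET.fromstring(xml_text)
    ssl_realms = realms_with_ssl(root)
    failing = []
    for iface in _descendants(root, 'http-interface') + _descendants(root, 'native-interface'):
        realm = iface.get('security-realm')
        # A secure-port on a realm without <ssl> is exactly what WFLYDMHTTP0012 reports.
        if any(s.get('secure-port') for s in _children(iface, 'socket')) and realm not in ssl_realms:
            failing.append((_local(iface.tag), realm))
    conns = {c.get('name'): c for oc in _descendants(root, 'outbound-connections')
             for c in _children(oc, 'ldap')}
    return {
        'ssl_realms': sorted(ssl_realms),
        'failing_interfaces': failing,
        'cleartext_ldap': sorted(n for n, c in conns.items()
                                 if (c.get('url') or '').lower().startswith('ldap://')),
        # The XML parser has already turned &amp; back into a plain & here.
        'credentials': {n: c.get('search-credential') for n, c in conns.items()},
    }


def escape_credential(secret):
    """Attribute text the CLI writes to host.xml: '&' -> '&amp;', '"' -> '&quot;'."""
    return escape(secret, {'"': '&quot;'})


if __name__ == '__main__':
    for label, text in (('as posted', SAMPLE_HOST_XML), ('with ssl identity', FIXED_HOST_XML)):
        result = audit(text)
        print(f"{label}: failing={result['failing_interfaces']} cleartext ldap={result['cleartext_ldap']}")
    print('p&ssw0rd is stored as', escape_credential('p&ssw0rd'))
```

Run against a real host-master.xml by reading the file into audit(); the first sample reproduces the failing state from the opening post, the second shows that adding the server-identities block clears it. The cleartext_ldap list is the caveat for the "without ssl between jboss --> ldap" setup in the question: with an ldap:// URL the search-dn bind password is sent unencrypted on every lookup, so ldaps:// or a network path you trust is worth considering.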