1 Reply Latest reply on Mar 9, 2017 10:26 AM by Martin Choma

    LdapExtLoginModule - Filtering for user groups

    B L Newbie

      Hello,

       

      i am using Wildfly 10.1.0-final and LdapExtLoginModule for authentification. It works fine. Just the fact that everyone in our AD can log in disturbs me. I only want users be able to log in that are in the in the memberOf group "CN=specialUserGroup".

      This is what my login module configuration looks like:

       

                              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                  <module-option name="java.naming.provider.url" value="ldap://admin-server10:389"/>
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="bindDN" value="cn=admin,cn=Users,dc=domain,dc=com"/>
                                  <module-option name="bindCredential" value="xxx"/>
                                  <module-option name="baseCtxDN" value="cn=Users,dc=de-gmbh,dc=com"/>
                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                  <module-option name="userBaseFilter" value="(memberOf=CN=specialUserGroup)"/>
                                  <module-option name="rolesCtxDN" value="cn=Users,dc=domain,dc=com"/>
                                  <module-option name="roleFilter" value="(member={1})"/>
                                  <module-option name="roleAttributeID" value="memberOf"/>
                                  <module-option name="roleNameAttributeID" value="cn"/>
                                  <module-option name="roleAttributeIsDN" value="true"/>
                                  <module-option name="roleRecursion" value="1"/>
                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                                  <module-option name="defaultRole" value="Administrator"/>
                                  <module-option name="allowEmptyPasswords" value="true"/>
                                  <module-option name="throwValidateError" value="true"/>
                              </login-module>
      

       

      I've found this: How to configure to a role group in LdapExtLoginModule in JBOSS EAP 6.3? (JBoss/WildFly forum at Coderanch)

      <module-option name="baseFilter" value="(&(sAMAccountName={0})(memberOf=CN=ALL_CONTRACTORS,OU=GROUPS,OU=SMO,OU=COSAs,DC=eagle,DC=xxxx,DC=com))"/>
      

       

      But doing it his way is causing an error..

      11:21:10,632 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) starting
      11:21:12,257 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
              at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.server.ServerService.boot(ServerService.java:357) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.2.0.Final.jar:2.2.0.Final]
              at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_121]
      Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '(' (code 40) (expected a name start character)
       at [row,col {unknown-source}]: [437,50]
              at com.ctc.wstx.sr.StreamScanner.throwUnexpectedChar(StreamScanner.java:647) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.StreamScanner.parseFullName(StreamScanner.java:1933) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.StreamScanner.parseEntityName(StreamScanner.java:2057) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.StreamScanner.fullyResolveEntity(StreamScanner.java:1525) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.parseAttrValue(BasicStreamReader.java:1938) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.handleNsAttrs(BasicStreamReader.java:3065) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.handleStartElem(BasicStreamReader.java:2963) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.nextFromTree(BasicStreamReader.java:2839) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1073) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1154) [woodstox-core-asl-4.4.1.jar:4.4.1]
              at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.nextTag(XMLExtendedStreamReaderImpl.java:152) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
              at org.jboss.as.security.SecuritySubsystemParser.parseProperties(SecuritySubsystemParser.java:791)
              at org.jboss.as.security.SecuritySubsystemParser.parseCommonModule(SecuritySubsystemParser.java:718)
              at org.jboss.as.security.SecuritySubsystemParser.parseLoginModules(SecuritySubsystemParser.java:531)
              at org.jboss.as.security.SecuritySubsystemParser.parseAuthentication(SecuritySubsystemParser.java:520)
              at org.jboss.as.security.SecuritySubsystemParser.parseSecurityDomain(SecuritySubsystemParser.java:474)
              at org.jboss.as.security.SecuritySubsystemParser.parseSecurityDomains(SecuritySubsystemParser.java:417)
              at org.jboss.as.security.SecuritySubsystemParser.readElement(SecuritySubsystemParser.java:130)
              at org.jboss.as.security.SecuritySubsystemParser.readElement(SecuritySubsystemParser.java:95)
              at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
              at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
              at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) [wildfly-server-2.2.0.Final.jar:2.2.0.Final]
              at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
              at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
              at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.2.0.Final.jar:2.2.0.Final]
              ... 3 more
      

       

      Could you please help me to solve this issue?

      Thanks in advance.