2 Replies Latest reply on Mar 14, 2018 5:39 PM by Benjamin Börngen-Schmidt

    Wildfly 10.1 SPNEGO and Groups from LDAP

    Benjamin Börngen-Schmidt Newbie

      Hello everyone,

       

      first of all, I'd love to use Wildfly 11, but I can not since the application is not yet ported. But it should be possible to build the same in Wildfly 10.1.

      So what I want to archive is the following:

      • User opens Browser and hits the applications URL
      • Application Sends 401 ... User Authentication using Windows integrated Authenication (SPNEGO)
      • After the user is Authenticated fetch his Roles from LDAP
      • Map a specific role to another Role so that it matches the web.xml <role-name>-tag

      I hope you guys can understand what I'm trying to do and I hope I'm on the right track.

       

      What I managed to archive already:

      • Integrated Windows Authentification (IWA) is working
      • Roles are fetched from LDAP
        • but only via LDAP Simple Bind
        • Can not use Kerberos (would be nicer since I already have an authenticated user from IWA)
      • I do have no clue how to Map a RoleA to RoleB

                                                               

      And web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
               version="3.0">
        <display-name>App-IWA</display-name>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <description>App-IWA security test site</description>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>
          <security-role>
              <description>User role is needed to login</description>
              <role-name>Users</role-name>
          </security-role>
        <login-config>
          <auth-method>SPNEGO</auth-method>
          <realm-name>SPNEGO</realm-name>
        </login-config>
      </web-app>
      

       

      Until now I have read quite a lot of Blog posts, Red Hat JBoss Manual, Wildfly Manual etc. where a lot of partial Information is posted, mainly on the how to get the ManagementRealm to use LDAP, which I do not really care about BUT at the same time I cannot destinguish if the Information is also vailid for securing Applications.

       

      Things, I just want to note down for anyone who finds this post later, are:

       

      But after I introduced my problem, I'd like to ask some questions:

      Q1: When I try to use the Kerberos "host" configuration for the AdvancedLdap login-module I always get the error that I do not have a bind to the LDAP

      The configuration I tried to use for this looks like

      /subsystem=security/security-domain=SPNEGO/authentication=classic/:write-attribute(
          name=login-modules,
          value=[{
              code="SPNEGOUsers",
              flag="requisite",
              module="org.jboss.security.negotiation",
              module-options={
                  password-stacking="useFirstPass",
                  serverSecurityDomain="host",
                  removeRealmFromPrincipal=true
              }
          },{
              code="org.jboss.security.negotiation.AdvancedADLoginModule",
              flag="required",
              module="org.jboss.security.negotiation",
              module-options={
                  password-stacking="useFirstPass",
                  java.naming.provider.url="ldap://kdc.domain.dev:389",
                  bindAuthentication="GSSAPI",
                  jaasSecurityDomain="host",
                  baseCtxDN="CN=Users,DC=domain,DC=dev",
                  baseFilter="(sAMAccountName={0})",
                  rolesCtxDN="CN=Users,DC=domain,DC=dev",
                  roleFilter="(member={1})",
                  roleAttributeID="cn"
              }
          }]
      ) {allow-resource-service-restart=true}
      

      What confuses me is, that I already must have had a binding in SPNEGOUsers, right? The login always fails on org/jboss/security/negotiation/AdvancedLdapLoginModule.java:536 of the findUser function. It seems that when I reuse the credentials from the SPNEGO the filter attribute will be set to "Administrator" which would be fine, since it will match sAMAccountName.

      The error usually looked like

      2018-02-26 10:50:37,155 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Login failed: javax.security.auth.login.LoginException: Unable to find user DN     at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:581)     at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:385)     at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:971) ... Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; ramining name 'CN=Users,DC=domain,DC=dev'     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)     at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:536) ....

       

      Q2: Map LDAP Roles to Application Role

      Since the roles in LDAP will look a lot different, than what will be "Generic" in the web.xml the "Users" is there a way to add the Users Role to the User/Principal (I do not get the difference) based on a specific LDAP Group?

      So for example Administrator is part o the following LDAP Groups:

      • Domain User
      • Remote Desktopusers
      • ApplicationUsers
      • ZeWebApplicationWhichICoded

      My Idea was, that after I fetched the Roles from LDAP and the user is part of "ZeWebApplicationWhichICoded" then I add him also to the Role "Users". But is this even possible with the given Tools of Wildfly or do I need to code something on my own?

       

      Q3: Can I make Elytron work with Wildfly 10.1?

      I read quite a lot about Elytron and it seems to have more of the Stuff I want than the current WFLY10.1 security subsystem. Is there a nice and easy way to get the latest Elytron version and enable it in Wildfly 10.1?

       

      Anyways thanks for reading so far and I hope someone might be able to push me into the right direction.

      Benjamin

        • 2. Re: Wildfly 10.1 SPNEGO and Groups from LDAP
          Benjamin Börngen-Schmidt Newbie

          I had a look at both your references, but it does not help finding the right configuration at all. Sadly.

          Also when looking at the Testcases my config is pretty much the same as the one of SD1 Security Domain so this makes me wonder what else I'm missing. Same problem here JBOSS Negotiate using AdvancedLdapLoginModule throws bind er  from 2009.

          Funny thing is, all the documentation meantions, that AdvancedLdap should be working with Kerberos thus chained with SPNEGO, but yet I've never seen a working example, except in the Testcases

           

          When debugging the code I noticed it always fails to find the User DN at AdvancedLdapLoginModule.java#L536

           

          Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'CN=Users,DC=domain,DC=dev'
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
              at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
              at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
              at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
              at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
              at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
              at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
              at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:536)

          Judging from the Error and Infomation found on the Internet not binding (authentication) to LDAP has happend before the AdvancedLdap Module tries to search in LDAP or my case Active Directory. I think this is a configuration issue, because I had something similar with our application before. But here we needed Wildfly this way:

          <security-domains>
              <security-domain name="other" cache-type="default">
                  <authentication>
                      <login-module name="Kerberos" code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                      .....
                  </authentication>
              </security-domain>
          </security-domains>
          

          And then could use our implementation to then let the application authenitcate and authorize the user.