1 Reply Latest reply on Oct 11, 2018 12:22 PM by Martin Choma

    PasswordCredential not propagating when using SASL Authentication with Elytron Security ldap-realm

    Steve Rose Newbie

      Hi, I am upgrading from Wildfly 10 to Wildfly 14.01.

      I was able to log in from a standalone EJB client using SASL with the following security-realms with no issue:

      1. jdbc-realm

      2. properties-realm

      I am, however, unable to log in from the standalone EJB client using ldap-realm with SASL.

      I tested my configuration by logging in using the HttpRequest.login method via a servlet, and that works with no problem; see below:

      2018-10-10 17:07:02,278 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
      2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
      2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
      2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [******]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2018-10-10 17:07:02,480 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@493a3a0b] successfully created. Connection established to LDAP server.
      2018-10-10 17:07:02,483 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
      2018-10-10 17:07:02,484 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [].
      2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@493a3a0b] was closed. Connection closed or just returned to the pool.
      2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [******]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2018-10-10 17:07:02,916 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@2896a1e0] successfully created. Connection established to LDAP server.
      2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
      2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are [null]. Binary attributes are [null].
      2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@2896a1e0] was closed. Connection closed or just returned to the pool.
      2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [******]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2018-10-10 17:07:03,185 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@18ccf2] successfully created. Connection established to LDAP server.
      2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
      2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [null].
      2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
      2018-10-10 17:07:03,266 DEBUG [org.wildfly.security] (default task-2) Executing search [(uniqueMember={1})] in context [ou=mathematicians,dc=example,dc=com] with arguments [GAUSS, uid=gauss,dc=example,dc=com]. Returning attributes are [null, UID, CN]. Binary attributes are [null].
      2018-10-10 17:07:03,346 DEBUG [org.wildfly.security] (default task-2) Found entry [ou=mathematicians,dc=example,dc=com].
      2018-10-10 17:07:03,346 TRACE [org.wildfly.security] (default task-2) Identity iterating - pagination not supported - end of list
      2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Obtaining authorization identity attributes for principal [GAUSS]:
      2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Identity [GAUSS] does not have any attributes.
      2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@18ccf2] was closed. Connection closed or just returned to the pool.
      2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Authorizing principal GAUSS.
      2018-10-10 17:07:03,350 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [] => []
      2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [GAUSS] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Authorization succeed
      2018-10-10 17:07:03,357 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []

      However, when I try to log in via the EJB client using HTTP remoting and the code below:

      import java.util.concurrent.Callable;

      import org.wildfly.common.context.ContextManager;
      import org.wildfly.security.auth.client.AuthenticationConfiguration;
      import org.wildfly.security.auth.client.AuthenticationContext;
      import org.wildfly.security.auth.client.MatchRule;
      import org.wildfly.security.sasl.SaslMechanismSelector;

      // Client-side Elytron configuration: offer only DIGEST-MD5 and supply the user's name and password.
      AuthenticationConfiguration config = AuthenticationConfiguration
        .empty()
        .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("DIGEST-MD5").forbidMechanism("JBOSS-LOCAL-USER"))
        .useName(username)
        .usePassword(password)
        .useDefaultProviders();
      // Apply the configuration to every connection and make it the process-wide default.
      final AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, config);
      ContextManager<AuthenticationContext> contextManager = authCtx.getInstanceContextManager();
      contextManager.setGlobalDefault(authCtx);
      // Look up the remote EJB proxy while the authentication context is active on this thread.
      Callable<Object> vCallable = () -> initJNDIContext();
      try {
         facade = (PWFacade) authCtx.runCallable(vCallable);
      } catch (Exception e) {
         e.printStackTrace();
      }

      I get the following error trying to authenticate:

      2018-10-10 17:07:04,167 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
      2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
      2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [LdapRealm]
      2018-10-10 17:07:04,174 TRACE [org.wildfly.security] (default I/O-5) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5] and protocol [remote]
      2018-10-10 17:07:04,176 TRACE [org.wildfly.security] (default I/O-5) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@11dcf178->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@6d00f4d7->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@2ea5f4f1->org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5]
      2018-10-10 17:07:04,214 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
      2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
      2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
      2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
      2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
      2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
      2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling PasswordCallback: PasswordCredential may not be supported
      2018-10-10 17:07:04,217 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail

      My standalone.config is very simple. Here are the relevant portions:

      <subsystem xmlns="urn:wildfly:elytron:4.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
          <security-domains>
              <security-domain name="LdapDomain" default-realm="LdapRealm" permission-mapper="default-permission-mapper">
                  <realm name="LdapRealm" role-decoder="groups-to-roles"/>
                  <realm name="local"/>
              </security-domain>
          </security-domains>

          <security-realms>
              <identity-realm name="local" identity="$local"/>
              <ldap-realm name="LdapRealm" dir-context="ldap-connection" direct-verification="false">
                  <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com">
                      <attribute-mapping>
                          <attribute from="uid" to="Roles" filter="(uniqueMember={1})" filter-base-dn="ou=mathematicians,dc=example,dc=com"/>
                      </attribute-mapping>
                  </identity-mapping>
              </ldap-realm>
          </security-realms>

          <sasl>
              <sasl-authentication-factory name="ldap-sasl-authentication" sasl-server-factory="configured" security-domain="LdapDomain">
                  <mechanism-configuration>
                      <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                      <mechanism mechanism-name="DIGEST-MD5">
                          <mechanism-realm realm-name="LdapRealm"/>
                      </mechanism>
                  </mechanism-configuration>
              </sasl-authentication-factory>
          </sasl>

          <dir-contexts>
              <dir-context name="ldap-connection" url="ldap://ldap.forumsys.com:389" principal="cn=read-only-admin,dc=example,dc=com">
                  <credential-reference clear-text="password"/>
              </dir-context>
          </dir-contexts>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:remoting:4.0">
          <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="ldap-sasl-authentication">
              <sasl/>
          </http-connector>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
          <application-security-domains>
              <application-security-domain name="ldap-security-domain" security-domain="LdapDomain"/>
          </application-security-domains>
      </subsystem>

      I am using the free online LDAP server found here: Online LDAP Test Server - Forum Systems

      Any ideas?

      Thanks

      -Steve
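As an added example (not code from this post, nor from WildFly or Elytron), here is the DIGEST-MD5 calculation from RFC 2831 carried through on both sides of the exchange in Python. It makes visible why the trace above ends in "failed to obtain credential": DIGEST-MD5 is a challenge/response mechanism, the client never sends the password, and the server can verify the client's response only if its realm can hand the mechanism either the clear password or the realm-bound hash H(username:realm:password). A realm that checks passwords solely by attempting an LDAP bind holds neither, so the mechanism has nothing to compare against. The realm name, user and password are constructed sample values; `remote/pw.test.com` is assumed as the digest-uri (protocol/host) built from the names in the trace.

```python
"""DIGEST-MD5 (RFC 2831) computed on both sides of the exchange.

Constructed example: it shows which secret each side must hold. The server
cannot verify a DIGEST-MD5 response unless its realm can return the clear
password or the stored H(username:realm:password) hash; a realm that can only
answer "does this password bind?" has nothing to give the mechanism.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

REALM = "LdapRealm"                # realm name advertised in the server challenge
DIGEST_URI = "remote/pw.test.com"  # assumed digest-uri: protocol/host from the trace


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def ha1(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only term that needs the clear password.

    A server may store exactly this 16-byte value instead of the password and
    still serve DIGEST-MD5; it is bound to the realm name, so it is of no use
    against a server with a different realm.
    """
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest(h1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
           digest_uri: str, authzid: Optional[str] = None,
           server_side: bool = False) -> str:
    """RFC 2831 response-value; with server_side=True, the rspauth value."""
    a1 = h1 + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2.encode('utf-8')).hex()}"
    return _h(kd.encode("utf-8")).hex()


# --- two kinds of realm the server might be backed by ------------------------
CredentialLookup = Callable[[str, str], Optional[bytes]]

# Realm 1: stores the realm-bound hash (constructed sample user and password).
_hashed_store = {("GAUSS", REALM): ha1("GAUSS", REALM, "password")}


def hashed_realm(username: str, realm: str) -> Optional[bytes]:
    return _hashed_store.get((username, realm))


def bind_only_realm(username: str, realm: str) -> Optional[bytes]:
    """Models a realm that can only attempt an LDAP simple bind with a password.

    It never sees a stored password or hash, so it cannot return anything the
    DIGEST-MD5 server could use: this is the 'failed to obtain credential' case.
    """
    return None


def server_verify(lookup: CredentialLookup, username: str, nonce: str, cnonce: str,
                  nc: str, qop: str, client_response: str) -> Tuple[bool, str]:
    """Server side: recompute the response from the stored hash and compare."""
    h1 = lookup(username, REALM)
    if h1 is None:
        return False, "failed to obtain credential"
    expected = digest(h1, nonce, cnonce, nc, qop, DIGEST_URI)
    if not hmac.compare_digest(expected, client_response):
        return False, "response mismatch"
    # Mutual authentication: prove to the client that the server holds the secret too.
    return True, digest(h1, nonce, cnonce, nc, qop, DIGEST_URI, server_side=True)


def run_exchange(lookup: CredentialLookup, username: str, password: str) -> Tuple[bool, str]:
    """Drive one challenge/response round trip against the given realm."""
    nonce = os.urandom(16).hex()   # server challenge
    cnonce = os.urandom(16).hex()  # client nonce
    nc, qop = "00000001", "auth"
    h1_client = ha1(username, REALM, password)  # client needs the clear password ...
    client_response = digest(h1_client, nonce, cnonce, nc, qop, DIGEST_URI)  # ... but sends only this
    ok, detail = server_verify(lookup, username, nonce, cnonce, nc, qop, client_response)
    if ok:
        rspauth = digest(h1_client, nonce, cnonce, nc, qop, DIGEST_URI, server_side=True)
        ok = hmac.compare_digest(detail, rspauth)
        detail = "mutual authentication ok" if ok else "server rspauth mismatch"
    return ok, detail


if __name__ == "__main__":
    print(run_exchange(hashed_realm, "GAUSS", "password"))     # realm can supply the hash
    print(run_exchange(bind_only_realm, "GAUSS", "password"))  # realm cannot
```

In Elytron terms this is the difference between a realm that can return a password credential for the identity (the mechanism then does the comparison itself, as `server_verify` does here) and a realm that offers only direct verification by binding to LDAP, which can serve a mechanism that transmits the password, such as PLAIN over TLS, but not DIGEST-MD5.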