PasswordCredential not propagating when using SASL Authentication with Elytron Security ldap-realm
srose Oct 11, 2018 10:35 AM
Hi, I am upgrading from Wildfly 10 to Wildfly 14.01.
I was able to log in from a standalone EJB client using SASL with the following security-realms with no issue:
1. jdbc-realm
2. properties-realm
I am, however, unable to log in from a standalone EJB client using ldap-realm with SASL.
I tested my configuration by logging in using the HttpRequest.login method via a servlet, and that works with no problem; see below:
2018-10-10 17:07:02,278 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:02,480 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@493a3a0b] successfully created. Connection established to LDAP server.
2018-10-10 17:07:02,483 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:02,484 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [].
2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@493a3a0b] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:02,916 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@2896a1e0] successfully created. Connection established to LDAP server.
2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are [null]. Binary attributes are [null].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@2896a1e0] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:03,185 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@18ccf2] successfully created. Connection established to LDAP server.
2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [null].
2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,266 DEBUG [org.wildfly.security] (default task-2) Executing search [(uniqueMember={1})] in context [ou=mathematicians,dc=example,dc=com] with arguments [GAUSS, uid=gauss,dc=example,dc=com]. Returning attributes are [null, UID, CN]. Binary attributes are [null].
2018-10-10 17:07:03,346 DEBUG [org.wildfly.security] (default task-2) Found entry [ou=mathematicians,dc=example,dc=com].
2018-10-10 17:07:03,346 TRACE [org.wildfly.security] (default task-2) Identity iterating - pagination not supported - end of list
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Obtaining authorization identity attributes for principal [GAUSS]:
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Identity [GAUSS] does not have any attributes.
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@18ccf2] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Authorizing principal GAUSS.
2018-10-10 17:07:03,350 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [] => []
2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [GAUSS] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Authorization succeed
2018-10-10 17:07:03,357 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
However, when I try to log in via the EJB client using HTTP remoting and the code below:
import java.util.concurrent.Callable;
import org.wildfly.common.context.ContextManager;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.sasl.SaslMechanismSelector;

// Client-side Elytron configuration: offer only DIGEST-MD5 and supply name + password
AuthenticationConfiguration config = AuthenticationConfiguration
        .empty()
        .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("DIGEST-MD5").forbidMechanism("JBOSS-LOCAL-USER"))
        .useName(username)
        .usePassword(password)
        .useDefaultProviders();
final AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, config);
ContextManager<AuthenticationContext> contextManager = authCtx.getInstanceContextManager();
contextManager.setGlobalDefault(authCtx);
// Run the JNDI lookup with authCtx as the active authentication context
Callable<Object> vCallable = () -> initJNDIContext();
try {
    facade = (PWFacade) authCtx.runCallable(vCallable);
} catch (Exception e) {
    e.printStackTrace();
}
I get the following error trying to authenticate:
2018-10-10 17:07:04,167 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [LdapRealm]
2018-10-10 17:07:04,174 TRACE [org.wildfly.security] (default I/O-5) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5] and protocol [remote]
2018-10-10 17:07:04,176 TRACE [org.wildfly.security] (default I/O-5) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@11dcf178->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@6d00f4d7->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@2ea5f4f1->org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5]
2018-10-10 17:07:04,214 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling PasswordCallback: PasswordCredential may not be supported
2018-10-10 17:07:04,217 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail
My standalone.config is very simple. Here are the relevant portions:
<subsystem xmlns="urn:wildfly:elytron:4.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <security-domains>
        <security-domain name="LdapDomain" default-realm="LdapRealm" permission-mapper="default-permission-mapper">
            <realm name="LdapRealm" role-decoder="groups-to-roles"/>
            <realm name="local"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <identity-realm name="local" identity="$local"/>
        <ldap-realm name="LdapRealm" dir-context="ldap-connection" direct-verification="false">
            <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com">
                <attribute-mapping>
                    <attribute from="uid" to="Roles" filter="(uniqueMember={1})" filter-base-dn="ou=mathematicians,dc=example,dc=com"/>
                </attribute-mapping>
            </identity-mapping>
        </ldap-realm>
    </security-realms>
    <sasl>
        <sasl-authentication-factory name="ldap-sasl-authentication" sasl-server-factory="configured" security-domain="LdapDomain">
            <mechanism-configuration>
                <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                <mechanism mechanism-name="DIGEST-MD5">
                    <mechanism-realm realm-name="LdapRealm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
    <dir-contexts>
        <dir-context name="ldap-connection" url="ldap://ldap.forumsys.com:389" principal="cn=read-only-admin,dc=example,dc=com">
            <credential-reference clear-text="password"/>
        </dir-context>
    </dir-contexts>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="ldap-sasl-authentication">
        <sasl/>
    </http-connector>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <application-security-domains>
        <application-security-domain name="ldap-security-domain" security-domain="LdapDomain"/>
    </application-security-domains>
</subsystem>
I am using the free online LDAP server found here: Online LDAP Test Server - Forum Systems
Any ideas?
Thanks
-Steve
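The two failing callbacks in the trace above, "CredentialCallback: failed to obtain credential" followed by "PasswordCallback: PasswordCredential may not be supported", are what a DIGEST-MD5 server reports when the realm cannot hand it any password-derived material. DIGEST-MD5 is a challenge-response mechanism: the server never receives the password on the wire, so to check the client's response it must itself compute H(username:realm:password) from a stored clear password or a stored pre-hashed digest. A realm that can only verify a password by binding to the directory has nothing to offer, which is why PLAIN-style mechanisms work against such a realm while DIGEST-MD5 cannot. The Python script below is an added example, not WildFly, Elytron or the poster's code: it walks both sides of the RFC 2831 computation and runs the verifier against three constructed realm lookups (clear password, pre-hashed digest, and a bind-only realm that returns nothing). The username, realm name and digest-uri host are taken from the trace; the password, nonces and the realm lookups are constructed and have nothing to do with the public test server's data.

```python
"""DIGEST-MD5 (RFC 2831) response computation, client and server side.
Added example, not WildFly/Elytron code. All passwords, nonces and realm
lookups are constructed samples."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple, Union

Credential = Union[str, bytes]  # clear password, or pre-hashed H(user:realm:pass)


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def pre_digest(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only password-derived value a DIGEST-MD5
    verifier needs. Servers that must not keep plaintext store this instead."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(ha1_urp: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value per RFC 2831 2.1.2.1:
    A1 = H(user:realm:pass) ":" nonce ":" cnonce
    A2 = "AUTHENTICATE:" digest-uri  [":" 32 zeros for auth-int / auth-conf]
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))"""
    a1 = ha1_urp + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2)}"
    return _hex_h(kd_input.encode("utf-8"))


def server_challenge(realm: str, nonce: Optional[str] = None) -> Dict[str, str]:
    """First server message: realm, fresh nonce, offered qop and algorithm."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16),
            "qop": "auth", "algorithm": "md5-sess", "charset": "utf-8"}


def client_respond(username: str, password: str, challenge: Dict[str, str],
                   digest_uri: str, cnonce: Optional[str] = None) -> Dict[str, str]:
    """The client holds the clear password, so it can derive H(A1) itself."""
    cnonce = cnonce or secrets.token_hex(16)
    nc = "00000001"
    ha1 = pre_digest(username, challenge["realm"], password)
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": nc, "qop": "auth", "digest-uri": digest_uri,
            "response": digest_response(ha1, challenge["nonce"], cnonce, nc, "auth", digest_uri)}


def server_verify(resp: Dict[str, str], lookup: Callable[[str, str], Optional[Credential]],
                  expected_nonce: str) -> Tuple[bool, str]:
    """`lookup` plays the security realm: it must return a clear password or a
    pre_digest() value. With None the server has nothing to compare against and
    fails before any hashing, which is the situation in the trace above."""
    if resp["nonce"] != expected_nonce:
        return False, "nonce mismatch"
    cred = lookup(resp["username"], resp["realm"])
    if cred is None:
        return False, "failed to obtain credential"
    ha1 = cred if isinstance(cred, bytes) else pre_digest(resp["username"], resp["realm"], cred)
    expected = digest_response(ha1, resp["nonce"], resp["cnonce"], resp["nc"],
                               resp["qop"], resp["digest-uri"])
    return (True, "ok") if hmac.compare_digest(expected, resp["response"]) else (False, "bad response")


# Constructed realms. The bind-only one models a realm that can only check a
# password by binding to the directory and so exposes no credential at all.
REALM = "LdapRealm"
_USERS = {"GAUSS": "example-password"}  # constructed sample, not real data


def clear_password_realm(user: str, realm: str) -> Optional[Credential]:
    return _USERS.get(user)


def pre_hashed_realm(user: str, realm: str) -> Optional[Credential]:
    pw = _USERS.get(user)
    return pre_digest(user, realm, pw) if pw else None


def bind_only_realm(user: str, realm: str) -> Optional[Credential]:
    return None


def demo(lookup, password="example-password", nonce="n0nce", cnonce="cn0nce") -> Tuple[bool, str]:
    ch = server_challenge(REALM, nonce=nonce)
    resp = client_respond("GAUSS", password, ch, "remote/pw.test.com", cnonce=cnonce)
    return server_verify(resp, lookup, ch["nonce"])


if __name__ == "__main__":
    for name, realm in (("clear password", clear_password_realm),
                        ("pre-hashed", pre_hashed_realm), ("bind-only", bind_only_realm)):
        print(f"{name:14s} -> {demo(realm)}")
    print(f"wrong password -> {demo(clear_password_realm, password='wrong')}")
```

Keeping only the pre-hashed H(username:realm:password) rather than the clear password is the lower-exposure way for a server to support DIGEST-MD5. Note that the digest is bound to the realm string, so the realm name the server announces in its challenge has to be the same one used when the hash was stored.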