4 Replies Latest reply on Feb 4, 2003 4:27 PM by Alan

    JAAS + LDAP

    Brian Newbie

      Hello.
      I am using JBoss 3.0.1 Tomcat 4.0.4 and have an LDAP server configured and running with user and roles object classes. The attributes are the same as listed in the JBoss 3.0.x Book and the server-side setup is the same too.

      When I log in using a FORM based login page I get the following server message:
      13:28:35,397 INFO [STDOUT] [LdapLM] providerURL = ldap://192.5.148.85:3890/
      13:28:35,400 INFO [STDOUT] [LdapLM] userDN = uid=oasis,ou=People,dc=dise,dc=com
      13:28:35,625 INFO [STDOUT] [LdapLM] rolesCtxDN = cn=JBossSX Tests,ou=Roles,dc=dise,dc=com
      13:28:35,628 INFO [STDOUT] [LdapLM] uidAttrName = uid
      13:28:35,630 INFO [STDOUT] [LdapLM] roleAttrName = roleName
      13:28:35,632 INFO [STDOUT] [LdapLM] Searching for Roles.......
      13:28:35,636 INFO [STDOUT] [LdapLM] Using -> roleAttr = roleName
      13:28:35,638 INFO [STDOUT] [LdapLM] Using -> uidAttrName = {uid=uid: oasis}
      13:28:35,640 INFO [STDOUT] [LdapLM] Using -> rolesCtxDN = cn=JBossSX Tests,ou=Roles,dc=dise,dc=com
      13:28:35,697 INFO [STDOUT] [LdapLM] Naming exception thrown--->
      13:28:35,700 ERROR [STDERR] javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=JBossSX Tests,ou=Roles,dc=dise,dc=com'

      The user gets authenticated, because if I enter an incorrect password in the login page, I get a "failed to validate password" error and the login failed page. I think the LdapLoginModule just can't find the Roles that I assign to users in the LDAP database for some reason.

      My login-config.xml entries are as follows.
      The JBIRealm entry is the realm defined in the web.xml for the form-based login, and the JBIDomain is the name of my security domain defined in jboss and jboss-web.xml.

      <application-policy name="JBIRealm">
        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
          <module-option name="userName">admin</module-option>
          <module-option name="password">password</module-option>
        </login-module>
      </application-policy>

      <application-policy name="JBIDomain">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://192.5.148.85:3890/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">uid=</module-option>
          <module-option name="uidAttributeID">uid</module-option>
          <module-option name="roleAttributeID">roleName</module-option>
          <module-option name="principalDNSuffix">,ou=People,dc=dise,dc=com</module-option>
          <module-option name="rolesCtxDN">cn=JBossSX Tests,ou=Roles,dc=dise,dc=com</module-option>
          <module-option name="hashAlgorithm">MD5</module-option>
        </login-module>
      </application-policy>

      Does anyone have an idea or an example on how to correctly configure the LDAP server and JBoss server so that the Roles stored in the LDAP server get found by the LdapLoginModule?

      Any comments, ideas or examples would be greatly appreciated.
      Thank you,
      Brian

        • 1. Re: JAAS + LDAP
          Brian Newbie

          Well I managed to figure it out finally.
          Pretty easy once you understand LDAP and take the time to think about it.
          Regards,
          tool

          • 2. Re: JAAS + LDAP
            jason poley Newbie

            Care to share any notes?

            • 3. Re: JAAS + LDAP
              Brian Newbie

              You have to define some custom attributes and object classes within your LDAP instance.

              Attributes:
              Name      Type       Description
              fn        IA5STRING  User's first name
              ln        IA5STRING  User's last name
              roleName  IA5STRING  The role name to assign to a user

              Object Classes:
              Class Name      Attributes
              jbossuser       uid, userPassword, fn, ln
              jbossuserroles  cn, roleName, uid

              I was doing this for a web app, so in my web.xml I had to add a security realm. This realm is located in the login-config.xml and contains the username and password for JBoss to use to access the LDAP instance. The role name is the role the user must have to be granted access.

              web.xml
              <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>JMXRealm</realm-name>
              </login-config>

              <security-role>
                <role-name>JBossAdmin</role-name>
              </security-role>

              The jboss.xml file defines the security-domain for the web app. It also has a matching entry in the login-config.xml file and in the ejb-jar.xml.

              jboss.xml

              <security-domain>java:/jaas/JBIDomain</security-domain>
              <enterprise-beans>
                <session>
                  <ejb-name>cafmafSession</ejb-name>
                  <jndi-name>JMXDomain/jmxSession</jndi-name>
                </session>
              </enterprise-beans>


              And finally there is the login-config.xml file. This contains the guts of the connection. It has 2 entries, one for the realm and one for the domain. The things to change here would be the URL to your LDAP instance and the username and password you want the JBoss server to use when it logs into it to do the lookup on the app user.

              login-config.xml
              <application-policy name="JMXRealm">
                <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
                  <module-option name="userName">jbossUser</module-option>
                  <module-option name="password">jboss</module-option>
                </login-module>
              </application-policy>

              <application-policy name="JMXDomain">
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                  <module-option name="java.naming.provider.url">ldap://134.65.109.5:3890/</module-option>
                  <module-option name="java.naming.security.authentication">simple</module-option>
                  <module-option name="principalDNPrefix">uid=</module-option>
                  <module-option name="uidAttributeID">uid</module-option>
                  <module-option name="roleAttributeID">roleName</module-option>
                  <module-option name="principalDNSuffix">,ou=People,dc=dise,dc=rl,dc=af,dc=mil</module-option>
                  <module-option name="rolesCtxDN">ou=Roles,dc=dise,dc=rl,dc=af,dc=mil</module-option>
                </login-module>
              </application-policy>

              Hope this helps,
              Brian
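As an added illustration (not code from this thread or from JBoss), the following Python model reproduces what the LdapLoginModule does with the options quoted above: it binds with principalDNPrefix + username + principalDNSuffix, then searches one level under rolesCtxDN for entries whose uidAttributeID matches the user and collects their roleAttributeID values. It reproduces the "No Such Object" failure from the original question (rolesCtxDN pointing at a DN that does not exist) beside the working rolesCtxDN from the reply above; the directory contents are constructed, and the one-entry-per-role layout with a multi-valued uid is an assumption that the thread does not confirm.

```python
# Added example, not JBoss code: an in-memory model of the user check and role
# search that org.jboss.security.auth.spi.LdapLoginModule performs with the
# options quoted in this thread. All directory entries here are constructed.

class NameNotFound(Exception):
    """Stands in for javax.naming.NameNotFoundException (LDAP error code 32)."""

def parent_dn(dn):
    # Drop the leftmost RDN (no escaped commas occur in the DNs used here).
    return dn.split(",", 1)[1] if "," in dn else ""

def lookup_roles(directory, opts, username, password):
    """Bind as the user, then collect roleAttributeID values under rolesCtxDN."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    entry = directory.get(user_dn)
    if entry is None or password not in entry.get("userPassword", []):
        return None  # the module reports "failed to validate password"
    roles_ctx = opts["rolesCtxDN"]
    if roles_ctx not in directory:  # the question's failure: the context DN does not exist
        raise NameNotFound("[LDAP: error code 32 - No Such Object]; remaining name '%s'" % roles_ctx)
    # One-level search under rolesCtxDN for entries matching {uidAttributeID: username},
    # returning their roleAttributeID values (the "Using -> ..." log lines in the question).
    roles = set()
    for dn, attrs in directory.items():
        if parent_dn(dn) == roles_ctx and username in attrs.get(opts["uidAttributeID"], []):
            roles.update(attrs.get(opts["roleAttributeID"], []))
    return sorted(roles)

def describe(directory, opts, username, password):
    """Summarise the outcome the way the server log would."""
    try:
        roles = lookup_roles(directory, opts, username, password)
    except NameNotFound as e:
        return "Naming exception thrown---> " + str(e)
    return "login failed" if roles is None else "roles=" + ",".join(roles)

BASE = "dc=dise,dc=com"
DIRECTORY = {  # constructed sample data following the schema given in reply 3
    "ou=People," + BASE: {"objectClass": ["organizationalUnit"]},
    "ou=Roles," + BASE: {"objectClass": ["organizationalUnit"]},
    "uid=oasis,ou=People," + BASE: {"objectClass": ["jbossuser"], "uid": ["oasis"], "userPassword": ["secret"]},
    # Assumed layout: one jbossuserroles entry per role, multi-valued uid listing its members.
    "cn=JBossAdmin,ou=Roles," + BASE: {"objectClass": ["jbossuserroles"], "cn": ["JBossAdmin"],
                                       "roleName": ["JBossAdmin"], "uid": ["oasis", "alanw"]},
}
COMMON = {"principalDNPrefix": "uid=", "principalDNSuffix": ",ou=People," + BASE,
          "uidAttributeID": "uid", "roleAttributeID": "roleName"}
BROKEN_OPTS = dict(COMMON, rolesCtxDN="cn=JBossSX Tests,ou=Roles," + BASE)  # from the question
WORKING_OPTS = dict(COMMON, rolesCtxDN="ou=Roles," + BASE)                   # from reply 3
```

Running describe(DIRECTORY, BROKEN_OPTS, "oasis", "secret") yields the same error code 32 message seen in the question, while WORKING_OPTS returns the JBossAdmin role for the same user.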

              • 4. Re: JAAS + LDAP
                Alan Newbie

                I tried your idea of the custom object classes for LDAP, but I can't figure out how to use the jbossuserroles object. If I add a single one under Roles, I get:

                16:33:05,314 WARN [jbossweb] WARNING: AUTH FAILURE: role for alanw

                Which makes me think I have the users part working ok, just the roles part is done wrong or something...

                For each role, do you have a single jbossuserroles object with multiple uid values? Is jbossuserroles a child of an ou=Roles (or similar) ?

                Thanks,
                Alan