9 Replies Latest reply on Nov 26, 2004 12:23 PM by Scott Stark

    LdapLoginModule overrides the principal and credentials (BUG)

    Claudio Miranda Apprentice

      My login-config.xml needs to access LDAP to do authentication. Each user is located under the DN ou=people,dc=claudius,dc=com and the roles are under ou=groups,dc=claudius,dc=com; look at the LDIF:

      # user
      dn: uid=eliane,ou=People,dc=claudius,dc=com
      cn: Eliane Almada Miranda
      givenName: Eliane
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetorgperson
      sn: Miranda
      title: Java Guru
      uid: eliane
      userPassword:: ZWxpYW5l
      
      # group
      dn: cn=JBossAdmin,ou=Groups,dc=claudius,dc=com
      description: Usuarios admin (INTRANET)
      objectClass: top
      objectClass: groupofuniquenames
      uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
      uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
      cn: JBossAdmin
      


      login-config.xml
      <application-policy name="ldap_local">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="java.naming.security.principal">cn=Directory Manager,dc=claudius,dc=com</module-option>
       <module-option name="java.naming.security.credentials">admin123</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=People,dc=claudius,dc=com</module-option>
       <module-option name="uidAttributeID">uniqueMember</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="matchOnUserDN">true</module-option>
       <module-option name="rolesCtxDN">ou=Groups,dc=claudius,dc=com</module-option>
       </login-module>
       </authentication>
      </application-policy>
      



      Trying to log in to my app, I get permission denied. Below is the LDAP log:

      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:32881 (IP=0.0.0.0:389)
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 closed
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 ACCEPT from IP=127.0.0.1:32882 (IP=0.0.0.0:389)
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 RESULT tag=97 err=49 text=
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 closed
      


      Persons under "ou=people" don't have permission to log in to the LDAP server, so a service user needs to be used (analogous to the database user for datasources). That is where "cn=Directory Manager" comes in. As you can see, the login-config.xml is properly configured. But the LDAP log still shows the same behavior as described above:

      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
      


      Then, looking into LdapLoginModule, the Context.PRINCIPAL and Context.CREDENTIALS are being overridden, as shown below:

      255: env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
      256: env.put(Context.SECURITY_CREDENTIALS, credential);
      


      I just commented out the lines above, compiled and updated $JBOSS_HOME/server/default/lib/jbosssx.jar, and everything worked fine. The user got into the system, and the LDAP log shows:

      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 fd=10 ACCEPT from IP=127.0.0.1:32883 (IP=0.0.0.0:389)
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" method=128
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" mech=simple ssf=0
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 RESULT tag=97 err=0 text=
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=1 SRCH base="ou=Groups,dc=claudius,dc=com" scope=2 filter="(&(uniqueMember=uid=eliane,ou=people,dc=claudius,dc=com))"
      Nov 5 22:22:01 demolidor slapd[2587]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=2 UNBIND
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 fd=10 closed
      


      Is this the expected behavior? Is this a bug? In LdapLoginModule there are 2 Map instances, "env" and "options"; they are redundant. Another question: in my web.xml or application.xml the roles of my app are declared; how can I map the role names to the real groups in LDAP? I already read chapter 8, "Security Guide", but I didn't find a clear way to do that.

      Thanks

      Claudio Miranda
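Added example (not from the post above and not from the JBoss sources): a small Python model of the two bind strategies visible in the slapd log, run against an in-memory copy of the posted LDIF. `login_bind_as_user` mirrors the unmodified module, which overwrites SECURITY_PRINCIPAL/SECURITY_CREDENTIALS with the user's DN and password so that the directory itself verifies the password (the conn=0 bind that ended in err=49, LDAP invalidCredentials). `login_service_bind_only` mirrors the module with those two lines commented out: only cn=Directory Manager binds (the conn=2 bind) and the uniqueMember search runs, so the password typed by the user is never checked by anything. Function names, the in-memory directory, the naive DN normalization (no escaped commas) and the service-account entry with the password from login-config.xml are all assumptions made for the example.

```python
import base64
import re

# Constructed sample directory: the LDIF from the post, trimmed to the attributes that
# matter, plus the service account assumed to exist with the login-config.xml password.
SAMPLE_LDIF = """\
# service account (assumed for this example)
dn: cn=Directory Manager,dc=claudius,dc=com
userPassword: admin123

# user
dn: uid=eliane,ou=People,dc=claudius,dc=com
uid: eliane
userPassword:: ZWxpYW5l

# group
dn: cn=JBossAdmin,ou=Groups,dc=claudius,dc=com
uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
cn: JBossAdmin
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49          # the err=49 in the slapd log
ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")

# The module-options from the posted login-config.xml that drive the two flows.
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=claudius,dc=com",
    "rolesCtxDN": "ou=Groups,dc=claudius,dc=com",
    "uidAttributeID": "uniqueMember",
    "roleAttributeID": "cn",
    "java.naming.security.principal": "cn=Directory Manager,dc=claudius,dc=com",
    "java.naming.security.credentials": "admin123",
}


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators so that
    'ou=People, dc=claudius' equals 'ou=people,dc=claudius'. Simplified: no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {attribute (lower-case): [values]}}; '::' means base64 value."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, sep, value = ATTR_LINE.match(line).groups()
            if sep == "::":
                value = base64.b64decode(value).decode()
            attrs.setdefault(name.lower(), []).append(value)
        directory[normalize_dn(attrs["dn"][0])] = attrs
    return directory


def simple_bind(directory, dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = directory.get(normalize_dn(dn))
    if entry is None or password not in entry.get("userpassword", []):
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def search_roles(directory, roles_ctx_dn, uid_attr, role_attr, user_dn):
    """Emulate the logged search: base=rolesCtxDN, subtree scope, filter
    (uniqueMember=<user DN>); returns the cn of every group that lists the user."""
    base, wanted = normalize_dn(roles_ctx_dn), normalize_dn(user_dn)
    roles = []
    for dn, attrs in directory.items():
        if not dn.endswith("," + base):
            continue
        if wanted in [normalize_dn(m) for m in attrs.get(uid_attr.lower(), [])]:
            roles.extend(attrs.get(role_attr.lower(), []))
    return roles


def user_dn_for(username, opts=OPTIONS):
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]


def login_bind_as_user(directory, username, password, opts=OPTIONS):
    """Unmodified module: bind as the user's own DN with the supplied password,
    so the directory verifies it (conn=0 in the log). None on failure, else roles."""
    user_dn = user_dn_for(username, opts)
    if simple_bind(directory, user_dn, password) != LDAP_SUCCESS:
        return None
    return search_roles(directory, opts["rolesCtxDN"], opts["uidAttributeID"],
                        opts["roleAttributeID"], user_dn)


def login_service_bind_only(directory, username, password, opts=OPTIONS):
    """Module with the two lines commented out: only the service account binds
    (conn=2 in the log); 'password' is never presented to the directory at all."""
    if simple_bind(directory, opts["java.naming.security.principal"],
                   opts["java.naming.security.credentials"]) != LDAP_SUCCESS:
        return None
    return search_roles(directory, opts["rolesCtxDN"], opts["uidAttributeID"],
                        opts["roleAttributeID"], user_dn_for(username, opts))
```

Under the service-only variant the password argument does not affect the result, and a uid that appears in a group's uniqueMember list but has no user entry at all (rafael in the sample) still receives the role. The err=49 on the user bind is therefore something to resolve on the directory side rather than by removing the user bind: in OpenLDAP an ACL such as `access to attrs=userPassword by anonymous auth by self write by * none` lets an entry authenticate with its own password without exposing it to other users.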