9 Replies Latest reply on Nov 26, 2004 12:23 PM by starksm64

    LdapLoginModule overrides the principal and credentials (BUG

    claudio4j

      My login-config.xml needs to access LDAP to do authentication. Each user is located under the DN ou=people,dc=claudius,dc=com and the roles are under ou=groups,dc=claudius,dc=com; see the LDIF:

      # user
      dn: uid=eliane,ou=People,dc=claudius,dc=com
      cn: Eliane Almada Miranda
      givenName: Eliane
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetorgperson
      sn: Miranda
      title: Java Guru
      uid: eliane
      userPassword:: ZWxpYW5l
      
      # group
      dn: cn=JBossAdmin,ou=Groups,dc=claudius,dc=com
      description: Usuarios admin (INTRANET)
      objectClass: top
      objectClass: groupofuniquenames
      uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
      uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
      cn: JBossAdmin
      


      login-config.xml
      <application-policy name="ldap_local">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="java.naming.security.principal">cn=Directory Manager,dc=claudius,dc=com</module-option>
       <module-option name="java.naming.security.credentials">admin123</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=People,dc=claudius,dc=com</module-option>
       <module-option name="uidAttributeID">uniqueMember</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="matchOnUserDN">true</module-option>
       <module-option name="rolesCtxDN">ou=Groups,dc=claudius,dc=com</module-option>
       </login-module>
       </authentication>
      </application-policy>
      



      Trying to log into my app, I get permission denied. Below is the LDAP log:

      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:32881 (IP=0.0.0.0:389)
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 fd=10 closed
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 ACCEPT from IP=127.0.0.1:32882 (IP=0.0.0.0:389)
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 op=0 RESULT tag=97 err=49 text=
      Nov 5 22:21:26 demolidor slapd[2587]: conn=1 fd=10 closed
      


      Persons under "ou=people" don't have permission to log into the LDAP, so a service user needs to be used (analogous to the database user for datasources). Then "cn=Directory Manager" comes to help. As you can see, the login-config.xml is properly configured. But the LDAP log still shows the same behavior as described above:

      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 BIND dn="uid=eliane,ou=people,dc=claudius,dc=com" method=128
      Nov 5 22:21:21 demolidor slapd[2587]: conn=0 op=0 RESULT tag=97 err=49 text=
      


      Then, looking into LdapLoginModule, Context.PRINCIPAL and Context.CREDENTIALS are being overridden, as shown below:

      255: env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
      256: env.put(Context.SECURITY_CREDENTIALS, credential);
      


      I just commented out the lines above, compiled and updated the $JBOSS_HOME/server/default/lib/jbosssx.jar, and everything worked fine. The user got into the system, and the LDAP log shows:

      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 fd=10 ACCEPT from IP=127.0.0.1:32883 (IP=0.0.0.0:389)
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" method=128
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 BIND dn="cn=Directory Manager,dc=claudius,dc=com" mech=simple ssf=0
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=0 RESULT tag=97 err=0 text=
      Nov 5 22:22:00 demolidor slapd[2587]: conn=2 op=1 SRCH base="ou=Groups,dc=claudius,dc=com" scope=2 filter="(&(uniqueMember=uid=eliane,ou=people,dc=claudius,dc=com))"
      Nov 5 22:22:01 demolidor slapd[2587]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=2 UNBIND
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
      Nov 5 22:22:01 demolidor slapd[2587]: conn=2 fd=10 closed
      


      Is this the expected behavior? Is this a bug? In LdapLoginModule there are 2 Map instances, "env" and "options"; they are redundant. Another question: the roles of my app are declared in my web.xml or application.xml; how can I map the role names to the real groups of LDAP? I already read chapter 8, "Security Guide", but I didn't find a clear way to do that.

      Thanks

      Claudio Miranda

        • 1. Re: LdapLoginModule overrides the principal and credentials
          starksm64

          This is the expected behavior. The LdapLoginModule authenticates the caller based on the ability to bind to the ldap server using the username/password passed to the login module, not some static configuration value.

          • 2. Re: LdapLoginModule overrides the principal and credentials
            claudio4j

            Thanks for your fast assistance.

            As stated in the JBoss documentation, http://docs.jboss.org/admin-devel/Chap8.html#0_pgfId-920186,
            a login and password can be configured to bind to LDAP.

            * java.naming.security.principal, The principal for authenticating the caller to the service. This is
             built from other properties as described below.
            * java.naming.security.credentials, The value of the property depends on the authentication scheme.
             For example, it could be a hashed password, clear-text password, key, certificate, and so on.
            


            In our project the users under ou=people cannot have permission to do a BIND on LDAP.

            Anyway, what do you think of the following fix:

            If a Context.PRINCIPAL is supplied, use the way I specified above and let the Context.PRINCIPAL do a BIND to LDAP.
            If Context.PRINCIPAL is not specified, then use the current code.

            // Proposed change to LdapLoginModule: bind as the caller only when no
            // java.naming.security.principal was configured in login-config.xml
            String _principal = env.getProperty(Context.SECURITY_PRINCIPAL);
            if (_principal == null) {
             env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
             env.put(Context.SECURITY_CREDENTIALS, credential);
            }
            


            And the question about role-group mapping?

            Thank you

            • 3. Re: LdapLoginModule overrides the principal and credentials
              starksm64

              I suppose that could be supported. You are disabling authentication via ldap and only using authorization based on the roles.

              You need to validate that a search against the ou=Groups,dc=claudius,dc=com context for uniqueMember uid=caller,ou=People,dc=claudius,dc=com for attribute cn returns a match where caller is the username passed to the LdapLoginModule.

              • 4. Re: LdapLoginModule overrides the principal and credentials
                claudio4j

                I already did a test: if the caller is found at the DN configured by rolesCtxDN,
                the authentication/authorization is done correctly based on user/roles. If the
                user is not found (under the role specified in the deployment descriptor), the
                authentication/authorization is not done. If the user exists in LDAP, but not
                under the right group, the authorization fails.

                If a Directory Manager (or similar) is specified in login-config.xml, then use it
                to BIND to LDAP. If Directory Manager is not specified, then use the caller to
                BIND to LDAP. I think this is reasonable, and keeps compatibility with previous
                versions.

                • 5. Re: LdapLoginModule overrides the principal and credentials
                  starksm64

                  Then it sounds like the role mapping is working. What is the problem you have with this behavior?

                  • 6. Re: LdapLoginModule overrides the principal and credentials
                    claudio4j

                    Sorry for the delay.

                    LDAP has the following data:

                    # user
                    dn: uid=eliane,ou=People,dc=claudius,dc=com
                    cn: Eliane Almada Miranda
                    givenName: Eliane
                    objectClass: top
                    objectClass: person
                    objectClass: organizationalPerson
                    objectClass: inetorgperson
                    sn: Miranda
                    title: Java Guru
                    uid: eliane
                    userPassword:: ZWxpYW5l
                    
                    # group
                    dn: cn=admin,ou=Groups,dc=claudius,dc=com
                    description: Usuarios admin (INTRANET)
                    objectClass: top
                    objectClass: groupofuniquenames
                    uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
                    uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
                    cn: admin
                    
                    # group
                    dn: cn=java,ou=Groups,dc=claudius,dc=com
                    description: Usuarios admin (INTRANET)
                    objectClass: top
                    objectClass: groupofuniquenames
                    uniqueMember: uid=eliane,ou=People, dc=claudius,dc=com
                    uniqueMember: uid=rafael,ou=People, dc=claudius,dc=com
                    cn: java
                    


                    These are the groups: admin and java

                    The web layer has the Role: JBossAdmin

                    I want to map the JBossAdmin role to the admin and java groups. It's not reasonable to put the JBossAdmin group into the LDAP tree, because JBossAdmin is just a role for the web, not the LDAP organization.

                    • 7. Re: LdapLoginModule overrides the principal and credentials
                      starksm64

                      Then your schema is not matching the expectations of the ldap login module. You can write your own transformation login module that would look for the admin role in the subject populated by the ldap login module and then change this to JBossAdmin for your applications.
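                      One way to do the transformation described above, as an added example that is not JBoss code: a JAAS login module stacked after LdapLoginModule whose module-options map an LDAP group name to one or more J2EE role names (an assumed option syntax), added to the Subject's "Roles" group at commit time. It assumes JBoss 3.x/4.x on Java 5 or later, where roles live in a java.security.acl.Group named "Roles"; the class name RoleMappingLoginModule and the package "example" are made up.

```java
// Added example, not part of JBoss: maps LDAP group names to J2EE role names.
// Stack it after LdapLoginModule in login-config.xml (assumed option syntax):
//   <login-module code="example.RoleMappingLoginModule" flag="required">
//     <module-option name="admin">JBossAdmin</module-option>
//     <module-option name="java">JBossAdmin,Developer</module-option>
//   </login-module>
package example;

import java.security.Principal;
import java.security.acl.Group;        // JBoss 3.x/4.x keeps roles in a Group named "Roles"
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimplePrincipal;

public class RoleMappingLoginModule implements LoginModule {
    private Subject subject;
    private Map options;   // module-option name = LDAP group, value = comma-separated J2EE roles

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.options = options;
    }

    // Authentication was already decided by LdapLoginModule; this module only transforms roles.
    public boolean login() { return true; }

    public boolean commit() {
        // JAAS calls commit() in stack order, so LdapLoginModule has already populated "Roles".
        for (Group roles : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(roles.getName())) continue;
            List mapped = new ArrayList();   // collect first: never modify the group while enumerating it
            for (Enumeration e = roles.members(); e.hasMoreElements();) {
                String group = ((Principal) e.nextElement()).getName();
                String value = (String) options.get(group);
                if (value == null) continue;         // LDAP group without a mapping is left as-is
                String[] parts = value.split(",");
                for (int i = 0; i < parts.length; i++) mapped.add(parts[i].trim());
            }
            for (int i = 0; i < mapped.size(); i++)
                roles.addMember(new SimplePrincipal((String) mapped.get(i)));
        }
        return true;
    }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

                      The original LDAP group names stay in the Subject alongside the mapped ones, so the module only widens what the web layer can match against; keep LdapLoginModule flagged "required" so the mapping never runs for a caller whose bind failed.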

                      • 8. Re: LdapLoginModule overrides the principal and credentials
                        claudio4j

                        So, what is the LdapLoginModule expectation? Sorry to ask this, but I didn't find any specific information
                        about this in the JBoss Admin documentation (chapter 8).

                        How can I have LDAP group names (e.g. admin, users) mapped to J2EE role names (e.g. jboss_admin)?

                        Thanks

                        • 9. Re: LdapLoginModule overrides the principal and credentials
                          starksm64

                          The expected structure is shown in chap8 in Figure 8.9, an LDAP server configuration compatible with the testLdap sample configuration.