1 Reply Latest reply on Jul 18, 2005 5:30 PM by Patrick Dalla Bernardina

    can't configure JBoss to work with several OUs on Active Dir

    Dmitry Newbie

      I'm trying to configure JBoss AS (3.2.3) to work with Windows 2003 Active Directory.

      I'm having difficulties configuring a "rolesCtxDN" parameter.

      Here is my scenario. I have a large Active Directory with >10000 users. These users are divided into several Organizational Units.

      I managed to configure it so that users from any one (but only one) OU can access the application.

      Here is my configuration:



      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="roleNameAttributeID">name</module-option>
        <module-option name="principalDNSuffix">@igorsrv.com</module-option>
        <module-option name="principalDNPrefix"></module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.provider.url">ldap://192.168.1.11:</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="uidAttributeID">sAMAccountName</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="userRolesCtxDNAttributeName"></module-option>
        <module-option name="rolesCtxDN">ou=United States,dc=igorsrv,dc=com</module-option>
        <module-option name="matchOnUserDN">false</module-option>
      </login-module>

      Using this configuration, only users of the "United States" OU can fully access the portal application.

      If I change the marked configuration string (rolesCtxDN) as follows:

      <module-option name="rolesCtxDN">ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com</module-option>

      then no user can access the portal application.

      The reason for this is that I can't get the user's roles in this case.

      This is a part of the log file:

      2005-06-16 10:46:30,015 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Failed to locate roles
      javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
      'OU=ProActivity Portal,DC=igorsrv,DC=com'
      remaining name 'ou=United States,ou=ProActivity Portal,dc=igorsrv,dc=com'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1726)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:344)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:293)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:277)
          at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:220)
          at org.jboss.security.auth.spi.LdapLoginModule.createLdapInitContext(LdapLoginModule.java:310)
          at org.jboss.security.auth.spi.LdapLoginModule.validatePassword(LdapLoginModule.java:206)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:151)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
          at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:487)
          at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:442)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
          at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:198)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:556)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
          at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
          at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
          at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
          at java.lang.Thread.run(Thread.java:534)
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'vasya' authenticated, loginOk=true
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=false
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
      2005-06-16 10:46:30,031 TRACE [org.jboss.security.plugins.JaasSecurityManager.pa-web] updateCache, subject=Subject:
      Principal: vasya
      Principal: Roles(members)



      As a result, my user doesn't have roles and he can't log in to the portal application.

      I need any user from any OU to be able to access my application.
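The following is an added example, not part of Dmitry's post and not JBoss code. It is an offline model of the role step in the posted configuration (uidAttributeID=sAMAccountName, roleAttributeID=memberOf, roleAttributeIsDN=true, roleNameAttributeID=name, matchOnUserDN=false) run against a small constructed directory with two user OUs directly under the domain. The filter shape, the subtree search scope and the DN normalisation are assumptions made here for illustration; the real module's scope should be confirmed in the 3.2.3 source. What it shows: LDAP error 32 (NO_OBJECT) means the rolesCtxDN itself does not exist as an entry, so the choice of base is a directory-structure question, not a filter question; a base that is a common ancestor of every user OU (here the domain root) covers all of them in one subtree search; and, as in the posted log, a failed role search still leaves the user authenticated, only with an empty Roles group.

```python
# Added example (not from the forum post or JBoss): an offline model of the
# LdapLoginModule role lookup over a constructed in-memory directory.
# Search scope, filter shape and DN handling are assumptions for illustration.

from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]


class NameNotFoundError(Exception):
    """Models javax.naming.NameNotFoundException (LDAP error 32, NO_OBJECT):
    the DN being searched or read does not exist in the directory."""


def norm_dn(dn: str) -> str:
    """Normalise case and spacing so 'OU=Foo, DC=x' equals 'ou=foo,dc=x'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed sample directory (dn -> attributes). Two user OUs sit directly
# under the domain and groups live in a third OU; no "ProActivity Portal" OU exists.
DIRECTORY: Dict[str, Attrs] = {
    "dc=igorsrv,dc=com": {"objectClass": ["domain"]},
    "ou=United States,dc=igorsrv,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Europe,dc=igorsrv,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Groups,dc=igorsrv,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=members,ou=Groups,dc=igorsrv,dc=com": {"objectClass": ["group"], "name": ["members"]},
    "cn=vasya,ou=United States,dc=igorsrv,dc=com": {
        "sAMAccountName": ["vasya"],
        "memberOf": ["CN=members,OU=Groups,DC=igorsrv,DC=com"],  # AD-style upper-case DN
    },
    "cn=anna,ou=Europe,dc=igorsrv,dc=com": {
        "sAMAccountName": ["anna"],
        "memberOf": ["CN=members,OU=Groups,DC=igorsrv,DC=com"],
    },
}

_INDEX = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def lookup(dn: str) -> Attrs:
    """Read one entry by DN; error 32 if it is absent."""
    try:
        return _INDEX[norm_dn(dn)]
    except KeyError:
        raise NameNotFoundError(f"[LDAP: error code 32 - NO_OBJECT] '{dn}'") from None


def subtree_search(base: str, attr: str, value: str) -> List[Tuple[str, Attrs]]:
    """Return entries at or below base whose attr contains value.
    As on a real server, the base entry must exist or the search fails with error 32."""
    base_n = norm_dn(base)
    lookup(base)  # raises NameNotFoundError when the base DN does not exist
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_n = norm_dn(dn)
        in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        if in_scope and value in attrs.get(attr, []):
            hits.append((dn, attrs))
    return hits


def find_roles(username: str, roles_ctx_dn: str, uid_attr: str = "sAMAccountName",
               role_attr: str = "memberOf", role_attr_is_dn: bool = True,
               role_name_attr: str = "name") -> List[str]:
    """Assumed shape of the role step with matchOnUserDN=false: search rolesCtxDN
    for uidAttributeID=username, read roleAttributeID from each hit and, because
    roleAttributeIsDN=true, resolve each group DN to its roleNameAttributeID."""
    roles: List[str] = []
    for _dn, attrs in subtree_search(roles_ctx_dn, uid_attr, username):
        for group_dn in attrs.get(role_attr, []):
            if role_attr_is_dn:
                roles.extend(lookup(group_dn).get(role_name_attr, []))
            else:
                roles.append(group_dn)
    return roles


def roles_as_logged(username: str, roles_ctx_dn: str) -> Tuple[List[str], str]:
    """Mirror what the posted log shows: a failed role search is only logged and the
    user is still authenticated, ending up with an empty Roles group."""
    try:
        return find_roles(username, roles_ctx_dn), "ok"
    except NameNotFoundError as err:
        return [], f"Failed to locate roles: {err}"


if __name__ == "__main__":
    for base in ("ou=United States,dc=igorsrv,dc=com",
                 "ou=United States, ou=ProActivity Portal,dc=igorsrv,dc=com",
                 "dc=igorsrv,dc=com"):
        for user in ("vasya", "anna"):
            print(f"{base!r:65} {user:6} -> {roles_as_logged(user, base)}")
```

Run as a script it prints the three cases: the original base finds roles for vasya only, the nonexistent base yields the error-32 message and an empty role list for everyone, and the domain-root base finds roles for users in both OUs. Whichever base is chosen, the log line "Failed to locate roles" is worth alerting on: in the posted trace it is the only sign that authentication succeeded while authorization silently produced no roles.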