3 Replies Latest reply on Dec 3, 2005 2:57 PM by starksm64

    Using the LdapExtLoginModule in a Web Application

    neillane
    neillane Nov 15, 2005 8:39 AM

      I am trying to get my web app to use a fedora-ds LDAP instance to log me into the app.

      I have the following in the jboss-web.xml

      <security-domain>java:/jaas/LdapLogin</security-domain>


      The entry in the login-config.xml is 

      <application-policy name = "LdapLogin">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 <module-option name = "java.naming.provider.url">ldap://192.168.1.2:389/</module-option>
 </login-module>
 </authentication>
 </application-policy>


      I have the following LDIF loaded into fds 


      dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: o=org_intel, dc=example,dc=com
objectClass: top
objectClass: organization
o: org_intel

dn: ou=org_intel_people, o=org_intel, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: org_intel_people

dn: uid=neil,ou=org_intel_people, o=org_intel, dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: nsaimpresence
o: org_intel
givenName: Neil
cn: Neil
sn: Lane
ou: org_intel_people


# org_intel local roles - If the user is a member of the organisation org_intel they will posses this role. This role will be used for the authentication. If the user posses this role they are allowed to log into the application.

dn: cn=org_intel_application_login, o=org_intel, dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: org_intel_application_login
nsRoleFilter: o=org_intel
description: Role to allow user login to Intel applications


# GLOBAL ROLES used for access control. All users who have the filtered role cn=org_intel_application_login, o=org_intel, dc=example,dc=com
will posses the access role below. These roles will be used for authorisation in the application.


dn: cn=access_role_intel_application_login,dc=intelliform,dc=co,dc=za
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
cn: access_role_intel_application_login
nsRoleDN: cn=org_intel_application_login, o=org_intel, dc=example,dc=com


      I need some assistance with the other application-poilicy params ie 

      <module-option name = "rolesCtxDN">
<module-option name = "matchOnUserDN">
<module-option name = "uidAttributeID">
<module-option name = "roleAttributeID">
<module-option name = "roleAttributeIsDN">
<module-option name = "roleNameAttributeID">


      At the moment all that happens is that I am forwarded to the login-error page, with no system outputs or exception stacktraces.

      Are my problems due to the use of the filtered and nested roles?

      running the ldapsearch command on the command line returns all the correct nsRole attributes for the user.

      Please can someone assist, as I must be missing some config setting or something, somewhere.

      Thanks

      Neil

      • 2402 Views
      • Tags:
        • 1. Re: Using the LdapExtLoginModule in a Web Application
          neelixx
          neelixx Nov 20, 2005 9:56 AM (in response to neillane)

          Hi Neil,

          Do you need a user to bind to, before querying the LDAP Directory? I left a response on your other thread.

          If you want to know more about what's going on behind the scenes, try turning DEBUG logging on for the security module "org.jboss.security". You should see more information in the server.log.

            • Actions
          • 2. Re: Using the LdapExtLoginModule in a Web Application
            neillane
            neillane Nov 30, 2005 5:58 AM (in response to neillane)

            I get the following with DEBUG on:


            2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.AuthenticatorBa
se] Security checking request POST /formmanagement/j_security_check
2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.FormAuthenticat
or] Checking for reauthenticate in session StandardSession[37F5F0C7665F387C9157E
6A2BD393E61]
2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.FormAuthenticat
or] Authenticating username 'Neil'
2005-11-30 12:32:56,535 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule
] Bad password for username=Neil
2005-11-30 12:32:56,535 DEBUG [org.jboss.security.plugins.JaasSecurityManager.Ld
apLogin] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Requ
ired
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(Usernam
ePasswordLoginModule.java:160)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLog
inModule.java:116)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
29)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java
:607)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)


            I am still not too sure if am actually getting to the LDAP server and why the password would be incorrect as I have validated the password through other LDAP management tools. Would it be caused by having the password encrypted in LDAP??



              • Actions
            • 3. Re: Using the LdapExtLoginModule in a Web Application
              starksm64
              starksm64 Dec 3, 2005 2:57 PM (in response to neillane)

              The ldap login module is mostly likely executing, as the JaasSecurityManager.LdapLogin log statements indicate that the correct security domain is being used. There is not much logging around the password validation as this can be viewed as leaking security info. Either write a basic test of the login config and add additional logging to the LdapExtLoginModule, or use a debugger to figure out what is going on.

              Many things can go wrong in the comparision, encryption, one-way hashing, different string encoding, etc.

                • Actions