3 Replies Latest reply on Dec 3, 2005 2:57 PM by Scott Stark

    Using the LdapExtLoginModule in a Web Application

    Neil Lane Newbie

      I am trying to get my web app to use a fedora-ds LDAP instance to log me into the app.

      I have the following in the jboss-web.xml


      The entry in the login-config.xml is

      <application-policy name = "LdapLogin">
       <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
       <module-option name = "java.naming.provider.url">ldap://</module-option>

      I have the following LDIF loaded into fds

      dn: dc=example,dc=com
      objectClass: top
      objectClass: domain
      dc: example

      dn: o=org_intel, dc=example,dc=com
      objectClass: top
      objectClass: organization
      o: org_intel

      dn: ou=org_intel_people, o=org_intel, dc=example,dc=com
      objectClass: top
      objectClass: organizationalunit
      ou: org_intel_people

      dn: uid=neil,ou=org_intel_people, o=org_intel, dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: nsaimpresence
      o: org_intel
      givenName: Neil
      cn: Neil
      sn: Lane
      ou: org_intel_people

      # org_intel local roles - If the user is a member of the organisation org_intel they will possess this role. This role will be used for the authentication. If the user possesses this role they are allowed to log into the application.
      dn: cn=org_intel_application_login, o=org_intel, dc=example,dc=com
      objectclass: top
      objectclass: LDAPsubentry
      objectclass: nsRoleDefinition
      objectclass: nsComplexRoleDefinition
      objectclass: nsFilteredRoleDefinition
      cn: org_intel_application_login
      nsRoleFilter: o=org_intel
      description: Role to allow user login to Intel applications

      # GLOBAL ROLES used for access control. All users who have the filtered role cn=org_intel_application_login, o=org_intel, dc=example,dc=com
      # will possess the access role below. These roles will be used for authorisation in the application.
      dn: cn=access_role_intel_application_login,dc=intelliform,dc=co,dc=za
      objectclass: top
      objectclass: LDAPsubentry
      objectclass: nsRoleDefinition
      objectclass: nsComplexRoleDefinition
      objectclass: nsNestedRoleDefinition
      cn: access_role_intel_application_login
      nsRoleDN: cn=org_intel_application_login, o=org_intel, dc=example,dc=com

      I need some assistance with the other application-policy params, i.e.

      <module-option name = "rolesCtxDN">
      <module-option name = "matchOnUserDN">
      <module-option name = "uidAttributeID">
      <module-option name = "roleAttributeID">
      <module-option name = "roleAttributeIsDN">
      <module-option name = "roleNameAttributeID">

      At the moment all that happens is that I am forwarded to the login-error page, with no system outputs or exception stacktraces.

      Are my problems due to the use of the filtered and nested roles?

      Running the ldapsearch command on the command line returns all the correct nsRole attributes for the user.

      Please can someone assist, as I must be missing some config setting or something, somewhere.
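To make the two role kinds in the LDIF above concrete, here is an added Python example (not code from the thread, from JBoss or from Fedora DS): it evaluates the filtered role (nsRoleFilter) and the nested role (nsRoleDN) for a user the way the server derives the computed nsRole attribute, and applies the comment's rule that only holders of cn=org_intel_application_login may log in. The directory data is a constructed, cut-down copy of the post's LDIF with an extra "guest" user for the negative case; role scoping (the server applies a role only to entries under the role entry's parent) is not modelled, so the nested role under dc=intelliform,dc=co,dc=za is treated as applying to the user.

```python
# Constructed sample data (not the thread's full LDIF), plus a guest outside o=org_intel.
LDIF = """\
dn: uid=neil,ou=org_intel_people, o=org_intel, dc=example,dc=com
o: org_intel

dn: uid=guest,ou=org_intel_people, o=org_intel, dc=example,dc=com
cn: guest

dn: cn=org_intel_application_login, o=org_intel, dc=example,dc=com
objectclass: nsFilteredRoleDefinition
nsRoleFilter: o=org_intel

dn: cn=access_role_intel_application_login,dc=intelliform,dc=co,dc=za
objectclass: nsNestedRoleDefinition
nsRoleDN: cn=org_intel_application_login, o=org_intel, dc=example,dc=com
"""

def norm_dn(dn):
    """Canonical DN for comparison: lower-case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for name, value in (line.split(":", 1) for line in block.splitlines()):
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def matches(attrs, flt):
    """Only the single equality filter the post uses, e.g. o=org_intel."""
    name, value = flt.strip("()").split("=", 1)
    return value.lower() in [v.lower() for v in attrs.get(name.lower(), [])]

def roles_of(entries, user_dn):
    """DNs the server would list in the user's computed nsRole attribute."""
    user, held = entries[norm_dn(user_dn)], set()
    for dn, a in entries.items():  # filtered roles: the user matches nsRoleFilter
        if "nsrolefilter" in a and matches(user, a["nsrolefilter"][0]):
            held.add(dn)
    for dn, a in entries.items():  # nested roles: the user holds a role listed in nsRoleDN
        if any(norm_dn(m) in held for m in a.get("nsroledn", [])):
            held.add(dn)
    return held

def may_login(entries, user_dn):
    """The post's rule: login only for users holding the org_intel login role."""
    return norm_dn("cn=org_intel_application_login, o=org_intel, dc=example,dc=com") in roles_of(entries, user_dn)
```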



        • 1. Re: Using the LdapExtLoginModule in a Web Application
          Aaron Novice

          Hi Neil,

          Do you need a user to bind to, before querying the LDAP Directory? I left a response on your other thread.

          If you want to know more about what's going on behind the scenes, try turning DEBUG logging on for the security module "org.jboss.security". You should see more information in the server.log.

          • 2. Re: Using the LdapExtLoginModule in a Web Application
            Neil Lane Newbie

            I get the following with DEBUG on:

            2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /formmanagement/j_security_check
            2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Checking for reauthenticate in session StandardSession[37F5F0C7665F387C9157E
            2005-11-30 12:32:56,520 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'Neil'
            2005-11-30 12:32:56,535 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=Neil
            2005-11-30 12:32:56,535 DEBUG [org.jboss.security.plugins.JaasSecurityManager.LdapLogin] Login failure
            javax.security.auth.login.FailedLoginException: Password Incorrect/Password Requ
             at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(Usernam
             at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLog
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
             at java.lang.reflect.Method.invoke(Method.java:324)
             at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
             at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
             at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
             at java.security.AccessController.doPrivileged(Native Method)
             at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java
             at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

            I am still not too sure if I am actually getting to the LDAP server and why the password would be incorrect, as I have validated the password through other LDAP management tools. Would it be caused by having the password encrypted in LDAP?

            • 3. Re: Using the LdapExtLoginModule in a Web Application
              Scott Stark Master

              The ldap login module is most likely executing, as the JaasSecurityManager.LdapLogin log statements indicate that the correct security domain is being used. There is not much logging around the password validation as this can be viewed as leaking security info. Either write a basic test of the login config and add additional logging to the LdapExtLoginModule, or use a debugger to figure out what is going on.

              Many things can go wrong in the comparison: encryption, one-way hashing, different string encoding, etc.