2 Replies Latest reply on Oct 17, 2006 5:00 PM by Sarah McGlinchey

    JAAS/LDAP Roles configuration pulls superset instead of filt

    Sarah McGlinchey Newbie

      I am having a strange error with what should be a simple configuration. I am able to authenticate off LDAP, but the role list received is not the one I expect.

      I have the following config (with my actual domain, etc):

      login-config.xml

       <application-policy name="testLDAP">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
       flag="required">
       <module-option name="java.naming.factory.initial">
       com.sun.jndi.ldap.LdapCtxFactory
       </module-option>
       <module-option name="java.naming.provider.url">
       ldap://ldap.mydomain.com/
       </module-option>
       <module-option name="java.naming.security.authentication">
       simple
       </module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">
       ,ou=People,dc=mydomain,dc=com
       </module-option>
       <module-option name="rolesCtxDN">
       ou=Groups,dc=mydomain,dc=com
       </module-option>
       <module-option name="uidAttributeID">memberUid</module-option>
       <module-option name="matchOnUserDN">false</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">false</module-option>
       <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
       </login-module>
       </authentication>
       </application-policy>


      Example LDAP User:
      dn: uid=sarahm,ou=People,dc=mydomain,dc=com
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: inetOrgPerson
      objectClass: sambaSamAccount
      uid: sarahm
      uidNumber: 1040
      gidNumber: 6000


      Example LDAP Group:
      dn: cn=it,ou=Groups,dc=mydomain,dc=com
      cn: it
      displayName: it
      sambaGroupType: 2
      objectClass: top
      objectClass: posixGroup
      objectClass: sambaGroupMapping
      gidNumber: 6008
      memberUid: sarahm
      memberUid: user1
      memberUid: user2


      With this configuration, I expect only the groups for the current user to be used as roles. However, in both JSP (request.isUserInGroup) and the auth-constraint roles in web.xml all of my checks for roles will resolve to true if I have a corresponding group, even if the user is not in the group. For instance, request.isUserInGroup("accounting") is true for any user as the accounting group exists in LDAP.

      It seems for some reason roles are not being filtered properly by user.

      Any suggestions would be appreciated.

        • 1. Re: JAAS/LDAP Roles configuration pulls superset instead of
          Sarah McGlinchey Newbie

          I have tried to use LdapExtLoginModule to see if it pulls my roles correctly, but I cannot even get it to authenticate properly. I am running JBoss [Zion] 4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054).

          I have verfified the search bases and filters via ldapsearch on the command line, and did use the corrent password to authenticate.

          Config:

          <application-policy name="testLDAP">
           <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
           flag="required">
           <module-option name="java.naming.factory.initial">
           com.sun.jndi.ldap.LdapCtxFactory
           </module-option>
           <module-option name="java.naming.provider.url">
           ldap://ldap.mydomain.com/
           </module-option>
           <module-option name="java.naming.security.authentication">
           simple
           </module-option>
           <module-option name="baseCtxDN">ou=People,dc=mydomain,dc=com</module-option>
           <module-option name="baseFilter">(uid={0})</module-option>
           <module-option name="rolesCtxDN">ou=Groups,dc=mydomain,dc=com</module-option>
           <module-option name="roleFilter">(memberUid={0})</module-option>
           <module-option name="roleAttributeIsDN">false</module-option>
           <module-option name="roleAttributeID">cn</module-option>
           </login-module>
           </authentication>
           </application-policy>


          Error:

          13:31:45,766 DEBUG [testLDAP] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@228ba7
          13:31:45,766 DEBUG [JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1fea0cf
          13:31:45,769 DEBUG [testLDAP] CachePolicy set to: org.jboss.util.TimedCachePolicy@1ef9e0a
          13:31:45,769 DEBUG [JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@1ef9e0a
          13:31:45,770 DEBUG [JaasSecurityManagerService] Added testLDAP, org.jboss.security.plugins.SecurityDomainContext@70a698 to map
          13:31:45,798 DEBUG [LdapExtLoginModule] Failed to validate password
          java.lang.NullPointerException
           at java.util.Hashtable.put(Hashtable.java:396)
           at java.util.Properties.setProperty(Properties.java:128)
           at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:470)
           at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:317)
           at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:215)
           at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:186)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
           at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
           at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
           at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
           at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
           at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
           at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
           at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
           at java.lang.Thread.run(Thread.java:595)
          13:31:45,800 DEBUG [LdapExtLoginModule] Bad password for username=sarahm