2 Replies Latest reply on Oct 28, 2008 8:52 AM by Jamie Johnson

    JAAS and OpenLdap configuration

    Jamie Johnson Newbie

      I am trying to setup a JAAS Domain to authenticate against an LDAP server, but I keep getting [LDAP: error code 49 - Invalid Credentials]. Can anyone help shed some light on this? The googling I did seemed to point to the java.naming.security.principal being wrong, but it is not. Any help would be appreciated.


      # This file was generated on 2008-10-27 at 13:52:13
      # by Softerra LDAP Administrator v4 [ http://www.ldapadministrator.com ]
      dn: dc=test,dc=com
      dc: test
      description: test
      objectClass: dcObject
      objectClass: organization
      o: test
      dn: ou=people,dc=test,dc=com
      ou: people
      description: All the peoples in da hizzouse
      objectClass: organizationalUnit
      dn: description=Mr. Jamie Johnson 2008102372,ou=people,dc=test,dc=com
      description: Mr. Jamie Johnson 2008102372
      sn: Johnson
      ou: test
      objectClass: person
      objectClass: organizationalPerson
      objectClass: uidObject
      uid: jjohnson
      telephoneNumber: 123-456-7890
      title: Software Engineer
      userPassword: jjohnson
      cn: jjohnson
      dn: description=Mr. Test User 2008102313,ou=people,dc=test,dc=com
      telephoneNumber: 123-456-7890
      description: Mr. Test User 2008102313
      sn: User
      objectClass: person
      objectClass: organizationalPerson
      objectClass: uidObject
      uid: tuser
      userPassword: tuser
      cn: tuser
      dn: ou=groups,dc=test,dc=com
      description: All the subservient minions
      objectClass: organizationalUnit
      ou: groups
      dn: cn=Administrators,ou=groups,dc=test,dc=com
      objectClass: top
      objectClass: groupOfNames
      member: cn=jjohnson
      cn: Administrators
      dn: cn=Users,ou=groups,dc=test,dc=com
      objectClass: top
      objectClass: groupOfNames
      member: cn=tuser
      cn: Users

       <application-policy name="testLDAP">
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://LDAPSERVER:389</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="java.naming.security.principal">uid=Manager,dc=test,dc=com</module-option>
       <module-option name="java.naming.security.credentials">secret</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=people,dc=test,dc=com</module-option>
       <module-option name="rolesCtxDN">ou=groups,dc=test,dc=com</module-option>
       <module-option name="uidAttributeID">member</module-option>
       <module-option name="matchOnUserDN">false</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">false</module-option>
       <module-option name="searchScope">ONELEVEL_SCOPE</module-option>

        • 1. Re: JAAS and OpenLdap configuration
          Jamie Johnson Newbie

          So I switched to the LdapExtLoginModule and I have this working, but I am seeing some unexpected behavior.

          I have 2 groups, Administrators and Users. I have a user that is a member of only one of those groups, in this case Administrators. If I have a function that has the @RolesAllowed={"Administrators", "Users"} I get a permission denied complaining that the user does not have the RequiredRoles. It seems as if the LdapExtLoginModule is requiring the user to be a member of both groups instead of just 1 which is the opposite of what the UsersRolesLoginModule does which will work if the user is a member of either. Is there a way to force these two Modules to act the same?

          • 2. Re: JAAS and OpenLdap configuration
            Jamie Johnson Newbie

            my mistake, wrong annotation. Works as expected!