6 Replies. Latest reply on Feb 13, 2013 12:41 PM by jonescz

    SubjectCNMapping for certificate login

    yves.p

      I'm trying to set up certificate-based authentication for a webapp. I want to use the certificate CN to fetch additional roles from LDAP, but I can't get the mapping from DN to CN to work. Here is my setup so far:

      <subsystem xmlns="urn:jboss:domain:security:1.0">
         <security-domains>
            <security-domain name="trustStore">
               <jsse truststore-url="configuration/mobiJspDynWesTrust_dev.jceks"
                     truststore-password="123456" truststore-type="JCEKS" protocols="TLS" />
            </security-domain>
            <security-domain name="other" cache-type="default">
               <authentication>
                  <login-module code="UsersRoles" flag="required" />
               </authentication>
            </security-domain>
            <security-domain name="ldap" cache-type="default">
               <authentication>
                  <login-module code="Certificate" flag="optional">
                     <module-option name="password-stacking" value="useFirstPass" />
                     <module-option name="securityDomain" value="java:/jaas/trustStore" />
                     <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier" />
                     <!--<module-option name="principalClass" value="org.jboss.security.auth.certs.SubjectCNMapping" /> -->
                  </login-module>
               </authentication>
               <mapping>
                  <mapping-module code="org.jboss.security.mapping.providers.principal.SubjectCNMapper" type="principal" />
                  <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider">
                     <module-option name="java.naming.provider.url" value="ldap://addc01.mycorp.test:389" type="role" />
                     <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
                     <module-option name="java.naming.security.authentication" value="simple" />
                     <module-option name="bindDN" value="CN=ADUser,OU=Service-Accounts,OU=My-Acc,DC=mycorp,DC=test" />
                     <module-option name="bindCredential" value="123456" />
                     <module-option name="rolesCtxDN" value="OU=Groups,OU=My-Acc,DC=mycorp,DC=test" />
                     <module-option name="roleAttributeID" value="CN" />
                     <module-option name="roleNameAttributeID" value="CN" />
                     <module-option name="roleAttributeIsDn" value="false" />
                     <module-option name="parseRoleNameFromDN" value="false" />
                     <module-option name="roleRecursion" value="-1" />
                  </mapping-module>
                  <!-- <mapping-module code="org.jboss.security.mapping.providers.OptionsRoleMappingProvider">
                     <module-option name="replaceRoles" value="false"/>
                     <module-option name="rolesMap" value="asdf=abc"/> </mapping-module> -->
               </mapping>
            </security-domain>
         </security-domains>
      </subsystem>

      With this setup I get this error:

      10:44:20,755 ERROR [org.jboss.as.web.security.JBossWebRealm] (http-sd0602a.umobi.mobicorp.test-10.32.35.192-8443-1) Error during authenticate(X509Certificate[])

      I also enabled TRACE on org.jboss.security and I don't see that the mappers are being called. How am I supposed to configure this? In JBoss 5 it worked over JBossWeb via Realm:

       <Realm className="org.jboss.web.tomcat.security.JBossWebRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"
              allRolesMode="authOnly" />

      I'm using JBoss 7.0.2.

      Thanks for your help!

        • 1. Re: SubjectCNMapping for certificate login
          yves.p

          I tried some other stuff. It seems as if I would not need the Certificate login module, as the user is already in a usable form:

          10:44:20,707 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-sd0602a.umobi.mobicorp.test-10.32.35.192-8443-1) Begin isValid, principal:CN=U112324, OU=Local-Admins, OU=Users, OU=Yellow-Acc, DC=uyellow, DC=yellowcorp, DC=test, cache entry: null

          All I need to do is remove the unneeded stuff so that only U112324 remains, and send it to the LDAP to check if the user exists and fetch its roles.

          I also tried to use the org.jboss.security.negotiation.AdvancedLdapLoginModule, but I get an "unable to find LoginModule class" error:

          15:36:49,995 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-sd0602a.umobi.mobicorp.test-10.32.35.192-8443-1) Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.AdvancedLdapLoginModule from [Module "deployment.sampleApp_cert.war:main" from Service Module Loader]
          • 2. Re: SubjectCNMapping for certificate login
            yves.p

            I now have a configuration that at least works with the DN (no mapping from DN to CN):

            <security-domain name="ldap" cache-type="default">
                    <authentication>
                            <login-module code="Certificate" flag="optional">
                                    <module-option name="password-stacking" value="useFirstPass" />
                                    <module-option name="securityDomain" value="java:/jaas/trustStore" />
                                    <module-option name="verifier"
                                            value="org.jboss.security.auth.certs.AnyCertVerifier" />
                                    <!--<module-option name="principalClass" value="org.jboss.security.auth.certs.SubjectCNMapping" /> -->
                            </login-module>
                    </authentication>
                    <mapping>
                            <mapping-module
                                    code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider"
                                    type="role">
                                    <module-option name="java.naming.provider.url"
                                            value="ldap://addc01.uyellow.yellowcorp.test:389" />
                                    <module-option name="java.naming.factory.initial"
                                            value="com.sun.jndi.ldap.LdapCtxFactory" />
                                    <module-option name="java.naming.security.authentication"
                                            value="simple" />
                                    <module-option name="bindDN"
                                            value="CN=Z100006,OU=Service-Accounts,OU=yellow-Acc,DC=uyellow,DC=yellowcorp,DC=test" />
                                    <module-option name="bindCredential" value="J28hwZ3" />
                                    <module-option name="rolesCtxDN" value="OU=Groups,OU=yellow-Acc,DC=uyellow,DC=yellowcorp,DC=test" />
                                    <module-option name="roleAttributeID" value="CN" />
                                    <module-option name="roleAttributeIsDn" value="false" />
                                    <module-option name="roleNameAttributeID" value="CN" />
                                    <module-option name="parseRoleNameFromDN" value="true" />
                                    <module-option name="roleFilter" value="(member={0})" />
                                    <module-option name="roleRecursion" value="0" />
                                    <module-option name="searchScope"  value="ONELEVEL_SCOPE" />
                            </mapping-module>
                    </mapping>
            </security-domain>

            However, I'm still looking for a way to map the distinguished name to the common name, from 'CN=U112324, OU=Local-Admins, OU=Users, OU=yellow-Acc, DC=uyellow, DC=yellowcorp, DC=test' to just 'U112324' as the user name.

            Basically I'm trying to do this but under JBoss 7.

            I was also looking through some code and found some interesting things:

            • In the LdapExtLoginModule and also in the LdapRolesMappingProvider, JBAS-4619 is not really implemented, I think. In my tests both modules fetch the roles of a user in one LDAP search but then search for each role again, even though the roles could be parsed from the first LDAP search. In the method rolesSearch of LdapExt you see that it parses the roles from the DN on line 542 as long as parseRoleNameFromDN and roleAttributeIsDN are set to true. But on line 563 it then looks up the role again, even though the role has been added already...
            • The SubjectCNMapper checks this before it does anything: principal instanceof X500Principal == false; the SubjectDNMapper doesn't check this. As far as I know the principal in my case is a SimplePrincipal and the password is the X.509 certificate. This makes the SubjectCNMapper unusable.
            • org.jboss.security.auth.certs.SubjectCNMapping can't be used as a module-option for the Certificate login module, because of this: java.lang.NoSuchMethodException: org.jboss.security.auth.certs.SubjectCNMapping.<init>(java.lang.String). SubjectCNMapping also doesn't implement Principal; it's really not meant to be used like this.

            It would be really nice if I could get the certificate -> user mapping feature back. We have a reverse proxy that creates certificates dynamically that don't match the content of the LDAP server. We would also need to stage all the role configuration, as the paths in the LDAP are different in each testing environment.

            • 3. Re: SubjectCNMapping for certificate login
              anil.saldhana

              We do not want to configure the mappers on the realm.

              Let me figure out a way using the mapping modules.

              • 4. Re: SubjectCNMapping for certificate login
                yves.p

                Any news on this? I'm thinking about implementing a login module that takes a regex or filter as an argument and uses that to map the user. Would that work?

                • 5. Re: SubjectCNMapping for certificate login
                  anil.saldhana

                  You can write a custom login module definitely, to get the additional roles and populate the subject.
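                   Posts 2, 4 and 5 boil down to two pieces of logic such a custom login module would need: take the single CN out of the certificate's subject DN, and substitute something derived from it into an LDAP search filter like the roleFilter="(member={0})" used above. Both are easy to get wrong in a security-relevant way. A regex or split(",") over the DN string mis-parses escaped commas and multi-valued RDNs, so a certificate could carry a CN that reads as a different account, and pasting the CN into a filter unescaped is LDAP injection; with AnyCertVerifier the trust store is the only thing vouching for the certificate, so the mapping step has to be strict. The Python below is an added example written for this page (not code from the thread, from JBoss or from PicketBox) that does both steps strictly: the thread's subject DN is reused as sample input, while the hostile DNs and the user_filter/role_filter templates are constructed for the demonstration. In a Java login module, javax.naming.ldap.LdapName and Rdn cover the DN-parsing half; the JDK has no filter escaper, so the equivalent of ldap_filter_escape still has to be written.

```python
"""Map an X.509 subject DN to an account name and build LDAP role filters.

Constructed example for this thread, not code from JBoss or PicketBox.
The thread's DN 'CN=U112324, OU=Local-Admins, ...' is reused as sample
input; the hostile DNs and filter templates below are made up.
"""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_ESCAPABLE = set(',+"\\<>;=# ')   # chars RFC 4514 lets a backslash escape


def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs.

    Each RDN is a list of (TYPE, value) tuples; CN=a+OU=b gives two tuples.
    Backslash escapes and \\XX hex-encoded UTF-8 octets are decoded and
    unescaped spaces around separators dropped, all of which split(',')
    gets wrong. Legacy RFC 2253 quoted and #hex BER values are not handled.
    """
    rdns, rdn, type_buf = [], [], []
    attr_type, parts, in_value = None, [], False   # parts: (bytes, escaped?)
    i, n = 0, len(dn)

    def end_value():
        nonlocal attr_type, parts
        # unescaped spaces next to a separator are padding, escaped ones are data
        while parts and parts[0] == (b" ", False):
            parts.pop(0)
        while parts and parts[-1] == (b" ", False):
            parts.pop()
        rdn.append((attr_type, b"".join(p for p, _ in parts).decode("utf-8")))
        attr_type, parts = None, []

    while i < n:
        c = dn[i]
        if not in_value:                         # reading an attribute type
            if c == "=":
                attr_type = "".join(type_buf).strip().upper()
                if not attr_type:
                    raise ValueError("empty attribute type at offset %d" % i)
                type_buf, in_value = [], True
            elif c in ",;+":
                raise ValueError("unexpected %r at offset %d" % (c, i))
            else:
                type_buf.append(c)
            i += 1
        elif c == "\\":                          # escape sequence in a value
            if _HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                parts.append((bytes([int(dn[i + 1:i + 3], 16)]), True))
                i += 3
            elif i + 1 < n and dn[i + 1] in _ESCAPABLE:
                parts.append((dn[i + 1].encode("utf-8"), True))
                i += 2
            else:
                raise ValueError("invalid escape at offset %d" % i)
        elif c in ",;":                          # end of this RDN
            end_value()
            rdns.append(rdn)
            rdn, in_value = [], False
            i += 1
        elif c == "+":                           # next attribute of the same RDN
            end_value()
            in_value = False
            i += 1
        else:
            parts.append((c.encode("utf-8"), False))
            i += 1
    if in_value:
        end_value()
        rdns.append(rdn)
    elif "".join(type_buf).strip():
        raise ValueError("attribute type without value at end of DN")
    return rdns


def subject_cn(dn):
    """Return the one CN of a subject DN; refuse zero or several CNs.

    Taking 'the first CN' would let a certificate with two CN attributes
    choose which account it is mapped to.
    """
    cns = [v for rdn in parse_dn(dn) for t, v in rdn if t == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(cns))
    return cns[0]


def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    out = []
    for b in value.encode("utf-8"):
        out.append("\\%02x" % b if b in b"*()\\\x00" or b < 0x20 or b > 0x7E else chr(b))
    return "".join(out)


def user_filter(cn):
    """Constructed template: find the account whose cn equals the certificate CN."""
    return "(&(objectClass=user)(cn=%s))" % ldap_filter_escape(cn)


def role_filter(user_dn):
    """Like the thread's roleFilter="(member={0})", but with the DN escaped."""
    return "(member=%s)" % ldap_filter_escape(user_dn)


if __name__ == "__main__":
    subject = "CN=U112324, OU=Local-Admins, OU=Users, OU=yellow-Acc, DC=uyellow, DC=yellowcorp, DC=test"
    cn = subject_cn(subject)
    print("account:", cn)
    print("user search:", user_filter(cn))
    # constructed hostile subjects: an escaped comma hiding a fake OU inside the CN,
    # a second CN attribute, and filter metacharacters in the CN
    tricky = "CN=U999999\\, OU=Local-Admins,OU=Users,DC=uyellow,DC=yellowcorp,DC=test"
    print("split(',') says:", tricky.split(",")[0][3:], "| parser says:", subject_cn(tricky))
    try:
        subject_cn("CN=U112324,CN=U999999,DC=uyellow,DC=yellowcorp,DC=test")
    except ValueError as err:
        print("rejected:", err)
    print("escaped filter:", user_filter("*)(memberOf=CN=Domain Admins"))
```

                   The parser keeps escaped and unescaped characters apart so that "\ " survives as value data while the padding after ", " does not, and the CN lookup fails closed on anything other than exactly one CN. The second half is the same rule as for SQL: whatever comes from the certificate (or back from the directory, such as the user DN fed into the member filter) is data and gets escaped before it is placed inside a filter.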

                  • 6. Re: SubjectCNMapping for certificate login
                    jonescz

                    Hi, did you manage to fix it? I am now facing the same issue, but still not able to retrieve roles from LDAP. I checked with Wireshark and no request is going to AD with the username, only the bind authentication. Please help... anybody.