6 Replies Latest reply on Feb 21, 2012 7:14 AM by ilko

    username-attribute may not be null in ldap security realm

    yves.p

      I tried the new JBoss 7.1 CR1 and get a strange error with this configuration that used to work in Beta1b:

       

          <management>
              <security-realms>
                  <security-realm name="PropertiesMgmtSecurityRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" />
                      </authentication>
                  </security-realm>
                  <security-realm name="LDAPMgmtSecurityRealm">
                      <authentication>
                          <ldap connection="ldap_connection" recursive="true" base-dn="OU=yellow-Acc,DC=uyellow,DC=yellowcorp,DC=test">
                              <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=AJBOSSSUPER,OU=Groups,OU=yellow-Acc,DC=uyellow,DC=yellowcorp,DC=test))" />
                          </ldap>
                      </authentication>
                  </security-realm>
              </security-realms>
              <outbound-connections>
                  <ldap name="ldap_connection" url="ldap://addc01.uyellow.yellowcorp.test" search-dn="CN=User,OU=Service-Accounts,OU=yellow-Acc,DC=uyellow,DC=yellowcorp,DC=test"
                      search-credential="pw" />
              </outbound-connections>
              <management-interfaces>
                  <native-interface security-realm="PropertiesMgmtSecurityRealm">
                      <socket-binding native="management-native" />
                  </native-interface>
                  <http-interface security-realm="LDAPMgmtSecurityRealm">
                      <socket-binding http="management-http" />
                  </http-interface>
              </management-interfaces>
          </management>
      
      

       

      Error:

      16:26:24,923 INFO  [org.jboss.modules] JBoss Modules version 1.1.0.CR6
      16:26:25,635 INFO  [org.jboss.msc] JBoss MSC version 1.0.1.GA
      16:26:25,719 INFO  [org.jboss.as] JBoss AS 7.1.0.CR1b "Flux Capacitor" starting
      16:26:27,402 ERROR [org.jboss.as.controller.management-operation] Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("security-realm" => "LDAPMgmtSecurityRealm"),
          ("authentication" => "ldap")
      ]) - failure description: "JBAS014746: username-attribute may not be null"
      16:26:27,407 INFO  [org.jboss.as] JBoss AS 7.1.0.CR1b "Flux Capacitor" started in 2859ms - Started 19 of 20 services (1 services are passive or on-demand)
      16:29:42,092 INFO  [org.jboss.as] JBoss AS 7.1.0.CR1b "Flux Capacitor" stopped in 9ms
      

       

      It used to work in the 7.1 Beta. I validated my XML and it seems to be valid. Did I miss something or is this a bug?

        • 1. Re: username-attribute may not be null in ldap security realm
          dlofthouse

          Can you please raise a Jira with this error and assign it to me?  There was some refactoring of the management of the realms before the release and it looks like it has broken making that element optional.

          • 2. Re: username-attribute may not be null in ldap security realm
            yves.p

            I opened a Jira but I have no rights to assign it to you.

            Thanks for looking into it.

            Yves

            • 3. Re: username-attribute may not be null in ldap security realm
              ilko

              Can you tell me please if AND operation filters (&(racfgroupid=XXXX)(racfuserid={0})) work in jboss 6.1 because I have some problems specifying them in login-config.xml.

               

              <module-option name="roleFilter">((&(racfgroupid=XXXX)(racfuserid={0})))</module-option>

               

              Thank you in advance.

              • 4. Re: username-attribute may not be null in ldap security realm
                dlofthouse

                This thread is specifically discussing the security realms added to JBoss AS 7 so unfortunately no this does not apply at all to AS6.

                • 5. Re: username-attribute may not be null in ldap security realm
                  ilko

                  Thank you for your fast answer. I upgraded to jboss 7.1 but I still have problems. When I entered the filter (&(racfuserid={0})(racfgroupid=XXXX)) in advanced-filter field, jboss didn't start correctly.

                   

                  Here is the error report:

                   

                  09:14:49,623 ERROR [org.jboss.as.controller] JBAS014601: Error booting the container: java.lang.RuntimeException: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
                      at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:161) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
                      at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_02]
                  Caused by: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
                      at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:125) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:187) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.server.ServerService.boot(ServerService.java:261) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
                      ... 1 more
                  Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '(' (code 40) (expected a name start character)
                  at [row,col {unknown-source}]: [49,52]
                      at com.ctc.wstx.sr.StreamScanner.throwUnexpectedChar(StreamScanner.java:639)
                      at com.ctc.wstx.sr.StreamScanner.parseFullName(StreamScanner.java:1920)
                      at com.ctc.wstx.sr.StreamScanner.parseEntityName(StreamScanner.java:2044)
                      at com.ctc.wstx.sr.StreamScanner.fullyResolveEntity(StreamScanner.java:1511)
                      at com.ctc.wstx.sr.BasicStreamReader.parseAttrValue(BasicStreamReader.java:1902)
                      at com.ctc.wstx.sr.BasicStreamReader.handleNsAttrs(BasicStreamReader.java:3028)
                      at com.ctc.wstx.sr.BasicStreamReader.handleStartElem(BasicStreamReader.java:2926)
                      at com.ctc.wstx.sr.BasicStreamReader.nextFromTree(BasicStreamReader.java:2802)
                      at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1050)
                      at com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1125)
                      at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.nextTag(XMLExtendedStreamReaderImpl.java:152) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                      at org.jboss.as.domain.management.parsing.ManagementXml.parseLdapAuthentication_1_1(ManagementXml.java:665) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.domain.management.parsing.ManagementXml.parseAuthentication_1_1(ManagementXml.java:497) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealm_1_1(ManagementXml.java:312) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealms(ManagementXml.java:247) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:130) [jboss-as-domain-management-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_1(StandaloneXml.java:324) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:126) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:100) [jboss-as-server-7.1.0.Final.jar:7.1.0.Final]
                      at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                      at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                      at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:117) [jboss-as-controller-7.1.0.Final.jar:7.1.0.Final]
                      ... 4 more

                   

                  and here is my standalone.xml:

                   

                      <security-realm name="LDAPMgmtSecurityRealm">
                          <authentication>
                              <ldap connection="ldap_connection" base-dn="profiletype=********,secAuthority=*******" recursive="true">
                                  <advanced-filter filter="(&(racfuserid={0})(racfgroupid=XXXX))"/>
                              </ldap>
                          </authentication>
                      </security-realm>
                  </security-realms>
                  <outbound-connections>
                      <ldap name="ldap_connection" url="ldaps://******:636" search-dn="racfid=******,profiletype=******,secAuthority=******" search-credential="*********"/>
                  </outbound-connections>
                  <management-interfaces>
                      <native-interface security-realm="LDAPMgmtSecurityRealm">
                          <socket-binding native="management-native"/>
                      </native-interface>
                      <http-interface security-realm="LDAPMgmtSecurityRealm">
                          <socket-binding http="management-http"/>
                      </http-interface>

                   

                  Everything else seems to be correct, because it works with different filters. I need this because I want only the users of 'admin' group to be able to connect to admin console.

                  Thank you very much.

                   

                   

                  PS: the Unexpected character '(' at row,col [49,52] is the second '(' in the advanced-filter. (&(racfuserid={0})(racfgroupid=XXXX))

                  • 6. Re: username-attribute may not be null in ldap security realm
                    ilko

                    I found the error. The filter now looks like this (&amp;(racfuserid={0})(racfgroupid=XXXX)). I hope this will work. Thank you.
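
An added example, not part of the original posts and not JBoss code: a pre-start check in Python that locates `&` characters that do not begin an entity or character reference, escapes them, and confirms that the parsed `filter` attribute is the intended LDAP filter. The fragment, its base DN and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the <advanced-filter> element in the thread.
BROKEN = '''<ldap connection="ldap_connection" base-dn="dc=example,dc=test" recursive="true">
    <advanced-filter filter="(&(racfuserid={0})(racfgroupid=XXXX))"/>
</ldap>'''

# An "&" that is not followed by "name;", "#digits;" or "#xhex;".
# Assumption: the file has no CDATA sections or comments, where a bare "&" is legal.
BARE_AMP = re.compile(r'&(?!(?:[A-Za-z_][\w.-]*|#[0-9]+|#x[0-9A-Fa-f]+);)')


def find_bare_ampersands(xml_text):
    """Return 1-based (row, col) of every '&' that does not start a reference."""
    hits = []
    for row, line in enumerate(xml_text.splitlines(), 1):
        hits.extend((row, m.start() + 1) for m in BARE_AMP.finditer(line))
    return hits


def escape_bare_ampersands(xml_text):
    """Rewrite bare '&' as '&amp;'; already escaped references are left alone."""
    return BARE_AMP.sub('&amp;', xml_text)


def parses(xml_text):
    """True if the text is well-formed XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def advanced_filter(xml_text):
    """Return the filter string as the XML parser hands it to the application."""
    return ET.fromstring(xml_text).find('advanced-filter').get('filter')


if __name__ == '__main__':
    print('well-formed before fix:', parses(BROKEN))
    print('bare "&" at (row, col):', find_bare_ampersands(BROKEN))
    fixed = escape_bare_ampersands(BROKEN)
    print(fixed)
    print('filter seen after parsing:', advanced_filter(fixed))
```

The parser in the stack trace above flags the `(` that follows the `&`, because it is trying to read an entity name at that point; this check reports the position of the `&` itself. After escaping, the value handed to the LDAP search is again the plain `(&(...)(...))` filter.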