14 Replies Latest reply on Nov 21, 2012 7:41 PM by garcimouche

    Jboss 7 JAAS Security Realm - Ldap server configuration

    gerry.matte

      I've been using a JAAS LdapRealm for user authentication and authorisation.  In Jboss 6 and lower the conf/login-config.xml file contained the necessary configuration tags:

        <application-policy name="LdapRealm">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://XXXXX.ca:389/</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=XXXXX</module-option>
              <module-option name="bindCredential">XXXXX</module-option>
              <module-option name="baseCtxDN">ou=People,dc=XXXX,dc=ca</module-option>
              <module-option name="baseFilter">(cn={0})</module-option>
              <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="uidAttributeID">member</module-option>
              <module-option name="roleAttributeID">cn</module-option>
              <module-option name="roleNameAttributeID">cn</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
            </login-module>
          </authentication>
        </application-policy>

       

      I've been looking through the JBoss 7 standalone.xml as the likeliest location to configure my LdapRealm but there's no documentation (at least not yet) on how to do so.  Unfortunately this xml file does not reference a schema so I can't even guess how to proceed.

       

      Does anyone have any information about how to configure an Ldap Realm for Jboss 7 ?

       

       

       

        • 1. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
          dekiz

          It's configured in standalone.xml, in section

          <management>
              <security-realms>

          add something like this:

          <security-realm name="myrealm">
              <authentication>
                  <ldap connection="ldap://192.168.x.x:389" base-dn="dc=it,dc=jboss" username-attribute="sAMAccountName"/>
              </authentication>
          </security-realm>

          • 2. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
            gerry.matte

            Thanks for the response.

            However, your suggestion doesn't address which login module (standard Ldap or Extended Ldap) is to be used.

            More importantly, there's no definition of how to search for authorisation - roles.

            My Ldap server requires the extended login module because roles (groups) are not in the same directory branch as inetOrgPerson.

            Where did you obtain your information from so that I can look it over myself ?
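            The role search the original post is asking about, as an added simulation that is not part of this thread or of JBoss: it walks the sequence LdapExtLoginModule's options describe (find the user under baseCtxDN with baseFilter, bind as the DN found, then search rolesCtxDN with roleFilter, where {0} is the username and {1} is the user's DN) over an in-memory directory. The entries, DNs and passwords are constructed for the example. The roleAttributeIsDN branch follows the documented semantics (the attribute value is a DN and the role name is read from that entry's roleNameAttributeID) and is exercised by a second, Active-Directory-style option set that keeps the group DNs on the user entry.

```python
"""Simulation of the LdapExtLoginModule lookup sequence (added example, not JBoss code).
The in-memory directory, DNs and passwords below are constructed for this example."""
import re

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
PEOPLE = "ou=People,dc=example,dc=ca"
ROLES = "ou=Webapp-Roles,ou=Groups,dc=example,dc=ca"
DIRECTORY = {
    PEOPLE: {"objectClass": ["organizationalUnit"]},
    f"cn=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "cn": ["alice"],
                           "userPassword": ["s3cret"],
                           # AD-style back-reference, used by AD_STYLE_OPTIONS below
                           "memberOf": [f"cn=webadmin,{ROLES}", f"cn=webuser,{ROLES}"]},
    f"cn=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "cn": ["bob"],
                         "userPassword": ["hunter2"], "memberOf": [f"cn=webuser,{ROLES}"]},
    f"cn=webadmin,{ROLES}": {"objectClass": ["groupOfNames"], "cn": ["webadmin"],
                             "member": [f"cn=alice,{PEOPLE}"]},
    f"cn=webuser,{ROLES}": {"objectClass": ["groupOfNames"], "cn": ["webuser"],
                            "member": [f"cn=alice,{PEOPLE}", f"cn=bob,{PEOPLE}"]},
}

# Option names are LdapExtLoginModule's; the DNs are the constructed ones above.
GROUP_OPTIONS = {
    "baseCtxDN": PEOPLE, "baseFilter": "(cn={0})",
    "rolesCtxDN": ROLES, "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "roleAttributeIsDN": "false", "roleNameAttributeID": "cn",
    "allowEmptyPasswords": "false",
}
# Same module against an AD-style schema: the role DNs are stored on the user entry.
AD_STYLE_OPTIONS = dict(GROUP_OPTIONS, rolesCtxDN=PEOPLE, roleFilter="(cn={0})",
                        roleAttributeID="memberOf", roleAttributeIsDN="true")

FILTER_RE = re.compile(r"^\((\w+)=(.+)\)$")

def search(base_dn, ldap_filter):
    """Subtree search supporting the single equality filters these options use."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn != base_dn and dn.endswith("," + base_dn)
            and value in attrs.get(attr, [])]

def bind(dn, password):
    """Simple bind: the entry must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def login(username, password, opts=GROUP_OPTIONS):
    """Return the sorted role names on success, or None when authentication fails."""
    if password == "" and opts["allowEmptyPasswords"] != "true":
        return None                      # allowEmptyPasswords=false rejects empty passwords
    # Step 1: find the user's DN; {0} is the supplied username. A real implementation
    # must escape RFC 4515 filter metacharacters in the username before substitution.
    hits = search(opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if len(hits) != 1:
        return None                      # unknown or ambiguous user
    user_dn = hits[0]
    # Step 2: authenticate by binding as that DN with the supplied password
    if not bind(user_dn, password):
        return None
    # Step 3: role search; {0} is the username and {1} is the user's DN
    role_filter = opts["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    roles = set()
    for entry_dn in search(opts["rolesCtxDN"], role_filter):
        for value in DIRECTORY[entry_dn].get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"] == "true":
                # the value is a DN; the role name is that entry's roleNameAttributeID
                roles.update(DIRECTORY.get(value, {}).get(opts["roleNameAttributeID"], []))
            else:
                roles.add(value)         # the value is the role name itself
    return sorted(roles)

if __name__ == "__main__":
    print(login("alice", "s3cret"))                     # ['webadmin', 'webuser']
    print(login("alice", "s3cret", AD_STYLE_OPTIONS))   # ['webadmin', 'webuser']
    print(login("bob", "wrong"))                        # None
```

            Running it shows why the extended module is needed for the layout the original post describes: with the group-based options the roles come from entries under a different branch than the user, matched through the user's DN, whereas the AD-style options never leave the user's own entry.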

            • 3. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
              dekiz

              Doubt ldap auth module is usable at this stage, I've just looked into the parser class that parses standalone.xml, and checked what exactly it looks for in xml, you can take a look at this (protected void parseLdapConnection method):

               

              https://github.com/jbossas/jboss-as/blob/master/controller/src/main/java/org/jboss/as/controller/parsing/CommonXml.java

               

              and go from there, until we get more documentation.

              Cheers,

              D

              • 4. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                dekiz

                Seems I was wrong about the current state of AS7, anyway, you can configure ldap authentication this way in standalone.xml

                ...
                <subsystem xmlns="urn:jboss:domain:sar:1.0"/>
                <subsystem xmlns="urn:jboss:domain:security:1.0">
                    <security-domains>
                        <security-domain name="other" cache-type="default">
                            <authentication>
                                <login-module code="UsersRoles" flag="required"/>
                            </authentication>
                        </security-domain>
                        <security-domain name="myldapdomain">
                            <authentication>
                                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                                    <module-option name="java.naming.provider.url">ldap://XXXXX.ca:389/</module-option>
                                    <module-option name="java.naming.security.authentication">simple</module-option>
                                    <module-option name="bindDN">cn=XXXXX</module-option>
                                    <module-option name="bindCredential">XXXXX</module-option>
                                    <module-option name="baseCtxDN">ou=People,dc=XXXX,dc=ca</module-option>
                                    <module-option name="baseFilter">(cn={0})</module-option>
                                    <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca</module-option>
                                    <module-option name="roleFilter">(member={1})</module-option>
                                    <module-option name="uidAttributeID">member</module-option>
                                    <module-option name="roleAttributeID">cn</module-option>
                                    <module-option name="roleNameAttributeID">cn</module-option>
                                    <module-option name="roleAttributeIsDN">true</module-option>
                                    <module-option name="allowEmptyPasswords">false</module-option>
                                </login-module>
                            </authentication>
                        </security-domain>
                    </security-domains>
                </subsystem>
                <subsystem xmlns="urn:jboss:domain:threads:1.0"/>
                ...

                also

                <subsystem xmlns="urn:jboss:domain:ee:1.0"/> needs to be changed to

                <subsystem xmlns="urn:jboss:domain:ee:1.0">
                    <global-modules>
                        <module name="com.sun.jndi.ldap" slot="main"/>
                    </global-modules>
                </subsystem>

                else ModuleClassLoader won't load the com.sun.jndi.ldap.LdapCtxFactory which is needed in ldap auth modules, and obviously you'll need org.jboss.security.auth.spi.LdapExtLoginModule on classpath.

                Cheers,

                D

                1 of 1 people found this helpful
                • 5. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                  gerry.matte

                  Thanks for the additional note Dejan.

                  I followed your suggestions and I'm almost working correctly now.

                  It looks like the Xml Parser has changed - I was required to convert every module-option tag so that the lowest level data element for the module-option tag was replaced by the attribute value= and the tag was converted to a self-closing tag:

                                      <module-option name="allowEmptyPasswords">false</module-option>

                  became

                                      <module-option name="allowEmptyPasswords" value="false"/>

                  After doing that and also inserting the global-modules element jboss 7 now starts with no errors.

                   

                  I replaced my eclipse webapp project reference for JBoss 6 runtime library to jboss 7 runtime library.

                   

                  The web application deployed with no error or warning messages.

                   

                  Now, when I attempt to access a protected html resource I am correctly challenged to enter a user name and password. After I submit those items the browser pauses a long time (15-20 sec) and eventually the server connection is reset.

                   

                  I was unable to determine how I could ensure that org.jboss.security.auth.spi.LdapExtLoginModule is on my classpath.  With Jboss 6 I was not required to take any action like this.  I presumed that the JBoss Server runtime library included this module and any others that might be required. 

                  Perhaps this assumption is incorrect for JBoss 7 ? 

                   

                  This web app also attempts to perform JNDI lookups.  With JBoss AS 7 the jndi.properties file is now not being loaded correctly so perhaps some additional tags are needed in standalone.xml.

                   

                  I very much appreciate the time you spent digging into this issue.  However, I can wait for the next release and some official documentation rather than ask you to spend any more time debugging this.

                  • 6. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                    dlofthouse

                    Hello Gerry, I have just caught up on this thread - I am just about to start work on the initial documentation for this so will add some details for the LDAP modules and also some logging categories to get to the bottom of underlying failures.

                    • 7. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                      gerry.matte

                      Thanks Darran.

                      If I can help at all, let me know.

                      Gerry

                      • 8. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                        badr

                        Hi Gerry,

                         

                        I've followed the same steps but I get the error

                        Login failure: javax.security.auth.login.LoginException: classe LoginModule introuvable : org.jboss.security.auth.spi.LodapLoginModule

                        I think I need org.jboss.security.auth.spi.LdapExtLoginModule on classpath of my application even if I've already added

                        <subsystem xmlns="urn:jboss:domain:ee:1.0">
                            <global-modules>
                                <module name="sun.jdk" slot="main"/>
                            </global-modules>
                        </subsystem>

                        instead of:

                        <subsystem xmlns="urn:jboss:domain:ee:1.0">
                            <global-modules>
                                <module name="com.sun.jndi.ldap" slot="main"/>
                            </global-modules>
                        </subsystem>

                        because this configuration didn't work for me

                         

                        Regards

                        • 9. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                          dlofthouse

                          Looking at the error message there appears to be an error in how the class name is specified for the LoginModule.

                           

                          The message shows org.jboss.security.auth.spi.LodapLoginModule but it should be org.jboss.security.auth.spi.LdapLoginModule

                           

                          You should however be able to specify LdapExtended instead of the fully qualified class name of the module.

                          1 of 1 people found this helpful
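                          Two points from this thread in one added example (not JBoss code and not posted by anyone here): the conversion reply 5 describes, where each module-option's text content becomes a value= attribute on a self-closing tag inside an AS7 security-domain, and the class-name check reply 9 diagnoses, where a misspelt login-module code is rejected before the server ever tries to load it. The input is the original post's application-policy with its placeholder values. UsersRoles and LdapExtended are the short names this thread mentions; Ldap is assumed to map to LdapLoginModule in the same AS7 short-name table.

```python
"""Convert a JBoss 5/6 login-config.xml <application-policy> into the AS7
<security-domain> form (added example, not JBoss code). Module-option text content
becomes a value= attribute, and the login-module code is validated up front."""
import xml.etree.ElementTree as ET

# Short names AS7 resolves to PicketBox classes: UsersRoles and LdapExtended are
# mentioned in the thread; Ldap is assumed from the same AS7 mapping.
SHORT_NAMES = {
    "UsersRoles": "org.jboss.security.auth.spi.UsersRolesLoginModule",
    "Ldap": "org.jboss.security.auth.spi.LdapLoginModule",
    "LdapExtended": "org.jboss.security.auth.spi.LdapExtLoginModule",
}

# The original post's JBoss 6 policy, placeholders (XXXXX) kept as posted.
SAMPLE_POLICY = """<application-policy name="LdapRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://XXXXX.ca:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=XXXXX</module-option>
      <module-option name="bindCredential">XXXXX</module-option>
      <module-option name="baseCtxDN">ou=People,dc=XXXX,dc=ca</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>"""

def is_known_code(code):
    """True if code is an AS7 short name or one of the classes those names resolve to."""
    return code in SHORT_NAMES or code in SHORT_NAMES.values()

def convert_policy(policy_xml):
    """Return the AS7 <security-domain> Element equivalent to one <application-policy>."""
    policy = ET.fromstring(policy_xml)
    domain = ET.Element("security-domain", name=policy.get("name"))
    auth = ET.SubElement(domain, "authentication")
    for lm in policy.iterfind("authentication/login-module"):
        code = lm.get("code")
        if not is_known_code(code):
            # the kind of typo reply 9 found (LodapLoginModule) fails here, not at login time
            raise ValueError(f"unknown login-module code {code!r}")
        new_lm = ET.SubElement(auth, "login-module", code=code, flag=lm.get("flag"))
        for opt in lm.iterfind("module-option"):
            # AS7's parser expects value="..." on a self-closing element, not text content
            ET.SubElement(new_lm, "module-option",
                          name=opt.get("name"), value=(opt.text or "").strip())
    return domain

def security_domain_xml(policy_xml):
    """Serialise the converted domain; ElementTree writes empty elements self-closing."""
    return ET.tostring(convert_policy(policy_xml), encoding="unicode")

if __name__ == "__main__":
    print(security_domain_xml(SAMPLE_POLICY))
```

                          The output is the security-domain element to paste under security-domains in the security subsystem; the ee global-modules entry from reply 4 is still a separate edit.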
                          • 10. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                            badr

                            Thanks Darran,

                             

                            I didn't pay attention! It works fine now

                            • 11. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                              gerry.matte

                              You are correct - for JBoss 7.1.0.Final (standalone-full-xml) I was able to configure LdapExtLoginModule. 

                              I also used the suggestion at https://community.jboss.org/thread/174590 to add another module-option <module-option name="throwValidateError" value="true"/>  although it wasn't needed because my login worked first time.  Not my normal experience but I'm sure not complaining.

                               

                              I deliberately delayed working on this until the fully certified version of JBoss7 was available.  That may have saved me some grief too.

                               

                              I didn't define a global subsystem as badr described earlier.  JBoss 7 found the module with no problems and my webapp worked unchanged from the JBoss6 version.

                               

                              Updated Feb 25:  It was too good to be true.  It turns out that I tested with a username/password which I had previously defined in the ManagementRealm so my Ldap server never saw the request.  When I tried it subsequently with a username/password unique to the Ldap server, it all fell apart.

                               

                              For my testing I try to browse to a protected web page and the security framework intercepts and demands a username and password.  After I enter them and submit the form, the browser remains at the page ending with j_security_check and never does forward to the protected page.  A blank page with no HTML is what the browser sees.  The server gives no warning or error messages in its console log.

                               

                              I am giving up using Ldap with Jboss.  I reported the Ldap problems in 2008 at https://issues.jboss.org/browse/SEAMSECURITY-6.  I've been waiting for a resolution since then.

                               

                              Well, I'm now retired so I do not need to authenticate against a corporate directory any longer.

                               

                              As you can guess I'm pretty disillusioned.  I guess there must not be too many people trying to use LdapExtLoginModule ......

                               

                              One more update:

                              It looks like the userid and password were actually being accepted by the security system.  If I open another tab and try to access the protected page, I immediately see the protected page.  In my case that page is a jsp page that tests for the roles that the authenticated user is in - so I am able to also verify that the extended search capabilities of LdapExtLoginModule are working correctly.

                               

                              There must be a minor bug somewhere within the Jboss security framework that is not forwarding the browser to a protected page after authentication succeeds using LdapExtLogin Module.

                               

                              So close to a working framework ..... unfortunately I can't use this in production - users would laugh at the work around.

                              • 12. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                                gerry.matte

                                See https://community.jboss.org/message/723342#723342 and jira https://issues.jboss.org/browse/AS7-4149

                                It appears that the blank page after authentication is a problem with Jboss 7 support for the ajp protocol used by mod_jk.

                                If this concerns you, please vote for the jira.

                                • 13. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                                  davidj

                                  What were you guys putting in your web.xml file or jboss-web.xml to tell your web-app to use your custom ldap realm?

                                   

                                  Something like:


                                  <login-config>
                                      <auth-method>FORM</auth-method>
                                      <!-- login-config allows auth-method, realm-name and form-login-config;
                                           the security domain itself is bound in jboss-web.xml:
                                           <security-domain>myldapdomain</security-domain> -->
                                      <realm-name>myldapdomain</realm-name>
                                      <form-login-config>
                                          <form-login-page>/pages/login.jsf</form-login-page>
                                          <form-error-page>/pages/core/loginError.xhtml</form-error-page>
                                      </form-login-config>
                                  </login-config>
                                  • 14. Re: Jboss 7 JAAS Security Realm - Ldap server configuration
                                    garcimouche

                                    If anyone interested I've created a post where I explained how to configure the LdapExtended module on JBoss AS 7.