1 2 Previous Next 23 Replies Latest reply: Apr 29, 2011 5:00 PM by Damon Fensterman RSS

LdapLoginModule - almost working

Asif Rahman Newbie

Hello,

 

Sorry if this is in the wrong place - I'm new to the forum so please direct me to the right space if you think this thread shouldn't be here.

 

I have been playing around with the LdapLoginModule and trying to secure my web app by authenticating users against LDAP. I was able to do it against a local LDAP server that I had set up, with the following configurations in my login-config.xml file within my JBOSS server:

 

<application-policy name="XXX">
         <authentication>
             <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                 <module-option name="java.naming.provider.url">ldap://LetsSayMyLocalMachineName:389/</module-option>
                 <module-option name="java.naming.security.authentication">simple</module-option>
                 <module-option name="principalDNPrefix">uid=</module-option>
                 <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
                 <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
                 <module-option name="uidAttributeID">member</module-option>
                 <module-option name="matchOnUserDN">true</module-option>
                 <module-option name="roleAttributeID">cn</module-option>
                 <module-option name="roleAttributeIsDN">false</module-option>
             </login-module>
         </authentication>
     </application-policy>

 

 

However, the problem arises when I try to configure this against an external ldap server with a slightly different directory structure. Here are my configurations for that:

 

 

 

<application-policy name="XXX">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://LetsSayTheRemoteServerName:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="principalDNPrefix">sAMAccountName=</module-option>
                <module-option name="principalDNSuffix">,ou=Admin Users,ou=HQ,ou=Administration,dc=XXX,dc=XXX</module-option>
                <module-option name="rolesCtxDN">dc=XXX,dc=XXX</module-option>
                <module-option name="uidAttributeID">sAMAccountName</module-option>
                <module-option name="matchOnUserDN">true</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
            </login-module>
        </authentication>
    </application-policy>

There is no uid attribute for users in this server and I need to authenticate by sAMAccountName. I'm thinking I'm misreading the LdapLoginModule specs on the JBOSS community and am very close to making this work - just not sure exactly where my mistake is, probably because I've been looking at this for too long and need a second pair of eyes.

 

Here's what the user I'm trying to test with looks like in my LDAP directory:

 

distinguishedName: CN=Fname Sname,OU=Admin Users,OU=HQ,OU=Administration,DC=XXX,DC=XXX

sAMAccountName: the_user_id_i_need_to_authenticate_against

memberOf: CN=SomeName,OU=Groups,DC=XXX,DC=XXX

 

Please let me know if you need any more information. Any help would be greatly appreciated. Thanks!

  • 1. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Sorry, looking at my LDAP directory, just realized the uidAttributeID should be "member".

     

    Also, the rolesCtxDN value should be prepended with "ou=Groups,".

     

    Made the changes, but still no luck.

  • 2. Re: LdapLoginModule - almost working
    Peter Johnson Master

    Looks like you are accessing Active Directory. I used the LdapExtLoginModule instead. Here is what I used, note the 'baseFilter' and 'roleFilter' options used to validate the account and extract the roles:

     

    <application-policy name="ldapLogin">
    <authentication>
      <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://jbia-fs1:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="bindDN">domain-name\valid-account-name</module-option>
       <module-option name="bindCredential">password-for-the-account</module-option>
       <module-option name="baseCtxDN">dc=jbia,dc=org</module-option>
       <module-option name="baseFilter">(sAMAccountName={0})</module-option>
       <module-option name="rolesCtxDN">dc=jbia,dc=org</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">name</module-option>
      </login-module>
    </authentication>
    </application-policy>

     

    I have a complete description of how to query LDAP, and from the query results, how to determine how to set up the login module, but it is not free. I can provide a link if you like.

  • 3. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Thank you for your response Peter.

     

    I was going through the LdapExtLoginModule article on the JBOSS community wiki (http://community.jboss.org/wiki/LdapExtLoginModule) and came across this:


    An initial bind to the ldap server is done using the bindDN and bindCredential options. The bindDN is some user with the ability to search both the baseCtxDN and rolesCtxDN trees for the user and roles. The user DN to authenticate against is queried using the filter specified by the baseFilter attribute (see the baseFilter option description for its syntax).

     

    So if I'm reading this right, the "bindDN" attribute represents, let's say, user A who can search the baseCtxDN and rolesCtxDN trees and is used to look up user B (corressponding to the user id and password that are entered on the login prompt when the web app is accessed). So the bindCredential is essentially the password for user A.

     

    If this is correct, can A and B be the same user? Am I making any sense or completely off track here?

  • 4. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Ok, so this is what I have in my login-config.xml:

     

    <application-policy name="XXX">
             <authentication>
                 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                     <module-option name="java.naming.provider.url">ldap://serverName:3268</module-option>
                     <module-option name="bindDN">CN=TheCNOfValidAccount,OU=Admin  Users,OU=HQ,OU=Administration,DC=xxx,DC=xxx</module-option>
                     <module-option name="bindCredential">password</module-option>
                     <module-option name="baseCtxDN">DC=xxx,DC=xxx</module-option>
                     <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                     <module-option name="rolesCtxDN">DC=xxx,DC=xxx</module-option>
                     <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                     <module-option name="roleAttributeID">memberOf</module-option>
                     <module-option name="roleAttributeIsDN">true</module-option>
                     <module-option name="roleNameAttributeID">cn</module-option>
                 </login-module>
             </authentication>
         </application-policy>

     

    Then I'm trying to log in as the same user as the one in my bindDN (I tried with domain\useraccount for the bindDN as well). I guess at this point I don't care much about roles, which is why the relevant portion in my web.xml looks like this:

     

    <security-role>
            <role-name>*</role-name>
        </security-role>

     

    But I will eventually need to put a particular role in there.

     

    I still can't get past the login prompt screen. Any pointers? And Peter, please send me the link you were talking about.

     

    Thanks again.

  • 5. Re: LdapLoginModule - almost working
    Peter Johnson Master

    JBoss in Action, chapter 4, has a section (7 pages) on configuring the LDAP login module.

     

    I don't have time right now to look at your latest config, but I will look at it later (might not be until Monday).

  • 6. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Thanks, appreciate the help.

  • 7. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    So after looking at JBoss in Action, I've had one more crack at this. Here's what my login-config.xml looks like now:

     

    <application-policy name="xxx">
            <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>   
                    <module-option name="java.naming.provider.url">ldap://xxx:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                    <module-option name="bindDN">domain\user</module-option>
                    <module-option name="bindCredential">password</module-option>
                    <module-option name="baseCtxDN">DC=xxx,DC=xxx</module-option>
                    <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                    <module-option name="rolesCtxDN">DC=xxx,DC=xxx</module-option>
                    <module-option name="roleFilter">(member={1})</module-option>
                    <module-option name="roleAttributeIsDN">true</module-option>
                    <module-option name="roleNameAttributeID">name</module-option>
                </login-module>       
            </authentication>
        </application-policy>

     

    The user I'm using in the bindDN attribute is the one that I'm using to login through LDAP Browser to view/search my Active Directory tree, so it does have read/search access to my AD.

     

    All my AD settings seem to match the ones you have in the book, except for one difference - the name attribute for a group is actually not a DN, but a simple name. Otherwise, everything is the same.

     

    Again, I don't care much about roles at this point (but will have to as soon as I can get the general authentication working), which is why I'm using

     

    <auth-constraint>
                <role-name>*</role-name>
    </auth-constraint>

     

    in my web.xml. I have also gotten rid of the <security-role> attribute in my web.xml.

     

    When accessing my web app, I still can't seem to log in with the same user name and password that I'm using in my login-config.xml to bind to my AD server. A bit dumbfounded here, I'm sure I'm doing something really stupid and just not seeing it.

  • 8. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Hmm...after enabling logging of the security layer in my JBOSS server, I get the following:

     

    javax.security.auth.login.LoginException: No LoginModules configured for xxx
        at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:367)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:444)
        at org.jboss.security.plugins.SubjectActions$LoginContextAction.run(SubjectActions.java:162)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.jboss.security.plugins.SubjectActions.createLoginContext(SubjectActions.java:277)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:602)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:619)

     

    Where xxx = my application-policy name in my login-config. I get this when I invoke my web app, even before I've entered a user name/password to log in. Any pointers?

     

    Thanks

  • 9. Re: LdapLoginModule - almost working
    Peter Johnson Master

    What have you set in WEB-INF/jboss-web.xml? See section 6.1 in JBoss in Action.

  • 10. Re: LdapLoginModule - almost working
    Peter Johnson Master

    Also, did you enable logging for org.jboss.security.auth.spi at the TRACE level? That level will show you what is going on in the login module.

  • 11. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Yes sir, it's set at the Trace level. The jboss-web.xml in my app's WEB-INF folder is as follows:

     

    <?xml version="1.0" encoding="UTF-8"?>
        <jboss-web>
           <security-domain>java:/jaas/xxx</security-domain>
        </jboss-web>

     

    Where xxx = my application policy name from my login-config.

  • 12. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Sorry, here's the entire stack trace for a single login attempt:

     

    2010-10-04 14:53:25,111 TRACE [org.jboss.security.plugins.JaasSecurityManager.xxx] Begin isValid, principal:yyy, cache info: null
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.plugins.JaasSecurityManager.xxx] defaultLogin, principal=yyy
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(xxx), size=0
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(xxx), no entry in appConfigs, tyring parentCont: null
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(xxx), no entry in parentConfig, trying: other
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(xxx), failed to find entry
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=0
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(other), no entry in appConfigs, tyring parentCont: null
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(other), no entry in parentConfig, trying: other
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), failed to find entry
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.plugins.JaasSecurityManager.xxx] Login failure
    javax.security.auth.login.LoginException: No LoginModules configured for xxx
        at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:367)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:444)
        at org.jboss.security.plugins.SubjectActions$LoginContextAction.run(SubjectActions.java:162)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.jboss.security.plugins.SubjectActions.createLoginContext(SubjectActions.java:277)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:602)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:619)
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.plugins.JaasSecurityManager.xxx] End isValid, false
    2010-10-04 14:53:25,111 TRACE [org.jboss.security.SecurityAssociation] clear, server=true

  • 13. Re: LdapLoginModule - almost working
    Fabio Schmitz Tani Newbie

    Asif,

     

    Just throwing my two cents in the mix, but, your trace shows that JAAS is not finding your configured login module, basically it wasn't able to find your configured JAAS module in the login-config.xml file inside the <server_name>/conf dir.

     

    Sometimes mispelling of the module can happen, maybe if you re-checked your jboss-web.xml. One other thing, in order for it to use the jboss-web.xml the application needs to be packaged as a war file, otherwise, you might need the jboss-app.xml if you are deploying it in an ear structure.

     

    Might be worth a try to checkout.

  • 14. Re: LdapLoginModule - almost working
    Asif Rahman Newbie

    Thank you for your input fstani. I've checked for typoes but that doesn't seem to be the case.

     

    I am packaging my app as a war, not an ear.

     

    What is strange is that when I use my LdapLoginModule configuration in the first post to connect to a local LDAP server, I don't get the same issue. But when I'm using my LdapExtLoginModule configurations to connect to the external server, I'm getting the stack trace mentioned above. I checked the server name and it looks right as well, as I can log into it through an LDAP browser, with the same credentials as in my login-config.xml file.

1 2 Previous Next