[jboss-security-discuss] JBOSS Negotiate using AdvancedLdapLoginModule throws "In order to perform this operation a successful bind must be completed on the connection." error

g f gforty at gmail.com
Wed Jul 1 14:02:36 EDT 2009


Hello all,
I am using Negotiate and have successfully gotten all three auth tests to
work using the jboss-negotiate-toolkit after some trials.

Now I am attempting to search the Active Directory rather than the
user-roles.properties file.
I am using chained configuration from the docs.

Here is a snip from the login-config.xml file:

  <application-policy name="host">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="storeKey">true</module-option>
        <module-option name="useKeyTab">true</module-option>
        <module-option name="principal">host/jportal@MYCO.COM</module-option>
        <module-option name="keyTab">/home/admin/jportal.keytab</module-option>
        <module-option name="doNotPrompt">true</module-option>
        <module-option name="debug">true</module-option>
      </login-module>
    </authentication>
  </application-policy>


  <application-policy name="SPNEGO">
    <authentication>
      <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="bindAuthentication">GSSAPI</module-option>
        <module-option name="jaasSecurityDomain">host</module-option>
        <module-option name="java.naming.provider.url">ldap://dc:389</module-option>
        <module-option name="baseCtxDN">CN=Users,DC=dc,DC=myco,DC=com</module-option>
        <module-option name="baseFilter">(userPrincipalName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="recurseRoles">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

Do I need the first application policy (host)?

My error is as follows:

/error
...skipping
    at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000:
LdapErr: DSID-0C090627, comment: In order to perform this operatio
n a successful bind must be completed on the connection., data 0, vece];
remaining name 'OU=Users,DC=myco,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown
Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown
Source)
    at javax.naming.directory.InitialDirContext.search(Unknown Source)
    at
org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:505)
    ... 34 more

Any ideas what may be wrong?

Thanks!
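As an added diagnostic, not part of the original post or of the JBoss Negotiation project: the Active Directory message "a successful bind must be completed on the connection" (LDAP result code 1) means the search issued from findUserDN reached the domain controller over a connection that had never been bound, so this standalone program performs the same GSSAPI-bound search outside JBoss using the keytab principal and the LDAP options from the post. The JAAS file name, its login entry name and the command-line UPN argument are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
/*
 * Run with a JAAS file that mirrors the "host" Krb5LoginModule block from the post
 * (the file name jaas.conf and the entry name "host" are assumptions):
 *   host { com.sun.security.auth.module.Krb5LoginModule required
 *          useKeyTab=true keyTab="/home/admin/jportal.keytab"
 *          principal="host/jportal@MYCO.COM" storeKey=true doNotPrompt=true; };
 *
 *   java -Djava.security.auth.login.config=jaas.conf GssapiLdapCheck user@myco.com
 */
public class GssapiLdapCheck {
    // Taken from the AdvancedLdapLoginModule options in the post.
    static final String URL = "ldap://dc:389";
    static final String BASE_DN = "CN=Users,DC=dc,DC=myco,DC=com";
    static final String FILTER = "(userPrincipalName={0})";

    public static void main(final String[] args) throws Exception {
        LoginContext lc = new LoginContext("host");
        lc.login();  // reads the keytab; fails here if principal, keytab or KDC are wrong
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, URL);
            // SASL/GSSAPI bind with the Kerberos ticket; without it JNDI binds anonymously
            // and AD answers the search with result code 1 (operationsError).
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = new InitialDirContext(env);  // the bind happens here
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> hits =
                ctx.search(BASE_DN, FILTER, new Object[] {args[0]}, sc);
            while (hits.hasMore()) {
                SearchResult r = hits.next();
                System.out.println("DN: " + r.getNameInNamespace());
                System.out.println("memberOf: " + r.getAttributes().get("memberOf"));
            }
            ctx.close();
            return null;
        });
    }
}
```

If this program reproduces the error, the keytab, SPN or KDC setup is at fault independently of JBoss; if it returns the user's DN and groups, the remaining suspect is the wiring between the login module and the "host" security domain.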