[jboss-user] [Security & JAAS/JBoss] - Re: Active Directory and LdapExtLoginModule?

ksiva_rajesh do-not-reply at jboss.com
Thu Mar 8 12:52:04 EST 2007


Hi,

Thanks a lot for the quick response.

I have created a Security Group in AD with the name "AuthUserRole" and assigned a few users whom I want to authenticate:
  | distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
  | 

Yes, I'm using LdapExtLoginModule. The configuration for it is given below:


  | login-config.xml
  | ----------------
  | <?xml version='1.0'?>
  | <!DOCTYPE policy PUBLIC
  |       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  |       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  | <policy>
  | 
  | 	<application-policy name="HMActiveDirecotry">
  | 		<authentication>
  | 			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
  | 				<module-option name="java.naming.provider.url">ldap://company.com:389/</module-option>
  | 				<module-option name="java.naming.security.authentication">simple</module-option>
  | 				<module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option> 
  | 				<module-option name="bindCredential">password</module-option> 
  | 				<module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
  | 				<module-option name="baseFilter">(userPrincipalName={0})</module-option>
  | 				<module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
  | 				<module-option name="roleFilter">(member={1})</module-option>
  | 				<module-option name="roleAttributeID">memberOf</module-option>
  | 				<module-option name="roleAttributeIsDN">true</module-option>
  | 				<module-option name="roleNameAttributeID">name</module-option> 
  | 				<module-option name="roleRecursion">0</module-option>
  | 				<module-option name="defaultRole">AuthUserRole</module-option>
  | 			</login-module>
  | 		</authentication>
  | 	</application-policy>
  | </policy>
  | 

The error I received:
  | Error on Console of JBoss from DEBUG level on Security Manager using log4j.xml:
  | ------------------------------------------------------------------------------
  | 
  | 11:13:56,999 DEBUG [AuthenticatorBase] Security checking request POST /ldaptest/j_security_check
  | 11:13:56,999 DEBUG [FormAuthenticator] Authenticating username 'xxxxxx'
  | 11:13:57,046 DEBUG [LdapExtLoginModule] Bad password for username=App.eapp
  | javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece ]
  |         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
  |         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
  |         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
  |         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
  |         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
  |         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
  |         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
  |         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
  |         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
  |         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
  |         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
  |         at javax.naming.InitialContext.init(InitialContext.java:223)
  |         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:524)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:334)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
  |         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:585)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
  |         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
  |         at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
  |         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
  |         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
  |         at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
  |         at java.lang.Thread.run(Thread.java:595)
  | 11:13:57,452 DEBUG [ApplicationDispatcher] servletPath=/login_error.jsp, pathInfo=null, queryString=null, name=null
  | 11:13:57,468 DEBUG [ApplicationDispatcher]  Path Based Forward
  | 11:13:57,468 DEBUG [ApplicationDispatcher]  Disabling the response for futher output
  | 11:13:57,468 DEBUG [AuthenticatorBase]  Failed authenticate() test ??/ldaptest/j_security_check
  | 
  | 
I'm really not sure why the LdapExtLoginModule is reporting it as "Bad password for username=App.eapp".

But when I use an LDAP utility to validate the AuthUserGroup and the user name, it works fine. The result given by the LDAP search utility is as follows:

  | LDAP Utility Inputs Parameters: 
  | 
  | Host : company.com
  | Port : 389
  | Base DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
  | Filter :(&(objectClass=*)(CN=*))
  | Scope : Subtree
  | 

Result displayed by the LDAP search utility:
  | Enumerating attributes for DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com 
  | objectClass = top
  | objectClass = group
  | cn = AuthUserRole
  | member = CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com
  | member = CN=xxxxxxxxxx,OU=IC - Applications and Computers,DC=company,DC=com
  | member = CN=xxxxxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
  | member = CN=xxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
  | member = CN=xxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
  | distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
  | instanceType = 4
  | whenCreated = xxxxxxx
  | whenChanged = xxxxxxxx
  | uSNCreated = xxxxxxxx
  | uSNChanged = xxxxxxx
  | name = AuthUserRole
  | objectGUID = xxxxxxxx
  | objectSid = xxxxxxxx
  | sAMAccountName = AuthUserRole
  | sAMAccountType = xxxxxxxxx
  | groupType = xxxxxxxxx
  | objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=company,DC=com
  | 
  | LDAP search completed
  | 

Please go through the configuration and other details I have mentioned and suggest where I have gone wrong. I'm fairly new to LDAP and Active Directory.

Please reply to me ASAP.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026349#4026349

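Added example, not part of the original post and not JBoss code: a small Python script that models the lookup steps LdapExtLoginModule performs (bind as bindDN, search baseCtxDN with baseFilter, then search rolesCtxDN with roleFilter) against an in-memory directory built from the DNs shown above, and that decodes the "data 525" subcode in the AD error 49 message. Active Directory puts a subcode after "data" in an error 49 comment that says why the bind failed (525 is "user not found", 52e is "invalid credentials"), and the stack trace above shows the exception raised while constructing the initial context inside createLdapInitContext, i.e. during the bind with bindDN. The script also checks whether the user and group DNs from the LDAP utility output lie under the configured baseCtxDN and rolesCtxDN, because a subtree search only finds entries below its base. The UPN App.eapp@company.com, the directory contents, the absence of escaped commas in DNs and the single-level role lookup (roleRecursion=0) are assumptions.

```python
"""Model of the LdapExtLoginModule lookup steps (added example, not JBoss code).

The in-memory DIRECTORY below is constructed from the DNs in the post; the UPN
value, the absence of escaped commas in DNs and the single-level role lookup
(roleRecursion=0) are assumptions.
"""
import re

# Subcodes Active Directory places after "data" in an error 49 comment.
AD_BIND_SUBCODES = {
    "525": "user not found (the DN or UPN presented to bind does not exist)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

USER_DN = "CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com"
GROUP_DN = ("CN=AuthUserRole,OU=Security Groups,OU=DPI,"
            "OU=IC - Applications and Computers,DC=company,DC=com")

# Constructed directory mirroring the entries shown by the LDAP utility.
DIRECTORY = {
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "name": ["AuthUserRole"],
        "member": [USER_DN],
    },
    USER_DN: {
        "objectClass": ["top", "person", "user"],
        "userPrincipalName": ["App.eapp@company.com"],  # assumed UPN
    },
}


def ad_bind_subcode(message):
    """Return (subcode, meaning) for the 'data NNN' field of an AD error 49."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)", message)
    if not m:
        return None, "no AD subcode present"
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown subcode")


def norm_dn(dn):
    """Split a DN into RDNs, trimmed and lowercased, for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under_base(dn, base):
    """True when dn is base itself or lies below it (subtree scope)."""
    d, b = norm_dn(dn), norm_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def _filter_attr(filter_expr, placeholder):
    """Accept only the simple '(attr={n})' filters used in the post."""
    m = re.fullmatch(r"\((\w+)=\{%s\}\)" % placeholder, filter_expr)
    if not m:
        raise ValueError("only (attr={%s}) filters are modelled" % placeholder)
    return m.group(1)


def find_user(directory, base_ctx, base_filter, username):
    """baseFilter step: {0} is the login name; subtree search below baseCtxDN."""
    attr = _filter_attr(base_filter, 0)
    for dn, attrs in directory.items():
        if dn_under_base(dn, base_ctx) and username in attrs.get(attr, []):
            return dn
    return None


def resolve_roles(directory, user_dn, roles_ctx, role_filter, role_name_attr):
    """roleFilter step: {1} is the user DN; collect roleNameAttributeID values."""
    attr = _filter_attr(role_filter, 1)
    wanted = norm_dn(user_dn)
    roles = []
    for dn, attrs in directory.items():
        if not dn_under_base(dn, roles_ctx):
            continue
        if wanted in (norm_dn(v) for v in attrs.get(attr, [])):
            roles.extend(attrs.get(role_name_attr, []))
    return roles


if __name__ == "__main__":
    err = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: "
           "AcceptSecurityContext error, data 525, vece ]")
    print("bind failure:", ad_bind_subcode(err))
    for base in ("cn=Users,DC=company,DC=com", "DC=company,DC=com"):
        found = find_user(DIRECTORY, base, "(userPrincipalName={0})",
                          "App.eapp@company.com")
        roles = resolve_roles(DIRECTORY, USER_DN, base, "(member={1})", "name")
        print(base, "-> user:", found, "roles:", roles)
```

Running it prints the decoded bind subcode and, for each candidate base, whether the user entry from the utility output is found below it and which role names a (member={1}) search below it returns; the same checks can be made against a live directory with any LDAP search tool before changing login-config.xml.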