[jboss-user] [Security & JAAS/JBoss] - Re: Active Directory and LdapExtLoginModule?
ksiva_rajesh
do-not-reply at jboss.com
Thu Mar 8 12:52:04 EST 2007
Hi,
Thanks a lot for the quick response.
I have created a Security Group in AD with the name "AuthUserRole" and assigned a few users whom I want to authenticate.
| distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
|
Yes, I'm using LdapExtLoginModule. The configuration is as given below:
| login-config.xml
| ----------------
| <?xml version='1.0'?>
| <!DOCTYPE policy PUBLIC
|   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
|   "http://www.jboss.org/j2ee/dtd/security_config.dtd">
| <policy>
|
|   <application-policy name="HMActiveDirecotry">
|     <authentication>
|       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
|         <module-option name="java.naming.provider.url">ldap://company.com:389/</module-option>
|         <module-option name="java.naming.security.authentication">simple</module-option>
|         <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
|         <module-option name="bindCredential">password</module-option>
|         <module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
|         <module-option name="baseFilter">(userPrincipalName={0})</module-option>
|         <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
|         <module-option name="roleFilter">(member={1})</module-option>
|         <module-option name="roleAttributeID">memberOf</module-option>
|         <module-option name="roleAttributeIsDN">true</module-option>
|         <module-option name="roleNameAttributeID">name</module-option>
|         <module-option name="roleRecursion">0</module-option>
|         <module-option name="defaultRole">AuthUserRole</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
| </policy>
|
The error I have received:
| Error on Console of JBoss from DEBUG level on Security Manager using log4j.xml:
| ------------------------------------------------------------------------------
|
| 11:13:56,999 DEBUG [AuthenticatorBase] Security checking request POST /ldaptest/j_security_check
| 11:13:56,999 DEBUG [FormAuthenticator] Authenticating username 'xxxxxx'
| 11:13:57,046 DEBUG [LdapExtLoginModule] Bad password for username=App.eapp
| javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece ]
| at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
| at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
| at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
| at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
| at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
| at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
| at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
| at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
| at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
| at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
| at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
| at javax.naming.InitialContext.init(InitialContext.java:223)
| at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
| at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:524)
| at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:334)
| at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
| at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
| at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
| at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
| at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
| at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
| at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
| at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
| at java.lang.Thread.run(Thread.java:595)
| 11:13:57,452 DEBUG [ApplicationDispatcher] servletPath=/login_error.jsp, pathInfo=null, queryString=null, name=null
| 11:13:57,468 DEBUG [ApplicationDispatcher] Path Based Forward
| 11:13:57,468 DEBUG [ApplicationDispatcher] Disabling the response for futher output
| 11:13:57,468 DEBUG [AuthenticatorBase] Failed authenticate() test ??/ldaptest/j_security_check
|
I'm really not sure why the LdapExtLoginModule is reporting it as "Bad password for username=App.eapp".
But when I use an LDAP utility to validate the AuthUserGroup and the user name, it works fine. The result given by the LDAP search utility is as follows:
| LDAP Utility Inputs Parameters:
|
| Host : company.com
| Port : 389
| Base DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
| Filter : (&(objectClass=*)(CN=*))
| Scope : Subtree
|
Result displayed by the LDAP Search utility:
| Enumerating attributes for DN : CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
| objectClass = top
| objectClass = group
| cn = AuthUserRole
| member = CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com
| member = CN=xxxxxxxxxx,OU=IC - Applications and Computers,DC=company,DC=com
| member = CN=xxxxxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
| member = CN=xxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
| member = CN=xxxxxxxxxx,OU=Users,OU=Application Solutions Team,OU=IC - Users,DC=company,DC=com
| distinguishedName = CN=AuthUserRole,OU=Security Groups,OU=DPI,OU=IC - Applications and Computers,DC=company,DC=com
| instanceType = 4
| whenCreated = xxxxxxx
| whenChanged = xxxxxxxx
| uSNCreated = xxxxxxxx
| uSNChanged = xxxxxxx
| name = AuthUserRole
| objectGUID = xxxxxxxx
| objectSid = xxxxxxxx
| sAMAccountName = AuthUserRole
| sAMAccountType = xxxxxxxxx
| groupType = xxxxxxxxx
| objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=company,DC=com
|
| LDAP search completed
|
Please go through the configuration and the other details I have mentioned and suggest where I have gone wrong. I'm fairly new to LDAP and Active Directory.
Please reply ASAP.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026349#4026349
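The following is an added example, not code from the original post or from JBoss. It shows, offline, the three things a practitioner would check first when LdapExtLoginModule fails against Active Directory the way the log above does: decoding the "data NNN" sub-code in the AcceptSecurityContext error (Microsoft documents 525 as "user not found", distinct from 52e, a wrong password), rendering the {0}/{1} baseFilter and roleFilter templates with RFC 4515 escaping so a username cannot rewrite the filter, and checking whether DNs seen in the directory actually fall under the configured baseCtxDN and rolesCtxDN (a subtree search rooted at cn=Users cannot return an entry under OU=IC - Applications and Computers). The sample config, DNs and error string are taken from the values quoted in the post; the DN normalisation is a deliberate simplification of RFC 4514, and the function and constant names are mine. One further caveat on the posted config: java.naming.security.authentication=simple over plain ldap:// on port 389 sends both the bindCredential and every user's password in clear text on the wire; AD accepts ldaps:// on 636 for the same simple bind.

```python
"""Offline helpers for reasoning about an LdapExtLoginModule-style login:
decode the AD bind error, render the {0}/{1} filter templates with RFC 4515
escaping, and check whether known DNs fall inside the configured search
bases. Added example; not code from the original post or from JBoss."""
import re

# Sub-codes Microsoft documents in the "data NNN" field of an
# "AcceptSecurityContext error" (LDAP result code 49, invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked out",
}

_AD_ERR_RE = re.compile(r"error code (\d+).*?data ([0-9a-fA-F]+)", re.S)


def decode_ad_bind_error(message):
    """Return {'code', 'data', 'meaning'} for an AD-style bind failure
    message, or None when the message carries no 'error code N ... data X'."""
    m = _AD_ERR_RE.search(message)
    if not m:
        return None
    code, data = int(m.group(1)), m.group(2).lower()
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(data, "unknown sub-code")
    else:
        meaning = "not a bind failure"
    return {"code": code, "data": data, "meaning": meaning}


# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, *args):
    """Substitute {0}, {1}, ... in a baseFilter/roleFilter template. Each
    argument is escaped so a username such as '*)(objectClass=*' cannot
    change the filter's structure (LDAP filter injection)."""
    return re.sub(r"\{(\d+)\}",
                  lambda m: escape_filter_value(args[int(m.group(1))]), template)


def split_dn(dn):
    """Split a DN into normalised RDN strings. Types and values are
    lower-cased (AD compares DNs case-insensitively) and whitespace around
    separators is dropped. Handles an escaped comma but not the full
    RFC 4514 grammar; sufficient for the DNs quoted in this thread."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if rdn:
            typ, _, val = rdn.partition("=")
            out.append("%s=%s" % (typ.strip().lower(), val.strip().lower()))
    return out


def dn_under_base(dn, base):
    """True if dn is base itself or lies beneath it, i.e. a SUBTREE search
    rooted at base can return it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def check_scoping(config, user_dn, group_dn):
    """Compare a login-config against DNs observed in the directory and
    return a list of scoping problems (an empty list means none found)."""
    findings = []
    if not dn_under_base(user_dn, config["baseCtxDN"]):
        findings.append("user %s is outside baseCtxDN %s" % (user_dn, config["baseCtxDN"]))
    if not dn_under_base(group_dn, config["rolesCtxDN"]):
        findings.append("group %s is outside rolesCtxDN %s" % (group_dn, config["rolesCtxDN"]))
    return findings


# Sample input constructed from the values quoted in the post above.
POSTED_CONFIG = {
    "baseCtxDN": "cn=Users,DC=company,DC=com",
    "baseFilter": "(userPrincipalName={0})",
    "rolesCtxDN": "cn=Users,DC=company,DC=com",
    "roleFilter": "(member={1})",
}
POSTED_USER_DN = "CN=App.eapp,OU=IC - Applications and Computers,DC=company,DC=com"
POSTED_GROUP_DN = ("CN=AuthUserRole,OU=Security Groups,OU=DPI,"
                   "OU=IC - Applications and Computers,DC=company,DC=com")
POSTED_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
                "comment: AcceptSecurityContext error, data 525, vece ]")

if __name__ == "__main__":
    print(decode_ad_bind_error(POSTED_ERROR))
    print(render_filter(POSTED_CONFIG["baseFilter"], "app.eapp@company.com"))
    print(render_filter(POSTED_CONFIG["roleFilter"], "unused", POSTED_USER_DN))
    for finding in check_scoping(POSTED_CONFIG, POSTED_USER_DN, POSTED_GROUP_DN):
        print("finding:", finding)
```

Run it as-is and it reports the 525 sub-code as "user not found" and two scoping findings for the posted values; swap in your own config and a DN copied from an ldapsearch of the affected user to repeat the check against a different directory layout.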