[jboss-user] [Security & JAAS/JBoss] - Re: JAAS - LDAPExtLoginModule

shetty2k do-not-reply at jboss.com
Sat Jan 24 05:22:02 EST 2009


Thanks Wolfgang. The logging helped a little. Some update:
I configured JAAS Authentication and Authorization successfully using Active Directory. This is how AD is different from other LDAPs:
Two linked multivalued attributes, called member and memberOf, control group membership. The group object always holds the member attribute. The memberOf attribute is a calculated back link held on the group member object itself. As such, group membership is always managed from the group object side (the forward link) of the relationship and the back link is updated by the system automatically. That is, we can read the memberOf attribute, but we cannot modify it directly.

Here is the login-config.xml for AD:

<application-policy name="mySecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://10.200.243.34:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.principal">CN=Domainmaster,CN=Users,DC=COQA,DC=CORoot,DC=local</module-option>
            <module-option name="java.naming.security.credentials">password1</module-option>
            <module-option name="bindDN">CN=Domainmaster,CN=Users,DC=COQA,DC=CORoot,DC=local</module-option>
            <module-option name="bindCredential">password1</module-option>
            <module-option name="baseCtxDN">OU=Users,OU=City,DC=COQA,DC=CORoot,DC=local</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">CN=Builtin,DC=COQA,DC=CORoot,DC=local</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">0</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>


My LDAP is OID or OVD. This does not have a member or memberOf attribute generation. So, I created my own custom arrangement: uniquemember (default schema) and myRole (custom schema) to link to each other, based on what happens in AD. The authorization part still does not work. Following is the login-config.xml:

<application-policy name="mySecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://machine1:9389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.principal">cn=ovdadmin</module-option>
            <module-option name="java.naming.security.credentials">password1</module-option>
            <module-option name="bindDN">cn=ovdadmin</module-option>
            <module-option name="bindCredential">password1</module-option>
            <module-option name="baseCtxDN">ou=Users,dc=company,dc=com</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Groups,dc=company,dc=com</module-option>
            <module-option name="roleFilter">(uniquemember={1})</module-option>
            <module-option name="roleAttributeID">myRole</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">0</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>


Following are the logs generated (username is shetty2k, rolename is not visible):
2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler at 1e84244
2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager at 156b7c1
2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] CachePolicy set to: org.jboss.util.TimedCachePolicy at 3a1e23
2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy at 3a1e23
2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added mySecurityDomain, org.jboss.security.plugins.SecurityDomainContext at 190a284 to map
2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Begin isValid, principal:shetty2k, cache info: null
2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] defaultLogin, principal=shetty2k
2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(mySecurityDomain), size=9
2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(mySecurityDomain), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=allowEmptyPasswords, value=false
name=roleRecursion, value=0
name=java.naming.security.principal, value=cn=ovdadmin
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=rolesCtxDN, value=ou=Groups,dc=company,dc=com
name=java.naming.security.credentials, value=password1
name=debug, value=true
name=roleNameAttributeID, value=cn
name=baseFilter, value=(uid={0})
name=roleFilter, value=(uniquemember={1})
name=java.naming.security.authentication, value=simple
name=bindDN, value=cn=ovdadmin
name=bindCredential, value=password1
name=java.naming.provider.url, value=ldap://machine1:9389
name=roleAttributeID, value=myRole
name=baseCtxDN, value=ou=Users,dc=company,dc=com
name=roleAttributeIsDN, value=true
name=searchScope, value=ONELEVEL_SCOPE
name=searchTimeLimit, value=10000

2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize, instance=@8682641
2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Security domain: mySecurityDomain
2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
2009-01-23 16:41:17,437 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] User 'shetty2k' authenticated, loginOk=true
2009-01-23 16:41:17,437 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] commit, loginOk=true
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] defaultLogin, lc=javax.security.auth.login.LoginContext at ce374a, subject=Subject(9432614).principals=org.jboss.security.SimplePrincipal at 13409648(shetty2k)org.jboss.security.SimpleGroup at 24164496(Roles(members))
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] updateCache, inputSubject=Subject(9432614).principals=org.jboss.security.SimplePrincipal at 13409648(shetty2k)org.jboss.security.SimpleGroup at 24164496(Roles(members)), cacheSubject=Subject(22819146).principals=org.jboss.security.SimplePrincipal at 13409648(shetty2k)org.jboss.security.SimpleGroup at 24164496(Roles(members))
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 1a80fb8[Subject(22819146).principals=org.jboss.security.SimplePrincipal at 13409648(shetty2k)org.jboss.security.SimpleGroup at 24164496(Roles(members)),credential.class=java.lang.String at 31054905,expirationTime=1232759476468]
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] End isValid, true
2009-01-23 16:41:17,437 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
	Principal: shetty2k
	Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext at bade60{principal=shetty2k,subject=6129815}
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 1a80fb8[Subject(22819146).principals=org.jboss.security.SimplePrincipal at 13409648(shetty2k)org.jboss.security.SimpleGroup at 24164496(Roles(members)),credential.class=java.lang.String at 31054905,expirationTime=1232759476468]
2009-01-23 16:41:17,437 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext at bade60{principal=shetty2k,subject=6129815}
2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] getUserRoles, subject: Subject:
	Principal: shetty2k
	Principal: Roles(members)

Any clues?

Thanks,
shetty2k


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4204507#4204507

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4204507
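As an added illustration (not part of the post, and not JBoss's code), the following Python model replays the role search of LdapExtLoginModule against a constructed directory laid out like the OVD configuration above, so the effect of roleFilter, roleAttributeID, roleAttributeIsDN, roleNameAttributeID and searchScope can be checked without a live server. The model follows the module's behaviour as I understand it (roleRecursion fixed at 0); USER, OVD and OVD_CFG are my own names and data.

```python
# Added example (mine, not the poster's or JBoss's code): an in-memory model of how
# LdapExtLoginModule resolves role names from rolesCtxDN, roleFilter, roleAttributeID,
# roleAttributeIsDN, roleNameAttributeID and searchScope, as I understand the module
# (roleRecursion fixed at 0). Directory entries are constructed, not real data.

def norm_dn(dn):
    # Constructed DN normaliser: case-insensitive, ignores spaces around commas.
    return ",".join(p.strip() for p in dn.lower().split(","))

def get(entry, attr):
    return entry.get(attr.lower(), []) if entry else []  # attr names case-insensitive

def search(index, base, scope, attr, value):
    """DNs under base whose attr holds value: the roleFilter match with {1} = user DN."""
    base_n, hits = norm_dn(base), []
    for dn, attrs in index.items():
        if not dn.endswith("," + base_n):
            continue
        if scope == "ONELEVEL_SCOPE" and "," in dn[: -len(base_n) - 1]:
            continue  # ONELEVEL_SCOPE sees only direct children of rolesCtxDN
        if any(norm_dn(v) == norm_dn(value) for v in get(attrs, attr)):
            hits.append(dn)
    return hits

def resolve_roles(directory, cfg, user_dn):
    """Role names the module would put into the Subject's 'Roles' group."""
    index = {norm_dn(d): a for d, a in directory.items()}
    filter_attr = cfg["roleFilter"].strip("()").split("=", 1)[0]  # e.g. uniquemember
    name_attr, roles = cfg["roleNameAttributeID"], []
    for dn in search(index, cfg["rolesCtxDN"], cfg["searchScope"], filter_attr, user_dn):
        entry = index[dn]
        if cfg["roleAttributeIsDN"] != "true":
            roles += get(entry, cfg["roleAttributeID"])  # values are the role names
            continue
        roles += get(entry, name_attr)  # matched entry's own roleNameAttributeID
        for role_dn in get(entry, cfg["roleAttributeID"]):  # dereference each DN
            roles += get(index.get(norm_dn(role_dn)), name_attr)  # missing object: skipped
    return sorted(set(roles))

# Constructed directory in the post's OVD layout.
USER = "uid=shetty2k,ou=Users,dc=company,dc=com"
OVD = {
    USER: {"uid": ["shetty2k"]},
    "cn=members,ou=Groups,dc=company,dc=com": {
        "cn": ["members"], "uniquemember": [USER],
        "myrole": ["cn=staff,ou=Groups,dc=company,dc=com", "cn=gone,ou=Groups,dc=company,dc=com"]},
    "cn=staff,ou=Groups,dc=company,dc=com": {"cn": ["staff"]},
    "cn=deep,ou=App,ou=Groups,dc=company,dc=com": {"cn": ["deep"], "uniquemember": [USER]},
}
OVD_CFG = {"rolesCtxDN": "ou=Groups,dc=company,dc=com", "roleFilter": "(uniquemember={1})",
           "roleAttributeID": "myRole", "roleAttributeIsDN": "true",
           "roleNameAttributeID": "cn", "searchScope": "ONELEVEL_SCOPE"}
```

Running resolve_roles(OVD, OVD_CFG, USER) yields the matched group's own cn plus the cn of each resolvable myRole DN, while the group under ou=App stays invisible until searchScope is changed to SUBTREE_SCOPE.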
