[jboss-user] [Security & JAAS/JBoss] - Re: JBOSS Negotiate using AdvancedLdapLoginModule throws bin
dufferdo25
do-not-reply at jboss.com
Thu Jul 2 12:07:47 EDT 2009
OK I solved the bind issue by setting a value in adsiedit dcHeuristics 0000002 which allows anonymous access to read or list AD. I would have thought that the UPN would be reading the AD and not an anonymous conn.
I now have a new error:
2009-07-02 15:56:29,763 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) Obtained LdapContext
| 2009-07-02 15:56:29,768 INFO [STDOUT] (http-0.0.0.0-8080-1) [Krb5LoginModule]: Entering logout
| 2009-07-02 15:56:29,768 INFO [STDOUT] (http-0.0.0.0-8080-1) [Krb5LoginModule]: logged out Subject
| 2009-07-02 15:56:29,768 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8080-1) abort
| 2009-07-02 15:56:29,768 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) abort
| 2009-07-02 15:56:29,768 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8080-1) Login failure
| javax.security.auth.login.LoginException: Unable to find user DN
| at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:528)
| at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:343)
| at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:734)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.Subject.doAs(Unknown Source)
| at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:279)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
| at java.lang.reflect.Method.invoke(Unknown Source)
| at javax.security.auth.login.LoginContext.invoke(Unknown Source)
| at javax.security.auth.login.LoginContext.access$000(Unknown Source)
| at javax.security.auth.login.LoginContext$4.run(Unknown Source)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
| at javax.security.auth.login.LoginContext.login(Unknown Source)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
| at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
| at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
| at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
| at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
| at java.lang.Thread.run(Unknown Source)
| Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, b
| est match of:
| 'DC=base,DC=myco,DC=com'
| ]; remaining name 'OU=Clients,DC=base,DC=myco,DC=com'
| at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
| at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
| at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
| at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
| at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
| at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
| at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
| at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
| at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
| at javax.naming.directory.InitialDirContext.search(Unknown Source)
| at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:505)
| ... 34 more
|
In the logs I see that I get an Identity
| TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] (http-0.0.0.0-8080-1) Identity - test01 at BASE.MYCO.COM
|
I am using the nested config:
| <application-policy name="SPNEGO">
| <authentication>
| <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
| <module-option name="password-stacking">useFirstPass</module-option>
| <module-option name="serverSecurityDomain">host</module-option>
| </login-module>
|
| <login-module code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule" flag="required">
| <module-option name="password-stacking">useFirstPass</module-option>
| <module-option name="bindAuthentication">GSSAPI</module-option>
| <module-option name="jaasSecurityDomain">host</module-option>
| <module-option name="java.naming.provider.url">ldap://dc.base.myco.com:389</module-option>
| <module-option name="baseCtxDN">CN=Clients,DC=base,DC=myco,DC=com</module-option>
| <module-option name="baseFilter">(userPrincipalName={0})</module-option>
| <module-option name="roleAttributeID">memberOf</module-option>
| <module-option name="roleAttributeIsDN">true</module-option>
| <module-option name="roleNameAttributeID">cn</module-option>
| <module-option name="recurseRoles">true</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
Anybody see anything wrong? I tried CN=Clients and CN=Users I also left out the CN to do a full search of the entire domain. Still no luck.
Thanks!
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4241544#4241544
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4241544
More information about the jboss-user
mailing list