[jboss-user] [Beginner's Corner] - LdapExtLoginModule Bad Password causing AD accounts to lock out

Drew Koenig do-not-reply at jboss.com
Thu Jan 3 16:13:22 EST 2013


Drew Koenig [https://community.jboss.org/people/binaryblogger] created the discussion

"LdapExtLoginModule Bad Password causing AD accounts to lock out"

To view the discussion, visit: https://community.jboss.org/message/787420#787420

--------------------------------------------------------------
I have 4 JBOSS servers all showing the same behavior. For an unknown reason, and from the user perspective it's random, the JBOSS app server will try to auth the user to AD, fail three times in about a second and lock the user's account. But once we unlock and never touch JBOSS it may be a few hours or days before it happens to the same user again. I see the lockouts happening on both the primary and secondary AD domain controllers. No matter what we try it still happens and we can't figure out why since there is no pattern or clear reason/trigger to this happening. But it happens regularly, just not to the same users.

Here's the error in the log.

2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Then I see the lockout reason:

2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1


Here's my login-config.xml for the AD connection.

<application-policy name="AppName">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
      <module-option name="java.naming.provider.url">ldap://AD-Corp-Primary.domain.com:389 ldap://AD-Corp-Secondary.domain.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">AppUserLDAP</module-option>
      <module-option name="bindCredential">hlnYulDMZaK77Cxq4VvHY</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>
      <module-option name="baseCtxDN">dc=corporate,dc=domain,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Resources,ou=Users and Groups,dc=corporate,dc=domain,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="searchTimeLimit">30000</module-option>
      <module-option name="defaultRole">HttpInvoker</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
--------------------------------------------------------------
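Added example, not code from the post or from JBoss: a small Python detector that parses the LdapExtLoginModule "Bad password" lines quoted above, reads the AD sub-code out of the LDAP error 49 message (52e is invalid credentials, 775 is account locked out) and flags users whose failures arrive faster than a person could retype a password, which is the signature to pull from all four servers' logs before correlating with the domain controllers' lockout events. Only the two log lines in the post are real; the remaining sample lines, the window and the threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "data 52e" = invalid credentials, "data 775" = account locked out (AD sub-codes of LDAP error 49).
BAD_PW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG "
                       r"\[org\.jboss\.security\.auth\.spi\.LdapExtLoginModule\] Bad password for username=(\S+)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data (\w+),")

# Constructed sample: the post's two lines plus two more 52e attempts for the same user and one unrelated failure.
SAMPLE_LOG = """\
2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2013-01-03 06:32:14,210 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2013-01-03 06:32:14,640 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]
2013-01-03 06:40:02,001 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=jdoe
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
"""

def parse_events(text):
    """Pair each 'Bad password' line with the 'data NNN' code on the exception line after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = BAD_PW_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2))
            continue
        d = DATA_RE.search(line)
        if d and pending:
            events.append((pending[0], pending[1], d.group(1)))
            pending = None
    return events

def lockout_bursts(events, threshold=3, window=timedelta(seconds=2)):
    """{user: total 52e count} for users with >= threshold 52e failures inside one window."""
    by_user = defaultdict(list)
    for ts, user, code in events:
        if code == "52e":
            by_user[user].append(ts)
    bursts = {}
    for user, stamps in by_user.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window for i in range(len(stamps) - threshold + 1)):
            bursts[user] = len(stamps)
    return bursts

def locked_users(events):
    """Users whose bind came back with 775, i.e. AD already reporting the account as locked."""
    return sorted({user for _, user, code in events if code == "775"})
```

A user who shows up in `lockout_bursts` but whose own workstation logged no interactive attempt at that time points at a stored credential on the application side (a cached session, a stale password in a client or proxy) rather than at the person.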
