guillaume cornet created SECURITY-712:
-----------------------------------------
Summary: Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module
Key: SECURITY-712
URL: https://issues.jboss.org/browse/SECURITY-712
Project: PicketBox
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: PicketBox_v4_0_9.Final
Environment: RHEL 6.3
Reporter: guillaume cornet
Assignee: Anil Saldhana
When using the LdapRolesMappingProvider mapping-module, I don't want to put the
bindCredential/password in clear in the configuration file.
So I'm trying to use the vault, this way:
<mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
    <module-option name="java.naming.provider.url" value="ldap://192.168.122.101:389" />
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <module-option name="java.naming.security.authentication" value="simple" />
    <module-option name="bindDN" value="CN=Administrator,CN=users,DC=cloud,DC=local" />
    <module-option name="bindCredential" value="${VAULT::AD::addspass::YTgyMDI0ZjUtOWQwZi00MWZlLTkzMjMtMTM0YzRjZTY3ZWZmTElORV9CUkVBS3ZhdWx0}" />
    <module-option name="rolesCtxDN" value="CN=users,DC=cloud,DC=local" />
    <module-option name="roleFilter" value="(userPrincipalName={0})" />
    <module-option name="roleAttributeID" value="memberOf" />
    <module-option name="roleNameAttributeID" value="CN" />
    <module-option name="roleAttributeIsDN" value="true" />
    <module-option name="parseRoleNameFromDN" value="false" />
    <module-option name="roleRecursion" value="0" />
    <module-option name="searchScope" value="ONELEVEL_SCOPE" />
</mapping-module>
Unfortunately, with this configuration, I cannot connect anymore to my Active Directory
Directory Service.
I get the following error message in the JBoss log:
14:59:35,019 ERROR [org.jboss.security.mapping.providers.role.LdapRolesMappingProvider] (http-/0.0.0.0:8080-1) Error connecting to LDAP server: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_09-icedtea]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_09-icedtea]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_09-icedtea]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_09-icedtea]
    at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_09-icedtea]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_09-icedtea]
    at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.constructInitialLdapContext(LdapRolesMappingProvider.java:256)
    at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:192)
    at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:53)
    at org.jboss.security.mapping.MappingContext.performMapping(MappingContext.java:54)
    at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:397)
    at org.jboss.security.plugins.JBossAuthorizationManager.getSubjectRoles(JBossAuthorizationManager.java:324)
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:230)
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931)
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]
I did some remote debugging and I believe that the vault expression is not resolved:
package org.jboss.security.mapping.providers.role, class LdapRolesMappingProvider, method
init(Map<String, Object> options).
This method doesn't perform any variable expansion nor vault expansion.
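The expansion the reporter expects init(Map<String, Object>) to perform, written here as an added Java example that is not PicketBox code: it resolves a whole-value ${VAULT::block::attribute::sharedKey} reference through a vault lookup and ${property} / ${property:default} references through system properties, fails closed when a reference cannot be resolved (passing the literal "${VAULT::...}" string to the LDAP bind is exactly what yields the error 49 / data 52e above), and keeps the resolved bindCredential out of anything that is printed or logged. The VaultLookup interface, the in-memory vault contents and the shared-key placeholder are assumptions; in PicketBox the lookup would delegate to the configured security vault.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Resolves ${...} expressions in mapping-module option values before they are used.
 * Added example, not PicketBox code. Two forms are handled:
 *   ${VAULT::block::attribute::sharedKey}            -> looked up in the vault
 *   ${system.property} / ${system.property:default}  -> System.getProperty
 */
public class ModuleOptionResolver {

    /** Assumed stand-in for the real vault: returns the secret for block/attribute, or null. */
    public interface VaultLookup {
        char[] lookup(String block, String attribute);
    }

    // A vault reference must be the whole option value, never embedded in a larger string.
    private static final Pattern VAULT_EXPR =
        Pattern.compile("^\\$\\{VAULT::([^:}]+)::([^:}]+)::([^}]+)\\}$");
    // ${name} or ${name:default}, possibly several per value.
    private static final Pattern PROPERTY_EXPR =
        Pattern.compile("\\$\\{([^}:]+)(?::([^}]*))?\\}");

    private final VaultLookup vault;

    public ModuleOptionResolver(VaultLookup vault) {
        this.vault = vault;
    }

    /** True when the value is a vault reference; such a value must not be used or logged verbatim. */
    public static boolean isVaultFormat(String value) {
        return value != null && VAULT_EXPR.matcher(value).matches();
    }

    /** Resolve one option value, failing closed on anything that cannot be resolved. */
    public String resolve(String value) {
        if (value == null) {
            return null;
        }
        Matcher vm = VAULT_EXPR.matcher(value);
        if (vm.matches()) {
            char[] secret = vault.lookup(vm.group(1), vm.group(2));
            if (secret == null) {
                // Refuse rather than bind with the literal "${VAULT::...}" string.
                throw new IllegalStateException("vault entry " + vm.group(1) + "::" + vm.group(2) + " not found");
            }
            return new String(secret);
        }
        Matcher pm = PROPERTY_EXPR.matcher(value);
        StringBuffer out = new StringBuffer();
        while (pm.find()) {
            String prop = System.getProperty(pm.group(1), pm.group(2));
            if (prop == null) {
                throw new IllegalStateException("system property " + pm.group(1) + " is not set and has no default");
            }
            pm.appendReplacement(out, Matcher.quoteReplacement(prop));
        }
        pm.appendTail(out);
        return out.toString();
    }

    /** Resolve every String option, as an init(Map) implementation would before touching LDAP. */
    public Map<String, Object> resolveAll(Map<String, Object> options) {
        Map<String, Object> resolved = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : options.entrySet()) {
            Object v = e.getValue();
            resolved.put(e.getKey(), v instanceof String ? resolve((String) v) : v);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed vault content; block and attribute mirror the reporter's ${VAULT::AD::addspass::...} reference.
        Map<String, char[]> store = new HashMap<>();
        store.put("AD::addspass", "constructed-secret".toCharArray());
        VaultLookup vault = (block, attr) -> store.get(block + "::" + attr);

        System.setProperty("ad.host", "192.168.122.101");

        Map<String, Object> options = new LinkedHashMap<>();
        options.put("java.naming.provider.url", "ldap://${ad.host}:${ad.port:389}");
        options.put("bindDN", "CN=Administrator,CN=users,DC=cloud,DC=local");
        options.put("bindCredential", "${VAULT::AD::addspass::SHARED-KEY-PLACEHOLDER}");

        Map<String, Object> resolved = new ModuleOptionResolver(vault).resolveAll(options);
        // Everything except the credential may be shown; the secret stays out of logs.
        for (Map.Entry<String, Object> e : resolved.entrySet()) {
            String shown = "bindCredential".equals(e.getKey()) ? "****" : String.valueOf(e.getValue());
            System.out.println(e.getKey() + " = " + shown);
        }
    }
}
```

The provider URL resolves to ldap://192.168.122.101:389 as in the reporter's configuration, and the bind credential comes from the vault stand-in instead of the literal expression. Throwing on an unresolved reference is the deliberate choice: a mapping module that silently binds with "${VAULT::...}" produces the same authentication failure seen in the log, only without a message that points at the real cause.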
--
This message is automatically generated by JIRA.