[JBoss JIRA] (WFCORE-3041) Cannot add policy resource with no parameter
by Michal Petrov (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3041?page=com.atlassian.jira.plugi... ]
Michal Petrov commented on WFCORE-3041:
---------------------------------------
[~dlofthouse], from what I can see {{default-policy}} should be a required attribute, currently I can simply undefine it and that breaks the subsystem. And given that there can only be one {{<policy>}} in the configuration it should be a singleton resource. Would there be an issue with changing this? It kinda goes against WFCORE-3137 and the way {{default-policy}} is handled.
> Cannot add policy resource with no parameter
> --------------------------------------------
>
> Key: WFCORE-3041
> URL: https://issues.jboss.org/browse/WFCORE-3041
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Claudio Miranda
> Assignee: Michal Petrov
>
> subsystem=elytron/policy resources has no required attributes, but it fails to add a resource with no parameters.
> {code}
> /profile=full/subsystem=elytron/policy=policy_test:add
> {
> "outcome" => "failed",
> "result" => undefined,
> "failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {"server-one" => "Could find policy provider with name [policy_test]"}}}}}},
> "rolled-back" => true,
> "server-groups" => {"main-server-group" => {"host" => {"master" => {"server-one" => {"response" => {
> "outcome" => "failed",
> "failure-description" => "Could find policy provider with name [policy_test]",
> "rolled-back" => true
> }}}}}}
> }
> {code}
> To add is necessary to inform either custom-policy or jacc-policy
> {code}
> /profile=full/subsystem=elytron/policy=policy2:add(jacc-policy=[{name=policy2}])
> {
> "outcome" => "success",
> "result" => undefined,
> "server-groups" => {"main-server-group" => {"host" => {"master" => {"server-one" => {"response" => {
> "outcome" => "success",
> "response-headers" => {
> "operation-requires-reload" => true,
> "process-state" => "reload-required"
> }
> }}}}}}
> }
> {code}
> There is also a problem related to "default-policy" being set to a non existent policy.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (ELY-1395) Incorrect type on <set-port /> element within authentication-configuration-type
by Darran Lofthouse (JIRA)
Darran Lofthouse created ELY-1395:
-------------------------------------
Summary: Incorrect type on <set-port /> element within authentication-configuration-type
Key: ELY-1395
URL: https://issues.jboss.org/browse/ELY-1395
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Client
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 1.2.0.Beta6
Presently it is defined as: -
{code}
<xsd:element name="set-port" type="port-number-simple-type" minOccurs="0"/>
{code}
It should be 'port-number-type' i.e.
{code}
<xsd:complexType name="port-number-type">
<xsd:attribute name="number" type="port-number-simple-type" use="required"/>
</xsd:complexType>
<xsd:simpleType name="port-number-simple-type">
<xsd:restriction base="xsd:positiveInteger">
<xsd:minInclusive value="1"/>
<xsd:maxInclusive value="65535"/>
</xsd:restriction>
</xsd:simpleType>
{code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (WFLY-9427) JDBC_PING gets a NameNotFoundException when using jndi resource
by Alessandro Moscatelli (JIRA)
[ https://issues.jboss.org/browse/WFLY-9427?page=com.atlassian.jira.plugin.... ]
Alessandro Moscatelli commented on WFLY-9427:
---------------------------------------------
This is the last configuration I am now using :
<stack name="jdbc">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<jdbc-protocol type="JDBC_PING" data-source="db_optoplus"/>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2"/>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
Always the same error (with the datasource bound just after that) :
[0m[31m16:38:34,933 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Could not lookup datasource java:/jdbc/db_optoplus
at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Could not lookup datasource java:/jdbc/db_optoplus
at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:869)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:106)
at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
... 5 more
Caused by: java.lang.IllegalArgumentException: Could not lookup datasource java:/jdbc/db_optoplus
at org.jgroups.protocols.JDBC_PING.getDataSourceFromJNDI(JDBC_PING.java:436)
at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:129)
at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:861)
at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:480)
at org.jgroups.JChannel.init(JChannel.java:852)
at org.jgroups.JChannel.<init>(JChannel.java:159)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:100)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:867)
... 7 more
Caused by: javax.naming.NameNotFoundException: jdbc/db_optoplus [Root exception is java.lang.IllegalStateException]
at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:235)
at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at org.jgroups.protocols.JDBC_PING.getDataSourceFromJNDI(JDBC_PING.java:423)
... 15 more
Caused by: java.lang.IllegalStateException
at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:142)
at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
... 23 more
[0m[0m16:38:34,969 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:/jdbc/db_optoplus]
[0m[0m16:38:34,970 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> JDBC_PING gets a NameNotFoundException when using jndi resource
> ---------------------------------------------------------------
>
> Key: WFLY-9427
> URL: https://issues.jboss.org/browse/WFLY-9427
> Project: WildFly
> Issue Type: Bug
> Components: Clustering
> Affects Versions: 11.0.0.CR1
> Reporter: Alessandro Moscatelli
> Assignee: Radoslav Husar
> Fix For: 11.0.0.Final
>
>
> JDBC_PING if configured with jndi resources will cause :
> IllegalArgumentException: Could not lookup datasource
> NameNotFoundException
> IllegalStateException
> The same jndi resource is correctly found and used by a deployed application.
> It seems the jndi resouce is not ready, yet, when JGROUPS needs it.
> {quote}2017-10-09 17:32:48,695 INFO [org.jboss.modules] (main) JBoss Modules version 1.6.0.Final
> 2017-10-09 17:32:49,479 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
> 2017-10-09 17:32:49,724 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: {color:#14892c}WildFly Full 11.0.0.CR1{color} (WildFly Core 3.0.1.Final) starting
> 2017-10-09 17:32:54,695 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-i
> nterface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 2017-10-09 17:32:54,758 INFO [org.wildfly.security] (ServerService Thread Pool -- 10) ELY00001: WildFly Elytron version 1.1.1.Final
> 2017-10-09 17:32:54,824 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 33) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=d
> efault-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecat
> ion.
> 2017-10-09 17:32:54,891 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'socket-binding' in the resource at address '/subsystem=jgroups/stack=jdbc
> /protocol=FD_SOCK' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 2017-10-09 17:32:55,665 INFO [org.jboss.as.repository] (ServerService Thread Pool -- 27) WFLYDR0001: Content added at location /opt/wildfly/standalone/data/content/93/8e4c4a161a44fd84a305161a786cc43453d82b/c
> ontent
> 2017-10-09 17:32:55,727 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 2017-10-09 17:32:55,803 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.5.1.Final
> 2017-10-09 17:32:55,829 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.5.1.Final
> 2017-10-09 17:32:55,952 INFO [org.jboss.as.security] (ServerService Thread Pool -- 68) WFLYSEC0002: Activating Security Subsystem
> 2017-10-09 17:32:55,985 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 61) WFLYNAM0001: Activating Naming Subsystem
> 2017-10-09 17:32:56,008 INFO [org.wildfly.iiop.openjdk] (ServerService Thread Pool -- 49) WFLYIIOP0001: Activating IIOP Subsystem
> 2017-10-09 17:32:56,011 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 53) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 3.6.13
> 2017-10-09 17:32:56,017 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 72) WFLYWS0002: Activating WebServices Extension
> 2017-10-09 17:32:55,948 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 70) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for en
> vironments running multiple servers. Please make sure the attribute value is unique.
> 2017-10-09 17:32:55,965 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 56) WFLYJSF0007: Activated the following JSF Implementations: [main]
> 2017-10-09 17:32:56,029 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0001: Activating Infinispan subsystem.
> 2017-10-09 17:32:55,980 INFO [org.jboss.as.jaxrs] (ServerService Thread Pool -- 50) WFLYRS0016: RESTEasy version 3.0.24.Final
> 2017-10-09 17:32:56,063 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 47) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available proc
> essors
> 2017-10-09 17:32:56,350 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.0.Final
> 2017-10-09 17:32:56,456 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0003: Undertow 1.4.18.Final starting
> 2017-10-09 17:32:56,489 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=5.0.2.Final
> 2017-10-09 17:32:56,552 INFO [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.4.6.Final)
> 2017-10-09 17:32:56,806 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 42) WFLYJCA0004: Deploying JDBC-compliant driver class oracle.jdbc.OracleDriver (version 12.1)
> 2017-10-09 17:32:56,794 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> 2017-10-09 17:32:56,844 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> 2017-10-09 17:32:56,935 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 42) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.cj.jdbc.Driver (version 6.0)
> 2017-10-09 17:32:56,962 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 42) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)
> 2017-10-09 17:32:57,452 INFO [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 4 (per class), which is derived from the number of CPUs
> on this host.
> 2017-10-09 17:32:57,467 INFO [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 16 (per class), which is derived from thread worker poo
> l sizing.
> 2017-10-09 17:32:57,556 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 71) WFLYUT0014: Creating file handler for path '/opt/wildfly/welcome-content' with options [directory-listing: 'fal
> se', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
> 2017-10-09 17:32:57,732 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = oracle
> 2017-10-09 17:32:58,002 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = mysql
> 2017-10-09 17:32:58,020 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
> 2017-10-09 17:32:59,265 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.
> 2017-10-09 17:32:59,495 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting
> 2017-10-09 17:32:59,609 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8180
> 2017-10-09 17:32:59,623 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on 0.0.0.0:8109
> 2017-10-09 17:32:59,682 INFO [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: WildFly Full cumulative patch ID is: base, one-off patches include: none
> 2017-10-09 17:32:59,703 INFO [org.wildfly.iiop.openjdk] (MSC service thread 1-1) WFLYIIOP0009: CORBA ORB Service started
> 2017-10-09 17:32:59,716 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 74) MODCLUSTER000001: Initializing mod_cluster version 1.3.7.Final
> 2017-10-09 17:32:59,738 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 74) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> 2017-10-09 17:32:59,749 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/wildfly/standalone/configuration/application.keystore not found, it will be auto gene
> rated on first use with a self signed certificate for host localhost
> 2017-10-09 17:32:59,775 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/wildfly/standalone/deployments
> 2017-10-09 17:32:59,801 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "OptoPlusServices-ear-1.0.0.ear" (runtime-name: "OptoPlusServices-ear-1.0.0.ear")
> 2017-10-09 17:32:59,825 INFO [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0493: EJB subsystem suspension complete
> 2017-10-09 17:33:00,546 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8543
> 2017-10-09 17:33:01,121 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 74) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException
> in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalArgumentException: Could not lookup datasource java:/jdbc/db_optoplus
> at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:104)
> at org.wildfly.clustering.service.AsynchronousServiceBuilder.lambda$start$0(AsynchronousServiceBuilder.java:99)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.IllegalArgumentException: Could not lookup datasource java:/jdbc/db_optoplus
> at org.jgroups.protocols.JDBC_PING.getDataSourceFromJNDI(JDBC_PING.java:436)
> at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:129)
> at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:861)
> at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:831)
> at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:108)
> at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:102)
> ... 5 more
> Caused by: {color:#d04437}javax.naming.NameNotFoundException: jdbc/db_optoplus [Root exception is java.lang.IllegalStateException]
> {color} at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
> at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
> at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
> at javax.naming.InitialContext.lookup(InitialContext.java:417)
> at javax.naming.InitialContext.lookup(InitialContext.java:417)
> at org.jgroups.protocols.JDBC_PING.getDataSourceFromJNDI(JDBC_PING.java:423)
> ... 10 more
> Caused by: java.lang.IllegalStateException
> at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
> at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:142)
> at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
> at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
> at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
> ... 18 more
> 2017-10-09 17:33:01,294 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.9.Final (Apache CXF 3.1.12)
> 2017-10-09 17:33:01,303 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 2017-10-09 17:33:01,304 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: {color:#d04437}Bound data source [java:/jdbc/db_optoplus{color}]
> {quote}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (SECURITY-980) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/SECURITY-980?page=com.atlassian.jira.plug... ]
Jiri Ondrusek closed SECURITY-980.
----------------------------------
Resolution: Duplicate Issue
Duplicate of https://issues.jboss.org/browse/SECURITY-979
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-980
> URL: https://issues.jboss.org/browse/SECURITY-980
> Project: PicketBox
> Issue Type: Bug
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (SECURITY-980) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/SECURITY-980?page=com.atlassian.jira.plug... ]
Jiri Ondrusek moved WFLY-9429 to SECURITY-980:
----------------------------------------------
Project: PicketBox (was: WildFly)
Key: SECURITY-980 (was: WFLY-9429)
Workflow: classic default workflow (was: GIT Pull Request workflow )
Component/s: (was: Security)
Affects Version/s: (was: 11.0.0.Final)
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-980
> URL: https://issues.jboss.org/browse/SECURITY-980
> Project: PicketBox
> Issue Type: Bug
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (WFLY-9429) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-9429?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse commented on WFLY-9429:
----------------------------------------
This issue should really be moved over to the PicketBox project in Jira, as a component pulled into WildFly the PicketBox issues don't need to be duplicated within the WFLY project.
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: WFLY-9429
> URL: https://issues.jboss.org/browse/WFLY-9429
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Final
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (WFLY-9429) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/WFLY-9429?page=com.atlassian.jira.plugin.... ]
Jiri Ondrusek moved JBEAP-13443 to WFLY-9429:
---------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-9429 (was: JBEAP-13443)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 11.0.0.Final
(was: 7.0.0.ER4)
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: WFLY-9429
> URL: https://issues.jboss.org/browse/WFLY-9429
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Final
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (SECURITY-979) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/SECURITY-979?page=com.atlassian.jira.plug... ]
Jiri Ondrusek updated SECURITY-979:
-----------------------------------
Git Pull Request: https://github.com/picketbox/picketbox/pull/73
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-979
> URL: https://issues.jboss.org/browse/SECURITY-979
> Project: PicketBox
> Issue Type: Bug
> Affects Versions: PicketBox_5_0_2.Final
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months
[JBoss JIRA] (SECURITY-979) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/SECURITY-979?page=com.atlassian.jira.plug... ]
Jiri Ondrusek moved JBEAP-13442 to SECURITY-979:
------------------------------------------------
Project: PicketBox (was: JBoss Enterprise Application Platform)
Key: SECURITY-979 (was: JBEAP-13442)
Workflow: classic default workflow (was: CDW with loose statuses v1)
Component/s: (was: Security)
Affects Version/s: PicketBox_5_0_2.Final
(was: 7.0.0.ER4)
> Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-979
> URL: https://issues.jboss.org/browse/SECURITY-979
> Project: PicketBox
> Issue Type: Bug
> Affects Versions: PicketBox_5_0_2.Final
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP LdapExtLoginModule is configured:
> {code:xml}
> <security-domain name="LdapExtReferrals">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
> <module-option name="bindDN" value="BIND_DN"/>
> <module-option name="bindCredential" value="PASSWORD"/>
> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(CN={0})"/>
> <module-option name="roleAttributeID" value="description"/>
> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="java.naming.referral" value="follow"/>
> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(CN={0})"/>
> <module-option name="roleNameAttributeID" value="CN"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 9 months