Hi all,
the problem I want to describe has existed for a long time and I have had no idea
how to fix it.
My job was to create LDAP-based authentication for a JEE project with
'LdapExtLoginModule', so I used the page
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule to get some information about
this module.
Then I set up an OpenLDAP server on my vServer:
  suffix "dc=jonischkat,dc=de"
  rootdn "cn=root,dc=jonischkat,dc=de"
  rootpw XXXmyPasswordXXX
I populated the server with these entries (note: capsys-user is the authenticated
security role):
The application policy in 'login-config.xml' looks like this:
  <application-policy name="testLDAP">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://my.vserver.ip.address/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <!--<module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,dc=tjhome,dc=de</module-option>-->
        <module-option name="bindDN">cn=root,dc=jonischkat,dc=de</module-option>
        <module-option name="bindCredential">XXXmyPasswordXXX</module-option>
        <module-option name="baseCtxDN">ou=People,dc=jonischkat,dc=de</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=Roles,dc=jonischkat,dc=de</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <!--<module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>-->
      </login-module>
    </authentication>
  </application-policy>

When accessing the webapp, I typed the credentials username 'tjonisch' and
password 'XXXpasswordOfTjonischInLdapEntryXXX', but the dialog popped up a second
time.
The log file of the LDAP server said:
  Jun 5 14:46:53 uhweb25094 slapd[28244]: daemon: read active on 11
  Jun 5 14:46:53 uhweb25094 slapd[28244]: connection_get(11): got connid=1
  Jun 5 14:46:53 uhweb25094 slapd[28244]: connection_read(11): checking for input on id=1
  Jun 5 14:46:53 uhweb25094 slapd[28244]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
  Jun 5 14:46:53 uhweb25094 slapd[28244]: do_bind
  Jun 5 14:46:53 uhweb25094 slapd[28244]: >>> dnPrettyNormal: <tjonisch>
  Jun 5 14:46:53 uhweb25094 slapd[28244]: bind: invalid dn (tjonisch)
  Jun 5 14:46:53 uhweb25094 slapd[28244]: send_ldap_result: conn=1 op=0 p=3
  Jun 5 14:46:53 uhweb25094 slapd[28244]: send_ldap_response: msgid=1 tag=97 err=34
  Jun 5 14:46:53 uhweb25094 slapd[28244]: conn=1 op=0 RESULT tag=97 err=34 text=invalid DN
  Jun 5 14:46:53 uhweb25094 slapd[28244]: daemon: activity on 1 descriptor
  Jun 5 14:46:53 uhweb25094 slapd[28244]: daemon: activity on:
  Jun 5 14:46:53 uhweb25094 slapd[28244]: 11r
So JBoss tried to bind with the credentials given by the user, not with 'bindDN'
and 'bindCredential' from the config file.
It would be really cool if someone had an idea of how to fix this problem.
Greetings from Germany
Tim J.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4053970#...
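For comparison, this is the same policy wired to LdapExtLoginModule, the module the poster set out to use; it is an added example, not code from the post or from JBoss. The posted policy's code attribute names the plain LdapLoginModule, which binds as principalDNPrefix + username + principalDNSuffix and ignores bindDN/bindCredential, so with the prefix and suffix commented out the bind DN is the bare string tjonisch, which is exactly the err=34 invalid DN in the slapd log. The search account cn=ldapsearch,dc=jonischkat,dc=de, its placeholder password and roleRecursion=0 are assumptions.

```xml
<application-policy name="testLDAP">
  <authentication>
    <!-- LdapExtLoginModule: binds as bindDN to look the user up under baseCtxDN,
         then re-binds as the DN it found to verify the user's password -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                  flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://my.vserver.ip.address/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- Assumed search-only account instead of the posted rootdn: the search bind
           needs read access to ou=People and ou=Roles, nothing more -->
      <module-option name="bindDN">cn=ldapsearch,dc=jonischkat,dc=de</module-option>
      <module-option name="bindCredential">XXXsearchAccountPasswordXXX</module-option>
      <module-option name="baseCtxDN">ou=People,dc=jonischkat,dc=de</module-option>
      <!-- {0} is the login name typed into the dialog -->
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=jonischkat,dc=de</module-option>
      <!-- {1} is the DN returned by baseFilter, so member must hold full DNs -->
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <!-- 0 disables nested-group lookup (assumed sufficient for flat roles) -->
      <module-option name="roleRecursion">0</module-option>
    </login-module>
  </authentication>
</application-policy>
```

After the change the slapd log should show the first bind as the bindDN, a search under ou=People, and only then a second bind as the DN that search returned; if the search account cannot read ou=Roles, the password check will still pass but the principal will carry no roles.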