[jboss-jira] [JBoss JIRA] Reopened: (JBAS-2681) Add real support for password-stacking (useFirstPass) in LDAPExtLoginModule
Andrew Oliver (JIRA)
jira-events at lists.jboss.org
Tue Dec 1 17:37:30 EST 2009
[ https://jira.jboss.org/jira/browse/JBAS-2681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Oliver reopened JBAS-2681:
---------------------------------
Assignee: Andrew Oliver
There were configs of LdapExtLoginModule that didn't require binding in stacking. Attached is a patch that restores that and adds other features useful for using client certificates with Active Directory (oddly, Microsoft's certificates have DNs that don't match AD).
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional" >
<module-option name="java.naming.provider.url">ldap://REDACTED-servername:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=REDACTED-username,OU=Standard,OU=Users,OU=Corporate,DC=REDACTED-company,DC=REDACTED-sub,DC=com</module-option>
<module-option name="bindCredential">REDACTED-password</module-option>
<module-option name="removePrincipalElements">EMAILADDRESS</module-option>
<module-option name="rolesCtxDN">OU=REDACTED-base,OU=Standard,OU=Groups,OU=Corporate,DC=REDACTED-company,DC=REDACTED-sub,DC=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">CN</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="authorizeOnly">true</module-option>
<module-option name="principalIsDN">true</module-option>
</login-module>
THIS PATCH ADDS:
principalIsDN - says that the passed-in password (generally from the stack) is an actual DN, not a username.
authorizeOnly - don't bind as the user, bind only as the bindDN.
removePrincipalElements - also requires principalIsDN. If the principal is a DN but contains elements that are NOT part of LDAP, then we remove those parts (i.e. Microsoft certificate server prefixes "EMAILADDRESS=user at company.com," to the principal in the certificate, but it ISN'T part of the user's DN in Active Directory). This is a comma-delimited list of just the keys, but both the key and value are removed from the principal (which is really a DN, as specified).
The total config for MS client certs with LdapExt against Active Directory would be:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="optional">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/jmx-console</module-option>
      <!-- anything signed that Tomcat likes, we like too and thus you're authenticated -->
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
      <module-option name="java.naming.provider.url">ldap://REDACTED-servername:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">CN=REDACTED-username,OU=Standard,OU=Users,OU=Corporate,DC=REDACTED-company,DC=REDACTED-sub,DC=com</module-option>
      <module-option name="bindCredential">REDACTED-password</module-option>
      <module-option name="removePrincipalElements">EMAILADDRESS</module-option>
      <module-option name="rolesCtxDN">OU=REDACTED-base,OU=Standard,OU=Groups,OU=Corporate,DC=REDACTED-company,DC=REDACTED-sub,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">CN</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="authorizeOnly">true</module-option>
      <module-option name="principalIsDN">true</module-option>
    </login-module>
  </authentication>
</application-policy>
with conf/jboss-service.xml having:
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=SecurityDomain">
  <constructor>
    <arg type="java.lang.String" value="jmx-console"></arg>
  </constructor>
  <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/mystore.keystore</attribute>
  <attribute name="KeyStorePass">changeit</attribute>
  <depends>jboss.security:service=JaasSecurityManager</depends>
</mbean>
and Tomcat having:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${jboss.server.home.dir}/conf/mystore.keystore"
           truststoreFile="${jboss.server.home.dir}/conf/mystore.keystore"
           clientAuth="true" sslProtocol="TLS" />
Thus you have MS client-cert authentication and Active Directory auth via LDAP. A dedicated LDAP user is used for the bind (not the same as the userid).
This version is against 4.3. After it is discussed in the forum I'll commit against the active branch.
> Add real support for password-stacking (useFirstPass) in LDAPExtLoginModule
> ---------------------------------------------------------------------------
>
> Key: JBAS-2681
> URL: https://jira.jboss.org/jira/browse/JBAS-2681
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.3 SP1
> Environment: All
> Reporter: Didier Kreutter
> Assignee: Andrew Oliver
> Attachments: LDAPAuth.patch, ldapextpatch
>
>
> It would be nice if we could use the "useFirstPass" option of this login module, like it can be done with the DatabaseServerLoginModule.
> With the construct of the LDAPExtLoginModule, it is not possible to use the LDAP directory to search for roles without having to validate the password, if this has been done by a preceding LoginModule (DB or SSO).
> I think the problem is in the fact that the effective role search is done in the overridden "validatePassword" function... which will never be called when the "useFirstPass" option is set. Is it possible to fill the roles in the getRoleSets() function?
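The removePrincipalElements option described in the comment above strips named RDN components (here EMAILADDRESS) from a certificate subject before it is used as the LDAP principal DN. The following is an added example, not the patch's own code, of how that stripping has to be done to be safe: a plain split on "," is wrong because subject DNs may contain escaped commas ("CN=Doe\, John") or quoted values, so the splitter honours RFC 4514 backslash escapes and double quotes. The DNs and the function name are constructed for the example.

```python
"""Strip named RDN components (e.g. EMAILADDRESS=...) from a certificate
subject DN before it is used as an LDAP principal.

Added example mirroring the semantics of the removePrincipalElements
option; this is not JBoss code.  Multi-valued RDNs (CN=a+OU=b) are kept
as one unit and matched on their first attribute type.
"""

from typing import List, Set


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDN strings on unescaped, unquoted commas.

    A naive dn.split(',') would corrupt 'CN=Doe\\, John' or 'CN="Doe, John"'.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape and the escaped character verbatim
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def rdn_type(rdn: str) -> str:
    """Attribute type of an RDN, normalised to upper case for comparison."""
    key, sep, _ = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return key.strip().upper()


def remove_principal_elements(dn: str, remove: str) -> str:
    """Drop every RDN whose attribute type is listed in `remove`.

    `remove` is a comma-delimited list of attribute types, as in the
    module option; both key and value of a matching RDN are removed.
    """
    drop: Set[str] = {k.strip().upper() for k in remove.split(",") if k.strip()}
    kept = [rdn for rdn in split_dn(dn) if rdn_type(rdn) not in drop]
    return ",".join(kept)


if __name__ == "__main__":
    # constructed sample: subject as a Microsoft CA might emit it
    subject = "EMAILADDRESS=jdoe@example.com,CN=jdoe,OU=Users,DC=example,DC=com"
    print(remove_principal_elements(subject, "EMAILADDRESS"))
```

The stripped DN is what would then be substituted into the roleFilter search ({1}) under the bindDN, so any mismatch between the certificate subject and the AD entry's DN still surfaces as "no roles found" rather than as a wrong-user match.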
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira