[jboss-user] [Security & JAAS/JBoss] - Re: Not able to authenticate against ActiveDirectory using L
rknechtel
do-not-reply at jboss.com
Thu Sep 7 13:43:41 EDT 2006
I'm having similar issues trying to connect to Active Directory using LDAP with JBoss.
The username is valid in AD; I can log in to a Windows box that authenticates against the AD server.
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain flushOnSessionInvalidation="false">java:/jaas/MyApp-ldap</security-domain>
<context-root>/MyApp</context-root>
</jboss-web>
web.xml
<security-constraint>
<display-name>Restrict SEAM pages</display-name>
<web-resource-collection>
<web-resource-name>SEAM</web-resource-name>
<url-pattern>*.seam</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>system</role-name>
<role-name>purch-buyer</role-name>
<role-name>purch-iss</role-name>
<role-name>purch-dataentry</role-name>
<role-name>purch-tech</role-name>
<role-name>accounting</role-name>
<role-name>asd</role-name>
<role-name>ccc_ops</role-name>
<role-name>warehouse</role-name>
<role-name>liquidation</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>system</role-name>
</security-role>
<security-role>
<role-name>purch-buyer</role-name>
</security-role>
<security-role>
<role-name>purch-iss</role-name>
</security-role>
<security-role>
<role-name>purch-dataentry</role-name>
</security-role>
<security-role>
<role-name>purch-tech</role-name>
</security-role>
<security-role>
<role-name>accounting</role-name>
</security-role>
<security-role>
<role-name>asd</role-name>
</security-role>
<security-role>
<role-name>ccc_ops</role-name>
</security-role>
<security-role>
<role-name>warehouse</role-name>
</security-role>
<security-role>
<role-name>liquidation</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyApp-ldap</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
login-config.xml
<application-policy name="MyApp-ldap">
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<!--
Some AD configurations may require searching against
the Global Catalog on port 3268 instead of the usual
port 389. This is most likely when the AD forest
includes multiple domains.
-->
<module-option name="java.naming.provider.url">ldap://server:389</module-option>
<module-option name="bindDN">administrator</module-option>
<module-option name="bindCredential">[PASSWORD]</module-option>
<module-option name="baseCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">ONELEVEL_SCOPE</module-option>
</login-module>
</application-policy>
ERROR when Logging in:
2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1669e7f
2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@2fc45d
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CachePolicy set to: org.jboss.util.TimedCachePolicy@4ec21
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4ec21
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added MyApp-ldap, org.jboss.security.plugins.SecurityDomainContext@12a9eda to map
2006-09-07 08:41:15,136 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=johndoe
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:487)
at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:331)
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
Anyone have any ideas or run into this error? If so, how did you fix it?
Thanks,
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3970147#3970147
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3970147
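The trace above ends in LDAP error 49 with Active Directory's sub-code "data 525", and the posted login-config.xml carries two values worth checking against that sub-code before touching the server: a bindDN that is a bare account name rather than a DN, UPN or DOMAIN\user, and dc= components that contain a dotted DNS name. The script below is an added example for triaging this offline; it is not code from the post or from JBoss. The option names and values are copied from the post, the sub-code table is AD's documented set for error 80090308, and the rule that a simple-bind identity should be a DN, a UPN or DOMAIN\user is the assumption it lints against.

```python
"""Offline triage for AD bind failures reported by JBoss LdapExtLoginModule.

Added example (not from the original post or from JBoss). It decodes the
'data NNN' sub-code that Active Directory appends to LDAP error 49 and
lints the module-option values from login-config.xml for the mistakes
that produce exactly that failure.
"""
import re

# Sub-codes AD places in the 'data' field of error 49 / 80090308 (hex, as printed).
AD_BIND_SUBCODES = {
    "525": "user not found (the bind name could not be resolved to an account)",
    "52e": "invalid credentials (account found, password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"LDAP: error code 49 - 80090308:.*?\bdata ([0-9a-fA-F]+)\b")


def decode_ad_bind_error(log_line):
    """Return (subcode, meaning) for an AD error-49 log line, or None if it is not one."""
    m = _DATA_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


# Assumed acceptable identities for an AD simple bind: a DN, a UPN, or DOMAIN\user.
_DN_RE = re.compile(r"^\s*[A-Za-z]+=[^,=]+(\s*,\s*[A-Za-z]+=[^,=]+)*\s*$")
_UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")
_NT_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")


def lint_module_options(opts):
    """Return a list of findings for LdapExtLoginModule options (dict name -> value)."""
    findings = []
    bind = opts.get("bindDN", "")
    if not (_DN_RE.match(bind) or _UPN_RE.match(bind) or _NT_RE.match(bind)):
        findings.append(
            "bindDN %r is neither a DN, a UPN (user@domain) nor DOMAIN\\user; "
            "a bind name AD cannot resolve is reported as error 49 data 525" % bind)
    # A DNS domain maps to one dc= per label (RFC 2247); a dot inside a dc value is a typo.
    for name in ("baseCtxDN", "rolesCtxDN"):
        for rdn in opts.get(name, "").split(","):
            attr, _, val = rdn.strip().partition("=")
            if attr.lower() == "dc" and "." in val:
                findings.append("%s: 'dc=%s' is not valid; write it as dc=%s"
                                % (name, val, ",dc=".join(val.split("."))))
    return findings


# Constructed from the values in the post (password redacted there as well).
POSTED_OPTIONS = {
    "java.naming.provider.url": "ldap://server:389",
    "bindDN": "administrator",
    "bindCredential": "[PASSWORD]",
    "baseCtxDN": "cn=users,dc=domain1.domain2,dc=local",
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "cn=users,dc=domain1.domain2,dc=local",
    "roleFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": "true",
    "roleNameAttributeID": "cn",
    "roleRecursion": "-1",
    "searchScope": "ONELEVEL_SCOPE",
}

# The exception line from the post, used as sample input.
POSTED_ERROR = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
                "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]")

if __name__ == "__main__":
    print(decode_ad_bind_error(POSTED_ERROR))
    for f in lint_module_options(POSTED_OPTIONS):
        print("-", f)
```

Because the failing frame is the initial context creation, the sub-code applies to whichever identity was being bound at that point; 525 means the directory never matched an account for that name, so the hypothesis to test first is the bind identity and base DN, not the user's password.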