[jboss-user] [Security & JAAS/JBoss] - Re: Not able to authenticate against ActiveDirectory using L

rknechtel do-not-reply at jboss.com
Thu Sep 7 13:43:41 EDT 2006


I'm having similar issues trying to connect to Active Directory using LDAP with JBoss.
The username is valid in AD I can login to a windows box that authenticates against the AD server.

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain flushOnSessionInvalidation="false">java:/jaas/MyApp-ldap</security-domain>
  <context-root>/MyApp</context-root>
</jboss-web>


web.xml

	<security-constraint>
		<display-name>Restrict SEAM pages</display-name>
		<web-resource-collection>
			<web-resource-name>SEAM</web-resource-name>
			<url-pattern>*.seam</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>system</role-name>
			<role-name>purch-buyer</role-name>
			<role-name>purch-iss</role-name>
			<role-name>purch-dataentry</role-name>
			<role-name>purch-tech</role-name>
			<role-name>accounting</role-name>
			<role-name>asd</role-name>
			<role-name>ccc_ops</role-name>
			<role-name>warehouse</role-name>
			<role-name>liquidation</role-name>
		</auth-constraint>
	</security-constraint>

	<security-role>
		<role-name>system</role-name>
	</security-role>
	<security-role>
		<role-name>purch-buyer</role-name>
	</security-role>
	<security-role>
		<role-name>purch-iss</role-name>
	</security-role>
	<security-role>
		<role-name>purch-dataentry</role-name>
	</security-role>
	<security-role>
		<role-name>purch-tech</role-name>
	</security-role>
	<security-role>
		<role-name>accounting</role-name>
	</security-role>
	<security-role>
		<role-name>asd</role-name>
	</security-role>
	<security-role>
		<role-name>ccc_ops</role-name>
	</security-role>
	<security-role>
		<role-name>warehouse</role-name>
	</security-role>
	<security-role>
		<role-name>liquidation</role-name>
	</security-role>

	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>MyApp-ldap</realm-name>
		<form-login-config>
			<form-login-page>/login.html</form-login-page>
			<form-error-page>/loginError.html</form-error-page>
		</form-login-config>
	</login-config>

login-config.xml


    <application-policy name="MyApp-ldap">
      
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                <!--
                        Some AD configurations may require searching against
                        the Global Catalog on port 3268 instead of the usual
                        port 389.  This is most likely when the AD forest
                        includes multiple domains.
                -->
                <module-option name="java.naming.provider.url">ldap://server:389</module-option>
                <module-option name="bindDN">administrator</module-option>
                <module-option name="bindCredential">[PASSWORD]</module-option>
                <module-option name="baseCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>

                <module-option name="rolesCtxDN">cn=users,dc=domain1.domain2,dc=local</module-option>
                <module-option name="roleFilter">(sAMAccountName={0})</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>

                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
      
    </application-policy>




ERROR when Logging in:
2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1669e7f
2006-09-07 08:41:15,051 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@2fc45d
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyApp-ldap] CachePolicy set to: org.jboss.util.TimedCachePolicy@4ec21
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4ec21
2006-09-07 08:41:15,052 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added MyApp-ldap, org.jboss.security.plugins.SecurityDomainContext@12a9eda to map
2006-09-07 08:41:15,136 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=johndoe
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:487)
        at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:331)
        at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:595)
 

Anyone have any ideas or run into this error? If so how did you fix it?

Thanks,



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3970147#3970147



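An added example, not part of the original post: this Python helper decodes the Active Directory sub-code that follows "data" in an LDAP result-49 message and scans JBoss DEBUG output for LdapExtLoginModule "Bad password" lines, reporting what AD actually said (in the trace above the sub-code is 525, "user not found", and since constructInitialLdapContext is called straight from createLdapInitContext, before any user search, the rejected bind is the one made with bindDN, so it is that name AD could not resolve, not johndoe's password). The sample log lines are constructed to mirror the post's format (the second user and its sub-code are illustrative); the sub-code table is the standard AD AcceptSecurityContext set.

```python
import re

# Active Directory sub-codes reported as "data NNN" alongside LDAP result code 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}
_LDAP_ERR = re.compile(r"error code (?P<code>\d+)(?:.*?\bdata (?P<sub>[0-9a-fA-F]+))?")
_BAD_PW = re.compile(r"\[org\.jboss\.security\.auth\.spi\.LdapExtLoginModule\] Bad password for username=(\S+)")

def classify_ldap_error(message):
    """Map a JNDI/LDAP error message to (result_code, ad_subcode, meaning); None if no LDAP code."""
    m = _LDAP_ERR.search(message)
    if not m:
        return None
    code, sub = int(m.group("code")), (m.group("sub") or "").lower()
    if code != 49:
        return (code, sub, "not invalidCredentials (result code %d)" % code)
    return (code, sub, AD_SUBCODES.get(sub, "invalidCredentials, no AD sub-code"))

def scan_jboss_log(lines):
    """Pair each LdapExtLoginModule 'Bad password' line with the exception that follows it.
    Returns {username: (ad_subcode, meaning, misleading)}; misleading is True whenever the
    sub-code is not 52e, i.e. AD rejected the bind for a reason other than a wrong password."""
    results, pending = {}, None
    for line in lines:
        bp = _BAD_PW.search(line)
        if bp:
            pending = bp.group(1)
            continue
        if pending and "AuthenticationException" in line:
            info = classify_ldap_error(line)
            if info:
                _, sub, meaning = info
                results[pending] = (sub, meaning, sub != "52e")
            pending = None
    return results

# Constructed sample lines mirroring the post's DEBUG output (second user and its code are illustrative).
SAMPLE_LOG = [
    "2006-09-07 08:41:15,136 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=johndoe",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]",
    "2006-09-07 08:42:01,010 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=jsmith",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]",
]

if __name__ == "__main__":
    for user, (sub, meaning, misleading) in scan_jboss_log(SAMPLE_LOG).items():
        print("%s: data %s -> %s%s" % (user, sub, meaning, "  (log text misleading)" if misleading else ""))
```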
