Hello,
I have a web application which I'm trying to secure via an Active Directory
server.  I have a Unit Test (configuration at end of post) derived from
org.jboss.test.LoginModulesTestCase which connects and retrieves attributes
(proving the login module can be poked to work).  When I try and configure the
webapp to connect to AD I always get a stack and a bad password comment.  This
happened in 4.0.3.sp1, and still with 4.0.4.sp1; can anyone spot something
wrong with the login-config.xml?

I've reviewed the recently changed 
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule page but I seem to 
be doing what is expected, here's my ticklist:

1. modified deploy/jbossweb-tomcat55.sar/server.xml to set up an SSL connector
(see end for config).
2. have matched the WEB-INF/jboss-web.xml security-domain element to an entry
in the server/conf/login-config.xml file
3. configured web-app to be secured, such that accessing its context triggers
redirection to a login form, via SSL, and submits to j_security_check.

So in theory j_security_check is receiving the login user/pass and is passing
them on to the LdapExtLoginModule, but I keep getting an invalid password (which
it isn't!).

I have some thoughts that I may have to specify an initial context provider in
the LdapExtLoginModule's JBoss config; could this be the issue? (I happen to be
running inside an IBM 1.5 VM, so com.sun wouldn't work if it were hard coded
anywhere...)
 
Pointers? Ideas?

thanks in advance.
Andy.
=========

::jbossweb-tomcat55.sar/server.xml::

  |  <Connector port="8443" address="${jboss.bind.address}"
  |          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
  |          emptySessionPath="true" algorithm="IbmX509"
  |          scheme="https" secure="true" clientAuth="false"
  |          keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
  |          keystorePass="password" sslProtocol = "TLS" />
  | 

::login-config.xml::

  | <application-policy name="webapp">
  |     <authentication>
  |         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
  |             <module-option name="java.naming.provider.url">ldap://myserver.net:389/</module-option>
  |             <module-option name="java.naming.security.authentication">simple</module-option>
  |             <module-option name="bindDN">[EMAIL PROTECTED]</module-option>
  |             <module-option name="bindCredential">password</module-option>
  |             <module-option name="baseCtxDN">DC=mydomain,DC=net</module-option>
  |             <module-option name="baseFilter">(sAMAccountName={0})</module-option>
  |             <module-option name="roleFilter">(member={1})</module-option>
  |             <module-option name="rolesCtxDN">DC=mycompany,DC=net</module-option>
  |             <module-option name="roleAttributeID">memberOf</module-option>
  |             <module-option name="roleAttributeIsDN">true</module-option>
  |             <module-option name="roleNameAttributeID">cn</module-option>
  |             <module-option name="roleRecursion">-1</module-option>
  |             <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  |         </login-module>
  |     </authentication>
  | </application-policy>
  | 

::Configuration::

  |     // Needs java.util.HashMap and javax.security.auth.login.AppConfigurationEntry
  |     // imported in the enclosing test class. BIND_DN, BIND_CREDENTIAL, BASE_CTX_DN,
  |     // BASE_FILTER_OPT and SEARCH_SCOPE_OPT are the option-name constants (bindDN,
  |     // bindCredential, baseCtxDN, baseFilter, searchScope) and ACCESS_UID/ACCESS_PASS
  |     // the bind account credentials, all defined in the enclosing test class.
  |     AppConfigurationEntry[] testLdapExtLoginToActiveDirectory()
  |     {
  |         String name = "org.jboss.security.auth.spi.LdapExtLoginModule";
  |         HashMap options = new HashMap();
  |         // JNDI environment: JDK LDAP provider, plain LDAP on 389, simple bind
  |         options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
  |         options.put("java.naming.provider.url", "ldap://myserver.net:389");
  |         options.put("java.naming.security.authentication", "simple");
  | 
  |         // Service account used for the initial bind and the user lookup
  |         options.put(BIND_DN, ACCESS_UID);
  |         options.put(BIND_CREDENTIAL, ACCESS_PASS);
  |         options.put(BASE_CTX_DN, "dc=mycompany,dc=net");
  |         options.put(BASE_FILTER_OPT, "(sAMAccountName={0})");
  | 
  |         // Role lookup: groups whose member attribute contains the user's DN,
  |         // with memberOf followed recursively (-1 = no depth limit)
  |         options.put("rolesCtxDN", "dc=mycompany,dc=net");
  |         options.put("roleFilter", "(member={1})");
  |         options.put("roleAttributeID", "memberOf");
  |         options.put("roleAttributeIsDN", "true");
  |         options.put("roleNameAttributeID", "name");
  |         options.put("roleRecursion", "-1");
  |         options.put("searchTimeLimit", "15000");
  | 
  |         // Referral handling and search scope used by this test
  |         options.put("java.naming.referral", "follow");
  |         options.put(SEARCH_SCOPE_OPT, "SUBTREE_SCOPE");
  | 
  |         AppConfigurationEntry ace = new AppConfigurationEntry(name,
  |                 AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
  |         AppConfigurationEntry[] entry = { ace };
  |         return entry;
  |     }
  | 

::server.log Stacktrace::

  | 2006-02-09 16:58:37,051 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Failed to validate password
  | javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=mycompany,DC=net'
  |         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2778)
  |         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
  |         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1823)
  |         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1746)
  |         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1763)
  |         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:409)
  |         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:391)
  |         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:373)
  |         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:278)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:403)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:340)
  |         at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:229)
  |         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:201)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  |         at java.lang.reflect.Method.invoke(Method.java:615)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
  |         at java.security.AccessController.doPrivileged(AccessController.java:241)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
  |         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
  |         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
  |         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
  |         at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
  |         at java.lang.Thread.run(Thread.java:788)
  | 2006-02-09 16:58:37,061 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=myuser
  | 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3923940#3923940

_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user
