connection.url is correct as the user has been authenticated. There is
an issue with roles checking.

On Thu, Oct 6, 2011 at 11:21 AM, Kuhtz, Andreas <[email protected]> wrote:
> Hi,
>
> It could be that the connection.url is not correct (we had this in our
> project). We had to add the /dc=.... .
> See https://cwiki.apache.org/DIRxSRVx11/enablesearchforallusers.html
>
> Regards
> Andi
>
> -----Original Message-----
> From: Charles Moulliard [mailto:[email protected]]
> Sent: Donnerstag, 6. Oktober 2011 10:57
> To: user
> Subject: LDAP Authentication - karaf 2.1.6 fail
>
> Hi,
>
> I try to use LDAP authentication with Karaf 2.1.6 but it fails
> with roles based verification.
>
> 10:49:50,518 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Create
> the LDAP initial context.
> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bound
> access requested.
> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
> user DN.
> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
> Initialize the JNDI LDAP Dir Context.
> 10:49:50,771 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Define
> the subtree scope search control.
> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
> for the user in LDAP with
> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
> DN: ou=users,ou=system
> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
> filter: (uid=jdoe)
> 10:49:50,789 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
> user DN.
> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bind
> user (authentication).
> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Set the
> security principal for uid=jdoe,ou=users,ou=system
> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Binding
> the user.
> 10:49:50,808 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | User
> jdoe successfully bound.
> 10:49:50,810 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get user
> roles.
> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
> for the user roles in LDAP with
> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
> DN: ou=roles,ou=system
> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
> filter: (member:=uid=jdoe)
>
> Is the following syntax correct ?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>  xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>  xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
>>
>
>  <jaas:config name="karaf" rank="1">
>    <jaas:module
> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>                 flags="required">
>
> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>                      connection.username=uid=admin,ou=system
>                      connection.password=secret
>                      connection.protocol=
>                      connection.url = ldap://localhost:10389
>                      user.base.dn = ou=users,ou=system
>                      user.filter = (uid=%u)
>                      user.search.subtree = true
>                      role.base.dn = ou=roles,ou=system
>                  role.filter = (member:=uid=%u)
>                  role.name.attribute = cn
>                  role.search.subtree = true
>                      authentication = simple
>    </jaas:module>
>  </jaas:config>
> </blueprint>
>
> ApacheDS
> =========
> version: 1
>
> dn: ou=system
> objectClass: organizationalUnit
> objectClass: extensibleObject
> objectClass: top
> ou: system
>
> dn: uid=admin,ou=system
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: tlsKeyInfo
> objectClass: top
> cn: system administrator
> keyAlgorithm: RSA
> privateKey:: xxxxxxx
> privateKeyFormat: PKCS#8
> publicKey:: xxxxx
> publicKeyFormat: X.509
> sn: administrator
> displayName: Directory Superuser
> uid: admin
> userCertificate:: xxxxxx
> userPassword:: c2VjcmV0
>
> dn: ou=users,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: users
>
> dn: ou=roles,ou=system
> objectClass: organizationalUnit
> objectClass: top
> ou: roles
>
> dn: cn=admin,ou=roles,ou=system
> objectClass: groupOfNames
> objectClass: top
> cn: admin
> member: uid=jdoe
>
> dn: uid=jdoe,ou=users,ou=system
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: John Doe
> sn: Doe
> uid: jdoe
> userPassword:: c2VjcmV0
>
> Charles Moulliard
>
> Apache Committer
>
> Blog : http://cmoulliard.blogspot.com
> Twitter : http://twitter.com/cmoulliard
> Linkedin : http://www.linkedin.com/in/charlesmoulliard
> Skype: cmoulliard
>
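An added diagnostic, not part of this thread or of Karaf: it parses an LDIF export like the one above and flags groupOfNames member values that are not the DN of any entry in the export, which is the data-side check to run when the bind succeeds (the log shows uid=jdoe,ou=users,ou=system being bound) but the role search returns nothing. The thread does not state the actual cause; normalize_dn is a simplification of LDAP DN matching and the SAMPLE_LDIF is constructed from the posted entries.

```python
import re

# Constructed LDIF mirroring the group and user entries posted in the thread.
SAMPLE_LDIF = """\
dn: cn=admin,ou=roles,ou=system
objectClass: groupOfNames
cn: admin
member: uid=jdoe

dn: uid=jdoe,ou=users,ou=system
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
"""

def normalize_dn(dn):
    """DN comparison form (RDNs lower-cased, whitespace stripped); a rough
    stand-in for distinguishedNameMatch that is fine for simple RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr: [values]}}. Only plain
    'attr: value' lines are handled (no '::' base64 values, no folding)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries

def unresolved_members(entries):
    """(group dn, member value) pairs whose member value is not the DN of any
    entry. The log shows the user bound as uid=jdoe,ou=users,ou=system, so a
    member value that names no entry is the first thing to check when roles
    come back empty after a successful bind (assumption: DN-based matching)."""
    bad = []
    for dn, attrs in entries.items():
        if "groupofnames" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        for member in attrs.get("member", []):
            if normalize_dn(member) not in entries:
                bad.append((dn, member))
    return bad
```

With the posted data the check reports the cn=admin group's member value uid=jdoe as naming no entry; with the member written as the user's full DN it reports nothing.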
