Re: LDAP Authentication - karaf 2.1.6 fail

Thu, 06 Oct 2011 03:05:28 -0700 

OK, got it :)

role.filter should contain (member=uid=%u) and not (member:=uid=%u).

Let me check how I construct the role search filter.

Regards
JB

On 10/06/2011 12:01 PM, Charles Moulliard wrote:

member is not a OU

DN: cn=admin, ou=roles,ou=system
where member=uid=jdoe is a attribute of cn=admin

My query works fine in ApacheDS Studio with

search base = ou=roles,ou=system
filter = (member=uid=jdoe)

and return
cn=admin, ou=roles,ou=system
containing member=uid=jdoe

On Thu, Oct 6, 2011 at 11:48 AM, Jean-Baptiste Onofré<[email protected]>  wrote:

Hi Charles,

the role.filter doesn't look correct to me. The "member" is an ou ?
In that case the filter should be (&(ou=member)(uid=%s)).

Regards
JB

On 10/06/2011 11:32 AM, Charles Moulliard wrote:


connection.url is correct as the user has been authenticated. There is
an issue with roles checking

On Thu, Oct 6, 2011 at 11:21 AM, Kuhtz, Andreas<[email protected]>
  wrote:


Hi,

It could be that the connection.url is not correct (we had this in our
project). We had to add the /dc=.... .
See https://cwiki.apache.org/DIRxSRVx11/enablesearchforallusers.html

Regards
Andi

-----Original Message-----
From: Charles Moulliard [mailto:[email protected]]
Sent: Donnerstag, 6. Oktober 2011 10:57
To: user
Subject: LDAP Authentication - karaf 2.1.6 fail

Hi,

I try to use LDAP authentication with Karaf 2.1.6 but the it fails
with roles based verification.

10:49:50,518 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Create
the LDAP initial context.
10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bound
access requested.
10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
user DN.
10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
Initialize the JNDI LDAP Dir Context.
10:49:50,771 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Define
the subtree scope search control.
10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
for the user in LDAP with
10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
DN: ou=users,ou=system
10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
filter: (uid=jdoe)
10:49:50,789 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get the
user DN.
10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bind
user (authentication).
10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Set the
security principal for uid=jdoe,ou=users,ou=system
10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Binding
the user.
10:49:50,808 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | User
jdoe successfully bound.
10:49:50,810 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get user
roles.
10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
for the user roles in LDAP with
10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
DN: ou=roles,ou=system
10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
    | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
filter: (member:=uid=jdoe)

Is the following syntax correct ?

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
  xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0";

xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0";




  <jaas:config name="karaf" rank="1">
    <jaas:module
className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                 flags="required">

initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
                      connection.username=uid=admin,ou=system
                      connection.password=secret
                      connection.protocol=
                      connection.url = ldap://localhost:10389
                      user.base.dn = ou=users,ou=system
                      user.filter = (uid=%u)
                      user.search.subtree = true
                      role.base.dn = ou=roles,ou=system
                  role.filter = (member:=uid=%u)
                  role.name.attribute = cn
                  role.search.subtree = true
                      authentication = simple
    </jaas:module>
  </jaas:config>
</blueprint>

ApacheDS
=========
version: 1

dn: ou=system
objectClass: organizationalUnit
objectClass: extensibleObject
objectClass: top
ou: system

dn: uid=admin,ou=system
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: tlsKeyInfo
objectClass: top
cn: system administrator
keyAlgorithm: RSA
privateKey:: xxxxxxx
privateKeyFormat: PKCS#8
publicKey:: xxxxx
publicKeyFormat: X.509
sn: administrator
displayName: Directory Superuser
uid: admin
userCertificate:: xxxxxx
userPassword:: c2VjcmV0

dn: ou=users,ou=system
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=roles,ou=system
objectClass: organizationalUnit
objectClass: top
ou: roles

dn: cn=admin,ou=roles,ou=system
objectClass: groupOfNames
objectClass: top
cn: admin
member: uid=jdoe

dn: uid=jdoe,ou=users,ou=system
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
userPassword:: c2VjcmV0

Charles Moulliard

Apache Committer

Blog : http://cmoulliard.blogspot.com
Twitter : http://twitter.com/cmoulliard
Linkedin : http://www.linkedin.com/in/charlesmoulliard
Skype: cmoulliard



--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com



--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com

Reply via email to