Hi JB

I haven't found information on "native/core" in the context of JAAS except for the 
Sun web server. I've tried now to create a jaas:config like this:

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <!-- Bean that allows the $[karaf.base] property to be resolved -->
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            connection.url = ldap://ldap.example.com:389
            connection.username = CN=...
            connection.password = ....
            user.base.dn = OU=...
            user.filter = (saMAccountName=%u)
            user.search.subtree = true
            authentication = simple
            role.base.dn = ...
            role.filter = (member:=uid=%u)
            role.name.attribute = cn
            role.search.subtree = true
            detailedLoginExcepion = true
        </jaas:module>

        <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
            users = $[karaf.base]/etc/users.properties
            detailedLoginExcepion = true
            debug = true
        </jaas:module>
    </jaas:config>

</blueprint>

I've configured the LDAP user and its role in users.properties as well (but 
without password, as authentication is done by LDAP). I can successfully 
authenticate but get a login error in PropertiesLoginModule:

11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  162 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Create the LDAP initial context.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  166 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bound access requested.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  174 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  178 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialize the JNDI LDAP Dir Context.
11:24:16,629 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  180 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Define the subtree scope search control.
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  187 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user in LDAP with 
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  188 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  190 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: (saMAccountName=owulff)
11:24:16,640 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  196 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  214 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bind user (authentication).
11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  216 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Set the security principal for CN=owulff,<removed>
11:24:16,642 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  219 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Binding the user.
11:24:16,653 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  221 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | User owulff successfully bound.
11:24:16,654 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  239 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get user roles.
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  250 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user roles in LDAP with 
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  251 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  253 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: (member:=uid=owulff)
11:24:16,668 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule   53 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialized debug=true usersFile=/projects/talend/Talend-ESB-V5.3.1/container/etc/users.properties
11:24:16,669 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule  164 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | abort
11:24:16,670 | DEBUG | NioProcessor-2   | shell.ssh.KarafJaasAuthenticator  106 | 29 - org.apache.karaf.shell.ssh - 2.3.1 | User authentication failed with login failed
javax.security.auth.login.FailedLoginException: login failed
        at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:141)
        at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
        at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.7.0_21]
        at java.lang.reflect.Method.invoke(Method.java:601)[:1.7.0_21]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)[:1.7.0_21]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)[:1.7.0_21]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)[:1.7.0_21]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)[:1.7.0_21]
        at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_21]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)[:1.7.0_21]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:594)[:1.7.0_21]
        at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:82)[29:org.apache.karaf.shell.ssh:2.3.1]


As a test, I've configured the password of the LDAP user in users.properties. 
Then it works, but it's not my expected behaviour.

Maybe I'm missing something here?

If not, we could enhance the PropertiesLoginModule to support authentication 
against LDAP but roles are managed locally.

Thanks
Oli
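A minimal JAAS demonstration (added here as an example; not code from this thread or from Karaf) of why two "required" modules fail the login above: two hypothetical modules stand in for the LDAP module (bind succeeded) and for PropertiesLoginModule with a user that has no stored password (login() throws), and only the second module's control flag varies. With both required the whole LoginContext.login() fails; with the second optional it succeeds, but under JAAS a module whose login() failed contributes no principals on commit, so the optional flag alone would not make that module supply the roles.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasFlagDemo {
    // Hypothetical stand-in for the LDAP module in the trace above: the bind succeeded, so login() is true.
    public static class AuthOkModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Hypothetical stand-in for PropertiesLoginModule with a user that has no stored password:
    // it cannot verify the credential, so login() throws, as PropertiesLoginModule does in the trace.
    public static class NoPasswordModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() throws LoginException { throw new FailedLoginException("login failed"); }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Programmatic equivalent of the two-module jaas:config; only the second module's flag varies.
    static Configuration stack(final LoginModuleControlFlag secondFlag) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                Map<String, String> none = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(AuthOkModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
                    new AppConfigurationEntry(NoPasswordModule.class.getName(), secondFlag, none) };
            }
        };
    }
    // True when LoginContext.login() as a whole succeeds for the given second-module flag.
    public static boolean login(LoginModuleControlFlag secondFlag) {
        try {
            // No callbacks are needed: neither stand-in module asks for a name or password.
            new LoginContext("karaf", new Subject(), callbacks -> { }, stack(secondFlag)).login();
            return true;
        } catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        System.out.println("both required   -> login ok? " + login(LoginModuleControlFlag.REQUIRED));
        System.out.println("second optional -> login ok? " + login(LoginModuleControlFlag.OPTIONAL));
    }
}
```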


________________________________________
From: Jean-Baptiste Onofré [[email protected]]
Sent: 22 August 2013 19:37
To: [email protected]
Subject: Re: LDAP authentication must role management in properties file

Hi,

like in JAAS "core/native": it depends on the realm (a realm has a
dedicated function: authentication/authorization).

Regards
JB

On 08/22/2013 11:34 AM, Oliver Wulff wrote:
> Hi JB
>
> How can I tell which login module is used for authentication (LDAP) and which 
> for authorization (PropertiesFile)? If I configure a list of login modules, I 
> thought JAAS will login with username/password in each login module.
>
> Thanks
> Oli
> ________________________________________
> From: Jean-Baptiste Onofré [[email protected]]
> Sent: 22 August 2013 10:20
> To: [email protected]
> Subject: Re: LDAP authentication must role management in properties file
>
> Hi,
>
> yes, the same realm (let's say Karaf) can use several login modules. It
> leverages JAAS.
>
> You can do that directly with the jaas:* commands.
>
> Or you can define both login modules in the same blueprint and define a
> rank for the login module:
>
>       <jaas:config name="myrealm">
>           <jaas:module
> className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>                        flags="required">
>               users = $[karaf.base]/etc/users.properties
>           </jaas:module>
>          <jaas:module
> className="org.apache.karaf.jaas.modules.ldap.LdapLoginModule ...."/>
>       </jaas:config>
>
> You have more details here:
> http://karaf.apache.org/manual/latest-2.3.x/developers-guide/security-framework.html
>
> Regards
> JB
>
> On 08/22/2013 10:14 AM, Oliver Wulff wrote:
>> Hi there
>>
>> I'm looking for a solution to use the LDAP Login Module only for
>> authentication and another module (ex. PropertiesLoginModule) to manage
>> the roles?
>>
>> Thanks
>>
>> Oli
>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
