Hi JB

Maybe there is a misunderstanding, but authentication in the LDAP Login Module 
already worked:
11:24:16,653 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  221 
| 24 - org.apache.karaf.jaas.modules - 2.3.1 | User owulff successfully bound.

(I just removed the customer specific configuration settings)

After authentication, I want to use the PropertiesLoginModule to read the roles 
of this user, but the PropertiesLoginModule always does an authentication again.

Thanks
Oli


________________________________________
From: Jean-Baptiste Onofré [[email protected]]
Sent: 23 August 2013 13:52
To: [email protected]
Subject: Re: LDAP authentication must role management in properties file

Hi Oli,

the LDAP Login Module can use double bind:
- first bind as LDAP "admin" to lookup user
- second bind as LDAP user to validate credentials

The connection.username/connection.password is for "admin" user who
performs the lookup.
The user auth is done using the retrieved DN:

             logger.debug("Bind user (authentication).");
             env.put(Context.SECURITY_AUTHENTICATION, authentication);
             logger.debug("Set the security principal for " + userDN +
"," + userBaseDN);
             env.put(Context.SECURITY_PRINCIPAL, userDN + "," + userBaseDN);
             env.put(Context.SECURITY_CREDENTIALS, password);
             logger.debug("Binding the user.");
             context = new InitialDirContext(env);
             logger.debug("User " + user + " successfully bound.");
             context.close();

So, in your case, it means that the combination of the retrieved userDN
used to construct the principal (concat of userDN + userBaseDN) and the
password is not valid on the LDAP.
Try to log on with this userDN and password using slapd or similar
tools to validate the DN.

The password is provided by a callback:

         Callback[] callbacks = new Callback[2];
         callbacks[0] = new NameCallback("Username: ");
         callbacks[1] = new PasswordCallback("Password: ", false);

Regards
JB

On 08/23/2013 01:20 PM, Oliver Wulff wrote:
> Hi JB
>
> I haven't found information on "native/core" in the context of JAAS except for 
> the Sun web server. I've tried now to create a jaas:config like this:
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
> xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0";
> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0";>
>       <!-- Bean that allows the $[karaf.base] property to be resolved -->
>       <ext:property-placeholder placeholder-prefix="$[" 
> placeholder-suffix="]"/>
>
>       <jaas:config name="karaf" rank="1">
>               <jaas:module 
> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
> flags="required">
>                       connection.url = ldap://ldap.example.com:389
>                       connection.username = CN=...
>                       connection.password = ....
>                       user.base.dn = OU=...
>                       user.filter = (saMAccountName=%u)
>                       user.search.subtree = true
>                       authentication = simple
>                       role.base.dn = ...
>                       role.filter = (member:=uid=%u)
>                       role.name.attribute = cn
>                       role.search.subtree = true
>                       detailedLoginExcepion = true
>               </jaas:module>
>
>               <jaas:module 
> className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" 
> flags="required">
>                       users = $[karaf.base]/etc/users.properties
>                       detailedLoginExcepion = true
>                       debug = true
>               </jaas:module>
>
>       </jaas:config>
>
> </blueprint>
>
> I've configured the LDAP user and its role in users.properties as well (but 
> without password, as authentication is done by LDAP). I can successfully 
> authenticate but get a login error in PropertiesLoginModule:
>
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 162 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Create the LDAP initial 
> context.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 166 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bound access requested.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 174 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 178 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialize the JNDI LDAP 
> Dir Context.
> 11:24:16,629 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 180 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Define the subtree scope 
> search control.
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 187 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user in 
> LDAP with
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 188 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 190 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: 
> (saMAccountName=owulff)
> 11:24:16,640 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 196 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
> 11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 214 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bind user (authentication).
> 11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 216 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Set the security principal 
> for CN=owulff,<removed>
> 11:24:16,642 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 219 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Binding the user.
> 11:24:16,653 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 221 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | User owulff successfully 
> bound.
> 11:24:16,654 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 239 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get user roles.
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 250 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user roles 
> in LDAP with
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 251 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  
> 253 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: 
> (member:=uid=owulff)
> 11:24:16,668 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule   
> 53 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialized debug=true 
> usersFile=/projects/talend/Talend-ESB-V5.3.1/container/etc/users.properties
> 11:24:16,669 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   
> 64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
> 11:24:16,670 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   
> 64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
> 11:24:16,670 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule  
> 164 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | abort
> 11:24:16,670 | DEBUG | NioProcessor-2   | shell.ssh.KarafJaasAuthenticator  
> 106 | 29 - org.apache.karaf.shell.ssh - 2.3.1 | User authentication failed 
> with login failed
> javax.security.auth.login.FailedLoginException: login failed
>       at 
> org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:141)
>       at 
> org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
>       at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.7.0_21]
>       at java.lang.reflect.Method.invoke(Method.java:601)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)[:1.7.0_21]
>       at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)[:1.7.0_21]
>       at 
> javax.security.auth.login.LoginContext.login(LoginContext.java:594)[:1.7.0_21]
>       at 
> org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:82)[29:org.apache.karaf.shell.ssh:2.3.1]
>
>
> As a test, I've configured the password of the LDAP user in users.properties. 
> Then it works, but it's not my expected behaviour.
>
> Maybe I'm missing something here?
>
> If not, we could enhance the PropertiesLoginModule to support authentication 
> against LDAP but roles are managed locally.
>
> Thanks
> Oli
>
>
> ________________________________________
> From: Jean-Baptiste Onofré [[email protected]]
> Sent: 22 August 2013 19:37
> To: [email protected]
> Subject: Re: LDAP authentication must role management in properties file
>
> Hi,
>
> like in JAAS "core/native": it depends on the realm (a realm has a
> dedicated function: authentication/authorization).
>
> Regards
> JB
>
> On 08/22/2013 11:34 AM, Oliver Wulff wrote:
>> Hi JB
>>
>> How can I tell which login module is used for authentication (LDAP) and 
>> which for authorization (PropertiesFile)? If I configure a list of login 
>> modules, I thought JAAS will login with username/password in each login 
>> module.
>>
>> Thanks
>> Oli
>> ________________________________________
>> From: Jean-Baptiste Onofré [[email protected]]
>> Sent: 22 August 2013 10:20
>> To: [email protected]
>> Subject: Re: LDAP authentication must role management in properties file
>>
>> Hi,
>>
>> yes, the same realm (let's say Karaf) can use several login modules. It
>> leverages JAAS.
>>
>> You can do that directly with the jaas:* commands.
>>
>> Or you can define both login modules in the same blueprint and define a
>> rank for the login module:
>>
>>        <jaas:config name="myrealm">
>>            <jaas:module
>> className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>>                         flags="required">
>>                users = $[karaf.base]/etc/users.properties
>>            </jaas:module>
>>           <jaas:module
>> className="org.apache.karaf.jaas.modules.ldap.LdapLoginModule ...."/>
>>        </jaas:config>
>>
>> You have more details here:
>> http://karaf.apache.org/manual/latest-2.3.x/developers-guide/security-framework.html
>>
>> Regards
>> JB
>>
>> On 08/22/2013 10:14 AM, Oliver Wulff wrote:
>>> Hi there
>>>
>>> I'm looking for a solution to use the LDAP Login Module only for
>>> authentication and another module (ex. PropertiesLoginModule) to manage
>>> the roles?
>>>
>>> Thanks
>>>
>>> Oli
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> [email protected]
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
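The thread ends on the observation that every login module in a JAAS stack runs its own login(), so a stock PropertiesLoginModule placed after LDAPLoginModule checks the password again and fails when users.properties carries no password. The module below is an added example (not Karaf's code and not something from this thread) of the enhancement Oli suggests: a roles-only module that reads a users.properties-style file, never asks for a password, and only contributes RolePrincipals when the whole stack has succeeded. The class name PropertiesRolesLoginModule and the package are hypothetical; it assumes Karaf 2.3.x's org.apache.karaf.jaas.boot.principal.RolePrincipal class and the `user = password,role1,role2` line format of users.properties (the password field is ignored and may be empty).

```java
// Added example, not Karaf project code: a roles-only JAAS login module.
// Assumes Karaf 2.3.x RolePrincipal; class and package names are hypothetical.
package com.example.jaas;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;

public class PropertiesRolesLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String usersFile;
    // Roles collected in login(); only attached to the Subject in commit().
    private final Set<Principal> roles = new HashSet<Principal>();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Same "users" option as PropertiesLoginModule, e.g. $[karaf.base]/etc/users.properties
        this.usersFile = (String) options.get("users");
    }

    public boolean login() throws LoginException {
        if (usersFile == null) {
            throw new LoginException("'users' option not set");
        }
        // Only the user name is requested. No PasswordCallback is issued, so this
        // module cannot fail on a password it never sees; LDAPLoginModule owns that.
        NameCallback nameCallback = new NameCallback("Username: ");
        try {
            callbackHandler.handle(new Callback[] { nameCallback });
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String user = nameCallback.getName();
        if (user == null || user.trim().isEmpty()) {
            throw new FailedLoginException("no user name supplied");
        }
        Properties users = new Properties();
        InputStream in = null;
        try {
            in = new FileInputStream(usersFile);
            users.load(in);
        } catch (IOException e) {
            throw new LoginException("cannot read " + usersFile + ": " + e.getMessage());
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignore) { } }
        }
        // Line format: user = password,role1,role2,...  (password field ignored)
        String entry = users.getProperty(user);
        if (entry == null) {
            // Explicit deny: an LDAP-authenticated user without a local entry gets no login.
            throw new FailedLoginException("user " + user + " has no entry in " + usersFile);
        }
        String[] fields = entry.split(",");
        for (int i = 1; i < fields.length; i++) {
            String role = fields[i].trim();
            if (!role.isEmpty()) {
                roles.add(new RolePrincipal(role));
            }
        }
        return true;
    }

    public boolean commit() throws LoginException {
        // JAAS calls commit() only when every "required" module succeeded,
        // i.e. after LDAPLoginModule has actually bound the user.
        subject.getPrincipals().addAll(roles);
        return true;
    }

    public boolean abort() throws LoginException {
        roles.clear();
        return true;
    }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(roles);
        roles.clear();
        return true;
    }
}
```

In the blueprint from the thread this module would replace the second jaas:module entry, keeping `flags="required"` on both and the same `users = $[karaf.base]/etc/users.properties` option, with LDAPLoginModule listed first. Because the module grants nothing in login() and only adds principals in commit(), a failed LDAP bind still aborts the whole login and no roles are ever attached; and because the local entry is mandatory, a user who exists in LDAP but not in users.properties is rejected rather than logged in with no roles. Each bind still appears in the LDAPLoginModule debug output exactly as in the log above, which is the line to watch when diagnosing which module actually rejected a login.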
