Authentication fail using LDAP Login Module for Teiid VDB Data Virtualization - ldap

We are currently running into issues when configuring LDAP authentication for a deployed VDB; we would like to enter our Active Directory username and password when authenticating.
We have successfully configured LDAP authentication for the admin console, but are running into errors during server start-up.
I have been able to successfully configure authentication for the admin console at hostname:9990. With the following changes to standalone.xml we can provide our Active Directory user/pass and log in to the admin console.
Below is the security domain we are running into issues with, and the security realm which is working.
This is the error we are receiving:
ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
This is the security realm which is working when authenticating for the admin panel:
<security-realm name="ldap-security-realm">
<authentication>
<ldap connection="ldap-connection" base-dn="dc=main">
<advanced-filter filter="(&(sAMAccountName={0}))"/>
</ldap>
</authentication>
</security-realm>
<outbound-connections>
<ldap name="ldap-connection" url="ldap://hostname:389" search-dn="adminusername" search-credential="adminpassword"/>
</outbound-connections>
This is the security domain with which we are trying to enable authentication for a deployed VDB:
<datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
<connection-url>jdbc:teiid:refresh#mm://hostname:31000</connection-url>
<driver>teiid</driver>
<security>
<security-domain>test_ldap_security_domain</security-domain>
</security>
</datasource>
<security-domain name="test_ldap_security_domain">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url" value="ldap://hostname:389" />
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<module-option name="java.naming.security.authentication" value="simple" />
<module-option name="bindDN" value="adminusername" />
<module-option name="bindCredential" value="adminpassword" />
<module-option name="distinguishedNameAttribute" value="sAMAccountName" />
<module-option name="baseFilter" value="(sAMAccountName={0})" />
<module-option name="baseCtxDN" value="dc=main" />
</login-module>
</authentication>
</security-domain>
<transport name="odata">
<authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
<authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
<authentication security-domain="test_ldap_security_domain"/>
<ssl mode="disabled"/>
</transport>

By default, the data source configuration tries to create a minimum number of connections during startup. Since the data source is secured based on the caller's user credentials and there is no active user during startup, this fails.
Change the data source configuration so that it does not create any connections during startup:
<pool>
<prefill>false</prefill>
</pool>
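As an added check (not Teiid or WildFly code), the script below parses a standalone.xml fragment and flags the pattern behind this error: a datasource whose `<security>` delegates to a per-user security-domain while `<pool><prefill>` is true. It also applies two hygiene checks to any LDAP login-module on the page's pattern: duplicated module-option names and allowEmptyPasswords=true. The sample XML is constructed from the question's configuration and omits the subsystem namespaces; `lint`, `_local` and `_children` are names chosen here.

```python
"""Lint a standalone.xml fragment for a datasource secured by a per-user
security-domain but set to prefill its pool at startup, plus LDAP
login-module option hygiene. Added example, not Teiid/WildFly project code."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<server>
  <datasources>
    <datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
      <pool><prefill>true</prefill></pool>
      <security><security-domain>test_ldap_security_domain</security-domain></security>
    </datasource>
    <datasource jndi-name="java:/static" pool-name="static" enabled="true">
      <pool><prefill>true</prefill></pool>
      <security><user-name>svc</user-name><password>x</password></security>
    </datasource>
  </datasources>
  <security-domains>
    <security-domain name="test_ldap_security_domain">
      <authentication>
        <login-module code="LdapExtended" flag="sufficient">
          <module-option name="bindDN" value="adminusername"/>
          <module-option name="allowEmptyPasswords" value="true"/>
          <module-option name="throwValidateError" value="true"/>
          <module-option name="throwValidateError" value="true"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</server>
"""

def _local(tag):
    """Drop the namespace part ({urn:jboss:...}name -> name) so real files parse too."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def lint(xml_text):
    """Return a list of (severity, message) findings for the given XML."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for ds in (e for e in root.iter() if _local(e.tag) == "datasource"):
        jndi = ds.get("jndi-name", "?")
        sec = next(iter(_children(ds, "security")), None)
        uses_domain = sec is not None and bool(_children(sec, "security-domain"))
        pool = next(iter(_children(ds, "pool")), None)
        prefill = pool is not None and any(
            _local(p.tag) == "prefill" and (p.text or "").strip().lower() == "true"
            for p in pool)
        if uses_domain and prefill:
            # Startup prefill runs createSubject() with no caller identity behind it.
            findings.append(("error", f"{jndi}: prefill=true with a per-user "
                             "security-domain; set <prefill>false</prefill>"))
    for lm in (e for e in root.iter() if _local(e.tag) == "login-module"):
        code = lm.get("code") or ""
        if "Ldap" not in code:
            continue
        opts = {}
        for o in _children(lm, "module-option"):
            name = o.get("name")
            if name in opts:
                findings.append(("warn", f"{code}: duplicate module-option {name}"))
            opts[name] = o.get("value", "")
        if opts.get("allowEmptyPasswords", "false").lower() == "true":
            # Empty simple-bind password = unauthenticated bind; many servers answer success.
            findings.append(("error", f"{code}: allowEmptyPasswords=true"))
    return findings
```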

Related

How to avoid providing security credentials in Alfresco OpenLDAP authentication

We have to provide Alfresco and jBoss web application users authentication with openLDAP.
The OpenLDAP server is configured so that there is no need to provide any credentials to read the OpenLDAP directory.
In case of jBoss configuration I am not providing these credentials with bindDN and bindCredential tags and authentication is working.
In case of Alfresco that is not the case, if I do not provide ldap.synchronization.java.naming.security.principal and ldap.synchronization.java.naming.security.credentials, I have synchronization error in log:
2019-02-15 10:58:04,466 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 01150001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]
So ldapsearch retrieves the OpenLDAP directory without providing any credentials:
ldapsearch -x -h 10.0.1.15:389 -b "dc=some,dc=ua"
jBoss standalone-full.xml:
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.0.1.15:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="baseCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="roleRecursion" value="1"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
Alfresco alfresco-global.properties
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Admin
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356
ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
Is it possible to avoid providing OpenLDAP credentials in alfresco-global.properties?
Alfresco Community (Build: 201612)
jBoss EAP-6.4
There are two things going on with Alfresco: Authentication and Synchronization. Authentication against OpenLDAP can happen without a credential because it binds using the user's credential.
Synchronization, however, happens in batch in the background. The synchronization job that runs needs a credential to authenticate with OpenLDAP so it can query for users and groups created or modified since the last check. If you don't provide a credential it would mean your OpenLDAP directory would have to be wide open, which is surely not what you want.

Issue authenticating user on JBoss 7 against LDAP

I am trying to set up authentication for an application on JBoss 7 against an LDAP server. Below is the link I have followed for the configuration:
LDAP authentication with JBoss 7
As per JBoss in Action, the JBoss LDAP login module performs three queries against the LDAP server to log in a user, as follows:
- The first query looks up the user object using only the login id. This search is similar to the first ldapsearch query that we showed you earlier.
- A second query is a login attempt using the user’s login id and the password.
- The last query obtains the group objects.
The password is used, but you don’t have to reference it in the login module. Now let’s take a look at another login module that helps simplify development and testing.
Looking in the LDAP server logs, it looks like my setup is only doing the first step but not the second. So the login fails with a password error:
10:47:11,448 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000283: Bad password for username testuser1
10:47:11,450 TRACE [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000244: Begin abort method
10:47:11,450 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
Here is the configuration from my standalone.xml:
<security-domain name="LDAPAuth" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="cn=admin"/>
<module-option name="bindCredential" value="********"/>
<module-option name="baseCtxDN" value="ou=Internal,cn=Users,dc=company,dc=local"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="roleFilter" value="(uniqumember={1})"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
</authentication>
</security-domain>
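To make the three steps concrete, here is an added walk-through on a constructed in-memory directory (not PicketBox or JBoss code): `{0}` in baseFilter is the login id, `{1}` in roleFilter is the user DN found in step 1, and step 2 is a bind as that DN with the supplied password, which is the step whose failure logs "Bad password". `DIRECTORY`, `OPTS`, `bind`, `search` and `login` are names chosen here; `OPTS` mirrors the question's module-options with roleFilter spelled uniquemember.

```python
"""Walk through the three LDAP queries LdapExtLoginModule issues, on a constructed
in-memory directory. Added example, not PicketBox/JBoss code."""
import re

# Constructed directory: DN -> attributes; "userPassword" stands in for whatever
# the real server verifies on a simple bind.
DIRECTORY = {
    "cn=admin": {"userPassword": "adminsecret"},
    "cn=testuser1,ou=Internal,cn=Users,dc=company,dc=local":
        {"cn": "testuser1", "userPassword": "hunter2"},
    "cn=developers,ou=Groups,dc=company,dc=local":
        {"cn": "developers",
         "uniquemember": "cn=testuser1,ou=Internal,cn=Users,dc=company,dc=local"},
    "cn=staff,ou=Groups,dc=company,dc=local":
        {"cn": "staff", "uniquemember": "cn=developers,ou=Groups,dc=company,dc=local"},
}

OPTS = {  # module-options modelled on the question (roleFilter spelled correctly)
    "bindDN": "cn=admin", "bindCredential": "adminsecret",
    "baseCtxDN": "ou=Internal,cn=Users,dc=company,dc=local", "baseFilter": "(cn={0})",
    "rolesCtxDN": "ou=Groups,dc=company,dc=local", "roleFilter": "(uniquemember={1})",
    "roleAttributeID": "cn", "roleRecursion": "1", "allowEmptyPasswords": "false",
}

def bind(dn, password):
    """Simple bind. An empty password is an unauthenticated bind, which servers
    commonly answer with success (as anonymous), so the module must gate it."""
    if password == "":
        return True
    return DIRECTORY.get(dn, {}).get("userPassword") == password

def search(base, filter_template, arg):
    """Subtree search for the page's single-attribute filters, e.g. (cn={0})."""
    attr = re.fullmatch(r"\((\w+)=\{[01]\}\)", filter_template).group(1)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr) == arg]

def login(opts, username, password):
    """Return (ok, roles, trace) following the three steps described above."""
    trace = []
    # Step 1: bind as bindDN and look up the user object by login id ({0}).
    if not bind(opts["bindDN"], opts["bindCredential"]):
        return False, [], ["bindDN bind failed"]
    hits = search(opts["baseCtxDN"], opts["baseFilter"], username)
    if len(hits) != 1:
        return False, [], trace + [f"user lookup returned {len(hits)} entries"]
    user_dn = hits[0]
    trace.append(f"found {user_dn}")
    # Step 2: bind as the user's own DN with the supplied password.
    if password == "" and opts.get("allowEmptyPasswords", "false") != "true":
        return False, [], trace + ["empty password rejected (PBOX000070)"]
    if not bind(user_dn, password):
        return False, [], trace + ["Bad password"]
    trace.append("user bind ok")
    # Step 3: groups whose roleFilter matches the user DN ({1}), then parent
    # groups of those groups, up to roleRecursion extra levels.
    roles, frontier = [], [user_dn]
    for _ in range(int(opts.get("roleRecursion", "0")) + 1):
        nxt = []
        for dn in frontier:
            for g in search(opts["rolesCtxDN"], opts["roleFilter"], dn):
                role = DIRECTORY[g][opts.get("roleAttributeID", "cn")]
                if role not in roles:
                    roles.append(role)
                    nxt.append(g)
        frontier = nxt
    return True, roles, trace
```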

JBoss Wildfly - Authentication of Web App against LDAP

I have a security domain defined in jboss-web.xml as below
<jboss-web>
<security-domain>java:/jaas/my_ldap_security_domain</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
I also have defined inside my standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="my_ldap_security_domain" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="temp#my.domain"/>
<module-option name="bindCredential" value="mypass"/>
<module-option name="baseCtxDN" value="DC=my,DC=domain"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
<module-option name="roleFilter" value="(uniquemember={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
My only realms present on my standalone.xml are
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
I did not mention it before because I presumed that these security realms were meant to authenticate application server console access. Sorry for that.
My question is how to create a JSF2 login page that authenticates against what is defined above. I have read a lot of articles about it but am still in the same place, because most articles use fake authentication as an example (comparing with static strings instead of showing how to consult an LDAP server).
Can anyone help me?
"I presumed that these security realms were meant to authenticate application server console access"
You're partially correct there. name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application.
Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the Wildfly 8 Realm Configuration Manual:
<management>
  <security-realms>
    <security-realm name="ApplicationRealm">
      <authentication>
        <ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
          <username-filter attribute="sAMAccountName" />
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
</management>
The <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need to follow the standard auth methods for a Java EE application.
The takeaway from this should be that web application security within Java EE generally takes the same approach of:
- Setting up a realm (app-server specific)
- Setting up security constraints in web.xml (uniform across all Java EE applications)
- Implementing a login method (configuration or programmatic)

Mapping LDAP groups to roles in JBoss 5

I'm trying to authenticate users of the administrative consoles (Admin, JMX, JBoss Web and JBoss WS) using an LDAP provider defined in conf/login-config.xml:
<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
The appropriate JAAS config has been set in the following files:
$ grep LDAP /usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/*xml
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/components.xml: <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="LDAP"/>
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/jboss-web.xml: <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>
Connection with the LDAP server works correctly. I have verified that by capturing traffic using Wireshark and setting org.jboss.security logging to TRACE in jboss-log4j.xml:
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
I have also set DEBUG level for the org.jboss.seam component:
<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>
which also verifies that the authentication step is working correctly:
2014-06-09 16:42:41,189 DEBUG [org.jboss.seam.security.Identity] (http-192.0.2.1-8080-6) Login successful for: someuser
There seems to be a problem with authorization; I can't access the admin-console even though the user is correctly authenticated. I've tried two different approaches:
As I don't have a group in my LDAP named JBossAdmin (which is the role used by default):
$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>
I'm trying to map my LDAP groups and JBoss roles using the RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
The contents of the props/admin-console-roles.properties is:
someuser=JBossAdmin
As documented, the syntax is username=role1,role2.
Replace the occurrences of JBossAdmin with one of the groups present in the LDAP structure, say developers:
$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>
Neither of the two works. I'm stuck at the login page. Moreover, if I insist and press the login button again, I'm greeted with this:
How can I debug it further? Is it possible to map LDAP groups to roles in JBoss 5? Can group names (instead of user names) be used in a role.properties file when using RoleMappingLoginModule?

Login failure in jbpm-console jboss-as-7

I have a problem with the jbpm-console, generated from source. I installed jbpm-console-ng-jboss-as7.0.war in JBoss, which deploys OK, configured the security-domain in the subsystem "urn:jboss:domain:security:1.1", added the users and roles properties in the standalone configuration, and created the JBoss user, but when logging in to jbpm-console I get the following error: Login failed: Not Authorized
The security-domain in standalone.xml is:
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="jbpm-console-ng" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
The content of roles.properties is:
root=jbpm-console-user,user,analyst,PM,IT,Reviewer
The content of users.properties is:
root=root
The jboss user is "root".
Help me please!!
Make sure your security-domain is being referenced in jboss-web.xml:
<jboss-web>
<security-domain>jbpm-console-ng</security-domain>
</jboss-web>
This file is at jbpm-console.war/WEB-INF/jboss-web.xml.