Karaf w/ LDAP Auth - authentication

I'm trying to set up Karaf (4.0.9) to authenticate/authorize users via LDAP/Active Directory.
I've copied the following ldap-module.xml to the deploy directory per https://karaf.apache.org/manual/latest/#_available_realm_and_login_modules:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="sufficient">
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connection.username=cn=ldapsearch,cn=users,dc=eng,dc=net
            connection.password=****
            connection.protocol=
            connection.url=ldap://server:389
            user.base.dn=dc=eng,dc=net
            user.filter=(samaccountname=%u)
            user.search.subtree=true
            user.debug=true
            role.base.dn=dc=eng,dc=net
            role.name.attribute=cn
            role.filter=(member=%fqdn)
            role.search.subtree=true
            role.mapping=jtAdmins=admin,user,operator
            authentication=simple
            debug=true
        </jaas:module>
    </jaas:config>
</blueprint>
I see the logs, and I can see the LDAP login module on the realm, so I'm confident the config is at least being used:
karaf#root(jaas)> jaas:realm-list
Index | Realm Name | Login Module Class Name
-----------------------------------------------------------------------
1 | karaf | org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
When I try to ssh in, I get the following logs (truncated), and I can see the LDAP communications in Wireshark:
2017-07-31 16:50:39,229 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Get the user DN.
2017-07-31 16:50:39,238 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Looking for the user in LDAP with
2017-07-31 16:50:39,238 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | base DN: dc=eng,dc=net
2017-07-31 16:50:39,238 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | filter: (samaccountname=jtAdmin)
2017-07-31 16:50:39,244 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Found the user DN.
2017-07-31 16:50:39,245 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Bind user (authentication).
2017-07-31 16:50:39,245 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Set the security principal for CN=jtAdmin,CN=Users,dc=eng,dc=net
2017-07-31 16:50:39,245 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Binding the user.
2017-07-31 16:50:39,254 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | User jtAdmin successfully bound.
2017-07-31 16:50:39,256 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Looking for the user roles in LDAP with
2017-07-31 16:50:39,256 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | base DN: dc=eng,dc=net
2017-07-31 16:50:39,256 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | filter: (member=CN=jtAdmin,CN=Users,DC=eng,DC=net)
2017-07-31 16:50:39,359 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | User jtAdmin is a member of role Domain Computers
2017-07-31 16:50:39,359 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Parse role mapping jtAdmin=admin,user,operator
2017-07-31 16:50:39,359 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Parse role mapping jtAdmin=admin,user,operator
2017-07-31 16:50:39,359 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | User jtAdmin is a member of role Domain Controllers
...
2017-07-31 16:50:39,364 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Parse role mapping jtAdmins=admin,user,operator
2017-07-31 16:50:39,364 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | Parse role mapping jtAdmins=admin,user,operator
2017-07-31 16:50:39,364 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | LDAP role jtAdmins is mapped to Karaf role admin
2017-07-31 16:50:39,364 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | LDAP role jtAdmins is mapped to Karaf role user
2017-07-31 16:50:39,365 | DEBUG | 8]-nio2-thread-9 | LDAPLoginModule | 35 - org.apache.karaf.jaas.modules - 4.0.9 | LDAP role jtAdmins is mapped to Karaf role operator
I can see LDAP authorize my user, but it seems I don't have permission to log in. I thought the role.mapping would handle mapping my LDAP/AD membership to Karaf roles, but that doesn't seem to allow me access. The web console also attempts to allow access, but ultimately fails.
What config am I missing to map the LDAP/AD user roles to enable ssh karaf/console for my user? Do I need another login module? And how might I do this dynamically (not using a hard-coded role.mapping in the ldap-module.xml bundle)?
Ideally, I'd also like to be able to give LDAP OR local users access simultaneously, but I realize that might not be possible.

As luck would have it, I managed to track down the root cause. Thanks to the folks on the karaf IRC channel that let me think out loud.
Ultimately, I believe the root cause is this exception:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ...
I only actually see this exception in the webconsole handler, and NOT in the ssh/shell handler (but ssh doesn't work either, so...)
The exception is coming from LDAPCache.java (namingEnumeration.hasMore(), ~line 259) and ultimately from
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2914)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
This exception is propagated to the caller. Since I can't very well change the JVM, I'm borrowing a suggestion/solution of adding a config option, ignorePartialNameResult, regarding this exception. I don't quite understand why there is a partial name result, but I saw one comment implying that the error was due to role.base.dn being the same level as the user.base.dn, which is true in my case. After catching the exception and returning the existing roleList, I am able to successfully log in with LDAP users.

Related

Express-Gateway, serve same API path/route, but under different ServiceEndpoints

I have a server in Node.js + Express that exposes some APIs both to the public and to admins. Actually I have 2 cloned instances running, one for Test, one for Production. They are twins, exposing the same routes (/admin, /public), but are connected to two different databases and are deployed on two different addresses.
I want to use Express-Gateway to provide APIs to 3rd parties, so I'll first give them access to the Test server. Once it's all done, I'll also give them Production access.
To do this, my idea is to create just 1 eg user with multiple eg applications. Each eg application will have eg credentials to access Server or Production.
[Diagram: User -> App Prod (scopes: [api_prod]) and App Test (scopes: [api_test]) -> Express Gateway (http://gateway.com) -> Server Test (http://server_test.com: /public, /admin) and Server Prod (http://server_prod.com: /public, /admin)]
According to the credentials provided, the Gateway should redirect requests to server_test.com or server_prod.com. My idea was to use eg scopes to address requests to the right endpoint. So the Server Test policy will require the scope api_test, while Server Prod will require the api_prod scope.
Anyway, this solution doesn't work, because if the first match in apiEndpoints fails, it just results in "Not Found".
Example: I make a request to http://gateway.com/public using App Prod credentials, with the api_prod scope. It should be passed to http://server_prod.com/public, but instead it first matches paths: '/*' of testEndpoint and fails the scopes condition. So it just fails, while the correct apiEndpoint should be prodEndpoint.
How can I solve this problem?
This is my gateway.config.yml:
apiEndpoints:
  testEndpoint:
    host: '*'
    paths: '/*'          # <--- match this
    scopes: ["api_test"] # <--- but fails this
  prodEndpoint:
    host: '*'
    paths: '/*'
    scopes: ["api_prod"] # <---- this is right
serviceEndpoints:
  testService:
    url: "http://server_test.com"
  prodService:
    url: "http://server_prod.com"
policies:
  - proxy
pipelines:
  testEndpoint: # Test
    apiEndpoints:
      - testEndpoint
    policies:
      - proxy:
          - action:
              serviceEndpoint: testService
  prodEndpoint: # Prod
    apiEndpoints:
      - prodEndpoint
    policies:
      - proxy:
          - action:
              serviceEndpoint: prodService
I solved it this way, using the rewrite policy:
1. I prefix my clients' requests with /test or /prod.
2. Use the prefix to match the path of the correct apiEndpoint.
3. Rewrite the request, deleting the prefix.
4. Choose the serviceEndpoint and go on...
[Diagram: App Prod (scopes: [api_prod]) requests /prod/admin -> Express Gateway (http://gateway.com) rewrites to /admin -> Server Prod (http://server_prod.com: /public, /admin); App Test (scopes: [api_test]) requests /test/admin -> Express Gateway rewrites to /admin -> Server Test (http://server_test.com: /public, /admin)]
This is my config file:
apiEndpoints:
  testEndpoint:
    host: '*'
    paths: '/test/*'
    scopes: ["api_test"]
  prodEndpoint:
    host: '*'
    paths: '/prod/*'
    scopes: ["api_prod"]
serviceEndpoints:
  testService:
    url: "http://server_test.com"
  prodService:
    url: "http://server_prod.com"
policies:
  - proxy
pipelines:
  testEndpoint: # Test
    apiEndpoints:
      - testEndpoint
    policies:
      - rewrite: # rewrite - delete '/test'
          - condition:
              name: regexpmatch
              match: ^/test/?(.*)$
            action:
              rewrite: /$1
      - proxy:
          - action:
              serviceEndpoint: testService
  prodEndpoint: # Prod
    apiEndpoints:
      - prodEndpoint
    policies:
      - rewrite: # rewrite - delete '/prod'
          - condition:
              name: regexpmatch
              match: ^/prod/?(.*)$
            action:
              rewrite: /$1
      - proxy:
          - action:
              serviceEndpoint: prodService

java.io.IOException: Failed to bind error on ActiveMQ service start

I am configuring a new install of ActiveMQ 5.15.10 on a RHEL 7.7 AWS instance. When the process starts I get this error:
[ec2-user@ip-***-***-***-*** activemq]$ more data/activemq.log
2019-10-30 17:36:45,784 | INFO | Refreshing org.apache.activemq.xbean.XBeanBrokerFactory$1@4667ae56: startup date [Wed Oct 30 17:36:45 UTC 2019]; root of context hierarchy | org.apache.activemq.xbean.XBeanBrokerFactory$1 | main
2019-10-30 17:36:46,568 | INFO | Using Persistence Adapter: KahaDBPersistenceAdapter[/opt/activemq/data/kahadb] | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:46,628 | INFO | KahaDB is version 6 | org.apache.activemq.store.kahadb.MessageDatabase | main
2019-10-30 17:36:46,652 | INFO | PListStore:[/opt/activemq/data/***-***-***-***/tmp_storage] started | org.apache.activemq.store.kahadb.plist.PListStoreImpl | main
2019-10-30 17:36:46,821 | INFO | Apache ActiveMQ 5.15.10 (***-***-***-***, ID:ip-***-***-***-***.ec2.internal-36686-1572457006663-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:46,849 | INFO | Listening for connections at: tcp://ip-***-***-***-***.ec2.internal:61616?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2019-10-30 17:36:46,851 | INFO | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:46,855 | INFO | Listening for connections at: amqp://ip-***-***-***-***.ec2.internal:5672?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2019-10-30 17:36:46,856 | INFO | Connector amqp started | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:46,859 | INFO | Listening for connections at: stomp://ip-***-***-***-***.ec2.internal:61613?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2019-10-30 17:36:46,861 | INFO | Connector stomp started | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:46,864 | INFO | Listening for connections at: mqtt://ip-***-***-***-***.ec2.internal:1883?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2019-10-30 17:36:46,865 | INFO | Connector mqtt started | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:46,870 | INFO | Starting Jetty server | org.apache.activemq.transport.WebTransportServerSupport | main
2019-10-30 17:36:46,951 | INFO | Creating Jetty connector | org.apache.activemq.transport.WebTransportServerSupport | main
2019-10-30 17:36:47,043 | WARN | ServletContext@o.e.j.s.ServletContextHandler@7b420819{/,null,STARTING} has uncovered http methods for path: / | org.eclipse.jetty.security.SecurityHandler | main
2019-10-30 17:36:47,091 | INFO | Listening for connections at ws://ip-***-***-***-***.ec2.internal:61614?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.ws.WSTransportServer | main
2019-10-30 17:36:47,092 | INFO | Connector ws started | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:47,093 | INFO | Apache ActiveMQ 5.15.10 (***-***-***-***, ID:ip-***-***-***-***.ec2.internal-36686-1572457006663-0:1) started | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:47,094 | INFO | For help or more information please see: http://activemq.apache.org | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:47,095 | WARN | Store limit is 102400 mb (current store usage is 0 mb). The data directory: /opt/activemq/data/kahadb only has 47858 mb of usable space. - resetting to maximum available disk space: 47858 mb | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:47,096 | WARN | Temporary Store limit is 51200 mb (current store usage is 0 mb). The data directory: /opt/activemq/data only has 47858 mb of usable space. - resetting to maximum available disk space: 47858 mb | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:47,726 | INFO | ActiveMQ WebConsole available at http://***-***-***-***:8161/ | org.apache.activemq.web.WebConsoleStarter | main
2019-10-30 17:36:47,726 | INFO | ActiveMQ Jolokia REST API available at http://***-***-***-***:8161/api/jolokia/ | org.apache.activemq.web.WebConsoleStarter | main
2019-10-30 17:36:48,001 | WARN | Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'invokeStart' defined in class path resource [jetty.xml]: Invocation of init method failed; nested exception is java.io.IOException: Failed to bind to /***-***-***-***:8161 | org.apache.activemq.xbean.XBeanBrokerFactory$1 | main
2019-10-30 17:36:48,013 | INFO | Apache ActiveMQ 5.15.10 (***-***-***-***, ID:ip-***-***-***-***.ec2.internal-36686-1572457006663-0:1) is shutting down | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:48,014 | INFO | Connector openwire stopped | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:48,015 | INFO | Connector amqp stopped | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:48,016 | INFO | Connector stomp stopped | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:48,017 | INFO | Connector mqtt stopped | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:48,021 | INFO | Connector ws stopped | org.apache.activemq.broker.TransportConnector | main
2019-10-30 17:36:48,024 | INFO | PListStore:[/opt/activemq/data/***-***-***-***/tmp_storage] stopped | org.apache.activemq.store.kahadb.plist.PListStoreImpl | main
2019-10-30 17:36:48,025 | INFO | Stopping async queue tasks | org.apache.activemq.store.kahadb.KahaDBStore | main
2019-10-30 17:36:48,025 | INFO | Stopping async topic tasks | org.apache.activemq.store.kahadb.KahaDBStore | main
2019-10-30 17:36:48,026 | INFO | Stopped KahaDB | org.apache.activemq.store.kahadb.KahaDBStore | main
2019-10-30 17:36:48,046 | INFO | Apache ActiveMQ 5.15.10 (***-***-***-***, ID:ip-***-***-***-***.ec2.internal-36686-1572457006663-0:1) uptime 1.495 seconds | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:48,047 | INFO | Apache ActiveMQ 5.15.10 (***-***-***-***, ID:ip-***-***-***-***.ec2.internal-36686-1572457006663-0:1) is shutdown | org.apache.activemq.broker.BrokerService | main
2019-10-30 17:36:48,048 | INFO | Closing org.apache.activemq.xbean.XBeanBrokerFactory$1@4667ae56: startup date [Wed Oct 30 17:36:45 UTC 2019]; root of context hierarchy | org.apache.activemq.xbean.XBeanBrokerFactory$1 | main
2019-10-30 17:36:48,049 | ERROR | Failed to load: class path resource [activemq.xml], reason: Error creating bean with name 'invokeStart' defined in class path resource [jetty.xml]: Invocation of init method failed; nested exception is java.io.IOException: Failed to bind to /***-***-***-***:8161 | org.apache.activemq.xbean.XBeanBrokerFactory | main
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'invokeStart' defined in class path resource [jetty.xml]: Invocation of init method failed; nested exception is java.io.IOException: Failed to bind to /3.231.235.30:8161
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1630)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:737)[spring-beans-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)[spring-context-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)[spring-context-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.apache.xbean.spring.context.ResourceXmlApplicationContext.<init>(ResourceXmlApplicationContext.java:64)[xbean-spring-4.14.jar:4.14]
at org.apache.xbean.spring.context.ResourceXmlApplicationContext.<init>(ResourceXmlApplicationContext.java:52)[xbean-spring-4.14.jar:4.14]
at org.apache.activemq.xbean.XBeanBrokerFactory$1.<init>(XBeanBrokerFactory.java:104)[activemq-spring-5.15.10.jar:5.15.10]
at org.apache.activemq.xbean.XBeanBrokerFactory.createApplicationContext(XBeanBrokerFactory.java:104)[activemq-spring-5.15.10.jar:5.15.10]
at org.apache.activemq.xbean.XBeanBrokerFactory.createBroker(XBeanBrokerFactory.java:67)[activemq-spring-5.15.10.jar:5.15.10]
at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:71)[activemq-broker-5.15.10.jar:5.15.10]
at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:54)[activemq-broker-5.15.10.jar:5.15.10]
at org.apache.activemq.console.command.StartCommand.runTask(StartCommand.java:87)[activemq-console-5.15.10.jar:5.15.10]
at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:63)[activemq-console-5.15.10.jar:5.15.10]
at org.apache.activemq.console.command.ShellCommand.runTask(ShellCommand.java:154)[activemq-console-5.15.10.jar:5.15.10]
at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:63)[activemq-console-5.15.10.jar:5.15.10]
at org.apache.activemq.console.command.ShellCommand.main(ShellCommand.java:104)[activemq-console-5.15.10.jar:5.15.10]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_191]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_191]
at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_191]
at org.apache.activemq.console.Main.runTaskClass(Main.java:262)[activemq.jar:5.15.10]
at org.apache.activemq.console.Main.main(Main.java:115)[activemq.jar:5.15.10]
It looks like the web console is logged as available, and then it tries to bind the web console port again? This is on a fresh instance with no other services or Java processes running.
Please advise.

required or requisite jaas LDAPLoginModule not throwing FailedLoginException when user fails authentication

TL;DR: Why does the LDAPLoginModule (apparently) not throw a FailedLoginException when a user fails to be authenticated?
I have overridden the default "karaf" jaas realm in jboss fuse 6.2.[0|1]. My configuration has 2 modules:
1. an instance of org.apache.karaf.jaas.modules.ldap.LDAPLoginModule to authenticate the user via an LDAP-to-Active-Directory link
2. MyCustomLoginModule extends AbstractKarafLoginModule - a second module to check for locally-defined roles for an authenticated user.
The latter works fine. However, when the LDAPLoginModule fails to authenticate a user, they are still allowed to pass. This is the case no matter what combination of required/requisite and ordering I use for the 2 modules.
An example of the behavior:
I define my modules like:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xsi:schemaLocation="
               http://www.osgi.org/xmlns/blueprint/v1.0.0
               http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd" >
    . . .
    <jaas:config . . . >
        . . .
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                     flags="requisite">
            . . .
            properties herein as commonly seen for ldap-ad
            . . .
        </jaas:module>
        <jaas:module className="com.abc.xyz.MyCustomLoginModule"
                     flags="requisite">
            . . . nothing shocking in here either . . .
        </jaas:module>
    </jaas:config>
</blueprint>
This blueprint file and the MyCustomLoginModule are within a bundle that has been added to a feature that, itself, has been added to etc/org.apache.karaf.features.cfg along with the associated remote mvn repo.
I put "userX=admin" into the flat-file that MyCustomLoginModule uses to assign roles.
I try to login (via hawtio web console) as userX, but enter the wrong password.
Logged output is like:
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Get the user DN.
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Bind user (authentication).
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Setting up SSL
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Set the security principal for CN=...
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Binding the user.
WARN | LDAPLoginModule | org.apache.karaf.jaas.modules | User userX authentication failed.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]
^^ as expected, LDAP Authentication fails--as per the WARN message and the "52e" error code ^^
HOWEVER, execution continues and I am successfully logged into the hawtio web console as userX!
Alternatively, I can define a user=role mapping in my custom, local file, where the user does not even exist in our Active Directory.... something simple, like: admin=admin. I then go through the same process. This time the LDAP module throws no Exceptions, but logs:
WARN | LDAPLoginModule | org.apache.karaf.jaas.modules | User admin not found in LDAP.
but yet again, execution continues and I am successfully logged into the hawtio web console, this time as "admin."
Lastly... Using a valid Active Directory user, but not one defined in my custom, local file, produces expected logging like:
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Get the user DN.
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Setting up SSL
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Looking for the user in LDAP with
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | base DN:XXXXXXXXXX
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | filter: (&(|(samAccountName=<valid-username>)(userPrincipalName=<valid-username>)(cn=<valid-username>))(objectClass=user))
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Found the user DN.
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Bind user (authentication).
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Setting up SSL
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Set the security principal for CN=<valid-username>,...
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Binding the user.
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | User <valid-username> successfully bound.
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Setting up SSL
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | Looking for the user roles in LDAP with
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | base DN:XXXXXXXX
DEBUG | LDAPLoginModule | org.apache.karaf.jaas.modules | filter: (uniqueMember=CN=<valid-username>)
WARN | Authenticator | io.hawt.hawtio-web | Login failed due User <valid-username> has no local roles defined
where that last line is because my module throws a FailedLoginException if the user has no roles defined in the aforementioned custom file
I also noted that if the LDAPLoginModule's configuration is bad--e.g., a bad password is given for the system account that searches LDAP for the user--then it DOES halt the login process, by throwing a FailedLoginException like:
WARN | Authenticator | io.hawt.hawtio-web | Login failed due Can't connect to
the LDAP server: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]
Note that this is logged by the Authenticator (not the LDAPLoginModule as above).
...so at length, the question is -- why does the LDAPLoginModule (apparently) not throw a FailedLoginException when a user fails to be authenticated? I'd think that this is what's needed--does anyone disagree? Is there some additional bit of configuration that the LDAPLoginModule needs in order to be effective?
Has anyone else had this issue with JBoss FUSE v6.2.1 or karaf v2.4? Were you able to resolve within that version? If not, was it resolved by up-leveling to a newer version of either?
Thanks,
Hans
Though not an exact answer to the question asked, the following is an effective workaround.
Instead of using LDAPLoginModule directly, create a class that extends it and @Override the login() method--which returns a boolean... This boolean is set to false if the user being searched for does not exist, or has provided an incorrect password. Thus, simply call super.login() and if the result is false, then throw a FailedLoginException.
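The workaround above, written out as an added example; it is not part of the original answer and not Karaf's own code. Under the JAAS contract a login module whose login() returns false is simply ignored, whatever its required/requisite flag, so the custom roles module alone decides the outcome; turning that false into a FailedLoginException is what lets the flag take effect. The class name, package and the blueprint snippet in the comment are assumptions.

```java
package com.example.jaas; // hypothetical package, chosen for this example

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.apache.karaf.jaas.modules.ldap.LDAPLoginModule;

/**
 * Added example: a strict wrapper around Karaf's LDAPLoginModule.
 *
 * LDAPLoginModule.login() returns false (rather than throwing) when the
 * user is not found in LDAP or the bind with the supplied password fails
 * (the "not found in LDAP" / "authentication failed" WARN lines above).
 * JAAS treats a module that returns false as "ignore this module", so a
 * requisite/required flag never gets the chance to stop the login.
 * Converting that false into a FailedLoginException restores the expected
 * fail-closed behaviour.
 *
 * Register it in the blueprint in place of LDAPLoginModule (assumed
 * className, same properties as before):
 *
 *   <jaas:module className="com.example.jaas.StrictLDAPLoginModule"
 *                flags="requisite">
 *       ... same LDAP properties as for LDAPLoginModule ...
 *   </jaas:module>
 */
public class StrictLDAPLoginModule extends LDAPLoginModule {

    @Override
    public boolean login() throws LoginException {
        // super.login() does the user search and the bind. Any exception it
        // throws itself (e.g. the search account cannot connect to the
        // directory) propagates unchanged and already halts the login.
        boolean authenticated = super.login();

        if (!authenticated) {
            // Keep the message generic: do not tell the caller whether the
            // account exists or only the password was wrong. The module's own
            // WARN log lines already give the operator that detail.
            throw new FailedLoginException("LDAP authentication failed");
        }
        return true;
    }
}
```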

activemq network of brokers missing username or password

I'm trying to set a network of brokers in activemq, my current setup is having two brokers each running on a different vm. My configuration is:
<networkConnectors>
    <networkConnector
        name="Q:broker1->broker2"
        uri="static:(tcp://10.10.10.12:61612)"
        duplex="false"
        decreaseNetworkConsumerPriority="true"
        networkTTL="2"
        dynamicOnly="true"
        userName="activemq"
        password="password">
        <excludedDestinations>
            <topic physicalName=">" />
        </excludedDestinations>
    </networkConnector>
</networkConnectors>
I'm getting this error when I start up activemq on broker1:
2016-11-01 17:49:18,571 | INFO | Establishing network connection from vm://localhost?create=false&async=false to tcp://10.10.10.12:61612 | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-1
2016-11-01 17:49:18,572 | INFO | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | ActiveMQ Task-1
2016-11-01 17:49:18,578 | WARN | Failed to add Connection localhost->localhost-34161-1478036807089-20:1 due to java.lang.SecurityException: User name [activemq] or password is invalid. | org.apache.activemq.broker.TransportConnection | triggerStartAsyncNetworkBridgeCreation: remoteBroker=tcp:///10.10.10.12:61612#43981, localBroker= vm://localhost#18
2016-11-01 17:49:18,580 | WARN | Security Error occurred on connection to: vm://localhost#18, User name [activemq] or password is invalid. | org.apache.activemq.broker.TransportConnection.Service | triggerStartAsyncNetworkBridgeCreation: remoteBroker=tcp:///10.10.10.12:61612#43981, localBroker= vm://localhost#18
2016-11-01 17:49:18,580 | INFO | Network connection between vm://localhost#18 and tcp:///10.10.10.12:61612#43981 shutdown due to a local error: java.lang.SecurityException: User name [activemq] or password is invalid. | org.apache.activemq.network.DemandForwardingBridgeSupport | triggerStartAsyncNetworkBridgeCreation: remoteBroker=tcp:///10.10.10.12:61612#43981, localBroker= vm://localhost#18
2016-11-01 17:49:18,583 | INFO | Connector vm://localhost stopped | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-8
2016-11-01 17:49:18,584 | INFO | localhost bridge to localhost stopped | org.apache.activemq.network.DemandForwardingBridgeSupport | ActiveMQ BrokerService[localhost] Task-8
2016-11-01 17:49:20,580 | INFO | Stopping vm://localhost#18 because Failed with SecurityException: User name [activemq] or password is invalid. | org.apache.activemq.broker.TransportConnection | ActiveMQ BrokerService[localhost] Task-5
I set the activemq user in broker2 activemq.xml like the following:
<simpleAuthenticationPlugin>
    <users>
        <authenticationUser username="activemq" password="${activemq.password}"
                            groups="admins"/>
    </users>
</simpleAuthenticationPlugin>
and the user activemq is defined in credentials-enc.properties file like:
activemq.password=password
Why is broker1 unable to establish a connection with broker2? What am I missing here?
Add the userName and password attributes like this:
<networkConnector .. userName="admin" password="admin".. >
Network Connector Properties
Part 2:
Do you have a property placeholder bean in your activemq.xml file? You need that for the macro replacement to work. Otherwise, the broker probably thinks the password is literally the text below with the $ sign and { } braces.
${activemq.password}

Red Hat 7 with JBoss A-MQ 6.1: management console is not accessible

We're having the same problem as this OP: JBoss ActiveMQ on Red Hat - Unable to access AMQ Web Console, however that post doesn't indicate how he solved the problem.
We're trying to evaluate JBoss A-MQ, and have installed RHEL 7 with A-MQ 6.1 according to their installation guide. Everything works locally, e.g. the sample producer/consumer tests succeed in the Verifying the Installation step.
However, we cannot access the management console, even after configuring the remote user. We did have to add a JAVA_OPTIONS entry to setenv to override the default IPv6 sockets, and netstat shows that the service is now listening on the tcp socket instead of tcp6:
File /opt/jboss-a-mq-6.1.0.redhat-379/bin/setenv now contains:
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
export JAVA_OPTS
# netstat -paunt | grep 8181
tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 10698/java
We can ping the box from other systems, however attempting to open a telnet session on port 8181 times out. The management console URLs we've tried are:
http://172.16.100.110:8181/hawtio
http://172.16.100.110:8181
but neither work. What are we missing?
Here are the entries from amq.log containing hawt, which make it look like things are starting up correctly:
$ grep hawt amq.log
2014-09-09 11:32:35,778 | INFO | FelixStartLevel | HttpServiceFactoryImpl | .internal.HttpServiceFactoryImpl 35 | 98 - org.ops4j.pax.web.pax-web-runtime - 3.0.6 | Binding bundle: [io.hawt.hawtio-web [146]] to http service
2014-09-09 11:32:35,860 | INFO | pool-10-thread-1 | ConfigManager | io.hawt.system.ConfigManager 32 | 146 - io.hawt.hawtio-web - 1.2.0.redhat-379 | Configuration will be discovered via system properties
2014-09-09 11:32:35,863 | INFO | pool-10-thread-1 | JmxTreeWatcher | io.hawt.jmx.JmxTreeWatcher 63 | 146 - io.hawt.hawtio-web - 1.2.0.redhat-379 | Welcome to hawtio 1.2-redhat-379 : http://hawt.io/ : Don't cha wish your console was hawt like me? ;-)
2014-09-09 11:32:35,865 | INFO | pool-10-thread-1 | UploadManager | io.hawt.jmx.UploadManager 40 | 146 - io.hawt.hawtio-web - 1.2.0.redhat-379 | Using file upload directory: /opt/jboss-a-mq-6.1.0.redhat-379/data/tmp/uploads
2014-09-09 11:32:35,868 | INFO | pool-10-thread-1 | AuthenticationFilter | io.hawt.web.AuthenticationFilter 84 | 146 - io.hawt.hawtio-web - 1.2.0.redhat-379 | Starting hawtio authentication filter, JAAS realm: "karaf" authorized role: "admin" role principal classes: ""
2014-09-09 11:32:35,965 | INFO | FelixStartLevel | HttpServiceFactoryImpl | .internal.HttpServiceFactoryImpl 35 | 98 - org.ops4j.pax.web.pax-web-runtime - 3.0.6 | Binding bundle: [io.hawt.hawtio-karaf-terminal [148]] to http service
2014-09-09 11:32:35,987 | INFO | pool-10-thread-2 | ConfigManager | io.hawt.system.ConfigManager 32 | 148 - io.hawt.hawtio-karaf-terminal - 1.2.0.redhat-379 | Configuration will be discovered via system properties
2014-09-09 11:32:35,988 | INFO | pool-10-thread-2 | AuthenticationFilter | io.hawt.web.AuthenticationFilter 84 | 148 - io.hawt.hawtio-karaf-terminal - 1.2.0.redhat-379 | Starting hawtio authentication filter, JAAS realm: "karaf" authorized role: "admin" role principal classes: ""
2014-09-09 11:32:35,996 | WARN | FelixStartLevel | ConfigFacade | io.hawt.config.ConfigFacade 23 | 149 - io.hawt.hawtio-maven-indexer - 1.2.0.redhat-379 | No ConfigFacade constructed yet so using default configuration for now
2014-09-09 11:32:36,015 | INFO | pool-10-thread-2 | LoginServlet | io.hawt.web.LoginServlet 55 | 148 - io.hawt.hawtio-karaf-terminal - 1.2.0.redhat-379 | hawtio login is using default HttpSession timeout
2014-09-09 11:32:36,128 | INFO | pool-10-thread-1 | hawtio-web - 146} | lipse.jetty.util.log.JavaUtilLog 75 | 90 - org.eclipse.jetty.aggregate.jetty-all-server - 8.1.14.v20131031 | jolokia-agent: No access restrictor found at classpath:/jolokia-access.xml, access to all MBeans is allowed
2014-09-09 11:32:36,191 | INFO | pool-10-thread-1 | LoginServlet | io.hawt.web.LoginServlet 55 | 146 - io.hawt.hawtio-web - 1.2.0.redhat-379 | hawtio login is using default HttpSession timeout
2014-09-09 11:32:39,227 | INFO | de startup timer | MavenIndexerFacade | maven.indexer.MavenIndexerFacade 98 | 149 - io.hawt.hawtio-maven-indexer - 1.2.0.redhat-379 | Storing maven index files in local directory: /opt/jboss-a-mq-6.1.0.redhat-379/data/mavenIndexer
2014-09-09 11:32:39,621 | INFO | de startup timer | MavenIndexerFacade | maven.indexer.MavenIndexerFacade 148 | 149 - io.hawt.hawtio-maven-indexer - 1.2.0.redhat-379 | Updating the maven indices. This may take a while, please be patient...
2014-09-09 11:32:39,852 | INFO | de startup timer | MavenIndexerFacade | maven.indexer.MavenIndexerFacade 185 | 149 - io.hawt.hawtio-maven-indexer - 1.2.0.redhat-379 | Completed updating 2 maven indices.
OMG, it was the firewall on the local server.
After spending the day scouring the web for ideas, trying to figure out what was wrong with my configuration, in desperation I finally thought I should try disabling the firewall and see what happens. So I shut it down with the command:
sudo service firewalld stop
and suddenly I could access the management console! I tried the default URL, and it worked:
http://172.16.100.110:8181
d'oh!
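The diagnosis above boils down to one distinction: the port is in LISTEN state locally, but the host firewall drops inbound connections to it, which is why ping and ssh work (firewalld's default public zone permits ssh) while telnet to 8181 times out. The script below is an added example, not part of the question or the answer, that makes that check explicit and points at the targeted fix, opening only 8181/tcp, instead of stopping firewalld. The diagnose function works on text, so it is exercised here against constructed samples of netstat and firewall-cmd --list-all output (the netstat line is the one from the question); live_check feeds it the real output of ss and firewall-cmd on a RHEL 7 host.

```shell
#!/bin/sh
# Constructed sample of `netstat -plnt` output: 8181 (hawtio) and 61616
# (OpenWire) are both listening. First line is the one from the question.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 10698/java
tcp 0 0 0.0.0.0:61616 0.0.0.0:* LISTEN 10698/java'

# Constructed sample of `firewall-cmd --list-all` for the active zone:
# ssh is allowed (so remote logins work) and 61616/tcp was opened, but
# 8181/tcp was not.
ZONE_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 61616/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# listening LISTING PORT: succeeds if a LISTEN socket on that port appears.
# Accepts both netstat and `ss -ltn` formats (":PORT" followed by a space).
listening() {
    printf '%s\n' "$1" | grep -E ":$2([[:space:]]|$)" | grep -q LISTEN
}

# port_allowed ZONE_LISTING PORT/PROTO: succeeds if the zone's "ports:" line
# contains the entry.  Lines such as "source-ports:" are not matched.
port_allowed() {
    ports=$(printf '%s\n' "$1" | sed -n 's/^ *ports: *//p')
    for p in $ports; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# diagnose NETSTAT_OUT ZONE_OUT PORT: prints exactly one of
#   not-listening        the service itself is not bound to the port
#   blocked-by-firewall  bound, but firewalld does not admit the port
#   open                 bound and admitted
diagnose() {
    if ! listening "$1" "$3"; then
        echo not-listening
    elif ! port_allowed "$2" "$3/tcp"; then
        echo blocked-by-firewall
    else
        echo open
    fi
}

# live_check PORT: same decision against the running host, with the targeted
# remediation printed instead of disabling the whole firewall.
live_check() {
    result=$(diagnose "$(ss -ltn 2>/dev/null)" "$(firewall-cmd --list-all 2>/dev/null)" "$1")
    echo "port $1: $result"
    if [ "$result" = blocked-by-firewall ]; then
        echo "open only this port in the active zone, then reload:"
        echo "  firewall-cmd --permanent --add-port=$1/tcp && firewall-cmd --reload"
    fi
}
```

Scoping the rule to 8181/tcp keeps every other unlisted service (JMX, the OpenWire connector, the Karaf ssh port) closed to the network; if the console should only be reachable from an administration subnet, a rich rule with a source address is the next step rather than a zone-wide port opening.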