Issue authenticating user on JBoss 7 against LDAP - authentication

I am trying to set up authentication for an application on JBoss 7 against an LDAP server. Below is the link I followed for the configuration:
LDAP authentication with JBoss 7
As per JBoss in Action, there are 3 steps to how the JBoss LDAP Login Module works:
The LDAP login module performs three queries against the LDAP server to log in a user, as follows:
- The first query looks up the user object using only the login id. This search is similar to the first ldapsearch query that we showed you earlier.
- A second query is a login attempt using the user’s login id and the password.
- The last query obtains the group objects.
The password is used, but you don’t have to reference it in the login module. Now let’s take a look at another login module that helps simplify development and testing.
Looking at the LDAP server logs, it looks like my setup is only doing the first step but not the second, so the login fails with a password error:
10:47:11,448 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000283: Bad password for username testuser1
10:47:11,450 TRACE [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000244: Begin abort method
10:47:11,450 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
Here is the configuration from my standalone.xml:
<security-domain name="LDAPAuth" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="cn=admin"/>
<module-option name="bindCredential" value="********"/>
<module-option name="baseCtxDN" value="ou=Internal,cn=Users,dc=company,dc=local"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="roleFilter" value="(uniqumember={1})"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
</authentication>
</security-domain>
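As an added example, not code from the question or from JBoss, here is a small Python model of the three queries described above, run against a constructed in-memory directory. It mirrors the standalone.xml options (bindDN, bindCredential, baseCtxDN, baseFilter, roleFilter); the rolesCtxDN value, the group entry and the passwords are assumptions, and it also shows that a roleFilter naming an attribute the directory does not carry, such as the `(uniqumember={1})` above, simply yields no roles.

```python
import re

# Constructed sample directory (DN -> attributes); stands in for the LDAP server.
USER_DN = "cn=testuser1,ou=Internal,cn=Users,dc=company,dc=local"
DIRECTORY = {
    "cn=admin": {"userPassword": ["adminpw"]},
    USER_DN: {"cn": ["testuser1"], "userPassword": ["s3cret"]},
    "cn=developers,ou=Groups,dc=company,dc=local": {"cn": ["developers"], "uniqueMember": [USER_DN]},
}

# Options mirror the standalone.xml above; rolesCtxDN and the credentials are assumed values.
CONFIG = {
    "bindDN": "cn=admin", "bindCredential": "adminpw",
    "baseCtxDN": "ou=Internal,cn=Users,dc=company,dc=local", "baseFilter": "(cn={0})",
    "rolesCtxDN": "ou=Groups,dc=company,dc=local", "roleFilter": "(uniqueMember={1})",
}

def bind(dn, password):
    """Simple bind: the DN must exist and the non-empty password must match (allowEmptyPasswords=false)."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and password != "" and password in entry.get("userPassword", [])

def search(base_dn, attr, value):
    """Subtree search: entries under base_dn whose attribute attr holds value (case-insensitive)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]

def parse_filter(flt):
    """Split a one-attribute filter such as '(cn={0})' into (attribute, value template)."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return m.group(1), m.group(2)

def ldap_ext_login(cfg, username, password):
    """Run the three queries; return the user's role names or raise PermissionError."""
    if not bind(cfg["bindDN"], cfg["bindCredential"]):
        raise PermissionError("service bind failed")
    attr, tmpl = parse_filter(cfg["baseFilter"])          # query 1: find the user DN by login id
    users = search(cfg["baseCtxDN"], attr, tmpl.replace("{0}", username))
    if len(users) != 1:
        raise PermissionError("user lookup failed for " + username)
    user_dn = users[0]
    if not bind(user_dn, password):                        # query 2: bind as the user with the password
        raise PermissionError("Bad password for username " + username)
    attr, tmpl = parse_filter(cfg["roleFilter"])           # query 3: groups whose member attribute holds the DN
    groups = search(cfg["rolesCtxDN"], attr, tmpl.replace("{1}", user_dn))
    return [DIRECTORY[g]["cn"][0] for g in groups]
```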

Related

LDAP Token Timeout setting

I am very new to LDAP. I have configured LDAP in jboss-6.0.0.Final using the following setting in login-config.xml.
<application-policy name = "XXXXXX">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag ="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">XXXXXXXXXXX</module-option>
<module-option name="unauthenticatedIdentity">anonymous</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="bindDN">XXXXXXXXXXXX</module-option>
<module-option name="baseCtxDN">XXXXXXX</module-option>
<module-option name="java.naming.security.principal">XXXXXXXX</module-option>
<module-option name="java.naming.security.credentials">XXXXXXX</module-option>
<module-option name="rolesCtxDN">XXXXXXXXXX</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleRecursion">1</module-option>
<module-option name="defaultRole">XXXXXXXX</module-option>
<module-option name="allowEmptyPasswords">true</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="throwValidateError">true</module-option>
</login-module>
</authentication>
</application-policy>
It is working fine and now my lead is asking what I have set for the "LDAP Token timeout setting". So I googled it and found that it is something about how often the server checks for authentication, e.g. if a user is already logged in to the application and in between the password changed, how much time will it take to check the password. Could you please help me to set this timeout setting?
LDAP doesn't give you tokens. It either authenticates you or it doesn't. The timeout in servlet-container-based Web systems is the HTTP session timeout, which is configured in web.xml. Nothing to do with LDAP whatsoever.

Switchyard basic authentication

The following authentication policy is defined in login-config.xml
<policy>
<!--- - - - -->
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module code="com.ge.trans.mp.samp.jaas.LoggingLdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
A switchyard configuration is below:
<switchyard xmlns="urn:switchyard-config:switchyard:1.0"
xmlns:sy="urn:switchyard-config:switchyard:1.0"
xmlns:bean="urn:switchyard-component-bean:config:1.0"
xmlns:camel="urn:switchyard-component-camel:config:1.0"
xmlns:http="urn:switchyard-component-http:config:1.0"
xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912">
<sca:composite name="http-bridge-esb" targetNamespace="urn:switchyard-quickstart:http-binding:1.0">
<sca:service name="httpPostService" promote="HttpPostBuilder/HttpPost" sy:security="basic-auth">
<http:binding.http>
<operationSelector operationName="postMessage"/>
<http:contextPath>myContextPath</http:contextPath>
</http:binding.http>
</sca:service>
<sca:component name="HttpPostBuilder">
<camel:implementation.camel>
<camel:xml path="META-INF/route.xml"/>
</camel:implementation.camel>
<sca:service name="HttpPost">
<sca:interface.java interface="my.post.Class"/>
</sca:service>
</sca:component>
</sca:composite>
<domain>
<securities>
<security name="basic-auth" securityDomain="myAuthenticationPolicy" rolesAllowed="mesgPoster"/>
</securities>
</domain>
</switchyard>
This configuration starts up in JBoss 6.1 EAP and appears to receive messages correctly, however it does not appear to authenticate.
I am presuming that the default username password callback handler is used to handle basic auth, and am also presuming the security domain reference in the security element relates to the application policy name configured in login-config.xml.
I seem unable to locate an example configuration showing basic auth authentication using an LDAP configuration policy.
If someone could point out the dots that I am missing, or somewhere that an example for a switchyard basic auth configuration exists it would be greatly appreciated.
Your login-config.xml is incomplete and invalid.
It should look something like this:
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://XXX:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">XXX\XXX</module-option>
<module-option name="bindCredential">XXX</module-option>
<module-option name="baseCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="java.naming.referral">follow</module-option>
</login-module>
</authentication>
</application-policy>

Mapping LDAP groups to roles in JBoss 5

I'm trying to authenticate users of the administrative consoles (Admin, JMX, JBoss Web and JBoss WS) using an LDAP provider defined in conf/login-config.xml:
<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&amp;(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&amp;(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
The appropriate JAAS config has been set in the following files:
$ grep LDAP /usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/*xml
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/components.xml: <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="LDAP"/>
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/jboss-web.xml: <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>
Connection with the LDAP server works correctly. I have verified that by capturing traffic using Wireshark and by setting org.jboss.security logging to TRACE in jboss-log4j.xml:
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
I have also set DEBUG level for the org.jboss.seam component:
<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>
which also verifies that the authentication step is working correctly:
2014-06-09 16:42:41,189 DEBUG [org.jboss.seam.security.Identity] (http-192.0.2.1-8080-6) Login successful for: someuser
There seems to be a problem with authorization: I can't access the admin-console even though the user is correctly authenticated. I've tried two different approaches:
As I don't have a group in my LDAP named JBossAdmin (which is the role used by default):
$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>
I'm trying to map my LDAP groups and JBoss roles using the RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
The contents of the props/admin-console-roles.properties is:
someuser=JBossAdmin
as documented, the syntax is username=role1,role2.
Replace the occurrences of JBossAdmin with one of the groups present in the LDAP structure, say developers:
$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>
Neither of the two works. I'm stuck at the login page. Moreover, if I insist and press the login button again, I'm greeted with this:
How can I debug it further? Is it possible to map LDAP groups to roles in JBoss 5? Can group names (instead of user names) be used in a role.properties file when using RoleMappingLoginModule?

how to specify the group to authenticate user in ldaploginmodule and jboss configuration

I would like to authenticate the user only if he is in a specific group.
For my test I have two users:
one user is in the FIRST GROUP
the other is in the SECOND GROUP
I have an Active Directory:
CN=Users,DC=XXXX,DC=com
---usrA
---usrB
---group1
---group2
usrA is in group1, usrB is in group2,
and I authenticate the user via JBoss with the LdapLoginModule in the standalone.xml.
standalone.xml:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://192.168.1.18"/>
<module-option name="java.naming.allowEmptyPasswords" value="false"/>
<module-option name="userfilter" value="(&(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"/>
<module-option name="principalDNSuffix" value="#XXXX.com"/>
<module-option name="java.naming.security.authentication" value="simple"/>
</login-module>
Where (primaryGroupID=1109) = group1.
The result is:
usrA logs in successfully
usrB logs in successfully too
So the filter used does not work properly or is not used at all, and I get no error.
I tested the userfilter query in Active Directory and it correctly returns "usrA".
Does someone have an idea of the problem? Does anyone have another way to authenticate a user according to his group?

Using the DatabaseServerLoginModule in JBoss 7

How do I have to configure a JBoss 7.1.1 server to use the DatabaseServerLoginModule when authenticating remote clients of my application?
Create a table with 3 columns:
rolename, username and password (or with the names you need).
In your server XML declare your datasource, then put:
<security-domain name="mydomain">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/MyDS"/>
<module-option name="principalsQuery" value="select password from tab_credential where username=?"/>
<module-option name="rolesQuery" value="select rolename, 'Roles' from tab_credential where username=?"/>
<module-option name="unauthenticatedIdentity" value="guest"/>
</login-module>
</authentication>
</security-domain>
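Added example, not code from the answer or from JBoss: the two queries above run against a constructed SQLite table in Python, mimicking how the module compares the principalsQuery result with the supplied password, turns rolesQuery rows into role groups, and falls back to unauthenticatedIdentity when no credentials are offered. The table contents and user names are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the datasource bound at java:jboss/datasources/MyDS.
conn = sqlite3.connect(":memory:")
conn.execute("create table tab_credential(rolename text, username text, password text)")
# One row per (user, role): a user with two roles repeats the password. Constructed data.
conn.executemany("insert into tab_credential values (?, ?, ?)", [
    ("mesgPoster", "alice", "alice-pw"),
    ("JBossAdmin", "alice", "alice-pw"),
    ("mesgPoster", "bob", "bob-pw"),
])

PRINCIPALS_QUERY = "select password from tab_credential where username=?"
ROLES_QUERY = "select rolename, 'Roles' from tab_credential where username=?"
UNAUTHENTICATED_IDENTITY = "guest"   # the module's unauthenticatedIdentity option


def database_login(username, password):
    """Mimic the module: return (principal, {role_group: [roles]}) or raise PermissionError."""
    if username is None:  # no credentials offered: the caller becomes the guest identity, no roles
        return UNAUTHENTICATED_IDENTITY, {}
    # The '?' placeholder is bound by the driver, so the username is never spliced into the SQL.
    rows = conn.execute(PRINCIPALS_QUERY, (username,)).fetchall()
    if not rows or rows[0][0] != password:  # an unknown user is reported like a wrong password
        raise PermissionError("Password invalid/Password required")
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, []).append(role)  # the constant second column names the role group
    return username, groups
```

The table above stores passwords in clear; in a deployment the module's hashAlgorithm and hashEncoding options let the password column hold a digest instead.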