0
votes

I am struggling to get ldap authentication using openDS to work. I am using Worklight Studio 6.2 and Apache DS 2.0 as the ldap browser.

The project is supposed to call a login page, and then submit the username and password for authentication to ldap.

I get the following error in the firefox console:

POST http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check [HTTP/1.1 200 OK 253ms]
undefined entity j_security_check:134 

And in eclipse in the worklight console:

[WARNING ] FWLSE0138W: LdapLoginModule authentication failed. Reason 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
[WARNING ] FWLSE0239W: Authentication failure in realm 'LDAPRealm': login fail [project LDAPTest]

I thought that the issue would be either my connection string or my challenge handler. But I suspect that since my error is invalid credentials it must be my connection string in the authenticationConfig.xml.

I have tried several methods, including some of the posts here such as:

Worklight LDAP authentication using ApacheDS
Worklight LDAP authentication using ApacheDS 2.0

and others there. I followed the IBM LDAP sample to set this up and I have checked to make sure that I have the same structure.

Any help figuring this out would be much appreciated. Also, if you think I should check my LDAP config, I can post that too; I followed a tutorial from the openDS wiki. I was able to connect to it using Apache Directory Studio's browser and Softerra LDAP Administrator.

My project is as follows:

index.html:

<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>LDAPTest</title>
<meta name="viewport"
    content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=0">
<!--
                <link rel="shortcut icon" href="images/favicon.png">
                <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> 
            -->
<link rel="stylesheet" href="css/main.css">
<script>window.$ = window.jQuery = WLJQ;</script>
</head>
<body style="display: none;">

    <div id="header">
        <h1>SigmaLDAP Login Module</h1>
    </div>

    <div id="wrapper">
        <div id="AppDiv">
            <input type="button" class="appButton"
                value="Call protected adapter proc" onclick="getSecretData()" /> <input
                type="button" class="appButton" value="Logout"
                onclick="WL.Client.logout('LDAPRealm',{onSuccess: WL.Client.reloadApp})" />
            <p id="resultDiv"></p>
        </div>

        <div id="AuthDiv" style="display: none">
            <div id="loginForm">
                <input type="text" id="usernameInputField"
                    placeholder="Enter username" /> <br /> <input type="password"
                    placeholder="Enter password" id="passwordInputField" /> <br /> <input
                    type="button" class="formButton" id="loginButton" value="Login" />
                <input type="button" class="formButton" id="cancelButton"
                    value="Cancel" />
            </div>
        </div>
    </div>


    <script src="js/initOptions.js"></script>
    <script src="js/main.js"></script>
    <script src="js/messages.js"></script>
    <script src="js/LDAPRealmChallenger.js"></script>
</body>
</html>

Main.js

function wlCommonInit(){
    // Nothing to initialise; the challenge handler is registered in LDAPRealmChallenger.js
}

// Calls the adapter procedure that is protected by LDAPSecurityTest.
// If the user is not yet authenticated, Worklight answers with the
// login-form challenge and LDAPRealmChallengeHandler takes over.
function getSecretData(){
    WL.Logger.info('invoking the adapter');
    var invocationData = {
            adapter: "LDAPter",
            procedure: "getSecretData",
            parameters: []
    };

    WL.Client.invokeProcedure(invocationData, {
        onSuccess: getSecretData_Callback,
        onFailure: getSecretData_Callback,
        timeout: 2000
    });
}

// Shared success/failure callback: renders whatever came back from the adapter
function getSecretData_Callback(response){
    $("#resultDiv").css("padding", "10px");
    $("#resultDiv").html(new Date() + "<hr/>");
    $("#resultDiv").append("Secret data :: " + response.invocationResult.secretData + "<hr/>");
    $("#resultDiv").append("Response :: " + JSON.stringify(response));
}

My Challenger.js

var LDAPRealmChallengeHandler = WL.Client.createChallengeHandler("LDAPRealm");

LDAPRealmChallengeHandler.isCustomResponse = function(response) {
    // Return early: without the guard the indexOf() below throws on a null response
    if (!response || !response.responseText) {
        WL.Logger.info('empty response, not a login challenge');
        return false;
    }

    // The server answers an unauthenticated request with its login form, which
    // posts to j_security_check. Finding that string means a challenge is
    // pending, not that the user is authenticated.
    var idx = response.responseText.indexOf("j_security_check");

    if (idx >= 0){
        WL.Logger.info("Login form received, challenge pending");
        return true;
    }
    return false;
};

LDAPRealmChallengeHandler.handleChallenge = function(response){
        $('#AppDiv').hide();
        $('#AuthDiv').show();
        $('#passwordInputField').val('');
};

$('#loginButton').bind('click', function () {
    var reqURL = '/j_security_check';
    var options = {};
    options.parameters = {
            j_username : $('#usernameInputField').val(),
            j_password : $('#passwordInputField').val()
    };
    options.headers = {};
    LDAPRealmChallengeHandler.submitLoginForm(reqURL, options, LDAPRealmChallengeHandler.submitLoginFormCallback);
});

$('#cancelButton').bind('click', function () {
    $('#AppDiv').show();
    $('#AuthDiv').hide();
    LDAPRealmChallengeHandler.submitFailure();
});

LDAPRealmChallengeHandler.submitLoginFormCallback = function(response) {
    var isLoginFormResponse = LDAPRealmChallengeHandler.isCustomResponse(response);
    if (isLoginFormResponse){
        LDAPRealmChallengeHandler.handleChallenge(response);
    } else {
        $('#AppDiv').show();
        $('#AuthDiv').hide();
        LDAPRealmChallengeHandler.submitSuccess();
    }
};

My adapter: the js file

// Protected procedure; only reachable once LDAPSecurityTest has passed
function getSecretData(){
    console.log("getting you secrets mofos");
    return {secretData: 1234};
}

The xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed Materials - Property of IBM
    5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
    US Government Users Restricted Rights - Use, duplication or
    disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<wl:adapter name="LDAPter"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.worklight.com/integration"
    xmlns:http="http://www.worklight.com/integration/http">

    <displayName>LDAPter</displayName>
    <description>LDAPter</description>
    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>http</protocol>
            <domain>none</domain>
            <port>80</port>
        </connectionPolicy>
        <loadConstraints maxConcurrentConnectionsPerNode="2" />
    </connectivity>

    <procedure name="getSecretData" securityTest="LDAPSecurityTest" />
</wl:adapter>


The authenticationConfig.xml:

<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Licensed Materials - Property of IBM 5725-I43 (C) Copyright IBM Corp. 
        2006, 2013. All Rights Reserved. US Government Users Restricted Rights - 
        Use, duplication or disclosure restricted by GSA ADP Schedule Contract with 
        IBM Corp. -->

    <staticResources>
        <!-- <resource id="logUploadServlet" securityTest="LogUploadServlet"> <urlPatterns>/apps/services/loguploader*</urlPatterns> 
            </resource> -->
        <resource id="subscribeServlet" securityTest="SubscribeServlet">
            <urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
        </resource>

    </staticResources>

    <!-- Sample security tests Even if not used there will be some default webSecurityTest 
        and mobileSecurityTest Attention: If you are adding an app authenticity realm 
        to a security test, you must also update the application-descriptor.xml. 
        Please refer to the user documentation on application authenticity for environment 
        specific guidelines. -->

    <securityTests>

        <customSecurityTest name="LDAPSecurityTest">
                <test isInternalUserID="true" realm="LDAPRealm" />
        </customSecurityTest>

        <!-- <mobileSecurityTest name="mobileTests"> <testAppAuthenticity/> <testDeviceId 
            provisioningType="none" /> <testUser realm="myMobileLoginForm" /> <testDirectUpdate 
            mode="perSession" /> </mobileSecurityTest> <webSecurityTest name="webTests"> 
            <testUser realm="myWebLoginForm"/> </webSecurityTest> <customSecurityTest 
            name="customTests"> <test realm="wl_antiXSRFRealm" step="1"/> <test realm="wl_authenticityRealm" 
            step="1"/> <test realm="wl_remoteDisableRealm" step="1"/> <test realm="wl_directUpdateRealm" 
            mode="perSession" step="1"/> <test realm="wl_anonymousUserRealm" isInternalUserID="true" 
            step="1"/> <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" 
            step="2"/> </customSecurityTest> <customSecurityTest name="LogUploadServlet"> 
            <test realm="wl_anonymousUserRealm" step="1"/> <test realm="LogUploadServlet" 
            isInternalUserID="true"/> </customSecurityTest> -->
        <customSecurityTest name="SubscribeServlet">
            <test realm="SubscribeServlet" isInternalUserID="true" />
        </customSecurityTest>

    </securityTests>

    <realms>

        <realm loginModule="LDAPLoginModule" name="LDAPRealm">
            <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
            <onLoginUrl>/console</onLoginUrl>
        </realm>

        <realm name="SubscribeServlet" loginModule="rejectAll">
            <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
        </realm>

        <!-- For client logger -->
        <!-- <realm name="LogUploadServlet" loginModule="StrongDummy"> <className>com.worklight.core.auth.ext.HeaderAuthenticator</className> 
            </realm -->

        <!-- For websphere -->
        <!-- realm name="WASLTPARealm" loginModule="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className> 
            <parameter name="login-page" value="/login.html"/> <parameter name="error-page" 
            value="/loginError.html"/> </realm -->

        <!-- For User Certificate Authentication -->
        <!-- realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule"> 
            <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className> 
            <parameter name="dependent-user-auth-realm" value="WASLTPARealm" /> <parameter 
            name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI" 
            /> <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/opt/ssl_ca/ca.p12"/> 
            <parameter name="embedded-pki-bridge-ca-p12-password" value="capassword" 
            /> </realm -->

        <!-- For Trusteer Fraud Detection -->
        <!-- Requires acquiring Trusteer SDK -->
        <!-- realm name="wl_basicTrusteerFraudDetectionRealm" loginModule="trusteerFraudDetectionLogin"> 
            <className>com.worklight.core.auth.ext.TrusteerAuthenticator</className> 
            <parameter name="rooted-device" value="block"/> <parameter name="device-with-malware" 
            value="block"/> <parameter name="rooted-hiders" value="block"/> <parameter 
            name="unsecured-wifi" value="alert"/> <parameter name="outdated-configuration" 
            value="alert"/> </realm -->

    </realms>

    <loginModules>

        <loginModule name="LDAPLoginModule">
            <className>com.worklight.core.auth.ext.LdapLoginModule</className>
            <parameter name="ldapProviderUrl" value="ldap://localhost:389/dc=sigma,dc=com" />
            <parameter name="ldapTimeoutMs" value="2000"/>
            <parameter name="ldapSecurityAuthentication" value="simple"/>
            <parameter name="validationType" value="searchPattern"/>
            <parameter name="ldapSecurityPrincipalPattern" value="uid={username},ou=users,dc=sigma,dc=com"/>
            <parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
            <parameter name="ldapSearchBase" value="ou=users,dc=sigma,dc=com"/>  
        </loginModule>

        <loginModule name="StrongDummy">
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
        </loginModule>

        <loginModule name="requireLogin">
            <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
        </loginModule>

        <loginModule name="rejectAll">
            <className>com.worklight.core.auth.ext.RejectingLoginModule</className>
        </loginModule>

        <!-- Required for Trusteer - wl_basicTrusteerFraudDetectionRealm -->
        <!-- loginModule name="trusteerFraudDetectionLogin"> <className>com.worklight.core.auth.ext.TrusteerLoginModule</className> 
            </loginModule -->

        <!-- For websphere -->
        <!-- loginModule name="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereLoginModule</className> 
            </loginModule -->

        <!-- Login module for User Certificate Authentication -->
        <!-- <loginModule name="WLUserCertificateLoginModule"> <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className> 
            </loginModule> -->


        <!-- For enabling SSO with no-provisioning device authentication -->
        <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule"> 
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className> 
            </loginModule> -->


        <!-- For enabling SSO with auto-provisioning device authentication -->
        <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceAutoProvisioningLoginModule"> 
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className> 
            </loginModule> -->
    </loginModules>

</tns:loginConfiguration>

The response from the j_security_check

Request URL:    http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check
Request Method:     POST
Status Code:    HTTP/1.1 200 OK


Request Headers 12:47:00.000
x-wl-app-version:   1.0
x-wl-analytics-tracking-id: a948e425-1ace-a28b-3d27-11bac5ba3de3
X-Requested-With:   XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Referer:    http://10.2.38.14:10080/LDAPTest/apps/services/preview/LDAPTest/common/0/default/index.html
Pragma: no-cache
Host:   10.2.38.14:10080
Content-Type:   application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 37
Connection: keep-alive
Cache-Control:  no-cache
Accept-Language:    en-US
Accept-Encoding:    gzip, deflate
Accept: text/javascript, text/html, application/xml, text/xml, */*


Sent Cookie
WL_PERSISTENT_COOKIE:   b24de65a-9c5a-4f58-97d7-348e92c78034
testcookie: oreo
LtpaToken2: rZBXVP4XKLnpvJpLFrp3UArtZGrcsGAXr4jGDTBurns9Ej5Nrx1s4/yWsDJJN6xfWkxWh1/3bBruHvL9twdae1qVcE2/D/0GfMwd1pVLbpowclNLFtqKBonEXxV6TlFIVaKgKz62SHR2to3Az/vbTjF+ZH8V1QnAdGi6dC8mk+wympju0P/4hLKWHseN9Sty2UM94cL2Cd+vcBGhJ5QVF211RIwQTXuGeQl+WMTg6B8Kfjlvly4sanyVr5va2AW38752VNEWtdnsrTHcayO/lAG1SyebFEKtaTVZhOPBkml5m6AojEGlDbcUjjof6e9H
JSESSIONID: 0000QTvrT7OBSgjn7OJG9XPMtIE:b45f2ac7-fb59-4da4-b233-f8bc81b81cf0


Response Headers Δ315ms
X-Powered-By:   Servlet/3.0
Transfer-Encoding:  chunked
P3P:    policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Expires:    -1
Date:   Mon, 10 Nov 2014 11:47:00 GMT
Content-Language:   en-US

And the firefox console also returns undefined entity for j_security_check and a line number 134, which in the snippet below is the last line before the div. The code it points to is as follows:

<body onload="isPopup(); setFocus();">
        <div id="authenticatorLoginFormWrapper">
            <h1>IBM</h1>
            <h2>IBM Worklight</h2>
            <form method="post" action="j_security_check">
                <p id="error">Please check the credentials</p>
                <label for="j_username">User name:</label>
                <input type="text" id="j_username" name="j_username" placeholder="User name" />
                <br />
                <label for="j_password">Password:</label>
                <input type="password" id="j_password" name="j_password" placeholder="Password" />
                <br />
                <input type="submit" id="login" name="login" value="Log In" />
            </form>
            <p id="copyright">&copy; 2006, 2012 IBM Corporation. <a href="#" target="_blank">Trademark</a></p>
        </div>
2
I'm not seeing anything immediately wrong. Could you post the contents of the response for POST x.x.x.x:10080/LDAPTest/apps/services/j_security_check? There may be a hidden error there that the challenge handler does not handle. – Mike

Sorry for the late response Mike, please find the contents of the j_security_check added as an edit above. I didn't find anything useful in it. I have been playing around with my connection string trying to figure out if that is where the issue is, but nothing definitive yet. – Anthony K

2 Answers

0
votes

Can you try and eliminate some variables in your setup and try, as a first step, to check whether your LDAP server is configured properly?

You can use this: https://serverfault.com/questions/514870/how-do-i-authenticate-with-ldap-via-the-command-line

to do a simple connection to your ldap server using a command line tool.
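A self-contained way to run that first step, added here as example code (not from the answer, the question, or Worklight): it performs the same LDAPv3 simple bind that LdapLoginModule does, with the DN built from the question's ldapSecurityPrincipalPattern, so an "error code 49" (invalidCredentials) can be reproduced outside Worklight with nothing but the standard library. The host, port, username and password in the usage block are assumptions; the escaping of the substituted username is an addition for safety, not something the page states Worklight does.

```python
"""Minimal LDAPv3 simple-bind probe (hand-encoded BER, no third-party library)."""
import socket

INVALID_CREDENTIALS = 49  # the resultCode behind "LDAP: error code 49"


def ber_len(n):
    # BER length: one byte below 128, otherwise 0x80|count followed by the length bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def escape_rdn_value(value):
    # RFC 4514 escaping (assumption: added here so a username containing "," or "="
    # cannot add or change RDNs in the pattern; the page does not say Worklight does this)
    return "".join("\\" + c if c in ',+"\\<>;=#' else c for c in value)


def bind_dn(pattern, username):
    # Same substitution as ldapSecurityPrincipalPattern="uid={username},ou=users,..."
    return pattern.replace("{username}", escape_rdn_value(username))


def build_bind_request(msg_id, dn, password):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name DN, simple [0] password }
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    # BindResponse [APPLICATION 1] ::= { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    tag, msg, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(msg, 0)             # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(op, 0)
    _, _, pos = read_tlv(op, pos)            # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def simple_bind(host, port, dn, password, timeout=2.0):
    # Plain ldap:// connection, as ldapProviderUrl="ldap://localhost:389/..." uses
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, dn, password))
        return parse_bind_response(s.recv(4096))


if __name__ == "__main__":
    # Assumed host, user and password; the DN pattern and base are the question's
    dn = bind_dn("uid={username},ou=users,dc=sigma,dc=com", "alice")
    code, diag = simple_bind("localhost", 389, dn, "secret")
    print("bind as %s -> resultCode %d %s" % (dn, code, diag))
```

A resultCode of 49 here, with the same DN and password the app sends, means the credentials or the DN pattern are wrong at the server, independent of Worklight; a 0 means the bind works and the problem is in the Worklight side (search base, filter, or the challenge handler).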

0
votes

I had a similar issue and a working config in my case was to move from simple to exists check in the authenticationConfig.xml file. But especially the big leap forward was not using the uid anymore in the ldapSecurityPrincipalPattern and instead use cn for the user.

I paste the configuration below hoping it's useful for you (please note in my specific case I setup a test server corp.workgroup.com domain):

<loginModules>
    <loginModule expirationInSeconds="-1" name="LDAPLoginModule">
        <className>com.worklight.core.auth.ext.LdapLoginModule</className>
        <parameter name="ldapProviderUrl" value="ldap://yourserver" />
        <parameter name="ldapTimeoutMs" value="2000" />
        <parameter name="ldapSecurityAuthentication" value="simple" />
        <parameter name="validationType" value="exists" />
        <parameter name="ldapSecurityPrincipalPattern" value="cn={username},cn=Users,dc=corp,dc=workgroup,dc=com" />
        <parameter name="ldapReferral" value="ignore" />
    </loginModule>
</loginModules>