
I'm attempting to configure JBoss with a LDAP login module, but so far I have been unsuccessful. When I pull up my webapp, I get the authentication box, but my credentials are not working.

Here is the error I get in the server log:

15:40:15,951 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) initialize 15:40:15,952 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) Security domain: LDAPAuth 15:40:15,953 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) login 15:40:15,953 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) Failed to parse: null, disabling recursion: java.lang.NumberFormatException: null at java.lang.Integer.parseInt(Integer.java:454) [rt.jar:1.7.0_79] at java.lang.Integer.parseInt(Integer.java:527) [rt.jar:1.7.0_79] at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:395) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:312) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79] at 
javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]

And then the bad password error:

15:40:15,974 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=ONELEVEL_SCOPE, java.naming.security.principal=uid=admin,ou=system, baseCtxDN=cn=ou=people,o=sevenSeas, roleAttributeID=cn, roleFilter=(uniquemember={1}), allowEmptyPasswords=true, rolesCtxDN=cn=ou=groups,o=sevenSeas, baseFilter=(uid={0}), jboss.security.security_domain=LDAPAuth, java.naming.provider.url=ldap://localhost:10389, bindDN=uid=admin,ou=system, java.naming.security.authentication=simple, bindCredential=, java.naming.security.credentials=} 15:40:15,984 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) Bad password for username=cbuckley 15:40:15,985 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8088-1) abort 15:40:15,985 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8088-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79] at 
java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79] at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]

Here are my config files:

web.xml

<web-app >
<!-- NOTE(review): this constraint lists only GET and POST. When a
     <web-resource-collection> names <http-method> elements, the unlisted
     methods (HEAD, PUT, DELETE, OPTIONS, ...) fall outside the constraint and
     are served without authentication. Removing the two <http-method> lines
     constrains every method; Servlet 3.0 containers also accept
     <http-method-omission> to exclude specific methods instead. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAuth</web-resource-name>
        <description>application security constraints</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Manager</role-name>
    </auth-constraint>
</security-constraint>
<!-- BASIC auth sends credentials base64-encoded on every request; only
     acceptable over TLS (add a <user-data-constraint> with
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the constraint
     above to enforce it). -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>LDAPAuth realm</realm-name>
</login-config>
<security-role>
    <role-name>Manager</role-name>
</security-role>

jboss-web.xml

<jboss-web>
<security-domain>java:/jaas/LDAPAuth</security-domain>

standalone.xml

<!-- NOTE(review): the TRACE output above ("Logging into LDAP server, env=...")
     prints the whole module environment, including bindCredential and
     java.naming.security.credentials; leaving this category at TRACE on a
     server that holds a real bind secret writes that secret to the log.
     The trace also shows bindCredential= (empty) while this file sets
     "secret", which suggests the running server is not using this exact
     configuration — confirm which standalone.xml is loaded. -->
<security-domain name="LDAPAuth">
                <authentication>
                    <login-module code="LdapExtended" flag="required">
                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                        <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
                        <module-option name="java.naming.security.authentication" value="simple"/>
                        <module-option name="bindDN" value="uid=admin,ou=system"/>
                        <!-- Plaintext bind secret in the server config; the
                             "Failed to parse: null, disabling recursion" TRACE
                             entry in the log is presumably the unset role
                             recursion option being handled (recursion is
                             disabled), not the cause of the failed login. -->
                        <module-option name="bindCredential" value="secret"/>
                        <!-- The posted tree has ou=people and ou=groups directly
                             under o=sevenSeas, so the "cn=" prefix on these two
                             DNs does not match any entry. -->
                        <module-option name="baseCtxDN" value="cn=ou=people,o=sevenSeas"/>
                        <module-option name="baseFilter" value="(uid={0})"/>
                        <module-option name="rolesCtxDN" value="cn=ou=groups,o=sevenSeas"/>
                        <module-option name="roleFilter" value="(uniquemember={1})"/>
                        <module-option name="roleAttributeID" value="cn"/>
                        <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                        <!-- NOTE(review): allowEmptyPasswords=true forwards a
                             zero-length password to the LDAP server; servers
                             that treat an empty-password bind as anonymous may
                             then accept the login. Keep this false unless it is
                             genuinely required — confirm against the server's
                             bind policy. -->
                        <module-option name="allowEmptyPasswords" value="true"/>
                    </login-module>
                </authentication>
            </security-domain>

ApacheDS Config (sevenSeas example from apacheds user guide - Sorry I do not have enough rep to post a picture)

o=sevenSeas
    ou=groups
        ou=crews
            ou=HMS Bounty (2 more)
        ou=ranks
    ou=people
        cn=Cornelius Buckley (10 more)

I can't figure out what it is failing to parse. Any idea why this is not working? Thank you.


1 Answers


I think your baseCtxDN and rolesCtxDN values shouldn't have the prefix "cn=" based on your LDAP structure: the tree you posted has ou=people and ou=groups directly under o=sevenSeas, so the DNs should be ou=people,o=sevenSeas and ou=groups,o=sevenSeas.