Authentication fail using LDAP Login Module for Teiid VDB Data Virtualization

0
votes

we are currently running into issues when configuring LDAP authentication for a deployed VDB, we would like to enter our active directory username and password when authenticating.

We have successful configured LDAP authentication for admin console, but running into errors during server start up.

I have been able to successfully configure authentication for the admin console at hostname:9990. I have done so by with the following changes to Standalone.xml we can provide our active directory user/pass and log in to the admin console.

Below are defined security domain which we are running into issues. And a security realm which is working.

This is the error we are receiving

ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
    at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

This is the security realm which is working when authenticating for the admin panel

<security-realm name="ldap-security-realm">
<authentication>
    <ldap connection="ldap-connection" base-dn="dc=main">
         <advanced-filter filter="(&amp;(sAMAccountName={0}))"/>
     </ldap>
 </authentication>
</security-realm>

<outbound-connections>
   <ldap name="ldap-connection" url="ldap://hostname:389" search dn="adminusername" search-credential="adminpassword"/>
</outbound-connections>

This is the security domain which we are trying to enable authentication for a deployed VDB

<datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
    <connection-url>jdbc:teiid:refresh@mm://hostname:31000</connection-url>
    <driver>teiid</driver>
    <security>
      <security-domain>test_ldap_security_domain</security-domain>
    </security>
</datasource>

<security-domain name="test_ldap_security_domain">
    <authentication>
         <login-module code="LdapExtended" flag="sufficient">
             <module-option name="java.naming.provider.url" value="ldap://hostname:389" />
             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
             <module-option name="java.naming.security.authentication" value="simple" />
             <module-option name="bindDN" value="adminusername" />
             <module-option name="bindCredential" value="adminpassword" />
             <module-option name="distinguishedNameAttribute" value="sAMAccountName" />
             <module-option name="baseFilter" value="(sAMAccountName={0})" />  
             <module-option name="baseCtxDN" value="dc=main" />
             </login-module>
     </authentication>
</security-domain>

<transport name="odata">
    <authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
    <authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
    <authentication security-domain="test_ldap_security_domain"/>
    <ssl mode="disabled"/>
</transport>
1
ldapredhatteiiddata-virtualizationredhat-datavirt

1 Answers

0
votes

The data source configuration by default during the startup tries to create a minimum number of connections. Since data source is secured based on user credentials and there is no active user during the startup it fails.

Change the data source configuration not to create any connections during the startup.

<pool>
    <prefill>false</prefill>
</pool>