Re: LDAP & Roles

2017-03-06 Thread mtod09
ipal, continuing
2017-03-06 09:11:14,600 | DEBUG | wtio/auth/login/ | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | User inttest02 does not have the required role webconsole

--
View this message in context: 
http://karaf.922171.n3.nabble.com/LDAP-Roles-tp4049745p4049768.html
Sent from the Karaf - User mailing list archive at Nabble.com.


Re: LDAP & Roles

2017-03-06 Thread mtod09
To add:

When using bin\client it works fine; it seems to only happen when using the
web portals: system/console, hawtio, activemq.

2017-03-06 11:03:48,057 | DEBUG | c]-nio2-thread-3 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Get the user DN.
2017-03-06 11:03:48,058 | DEBUG | c]-nio2-thread-3 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Bind user (authentication).
2017-03-06 11:03:48,058 | DEBUG | c]-nio2-thread-3 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Set the security principal for CN=inttest02,OU=Test Accounts,OU=IT,OU=Domain Users,DC=corp,DC=local
2017-03-06 11:03:48,058 | DEBUG | c]-nio2-thread-3 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Binding the user.
2017-03-06 11:03:48,281 | DEBUG | c]-nio2-thread-3 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | User inttest02 successfully bound.

--
View this message in context: 
http://karaf.922171.n3.nabble.com/LDAP-Roles-tp4049745p4049767.html


Re: LDAP & Roles

2017-03-06 Thread mtod09
Here is the LDAP config from both systems.

I also tried a fresh install on the server with no luck.

Thanks for the help

Server Version

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
  <!-- placeholder: the jaas:config / jaas:module wrapper elements are missing from the archived copy -->
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=CN=X,OU=Service Accounts,DC=corp,DC=local
connection.password=X
connection.protocol=s
connection.url=ldap://corp.local:389
user.base.dn=DC=corp,DC=local
user.filter=(&(objectCategory=person)(samAccountName=%u))
user.search.subtree=true
role.base.dn=OU=Application Groups,OU=Domain Groups,DC=corp,DC=local
role.name.attribute=cn
role.filter=(&(objectClass=group)(member=%dn))
role.search.subtree=true
role.mapping=ActiveMQ_Admins_DEV=admin,webconsole,manager,jmxUser,sshConsole,viewer;ActiveMQ_Users_DEV=viewer
authentication=simple
debug=true
detailedLoginExcepion = true
</blueprint>

Local Version

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
  <!-- placeholder: the jaas:config / jaas:module wrapper elements are missing from the archived copy -->
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=CN=X,OU=Service Accounts,DC=corp,DC=local
connection.password=X
connection.protocol=s
connection.url=ldap://corp.local:389
user.base.dn=DC=corp,DC=local
user.filter=(&(objectCategory=person)(samAccountName=%u))
user.search.subtree=true
role.base.dn=OU=Application Groups,OU=Domain Groups,DC=corp,DC=local
role.name.attribute=cn
role.filter=(&(objectClass=group)(member=%dn))
role.search.subtree=true
role.mapping=ActiveMQ_Admins_DEV=admin,webconsole,manager,jmxUser,sshConsole,viewer;ActiveMQ_Users_DEV=viewer
authentication=simple
debug=true
detailedLoginExcepion = true
</blueprint>

--
View this message in context: 
http://karaf.922171.n3.nabble.com/LDAP-Roles-tp4049745p4049766.html
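As an added example (not code from this thread, from Karaf or from hawtio), the following models the two steps the thread is debugging: expanding the %u/%dn placeholders in user.filter/role.filter, mapping LDAP group cn values through the posted role.mapping into RolePrincipal names, and checking for the single role hawtio's Authenticator requires (webconsole), plus a triage helper that pulls the "does not have the required role" lines out of a log. It assumes, as the local log's RolePrincipal[Mirth Admins DEV] suggests, that groups absent from role.mapping pass through under their own name; the log excerpt is constructed in the format of the server log above.

```python
import re

# Values copied from the config posted in the thread.
ROLE_MAPPING = ("ActiveMQ_Admins_DEV=admin,webconsole,manager,jmxUser,sshConsole,viewer;"
                "ActiveMQ_Users_DEV=viewer")
ROLE_FILTER = "(&(objectClass=group)(member=%dn))"
USER_FILTER = "(&(objectCategory=person)(samAccountName=%u))"

# Constructed log excerpt in the format of the server-side hawtio log in the thread.
SAMPLE_LOG = """\
2017-03-06 09:11:14,600 | DEBUG | wtio/auth/login/ | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | User inttest02 does not have the required role webconsole
"""

def parse_role_mapping(mapping):
    """'G1=r1,r2;G2=r3' -> {'G1': ['r1', 'r2'], 'G2': ['r3']}."""
    result = {}
    for entry in mapping.split(";"):
        group, sep, roles = entry.strip().partition("=")
        if sep:
            result[group.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return result

def expand_filter(template, user, user_dn):
    """Substitute the %u / %dn placeholders used in user.filter and role.filter."""
    return template.replace("%dn", user_dn).replace("%u", user)

def roles_for(ldap_groups, mapping):
    """LDAP group cn values -> Karaf role names that become RolePrincipals.
    Assumption (matches the local log): a group with no mapping entry passes
    through unchanged, e.g. RolePrincipal[Mirth Admins DEV]."""
    roles = []
    for group in ldap_groups:
        for role in mapping.get(group, [group]):
            if role not in roles:
                roles.append(role)
    return roles

def missing_role(ldap_groups, mapping, required="webconsole"):
    """None when the required role is granted, else the role hawtio would report."""
    return None if required in roles_for(ldap_groups, mapping) else required

DENY_RE = re.compile(r"User (\S+) does not have the required role (\S+)")

def denied_logins(log_text):
    """Triage helper: (user, role) pairs from hawtio's required-role denial lines."""
    return DENY_RE.findall(log_text)
```

Feed denied_logins the real karaf.log and missing_role the groups the role.filter search actually returned for the user; a denial with the group present in LDAP points at role.mapping or role.base.dn, not at the bind.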


Re: LDAP & Roles

2017-03-05 Thread Jean-Baptiste Onofré
=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Looking for rolePrincipalClass: org.apache.karaf.jaas.boot.principal.RolePrincipal
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[viewer]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role viewer doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[Mirth Admins DEV]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role Mirth Admins DEV doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[manager]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role manager doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[jmxUser]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role jmxUser doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[admin]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role admin doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[sshConsole]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role sshConsole doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.UserPrincipal toString: UserPrincipal[inttest02]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | principal class org.apache.karaf.jaas.boot.principal.UserPrincipal doesn't match org.apache.karaf.jaas.boot.principal.RolePrincipal, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[webconsole]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Matched role and role principal class

--
View this message in context: 
http://karaf.922171.n3.nabble.com/LDAP-Roles-tp4049745.html

--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


LDAP & Roles

2017-03-05 Thread mtod09
| 116 - org.apache.karaf.jaas.modules - 4.0.8 | Binding the user.
2017-03-05 18:05:52,180 | DEBUG | icalNaming=false | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | User inttest02 successfully bound.
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Looking for rolePrincipalClass: org.apache.karaf.jaas.boot.principal.RolePrincipal
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[viewer]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role viewer doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[Mirth Admins DEV]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role Mirth Admins DEV doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[manager]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role manager doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[jmxUser]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role jmxUser doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[admin]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role admin doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[sshConsole]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | role sshConsole doesn't match webconsole, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.UserPrincipal toString: UserPrincipal[inttest02]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | principal class org.apache.karaf.jaas.boot.principal.UserPrincipal doesn't match org.apache.karaf.jaas.boot.principal.RolePrincipal, continuing
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Checking principal, classname: org.apache.karaf.jaas.boot.principal.RolePrincipal toString: RolePrincipal[webconsole]
2017-03-05 18:05:52,181 | DEBUG | icalNaming=false | Authenticator | 243 - io.hawt.hawtio-web - 1.4.68 | Matched role and role principal class

--
View this message in context: 
http://karaf.922171.n3.nabble.com/LDAP-Roles-tp4049745.html


Re: Does Karaf support hierarchical LDAP roles ?

2011-11-07 Thread metatech

Jean-Baptiste Onofré wrote:
> with subtree=true, you don't need the FQN.
> JB

Hi JB,

Thanks for your fast reply.

Actually, I already had subtree set to true for both users and roles.
But adding a wildcard in the LDAP filter did make it work:
role.filter = (uniqueMember=uid=%u,*,ou=Users,dc=mycompany,dc=com)

Thanks again,

metatech

--
View this message in context: 
http://karaf.922171.n3.nabble.com/Does-Karaf-support-hierarchical-LDAP-roles-tp3477321p3487444.html