Hi Oli,
the LDAP Login Module can use double bind:
- first bind as LDAP "admin" to lookup user
- second bind as LDAP user to validate credentials
The connection.username/connection.password are for the "admin" user who
performs the lookup.
The user auth is done using the retrieved DN:
    // Java (javax.naming): second bind of the double-bind flow in LDAPLoginModule.
    // env is the JNDI environment already holding the provider URL; authentication is
    // the "authentication" option (here "simple") and userDN the RDN returned by the
    // first, admin-bound search.
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    logger.debug("Bind user (authentication).");
    env.put(Context.SECURITY_AUTHENTICATION, authentication);
    logger.debug("Set the security principal for " + userDN + "," + userBaseDN);
    env.put(Context.SECURITY_PRINCIPAL, userDN + "," + userBaseDN);
    env.put(Context.SECURITY_CREDENTIALS, password);
    logger.debug("Binding the user.");
    // the bind happens here; a wrong DN or password surfaces as a NamingException
    // (AuthenticationException for invalid credentials)
    context = new InitialDirContext(env);
    logger.debug("User " + user + " successfully bound.");
    context.close();
So, in your case, it means that the combination of the retrieved userDN
used to construct the principal (concatenation of userDN + userBaseDN) and the
password is not valid on the LDAP.
Try to log on with this userDN and password using slapd or a similar tool to
validate the DN.
The password is provided by a callback:
    Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("Username: ");
    callbacks[1] = new PasswordCallback("Password: ", false);
Regards
JB
On 08/23/2013 01:20 PM, Oliver Wulff wrote:
Hi JB
I haven't found information on "native/core" in the context of JAAS except for the
Sun web server. I've now tried to create a jaas:config like this:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <!-- Bean that allows the $[karaf.base] property to be resolved -->
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                     flags="required">
            connection.url = ldap://ldap.example.com:389
            connection.username = CN=...
            connection.password = ....
            user.base.dn = OU=...
            user.filter = (saMAccountName=%u)
            user.search.subtree = true
            authentication = simple
            role.base.dn = ...
            role.filter = (member:=uid=%u)
            role.name.attribute = cn
            role.search.subtree = true
            detailedLoginExcepion = true
        </jaas:module>
        <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
                     flags="required">
            users = $[karaf.base]/etc/users.properties
            detailedLoginExcepion = true
            debug = true
        </jaas:module>
    </jaas:config>

</blueprint>
I've configured the LDAP user and its role in users.properties as well (but
without password, as authentication is done by LDAP). I can successfully
authenticate but get a login error in PropertiesLoginModule:
11:24:16,621 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 162 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Create the LDAP initial context.
11:24:16,621 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 166 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bound access requested.
11:24:16,621 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 174 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
11:24:16,621 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 178 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialize the JNDI LDAP Dir Context.
11:24:16,629 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 180 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Define the subtree scope search control.
11:24:16,630 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 187 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user in LDAP with
11:24:16,630 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 188 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | base DN: OU=<removed>
11:24:16,630 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 190 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | filter: (saMAccountName=owulff)
11:24:16,640 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 196 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
11:24:16,641 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 214 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bind user (authentication).
11:24:16,641 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 216 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Set the security principal for CN=owulff,<removed>
11:24:16,642 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 219 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Binding the user.
11:24:16,653 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 221 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | User owulff successfully bound.
11:24:16,654 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 239 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get user roles.
11:24:16,664 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 250 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user roles in LDAP with
11:24:16,664 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 251 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | base DN: OU=<removed>
11:24:16,664 | DEBUG | NioProcessor-2 | aas.modules.ldap.LDAPLoginModule 253 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | filter: (member:=uid=owulff)
11:24:16,668 | DEBUG | NioProcessor-2 | properties.PropertiesLoginModule 53 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialized debug=true usersFile=/projects/talend/Talend-ESB-V5.3.1/container/etc/users.properties
11:24:16,669 | DEBUG | NioProcessor-2 | les.encryption.EncryptionSupport 64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2 | les.encryption.EncryptionSupport 64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2 | properties.PropertiesLoginModule 164 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | abort
11:24:16,670 | DEBUG | NioProcessor-2 | shell.ssh.KarafJaasAuthenticator 106 | 29 - org.apache.karaf.shell.ssh - 2.3.1 | User authentication failed with login failed
javax.security.auth.login.FailedLoginException: login failed
    at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:141)
    at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
    at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.7.0_21]
    at java.lang.reflect.Method.invoke(Method.java:601)[:1.7.0_21]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)[:1.7.0_21]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)[:1.7.0_21]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)[:1.7.0_21]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)[:1.7.0_21]
    at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_21]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)[:1.7.0_21]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)[:1.7.0_21]
    at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:82)[29:org.apache.karaf.shell.ssh:2.3.1]
As a test, I've configured the password of the LDAP user in users.properties.
Then it works, but it's not my expected behaviour.
Maybe I'm missing something here?
If not, we could enhance the PropertiesLoginModule to support authentication
against LDAP but roles are managed locally.
Thanks
Oli
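As an added illustration (my own model, not Karaf's or JAAS's code), here is how a JAAS LoginContext combines the results of a stack like the one above: with both modules flagged required, the PropertiesLoginModule's failure for a user that has no local password fails the whole login even though the LDAP bind succeeded. The flag names and their semantics are standard JAAS; the user, password and role data are constructed.

```python
from typing import Callable, List, Tuple

# Added model (not Karaf's or JAAS's code) of how a JAAS LoginContext combines
# stacked login modules; a module is (flag, login_fn) where login_fn returns
# True when its own login() succeeded.
Module = Tuple[str, Callable[[str, str], bool]]

def jaas_login(modules: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run the stack; return (overall_success, per-module trace).
    required:   failure fails the login, but the remaining modules still run
    requisite:  failure fails the login and stops the stack at once
    sufficient: success ends the stack at once unless an earlier required/requisite module failed
    optional:   decides the outcome only if no required/requisite module exists
    """
    trace: List[str] = []
    required_failed = False
    has_required = any(f in ("required", "requisite") for f, _ in modules)
    other_succeeded = False
    for flag, login in modules:
        ok = login(user, password)
        trace.append(f"{login.__name__}[{flag}] -> {'ok' if ok else 'FAIL'}")
        if flag in ("required", "requisite"):
            if not ok:
                required_failed = True
                if flag == "requisite":
                    return False, trace
        elif ok:
            other_succeeded = True
            if flag == "sufficient" and not required_failed:
                return True, trace
    if required_failed:
        return False, trace
    return (True if has_required else other_succeeded), trace

# Constructed sample data mirroring the thread: the directory knows the password,
# users.properties lists the user with a role but no password.
LDAP_PASSWORDS = {"owulff": "ldap-secret"}
USERS_PROPERTIES = {"owulff": {"password": "", "roles": ["admin"]}}

def ldap_login_module(user: str, password: str) -> bool:
    # stands in for the double bind: user found and the user bind verified
    return LDAP_PASSWORDS.get(user) == password

def properties_login_module(user: str, password: str) -> bool:
    entry = USERS_PROPERTIES.get(user)
    return entry is not None and entry["password"] != "" and entry["password"] == password

def thread_config(properties_flag: str = "required") -> List[Module]:
    # Oli's realm: LDAPLoginModule then PropertiesLoginModule, both "required"
    return [("required", ldap_login_module), (properties_flag, properties_login_module)]
```

Flagging PropertiesLoginModule optional would make the login succeed, but a JAAS module whose own login() failed adds no principals in commit(), so the roles from users.properties would still be missing; that is the gap the proposed enhancement would close.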
________________________________________
From: Jean-Baptiste Onofré [[email protected]]
Sent: 22 August 2013 19:37
To: [email protected]
Subject: Re: LDAP authentication must role management in properties file
Hi,
like in JAAS "core/native": it depends on the realm (a realm has a
dedicated function: authentication/authorization).
Regards
JB
On 08/22/2013 11:34 AM, Oliver Wulff wrote:
Hi JB
How can I tell which login module is used for authentication (LDAP) and which
for authorization (PropertiesFile)? If I configure a list of login modules, I
thought JAAS will login with username/password in each login module.
Thanks
Oli
________________________________________
From: Jean-Baptiste Onofré [[email protected]]
Sent: 22 August 2013 10:20
To: [email protected]
Subject: Re: LDAP authentication must role management in properties file
Hi,
yes, the same realm (let's say Karaf) can use several login modules. It
leverages JAAS.
You can do that directly with the jaas:* commands.
Or you can define both login modules in the same blueprint and define a
rank for the login module:
<jaas:config name="myrealm">
    <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
                 flags="required">
        users = $[karaf.base]/etc/users.properties
    </jaas:module>
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LdapLoginModule ...."/>
</jaas:config>
You have more details here:
http://karaf.apache.org/manual/latest-2.3.x/developers-guide/security-framework.html
Regards
JB
On 08/22/2013 10:14 AM, Oliver Wulff wrote:
Hi there
I'm looking for a solution to use the LDAP Login Module only for
authentication and another module (e.g. PropertiesLoginModule) to manage
the roles.
Thanks
Oli
--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com