I have narrowed this issue down a bit I have a local copy of Servicemix 7.0 and Apache DS setup for testing I can authenticate using the client but not the webconsole. I suspect it has to do with the roles configuration.
<?xml version="1.0" encoding="UTF-8"?> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"; xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"; xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0";> <jaas:config name="karaf" rank="1"> <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required"> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connection.username=uid=admin,ou=system connection.password=secret connection.protocol= connection.url=ldap://localhost:10389 user.base.dn=ou=users,ou=system user.filter=(uid=%u) user.search.subtree=true role.base.dn=ou=roles,ou=system role.name.attribute=cn role.filter=(member:=uid=%u) role.search.subtree=true authentication=simple </jaas:module> </jaas:config> </blueprint> I'm getting the following error when I enable DEBUG in the security log. Note the ': N O T I M P L E M E N T E D Y E T !] I'm not sure what that’s about I thought this was supported with this release of Servicemix. 2017-02-13 09:40:32,081 | DEBUG | /system/console | HttpServiceContext | 212 - org.ops4j.pax.web.pax-web-jetty - 4.3.0 | Handling request for [/system/console] using http context [org.a pache.felix.webconsole.internal.servlet.OsgiManagerHttpContext@5348f26] 2017-02-13 09:40:32,090 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Get the user DN. 2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Looking for the user in LDAP with 2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | base DN: ou=users,ou=system 2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | filter: (uid=janedoe) 2017-02-13 09:40:32,114 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Found the user DN. 2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Bind user (authentication). 2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Set the security principal for uid=janedoe,ou=users,ou=system 2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Binding the user. 2017-02-13 09:40:32,118 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | User janedoe successfully bound. 2017-02-13 09:40:32,121 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Looking for the user roles in LDAP with 2017-02-13 09:40:32,122 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | base DN: ou=roles,ou=system 2017-02-13 09:40:32,122 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | filter: (member:=uid=janedoe) 2017-02-13 09:40:32,126 | ERROR | /system/console | JaasSecurityProvider | 224 - org.apache.karaf.webconsole.console - 4.0.8 | General Security Exception javax.security.auth.login.LoginException: Can't get user janedoe roles: [LDAP: error code 1 - OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 7 SearchRequest baseDn : 'ou=roles,ou=system' filter : '(member-false-EXTENSIBLE-null-0x75 0x69 0x64 0x3D 0x6A 0x61 0x6E 0x65 0x64 0x6F 0x65 :[?])' scope : whole subtree typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : deref Always attributes : org.apache.directory.api.ldap.model.message.SearchRequestImpl@b7e7bbb6 ManageDsaITImpl Control Type OID : '2.16.840.1.113730.3.4.2' Criticality : 'false' ' : N O T I M P L E M E N T E D Y E T !] at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:157) at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54) at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.8.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_101] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_101] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_101] at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_101] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_101] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_101] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_101] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_101] at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_101] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_101] at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_101] at org.apache.felix.webconsole.internal.servlet.JaasSecurityProvider.doAuthenticate(JaasSecurityProvider.java:118)[224:org.apache.karaf.webconsole.console:4.0.8] at org.apache.felix.webconsole.internal.servlet.JaasSecurityProvider.authenticate(JaasSecurityProvider.java:184)[224:org.apache.karaf.webconsole.console:4.0.8] at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)[224:org.apache.karaf.webconsole.console:4.0.8] at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)[187:org.eclipse.jetty.security:9.2.19.v20160908] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:287)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[189:org.eclipse.jetty.servlet:9.2.19.v20160908] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.Server.handle(Server.java:499)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[188:org.eclipse.jetty.server:9.2.19.v20160908] at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)[180:org.eclipse.jetty.io:9.2.19.v20160908] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[191:org.eclipse.jetty.util:9.2.19.v20160908] at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[191:org.eclipse.jetty.util:9.2.19.v20160908] at java.lang.Thread.run(Thread.java:745)[:1.8.0_101] 2017-02-13 09:40:32,128 | DEBUG | /system/console | HttpServiceResponseWrapper | 212 - org.ops4j.pax.web.pax-web-jetty - 4.3.0 | Response status set to [401] Mike Tod 949-230-5319 direct [email protected] -----Original Message----- From: Mike Tod [mailto:[email protected]] Sent: Friday, February 10, 2017 3:36 PM To: [email protected] Subject: RE: Servicemix 7.0 LDAP and the webconsole I used this as a guide https://access.redhat.com/documentation/en-US/Fuse_ESB_Enterprise/7.1/html/Security_Guide/files/ESBLDAPTutorialConfigAdminAuthz.html Seemed to work up to the Web part I can't find any specifics on the config. Thanks Mike Tod [email protected] -----Original Message----- From: Jean-Baptiste Onofré [mailto:[email protected]] Sent: Friday, February 10, 2017 3:31 PM To: [email protected] Cc: [email protected] Subject: Re: Servicemix 7.0 LDAP and the webconsole All depends the roles you have on LDAP or the role mapping. Webconsole expects admin as role. Regards JB On Feb 10, 2017, 19:28, at 19:28, Mike Tod <[email protected]> wrote: >I'm working with Servicemix 7.0 and LDAP I have it working for the >client but can't seem to get LDAP working on the Webconsole. > >Seems like the roles are not working correctly with the web but I have >no log's to dig into. > >Does anyone have LDAP working with the Web Console? > >If so can you give me some tips? > >Thanks > >Mike Tod >[email protected]<mailto:[email protected]> > > >This communication and any files transmitted with it may contain >information that is considered to be confidential, privileged and >exempt from disclosure under applicable law. This message is intended >for Foundation Medicine-affiliated use and that of the intended >recipient only and may contain information that is protected by >Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR >164.500. This communication is intended solely for the use of intended >recipient. If you are not the intended recipient, you are hereby >notified that any use, dissemination or copying of this communication >is strictly prohibited. If you have received this communication in >error, please notify the sender immediately and delete this message >immediately. Thank you for your cooperation. This communication and any files transmitted with it may contain information that is considered to be confidential, privileged and exempt from disclosure under applicable law. This message is intended for Foundation Medicine-affiliated use and that of the intended recipient only and may contain information that is protected by Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR § 164.500. This communication is intended solely for the use of intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this message immediately. Thank you for your cooperation. This communication and any files transmitted with it may contain information that is considered to be confidential, privileged and exempt from disclosure under applicable law. This message is intended for Foundation Medicine-affiliated use and that of the intended recipient only and may contain information that is protected by Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR § 164.500. This communication is intended solely for the use of intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this message immediately. Thank you for your cooperation.
