I’ve set up OpenLdap on a debian 6 vm (192.168.1.150:389)
I have created a JSF project with Jboss AS7.1 and am trying to authenticate against the ldap server above. The problem is that jboss displays a message indicating that my password is not valid so i don’t know how to keep on debugging this problem since i can see no other relevant output.
I have configured TRACE debug levels for org.jboss.security
I have tried countless tutorials but without any relevant errors i can’t continue to debug this.
What would cause the above error (incorrect password) besides providing the wrong password?
Here’s some output and config files. I will attach anything you request if i’ve forgotten it.
My jboss standalone.xml configuration is as follows:
319 <security-domain name="CrudJSFRealm">
320 <authentication>
321 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
322 <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
323 <module-option name="java.naming.provider.url" value="ldap://192.168.1.150:389"/>
324 <module-option name="java.naming.security.authentication" value="simple"/>
325 <module-option name="bindDN" value="cn=admin"/>
326 <module-option name="bindCredential" value="passwd"/>
327
328 <module-option name="baseCtxDN" value="ou=People,dc=nps2,dc=local"/>
329 <module-option name="rolesCtxDN" value="ou=Roles,dc=nps2,dc=local"/>
330
331 <module-option name="baseFilter" value="(uid={0})"/><!--ok-->
332 <module-option name="roleFilter" value="(member={1})"/><!--ok-->
333 <module-option name="roleAttributeID" value="cn"/><!--ok-->
334 <module-option name="roleAttributeIsDN" value="false"/>
335 <module-option name="uidAttributeID" value="member"/>
336 <module-option name="roleNameAttributeID" value="cn"/>
337
338 <module-option name="roleRecursion" value="0"/><!--ok-->
339 <module-option name="allowEmptyPasswords" value="false"/>
340 <!--<module-option name="throwValidateError" value="true"/>-->
341 <module-option name="java.naming.referral" value="follow"/>
342 </login-module>
343 </authentication>
344 </security-domain>
I am correctly referencing the CrudJSFRealm in my jboss-web.xml file since the ldap connection is being used:
<!-- Realm that will be used -->
<security-domain>java:/jaas/CrudJSFRealm</security-domain>
Here’s my openldap structure:
dn: dc=nps2,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: nps2.local
dc: nps2
dn: ou=People,dc=nps2,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
dn: uid=sm0ke,ou=People,dc=nps2,dc=local
uid: sm0ke
cn: Dimitrios Kordas
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15149
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sm0ke
gecos: Dimitrios Kordas,,,
userPassword:: ***
# Roles, nps2.local
dn: ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Roles
# users, Roles, nps2.local
dn: cn=users,ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: groupOfNames
member: uid=sm0ke,ou=People,dc=nps2,dc=local
member: uid=nobody,ou=People,dc=nps2,dc=local
cn: users
# root, Roles, nps2.local
dn: cn=root,ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: groupOfNames
member: uid=sm0ke,ou=People,dc=nps2,dc=local
member: uid=nobody,ou=People,dc=nps2,dc=local
cn: root
So basically i have 2 users (sm0ke and nobody) and 2 Roles root and users.
There’s a member attribute to each role.
Here’s the output when trying to pass authentication in my JSF project:
14:30:32,196 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
14:30:32,204 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /CrudJSF/j_security_check
14:30:32,206 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'sm0ke'
14:30:32,211 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:sm0ke, cache entry: null
14:30:32,211 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=sm0ke
14:30:32,213 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(CrudJSFRealm), size=5
14:30:32,216 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(CrudJSFRealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(uid={0})
name=uidAttributeID, value=member
name=java.naming.referral, value=follow
name=bindDN, value=cn=admin
name=rolesCtxDN, value=ou=Roles,dc=nps2,dc=local
name=roleNameAttributeID, value=cn
name=roleRecursion, value=0
name=baseCtxDN, value=ou=People,dc=nps2,dc=local
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=roleFilter, value=(member={1})
name=java.naming.provider.url, value=ldap://192.168.1.150:389
name=bindCredential, value=****
name=roleAttributeIsDN, value=false
name=roleAttributeID, value=cn
14:30:32,226 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) initialize
14:30:32,227 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Security domain: CrudJSFRealm
14:30:32,228 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) login
14:30:32,230 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Logging into LDAP server, env={uidAttributeID=member, baseFilter=(uid={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=CrudJSFRealm, java.naming.security.authentication=simple, baseCtxDN=ou=People,dc=nps2,dc=local, roleAttributeIsDN=false, rolesCtxDN=ou=Roles,dc=nps2,dc=local, java.naming.security.principal=cn=admin, roleRecursion=0, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={1}), java.naming.provider.url=ldap://192.168.1.150:389, roleNameAttributeID=cn, roleAttributeID=cn, bindDN=cn=admin, bindCredential=***}
14:30:32,251 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Bad password for username=sm0ke
14:30:32,253 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) abort
14:30:32,253 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [classes.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [classes.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [classes.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [classes.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [classes.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [classes.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [classes.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [classes.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [classes.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [classes.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:680) [classes.jar:1.6.0_33]
14:30:32,272 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, false
14:30:32,273 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF]] (http--127.0.0.1-8080-1) Username sm0ke NOT successfully authenticated
14:30:32,481 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF].[Faces Servlet]] (http--127.0.0.1-8080-1) Disabling the response for futher output
14:30:32,486 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF].[Faces Servlet]] (http--127.0.0.1-8080-1) The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
14:30:32,495 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Failed authenticate() test ??/CrudJSF/j_security_check
14:30:32,504 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
14:30:32,506 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
14:30:32,514 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
14:30:32,515 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /CrudJSF/javax.faces.resource/main.css.xhtml
14:30:32,518 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,522 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,527 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,528 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,529 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,530 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,531 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,532 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,533 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) No applicable constraint located
14:30:32,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Not subject to any constraint
14:30:32,538 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
14:30:32,538 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
I just spotted that my bindDN is incomplete. I changed it to the complete: “cn=admin,dc=nps2,dc=local” and it worked.
Pretty hard to spot when there’s no appropriate output in the logs though.