karaf-user mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: LDAP Authentication - karaf 2.1.6 fail
Date Thu, 06 Oct 2011 10:45:14 GMT
Let me check in my configuration.

Regards
JB

On 10/06/2011 12:06 PM, Charles Moulliard wrote:
> That does not change if I use member=uid=%u or member:=uid=%u
>
>
> On Thu, Oct 6, 2011 at 12:04 PM, Jean-Baptiste Onofré<jb@nanthrax.net>  wrote:
>> OK, got it :)
>>
>> role.filter should contain (member=uid=%u) and not (member:=uid=%u).
>>
>> Let me check how I construct the role search filter.
>>
>> Regards
>> JB
>>
>> On 10/06/2011 12:01 PM, Charles Moulliard wrote:
>>>
>>> member is not an OU
>>>
>>> DN: cn=admin, ou=roles,ou=system
>>> where member=uid=jdoe is an attribute of cn=admin
>>>
>>> My query works fine in ApacheDS Studio with
>>>
>>> search base = ou=roles,ou=system
>>> filter = (member=uid=jdoe)
>>>
>>> and returns
>>> cn=admin, ou=roles,ou=system
>>> containing member=uid=jdoe
>>>
>>> On Thu, Oct 6, 2011 at 11:48 AM, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:
>>>>
>>>> Hi Charles,
>>>>
>>>> the role.filter doesn't look correct to me. The "member" is an ou ?
>>>> In that case the filter should be (&(ou=member)(uid=%s)).
>>>>
>>>> Regards
>>>> JB
>>>>
>>>> On 10/06/2011 11:32 AM, Charles Moulliard wrote:
>>>>>
>>>>> connection.url is correct as the user has been authenticated. There is
>>>>> an issue with roles checking
>>>>>
>>>>> On Thu, Oct 6, 2011 at 11:21 AM, Kuhtz, Andreas <andreas.kuhtz@atos.net> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> It could be that the connection.url is not correct (we had this in
>>>>>> our project). We had to add the /dc=.... .
>>>>>> See https://cwiki.apache.org/DIRxSRVx11/enablesearchforallusers.html
>>>>>>
>>>>>> Regards
>>>>>> Andi
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Charles Moulliard [mailto:cmoulliard@gmail.com]
>>>>>> Sent: Donnerstag, 6. Oktober 2011 10:57
>>>>>> To: user
>>>>>> Subject: LDAP Authentication - karaf 2.1.6 fail
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I try to use LDAP authentication with Karaf 2.1.6 but it fails
>>>>>> with roles based verification.
>>>>>>
>>>>>> 10:49:50,518 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Create
>>>>>> the LDAP initial context.
>>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bound
>>>>>> access requested.
>>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get
>>>>>> the user DN.
>>>>>> 10:49:50,519 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>>> Initialize the JNDI LDAP Dir Context.
>>>>>> 10:49:50,771 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Define
>>>>>> the subtree scope search control.
>>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
>>>>>> for the user in LDAP with
>>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
>>>>>> DN: ou=users,ou=system
>>>>>> 10:49:50,772 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>>> filter: (uid=jdoe)
>>>>>> 10:49:50,789 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get
>>>>>> the user DN.
>>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Bind
>>>>>> user (authentication).
>>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Set
>>>>>> the security principal for uid=jdoe,ou=users,ou=system
>>>>>> 10:49:50,790 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Binding
>>>>>> the user.
>>>>>> 10:49:50,808 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | User
>>>>>> jdoe successfully bound.
>>>>>> 10:49:50,810 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Get
>>>>>> user roles.
>>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 | Looking
>>>>>> for the user roles in LDAP with
>>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |   base
>>>>>> DN: ou=roles,ou=system
>>>>>> 10:49:50,834 | DEBUG | NioProcessor-1   | LDAPLoginModule
>>>>>>     | 23 - org.apache.karaf.jaas.modules - 2.1.6.fuse-00-05 |
>>>>>> filter: (member:=uid=jdoe)
>>>>>>
>>>>>> Is the following syntax correct?
>>>>>>
>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>>>>   xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>>>>>>
>>>>>>
>>>>>> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
>>>>>>>
>>>>>>
>>>>>>   <jaas:config name="karaf" rank="1">
>>>>>>     <jaas:module
>>>>>> className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
>>>>>>                  flags="required">
>>>>>>
>>>>>> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>>>>>>                       connection.username=uid=admin,ou=system
>>>>>>                       connection.password=secret
>>>>>>                       connection.protocol=
>>>>>>                       connection.url = ldap://localhost:10389
>>>>>>                       user.base.dn = ou=users,ou=system
>>>>>>                       user.filter = (uid=%u)
>>>>>>                       user.search.subtree = true
>>>>>>                       role.base.dn = ou=roles,ou=system
>>>>>>                   role.filter = (member:=uid=%u)
>>>>>>                   role.name.attribute = cn
>>>>>>                   role.search.subtree = true
>>>>>>                       authentication = simple
>>>>>>     </jaas:module>
>>>>>>   </jaas:config>
>>>>>> </blueprint>
>>>>>>
>>>>>> ApacheDS
>>>>>> =========
>>>>>> version: 1
>>>>>>
>>>>>> dn: ou=system
>>>>>> objectClass: organizationalUnit
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: top
>>>>>> ou: system
>>>>>>
>>>>>> dn: uid=admin,ou=system
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: inetOrgPerson
>>>>>> objectClass: tlsKeyInfo
>>>>>> objectClass: top
>>>>>> cn: system administrator
>>>>>> keyAlgorithm: RSA
>>>>>> privateKey:: xxxxxxx
>>>>>> privateKeyFormat: PKCS#8
>>>>>> publicKey:: xxxxx
>>>>>> publicKeyFormat: X.509
>>>>>> sn: administrator
>>>>>> displayName: Directory Superuser
>>>>>> uid: admin
>>>>>> userCertificate:: xxxxxx
>>>>>> userPassword:: c2VjcmV0
>>>>>>
>>>>>> dn: ou=users,ou=system
>>>>>> objectClass: organizationalUnit
>>>>>> objectClass: top
>>>>>> ou: users
>>>>>>
>>>>>> dn: ou=roles,ou=system
>>>>>> objectClass: organizationalUnit
>>>>>> objectClass: top
>>>>>> ou: roles
>>>>>>
>>>>>> dn: cn=admin,ou=roles,ou=system
>>>>>> objectClass: groupOfNames
>>>>>> objectClass: top
>>>>>> cn: admin
>>>>>> member: uid=jdoe
>>>>>>
>>>>>> dn: uid=jdoe,ou=users,ou=system
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: person
>>>>>> objectClass: inetOrgPerson
>>>>>> objectClass: top
>>>>>> cn: John Doe
>>>>>> sn: Doe
>>>>>> uid: jdoe
>>>>>> userPassword:: c2VjcmV0
>>>>>>
>>>>>> Charles Moulliard
>>>>>>
>>>>>> Apache Committer
>>>>>>
>>>>>> Blog : http://cmoulliard.blogspot.com
>>>>>> Twitter : http://twitter.com/cmoulliard
>>>>>> Linkedin : http://www.linkedin.com/in/charlesmoulliard
>>>>>> Skype: cmoulliard
>>>>>>
>>>>
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbonofre@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
