karaf-user mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: LDAP authentication must role management in properties file
Date Fri, 23 Aug 2013 11:52:44 GMT
Hi Oli,

the LDAP Login Module can use double bind:
- first bind as LDAP "admin" to lookup user
- second bind as LDAP user to validate credentials

The connection.username/connection.password is for "admin" user who 
performs the lookup.
The user auth is done using the retrieved DN:

             logger.debug("Bind user (authentication).");
             env.put(Context.SECURITY_AUTHENTICATION, authentication);
             logger.debug("Set the security principal for " + userDN + "," + userBaseDN);
             env.put(Context.SECURITY_PRINCIPAL, userDN + "," + userBaseDN);
             env.put(Context.SECURITY_CREDENTIALS, password);
             logger.debug("Binding the user.");
             context = new InitialDirContext(env);
             logger.debug("User " + user + " successfully bound.");
             context.close();

So, in your case, it means that the combination of the retrieved userDN 
used to construct the principal (concat of userDN + userBaseDN) and the 
password is not valid on the LDAP.
Try to log on with this userDN and password using slapd or a similar 
tool to validate the DN.

The password is provided by a callback:

         Callback[] callbacks = new Callback[2];
         callbacks[0] = new NameCallback("Username: ");
         callbacks[1] = new PasswordCallback("Password: ", false);

Regards
JB

On 08/23/2013 01:20 PM, Oliver Wulff wrote:
> Hi JB
>
> I haven't found information "native/core" in the context of JAAS except for the Sun web server. I've tried now to create a jaas:config like this:
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> 	<!-- Bean that allows the $[karaf.base] property to be resolved -->
> 	<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>
> 	<jaas:config name="karaf" rank="1">
> 		<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
> 			connection.url = ldap://ldap.example.com:389
> 			connection.username = CN=...
> 			connection.password = ....
> 			user.base.dn = OU=...
> 			user.filter = (saMAccountName=%u)
> 			user.search.subtree = true
> 			authentication = simple
> 			role.base.dn = ...
> 			role.filter = (member:=uid=%u)
> 			role.name.attribute = cn
> 			role.search.subtree = true
> 			detailedLoginExcepion = true
> 		</jaas:module>
>
> 		<jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
> 			users = $[karaf.base]/etc/users.properties
> 			detailedLoginExcepion = true
> 			debug = true
> 		</jaas:module>
>
> 	</jaas:config>
>
> </blueprint>
>
> I've configured the LDAP user and its role in users.properties as well (but without password, as authentication is done by LDAP). I can successfully authenticate but get a login error in PropertiesLoginModule:
>
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  162 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Create the LDAP initial context.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  166 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bound access requested.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  174 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
> 11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  178 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialize the JNDI LDAP Dir Context.
> 11:24:16,629 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  180 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Define the subtree scope search control.
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  187 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user in LDAP with
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  188 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
> 11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  190 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: (saMAccountName=owulff)
> 11:24:16,640 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  196 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get the user DN.
> 11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  214 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Bind user (authentication).
> 11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  216 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Set the security principal for CN=owulff,<removed>
> 11:24:16,642 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  219 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Binding the user.
> 11:24:16,653 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  221 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | User owulff successfully bound.
> 11:24:16,654 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  239 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Get user roles.
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  250 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Looking for the user roles in LDAP with
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  251 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   base DN: OU=<removed>
> 11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  253 | 24 - org.apache.karaf.jaas.modules - 2.3.1 |   filter: (member:=uid=owulff)
> 11:24:16,668 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule   53 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Initialized debug=true usersFile=/projects/talend/Talend-ESB-V5.3.1/container/etc/users.properties
> 11:24:16,669 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
> 11:24:16,670 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | Encryption is disabled.
> 11:24:16,670 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule  164 | 24 - org.apache.karaf.jaas.modules - 2.3.1 | abort
> 11:24:16,670 | DEBUG | NioProcessor-2   | shell.ssh.KarafJaasAuthenticator  106 | 29 - org.apache.karaf.shell.ssh - 2.3.1 | User authentication failed with login failed
> javax.security.auth.login.FailedLoginException: login failed
> 	at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:141)
> 	at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
> 	at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.7.0_21]
> 	at java.lang.reflect.Method.invoke(Method.java:601)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)[:1.7.0_21]
> 	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)[:1.7.0_21]
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:594)[:1.7.0_21]
> 	at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:82)[29:org.apache.karaf.shell.ssh:2.3.1]
>
>
> As a test, I've configured the password of the LDAP user in users.properties. Then it works but it's not my expected behaviour.
>
> Maybe I'm missing something here?
>
> If not, we could enhance the PropertiesLoginModule to support authentication against LDAP but roles are managed locally.
>
> Thanks
> Oli
>
>
> ________________________________________
> From: Jean-Baptiste Onofré [jb@nanthrax.net]
> Sent: 22 August 2013 19:37
> To: user@karaf.apache.org
> Subject: Re: LDAP authentication must role management in properties file
>
> Hi,
>
> like in JAAS "core/native": it depends on the realm (a realm has a
> dedicated function: authentication/authorization).
>
> Regards
> JB
>
> On 08/22/2013 11:34 AM, Oliver Wulff wrote:
>> Hi JB
>>
>> How can I tell which login module is used for authentication (LDAP) and which for authorization (PropertiesFile)? If I configure a list of login modules, I thought JAAS will login with username/password in each login module.
>>
>> Thanks
>> Oli
>> ________________________________________
>> From: Jean-Baptiste Onofré [jb@nanthrax.net]
>> Sent: 22 August 2013 10:20
>> To: user@karaf.apache.org
>> Subject: Re: LDAP authentication must role management in properties file
>>
>> Hi,
>>
>> yes, the same realm (let's say Karaf) can use several login modules. It
>> leverages JAAS.
>>
>> You can do that directly with the jaas:* commands.
>>
>> Or you can define both login modules in the same blueprint and define a
>> rank for the login module:
>>
>>        <jaas:config name="myrealm">
>>            <jaas:module
>> className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>>                         flags="required">
>>                users = $[karaf.base]/etc/users.properties
>>            </jaas:module>
>>           <jaas:module
>> className="org.apache.karaf.jaas.modules.ldap.LdapLoginModule ...."/>
>>        </jaas:config>
>>
>> You have more details here:
>> http://karaf.apache.org/manual/latest-2.3.x/developers-guide/security-framework.html
>>
>> Regards
>> JB
>>
>> On 08/22/2013 10:14 AM, Oliver Wulff wrote:
>>> Hi there
>>>
>>> I'm looking for a solution to use the LDAP Login Module only for
>>> authentication and another module (ex. PropertiesLoginModule) to manage
>>> the roles?
>>>
>>> Thanks
>>>
>>> Oli
>>>
>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
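An added example, not code from this thread or from Karaf: a Python simulation of how the JAAS login phase combines stacked login modules according to their control flags, run over a constructed users.properties entry that carries a role but no password, like the one described in the thread. The flag semantics are those of the JAAS LoginContext; ldap_login is an assumed stand-in for the LDAP double bind and simply accepts one constructed credential pair.

```python
# Control flags of javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

def jaas_login(stack, user, password):
    """Combine stacked modules the way the JAAS LoginContext login phase does.
    stack: list of (name, flag, login(user, password) -> bool); a login function that
    returns False or raises models a LoginModule throwing LoginException.
    Returns (overall success, per-module trace)."""
    trace, required_failed, any_success = [], False, False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in stack)
    for name, flag, login in stack:
        try:
            ok = login(user, password)
        except Exception:
            ok = False
        trace.append(f"{name}[{flag}]={'ok' if ok else 'fail'}")
        if ok:
            any_success = True
            if flag == SUFFICIENT and not required_failed:
                return True, trace      # sufficient short-circuits the rest of the stack
        elif flag == REQUISITE:
            return False, trace         # requisite aborts the stack immediately
        elif flag == REQUIRED:
            required_failed = True      # later modules still run, but overall login fails
    return (not required_failed if has_required else any_success), trace

# Constructed users.properties content in Karaf's "user = password,role1,role2" form;
# the owulff entry carries a role but no password, as in the thread.
USERS_PROPERTIES = "owulff = ,admin\nkaraf = karaf,admin\n"

def parse_users(text):
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"): continue
        name, value = (p.strip() for p in line.split("=", 1))
        pwd, *roles = [v.strip() for v in value.split(",")]
        users[name] = (pwd, roles)
    return users

def properties_login(user, password):
    entry = parse_users(USERS_PROPERTIES).get(user)
    return entry is not None and entry[0] == password   # stored password must match exactly

def ldap_login(user, password):
    return (user, password) == ("owulff", "secret")   # assumed stand-in for the LDAP double bind

def run(flag_ldap, flag_props, user="owulff", password="secret"):
    stack = [("LDAPLoginModule", flag_ldap, ldap_login),
             ("PropertiesLoginModule", flag_props, properties_login)]
    return jaas_login(stack, user, password)
```

With both modules flagged required, the stack fails on the password-less properties entry even though the LDAP bind succeeded; flagging the LDAP module sufficient makes the login succeed but then the properties module is never invoked, so it contributes no roles either.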
