karaf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oliver Wulff <owu...@talend.com>
Subject RE: LDAP authentication must role management in properties file
Date Fri, 23 Aug 2013 11:20:25 GMT
Hi JB

I haven't found infomration "native/core" in the context of JAAS except for the sun web server.
I've tried now to create a jaas:config like this:

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
	<!-- Bean that allows the $[karaf.base] property to be resolved -->
	<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

	<jaas:config name="karaf" rank="1">
		<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
			connection.url = ldap://ldap.example.com:389
			connection.username = CN=...
			connection.password = ....
			user.base.dn = OU=...
			user.filter = (saMAccountName=%u)
			user.search.subtree = true
			authentication = simple
			role.base.dn = ...
			role.filter = (member:=uid=%u)
			role.name.attribute = cn
			role.search.subtree = true
			detailedLoginExcepion = true
		</jaas:module>

		<jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
flags="required">
			users = $[karaf.base]/etc/users.properties
			detailedLoginExcepion = true
			debug = true
		</jaas:module>

	</jaas:config>

</blueprint>

I've configured the LDAP user and its role in users.properties as well (but without password,
as authentication is done by LDAP). I can successfully authenticate but get a login error
in PropertiesLoginModule:

11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  162 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Create the LDAP initial context.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  166 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Bound access requested.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  174 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Get the user DN.
11:24:16,621 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  178 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Initialize the JNDI LDAP Dir Context.
11:24:16,629 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  180 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Define the subtree scope search control.
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  187 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Looking for the user in LDAP with 
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  188 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 |   base DN: OU=<removed>
11:24:16,630 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  190 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 |   filter: (saMAccountName=owulff)
11:24:16,640 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  196 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Get the user DN.
11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  214 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Bind user (authentication).
11:24:16,641 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  216 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Set the security principal for CN=owulff,<removed>
11:24:16,642 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  219 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Binding the user.
11:24:16,653 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  221 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | User owulff successfully bound.
11:24:16,654 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  239 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Get user roles.
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  250 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Looking for the user roles in LDAP with 
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  251 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 |   base DN: OU=<removed>
11:24:16,664 | DEBUG | NioProcessor-2   | aas.modules.ldap.LDAPLoginModule  253 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 |   filter: (member:=uid=owulff)
11:24:16,668 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule   53 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Initialized debug=true usersFile=/projects/talend/Talend-ESB-V5.3.1/container/etc/users.properties
11:24:16,669 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2   | les.encryption.EncryptionSupport   64 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | Encryption is disabled.
11:24:16,670 | DEBUG | NioProcessor-2   | properties.PropertiesLoginModule  164 | 24 - org.apache.karaf.jaas.modules
- 2.3.1 | abort
11:24:16,670 | DEBUG | NioProcessor-2   | shell.ssh.KarafJaasAuthenticator  106 | 29 - org.apache.karaf.shell.ssh
- 2.3.1 | User authentication failed with login failed
javax.security.auth.login.FailedLoginException: login failed
	at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:141)
	at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
	at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.7.0_21]
	at java.lang.reflect.Method.invoke(Method.java:601)[:1.7.0_21]
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)[:1.7.0_21]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)[:1.7.0_21]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)[:1.7.0_21]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)[:1.7.0_21]
	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_21]
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)[:1.7.0_21]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:594)[:1.7.0_21]
	at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:82)[29:org.apache.karaf.shell.ssh:2.3.1]


As a test, I've configured the password of the ldap user in users.properties. Then it works
but it's not my extected behaviour.

Maybe I'm missing something here?

If not, we could enhance the PropertiesLoginModule to support authentication against LDAP
but roles are managed locally.

Thanks
Oli


________________________________________
From: Jean-Baptiste Onofré [jb@nanthrax.net]
Sent: 22 August 2013 19:37
To: user@karaf.apache.org
Subject: Re: LDAP authentication must role management in properties file

Hi,

like in JAAS "core/native": it depends of the realm (a realm has a
dedicated function: authentication/authorization).

Regards
JB

On 08/22/2013 11:34 AM, Oliver Wulff wrote:
> Hi JB
>
> How can I tell which login module is used for authentication (LDAP) and which for authorization
(PropertiesFile)? If I configure a list of login modules, I thought JAAS will login with username/password
in each login module.
>
> Thanks
> Oli
> ________________________________________
> From: Jean-Baptiste Onofré [jb@nanthrax.net]
> Sent: 22 August 2013 10:20
> To: user@karaf.apache.org
> Subject: Re: LDAP authentication must role management in properties file
>
> Hi,
>
> yes, the same realm (let say Karaf) can use several login module. It's
> leverage JAAS.
>
> You can do that directly with the jaas:* commands.
>
> Or you can define both login modules in the same blueprint and define a
> rank for the login module:
>
>       <jaas:config name="myrealm">
>           <jaas:module
> className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>                        flags="required">
>               users = $[karaf.base]/etc/users.properties
>           </jaas:module>
>          <jaas:module
> className="org.apache.karaf.jaas.modules.ldap.LdapLoginModule ...."/>
>       </jaas:config>
>
> You have more details here:
> http://karaf.apache.org/manual/latest-2.3.x/developers-guide/security-framework.html
>
> Regards
> JB
>
> On 08/22/2013 10:14 AM, Oliver Wulff wrote:
>> Hi there
>>
>> I'm looking for a solution to use the LDAP Login Module only for
>> authentication and another module (ex. PropertiesLoginModule) to manage
>> the roles?
>>
>> Thanks
>>
>> Oli
>>
>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Mime
View raw message