
Thread: Help with JAAS LDAP authentication in Karaf

This question is answered.


Replies: 2 - Last Post: Mar 25, 2011 2:46 PM Last Post By: dhoyt
dhoyt

Posts: 32
Registered: 03/03/11
Help with JAAS LDAP authentication in Karaf
Posted: Mar 24, 2011 9:35 PM
I tried to follow the tutorial to enable LDAP authentication, but I am getting errors when I try to connect. The user I am trying to access is valid (uid=dhoyt,ou=employees,dc=example,dc=com). I can see that if I have an invalid password or a non-existent user I get the expected errors stating such. The problem is that when I try to log in to the webconsole using the dhoyt user, I get an error back stating that it can't get the roles for the user (LDAP error code 80). Below is the ldap-module.xml I put in the deploy directory and the error from the servicemix.log file. I am using apache-servicemix-4.3.1-fuse-01-09 on Solaris 10 (JDK 1.6_20). I want to allow logins for anyone in the cn=smxAdmin,ou=roles,dc=example,dc=com role.

Any help with this would be greatly appreciated.

ldap-module.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connection.username = cn=Directory Manager
            connection.password = myPassword
            connection.url = ldap://localhost:1389
            user.base.dn = ou=employees,dc=example,dc=com
            user.filter = (uid=%u)
            user.search.subtree = true
            role.base.dn = ou=roles,dc=example,dc=com
            role.filter = (member:=uid=%u)
            role.name.attribute = cn
            role.search.subtree = true
            authentication = simple
        </jaas:module>
    </jaas:config>
</blueprint>


Exception is:

javax.security.auth.login.LoginException: Can't get user dhoyt roles: LDAP: error code 80 - An unexpected error was encountered while processing a search in one of the Directory Server backends: NullPointerException(ConcurrentHashMap.java:768)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:242)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:132)
at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)karaf-jaas-boot.jar:
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method):1.6.0_20
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39):1.6.0_20
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25):1.6.0_20
at java.lang.reflect.Method.invoke(Method.java:597):1.6.0_20
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769):1.6.0_20
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186):1.6.0_20
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683):1.6.0_20
at java.security.AccessController.doPrivileged(Native Method):1.6.0_20
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680):1.6.0_20
at javax.security.auth.login.LoginContext.login(LoginContext.java:579):1.6.0_20
at org.apache.karaf.webconsole.JaasSecurityProvider.authenticate(JaasSecurityProvider.java:66)198:org.apache.felix.webconsole:3.1.2
at org.apache.felix.webconsole.internal.servlet.OsgiManager$SecurityProvider.authenticate(OsgiManager.java:995)198:org.apache.felix.webconsole:3.1.2
at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:123)[198:org.apache.felix.webcons

tmielke

Posts: 178
Registered: 12/04/07
Re: Help with JAAS LDAP authentication in Karaf
Posted: Mar 25, 2011 8:48 AM   in response to: dhoyt
Correct
Hmm, it's failing to retrieve the roles of the user. So I presume the properties

connection.username = cn=Directory Manager
connection.password = myPassword
connection.url = ldap://localhost:1389
user.base.dn = ou=employees,dc=example,dc=com
user.filter = (uid=%u)
user.search.subtree = true

are correct. It's very likely something to do with these properties

role.base.dn = ou=roles,dc=example,dc=com
role.filter = (member:=uid=%u)
role.name.attribute = cn
role.search.subtree = true

I am not an LDAP expert but is the role.filter property syntactically correct?
dhoyt

Posts: 32
Registered: 03/03/11
Re: Help with JAAS LDAP authentication in Karaf
Posted: Mar 25, 2011 2:46 PM   in response to: tmielke
Thanks for the help! It was the role.filter. It has to match the entry in my role exactly. In my case, the correct setting was:

role.filter = (Member of Group:=uid=%u)

Thanks for the help!
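A small model of the role lookup this thread is debugging, added here as an example (it is neither Karaf's LDAPLoginModule code nor the poster's): it parses the module's key = value property block as it appears inside <jaas:module>, substitutes %u into role.filter with RFC 4515 escaping, and resolves roles against constructed role entries. The role entries, exact-value matching, and whether the module itself escapes %u are assumptions; what the page shows is that the attribute named in role.filter must match the attribute actually present on the role entry.

```python
import re

# Constructed sample: the property block from the thread, with the poster's final role.filter.
MODULE_PROPERTIES = """
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username = cn=Directory Manager
connection.url = ldap://localhost:1389
user.base.dn = ou=employees,dc=example,dc=com
user.filter = (uid=%u)
role.base.dn = ou=roles,dc=example,dc=com
role.filter = (Member of Group:=uid=%u)
role.name.attribute = cn
"""

# Constructed role entries (hypothetical; the real directory is not shown on the page).
ROLE_ENTRIES = {
    "cn=smxAdmin,ou=roles,dc=example,dc=com": {
        "cn": ["smxAdmin"], "Member of Group": ["uid=dhoyt", "uid=jdoe"]},
    "cn=smxUser,ou=roles,dc=example,dc=com": {
        "cn": ["smxUser"], "Member of Group": ["uid=jdoe"]},
}

def parse_properties(text):
    """Split each line at its FIRST '=' only: values such as 'cn=Directory Manager' contain '='."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter in place of %u."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

# One assertion of the form (attr=value) or (attr:=value); attr may contain spaces,
# value may contain '=' (as in uid=%u).
FILTER_RE = re.compile(r"^\((?P<attr>[^=:()]+):?=(?P<value>[^()]*)\)$")

def lookup_roles(props, user, entries=ROLE_ENTRIES):
    """Return the role.name.attribute values of every entry matching role.filter for user."""
    m = FILTER_RE.match(props["role.filter"])
    if not m or "%u" not in m.group("value"):
        raise ValueError("role.filter must be a single (attr=...%u...) assertion")
    attr = m.group("attr")                       # must name an attribute the role entries carry
    wanted = m.group("value").replace("%u", escape_filter_value(user))
    name_attr = props["role.name.attribute"]
    # Exact value comparison stands in for the server's equality matching rule.
    return sorted(name for e in entries.values()
                  if wanted in e.get(attr, []) for name in e.get(name_attr, []))
```

With the thread's original role.filter, (member:=uid=%u), the same lookup returns no roles because no entry carries a member attribute.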