3.6.1-1 LDAP Auth


Bryan Fransman

Aug 28, 2011, 1:18:15 PM
to ControlTier
I've run into an odd issue with LDAP authentication using 3.6.1-1
(Build 20110815), which I believe to be a release candidate.

Followed Jetty LDAP Config here: http://doc36.controltier.org/wiki/Jetty_LDAP_integration

I am able to log in to CTL Center and Workbench using a valid username
and role, but without a password.

Scenarios Tested:

1. Use correct username/password with role = success
2. Use correct username no password with role = success
3. Use correct username no password without role = fail
4. Use correct username/password without role = fail
5. Use correct username incorrect password with role = fail
6. Use correct username incorrect password without role = fail
7. Use incorrect username/password without role = fail

Also, I'm having difficulty changing the "default" user and password
when attempting to run a job from CTL Center. This user and password
have been added to LDAP.

I set my new "default" user and password in pkgs/configure/
default.properties, then re-ran setup. After setup, I can find my
newly added user/pass in the following files:
pkgs/jetty-6.1.21/etc/realm.properties
pkgs/jetty-6.1.21/webapps/itnav/WEB-INF/classes/runtime.properties
ctl/etc/framework.properties

What am I missing here? Also, as a side note, the user configured as
default probably shouldn't have its credentials echoed on the Welcome
page.

I see the following error in the Jetty logs:

2011-08-28 13:05:44.811::WARN: No CallbackHandler configured: using DefaultCallbackHandler
javax.security.auth.login.LoginException: User not found.
    at com.controltier.ctl.webad.jaas.JettyCachingLdapLoginModule.findUser(JettyCachingLdapLoginModule.java:553)
    at com.controltier.ctl.webad.jaas.JettyCachingLdapLoginModule.bindingLogin(JettyCachingLdapLoginModule.java:511)
    at com.controltier.ctl.webad.jaas.JettyCachingLdapLoginModule.login(JettyCachingLdapLoginModule.java:432)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.mortbay.jetty.plus.jaas.JAASUserRealm.authenticate(JAASUserRealm.java:231)
    at org.mortbay.jetty.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:62)
    at org.mortbay.jetty.security.SecurityHandler.check(SecurityHandler.java:441)
    at org.mortbay.jetty.security.SecurityHandler.checkSecurityConstraints(SecurityHandler.java:269)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:191)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:536)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:915)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:539)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
2011-08-28 13:05:44.836::WARN: javax.security.auth.login.LoginException: Error obtaining user info.
2011-08-28 13:05:44.837::WARN: AUTH FAILURE: user default

Thanks,

Bryan

Moses Lei

Aug 29, 2011, 1:20:43 PM
to contr...@googlegroups.com
Can you attach your LDAP configuration for us, and a sample query (redact if necessary) of a directory entry from ldapsearch (or from the ldif file)?

Thanks

Moses

--
Moses Lei
[ Professional Services | DTO Solutions, Inc. ]
[ mobile: +1 703.901.5969 | e-mail: ml...@dtosolutions.com | aim/gtalk: ml...@controltier.com | yahoo: moseslei | windows live (msn): ml...@dtosolutions.com ]


Bryan Fransman

Aug 29, 2011, 2:05:55 PM
to ControlTier
Hey Moses,

Thanks for the quick response. I was in a hurry to get ControlTier up
and running, so I downgraded to the stable release (ctier-server-3.6.0-1),
but alas, still issues:

I think I narrowed down my previous use cases to be based on:
Changing: forceBindingLogin="false"
To: forceBindingLogin="true"
My guess is that this setting controls whether the user must bind
before auth, or not.

So, after setting forceBindingLogin="false" - I am unable to
authenticate valid users.

I get the following warnings in jetty log:
2011-08-29 14:00:28.065::WARN: javax.security.auth.login.LoginException: Login Failure: all modules ignored
2011-08-29 14:00:28.066::WARN: AUTH FAILURE: user username

Config changes only from http://doc36.controltier.org/wiki/Jetty_LDAP_integration:

LDAP Server = CentOS DS (RedHat and OpenLDAP compatible)

${JETTY_HOME}/etc/ldap-loginModule.conf

ldaploginmodule {
com.controltier.ctl.webad.jaas.JettyCachingLdapLoginModule
required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="my.ldap.host"
port="389"
bindDn="cn=BindME,ou=profile,dc=mine,dc=com"
bindPassword="password"
authenticationMethod="simple"
forceBindingLogin="false"
userBaseDn="ou=People,dc=mine,dc=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="person"
roleBaseDn="ou=CtierRoles,dc=mine,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames";
};

I also updated:
$JETTY_HOME/etc/jetty.xml
CONFIG_PROPS in both etc/ctierrc and /etc/default/ctier

Some LDAP Searches as requested:

User:

ldapsearch -x -H ldap://my.ldap.host:389/ -D cn=BindME,ou=profile,dc=mine,dc=com -w password -b 'ou=People,dc=mine,dc=com' "(&(objectClass=person)(uid=username))"
Returns all "username" users attributes

Roles:

ldapsearch -x -H ldap://my.ldap.host:389/ -D cn=BindME,ou=profile,dc=mine,dc=com -w password -b 'ou=CtierRoles,dc=mine,dc=com' cn

# base <ou=CtierRoles,dc=mine,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: cn
#

# CtierRoles, mine.com
dn: ou=CtierRoles,dc=mine,dc=com

# architect, CtierRoles, mine.com
dn: cn=architect,ou=CtierRoles,dc=mine,dc=com
cn: architect

# admin, CtierRoles, mine.com
dn: cn=admin,ou=CtierRoles,dc=mine,dc=com
cn: admin

# user, CtierRoles, mine.com
dn: cn=user,ou=CtierRoles,dc=mine,dc=com
cn: user

# build, CtierRoles, mine.com
dn: cn=build,ou=CtierRoles,dc=mine,dc=com
cn: build

# deploy, CtierRoles, mine.com
dn: cn=deploy,ou=CtierRoles,dc=mine,dc=com
cn: deploy

Role Membership:

ldapsearch -x -H ldap://my.ldap.host:389/ -D cn=BindME,ou=profile,dc=mine,dc=com -w password -b 'cn=user,ou=CtierRoles,dc=mine,dc=com'

# base <cn=user,ou=CtierRoles,dc=mine,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user, CtierRoles, mine.com
dn: cn=user,ou=CtierRoles,dc=mine,dc=com
cn: user
uniqueMember: uid=username,ou=People,dc=mine,dc=com
objectClass: top
objectClass: groupofuniquenames

Thanks,

Bryan
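As an added illustration (not ControlTier or Jetty code), a Python model of the two login paths the thread exercises: with forceBindingLogin="true" the module finds the user's DN and then binds as that user with the supplied password, and an LDAP simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that permissive servers answer with success, which is consistent with scenario 2 in Bryan's first post; with forceBindingLogin="false" the stored userPassword is compared instead. The directory entries, the simulated bind and the reject_empty_password guard are assumptions.

```python
"""Constructed model of the login paths discussed in the thread (assumption,
not ControlTier/Jetty code). simple_bind() imitates a server that permits
unauthenticated binds: DN plus EMPTY password returns success and the session
is silently anonymous. A login module that takes any successful bind as proof
of identity then accepts the empty password. The guard in login() is the fix."""

# Constructed directory shaped like the LDIF in the thread (not real data).
DIRECTORY = {
    "uid=username,ou=People,dc=mine,dc=com": {"userPassword": "s3cret"},
    "uid=norole,ou=People,dc=mine,dc=com": {"userPassword": "pw2"},
}
ROLES = {  # roleBaseDn entries; roleMemberAttribute="uniqueMember"
    "cn=user,ou=CtierRoles,dc=mine,dc=com": ["uid=username,ou=People,dc=mine,dc=com"],
}


def simple_bind(dn, password, allow_unauthenticated=True):
    """Simulated server-side simple bind (assumption, not a real LDAP call)."""
    if password == "":
        # DN + empty password: unauthenticated bind (RFC 4513 5.1.2). Servers
        # that permit it return success without verifying any credential.
        return allow_unauthenticated
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def roles_for(dn):
    """Roles whose uniqueMember lists the user's DN (roleNameAttribute=cn)."""
    return sorted(r.split(",")[0].split("=")[1] for r, m in ROLES.items() if dn in m)


def login(user, password, force_binding_login, reject_empty_password=False):
    """Return (authenticated_and_has_role, roles)."""
    if reject_empty_password and password == "":
        return False, []            # never hand an empty password to bind()
    dn = f"uid={user},ou=People,dc=mine,dc=com"
    if dn not in DIRECTORY:         # findUser(): "User not found."
        return False, []
    if force_binding_login:
        ok = simple_bind(dn, password)          # forceBindingLogin="true"
    else:
        ok = DIRECTORY[dn]["userPassword"] == password  # attribute compare
    roles = roles_for(dn) if ok else []
    return bool(roles), roles       # no role -> scenarios 3 and 4 fail
```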

