JAAS and principal mapping


Helge Waastad

Sep 17, 2013, 4:19:39 PM
to ldap...@googlegroups.com
Hi,
I've earlier used the standard ldaploginmodule with the following configuration:

no.company.module.jaas.LdapLoginModule OPTIONAL
debug="true"
userProvider="ldap://<my-ad-server>:389/OU=Users,OU=Company,DC=lab,DC=local"
userFilter="(&(mail={user})(objectClass=user)(memberOf=CN=Sec_Teknisk,OU=Security Groups,DC=lab,DC=local))"
authzIdentity="SiteAdminGroup"
java.naming.security.principal="CN=Kompetanse Web,OU=Service Accounts,OU=Company,DC=lab,DC=local"
java.naming.security.credentials="<my password>"
useFirstPass="true"
clearPass="false"
useSSL=false
 ;

Having more of these in sequence I would get the relevant groups needed for my application in the authzIdentity.

I try using ldaptive:

org.ldaptive.jaas.LdapLoginModule OPTIONAL
    debug="true"
    ldapUrl="ldap:///<my-ad-server>:389"
    baseDn="OU=Users,OU=Company,DC=lab,DC=local"
    bindDn="CN=Kompetanse Web,OU=Service Accounts,OU=Company,DC=lab,DC=local"
    bindCredential="hJu305mlQ291"
    useStartTLS="false"
    userFilter="(&(mail={user})(objectClass=user)(memberOf=CN=Sec_Teknisk,OU=Security Groups,DC=lab,DC=local))"
    useFirstPass="true"
    clearPass="false"
    principalGroupName="SiteAdminGroup"
    ;

However, the authentication fails:
javax.security.auth.login.LoginException: Authentication failed: [org.ldaptive.auth.AuthenticationResponse@2033283537::authenticationResultCode=DN_RESOLUTION_FAILURE, ldapEntry=null, accountState=null, result=false, resultCode=null, message=DN cannot be null, controls=null]

Is there something I'm missing (dnresolver??)

Another issue I might have is that I use TomEE and I think I need:
org.apache.openejb.core.security.jaas.GroupPrincipal
org.apache.openejb.core.security.jaas.UserPrincipal

best regards,
hw


Daniel Fisher

Sep 17, 2013, 4:36:52 PM
to ldap...@googlegroups.com
On Tue, Sep 17, 2013 at 4:19 PM, Helge Waastad <helge....@gmail.com> wrote:
I try using ldaptive:

org.ldaptive.jaas.LdapLoginModule OPTIONAL
    debug="true"
    ldapUrl="ldap:///<my-ad-server>:389"
    baseDn="OU=Users,OU=Company,DC=lab,DC=local"
    bindDn="CN=Kompetanse Web,OU=Service Accounts,OU=Company,DC=lab,DC=local"
    bindCredential="hJu305mlQ291"
    useStartTLS="false"
    userFilter="(&(mail={user})(objectClass=user)(memberOf=CN=Sec_Teknisk,OU=Security Groups,DC=lab,DC=local))"
    useFirstPass="true"
    clearPass="false"
    principalGroupName="SiteAdminGroup"
    ;

However, the authentication fails:
javax.security.auth.login.LoginException: Authentication failed: [org.ldaptive.auth.AuthenticationResponse@2033283537::authenticationResultCode=DN_RESOLUTION_FAILURE, ldapEntry=null, accountState=null, result=false, resultCode=null, message=DN cannot be null, controls=null]

By default the JAAS module uses the SearchDnResolver, which means a search using the userFilter should get executed by the bindDn. There are a lot of reasons the search can fail, but the most common is that a one-level search is done by default. If you need to perform a subtree search on your baseDn, add subtreeSearch="true". Turning on debug logging for org.ldaptive will also help. And of course inspecting your LDAP logs if possible.

--Daniel Fisher

Helge Waastad

Sep 17, 2013, 5:45:28 PM
to ldap...@googlegroups.com, dfi...@gmail.com
Hi,
and thanks a lot for your answer.
Yes, you are perfectly right. Adding subtreeSearch="true" made the authentication work.
My next challenge is the role.

The principalGroupName="SiteAdminGroup" or roleGroupName="SiteAdminGroup" does not work. If I use defaultRole="SiteAdminGroup", I get authorized. Still something I've been missing? :-)

BTW, how can I get more verbosity from ldaptive? (The AD server is way out of my control ;-) )

best regards,
he

Daniel Fisher

Sep 17, 2013, 10:54:51 PM
to ldap...@googlegroups.com
Is SiteAdminGroup a role you want to assign to every user that successfully authenticates?
If so, then using defaultRole is correct.
If SiteAdminGroup is a role you want assigned based on data in the LDAP, I'll need more information on how your data is structured.
A sample LDAP entry would help.

To increase your logging set 'org.ldaptive' to debug in whatever logging framework you're using.

--Daniel Fisher

Helge Waastad

Sep 18, 2013, 4:34:04 AM
to ldap...@googlegroups.com, dfi...@gmail.com
OK,
I think I've got it working.
My EE application has several groups, for instance SuperGroup (allowed to do all), SiteGroup (allowed to do some), UserGroup (only view).
So if I build my JAAS config like this:

org.ldaptive.jaas.LdapLoginModule OPTIONAL
filter=(&(mail={user})(objectClass=user))
storePass=true
defaultRole=UserGroup
;
org.ldaptive.jaas.LdapLoginModule OPTIONAL
filter=<memberofsite>
defaultRole=SiteGroup
;
org.ldaptive.jaas.LdapLoginModule OPTIONAL
filter=<memberofsuper>
defaultRole=SuperGroup
;

I guess that if the user is not found in the super/site filters the outcome would be UserGroup.

BTW,
thanks a lot for the response. ldaptive is great. It's just too bad that I didn't find it months ago :-)
 

Daniel Fisher

Sep 18, 2013, 1:04:51 PM
to ldap...@googlegroups.com
You should consider using the LdapRoleAuthorizationModule for this:

The configuration you're using will perform an authentication for each module.
Setting an appropriate roleFilter with the same defaultGroup on an LdapRoleAuthorizationModule should give you the desired results without the multiple authentications.

If this module can't do what you need, feel free to submit a feature request:
It's certainly intended to solve these sorts of role problems.

--Daniel Fisher

Helge Waastad

Sep 18, 2013, 5:23:45 PM
to ldap...@googlegroups.com, dfi...@gmail.com
Yes,
I did a quick consideration and that made perfect sense!

Thanks again.
hw 

Helge Waastad

Sep 25, 2013, 6:07:15 AM
to ldap...@googlegroups.com, dfi...@gmail.com
Hi,
I just wanted to give you an update on this issue.

This is what I came up with:

org.ldaptive.jaas.LdapLoginModule REQUISITE
    debug="true"
    ldapUrl="ldap://<my AD>"
    baseDn="CN=Users,DC=lab,DC=local"
    bindDn="CN=LDAP SEARCH,CN=Users,DC=lab,DC=local"
    bindCredential="password"
    useStartTLS="false"
    useSSL="false"
    userFilter="(&(mail={user})(objectClass=user))"
    storePass="true"
    clearPass="false"
    subtreeSearch="true"
    ;

org.ldaptive.jaas.LdapRoleAuthorizationModule sufficient
    useFirstPass="true"
    ldapUrl="ldap://<my AD>"
    baseDn="CN=Test User,CN=Users,DC=LAB,DC=LOCAL"
    bindDn="CN=LDAP SEARCH,CN=Users,DC=lab,DC=local"
    bindCredential="password"
    roleFilter="(member={dn})"
    defaultRole="UserGroup"
    ;

org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://<my AD>"
    baseDn="CN=Test Superadmin,CN=Users,DC=LAB,DC=LOCAL"
    bindDn="CN=LDAP SEARCH,CN=Users,DC=lab,DC=local"
    bindCredential="password"
    roleFilter="(member={dn})"
    defaultRole="SuperAdminGroup"
    ;

I have to order the auth modules from low to high privileges and hence I put sufficient on the first auth module.
If I do not, it will add the defaultRole and process the second module. If the second module returns empty from the filter, it still adds the default role.
Is there a way of not adding defaultRole if roleFilter returns empty?

br hw

Daniel Fisher

Sep 25, 2013, 2:06:23 PM
to Helge Waastad, ldap...@googlegroups.com
Add noResultsIsError="true" to the role authorization modules.

--Daniel Fisher

Helge Waastad

Sep 27, 2013, 6:33:03 AM
to ldap...@googlegroups.com, Helge Waastad, dfi...@gmail.com
OK, thanks. I think I've got it working now:
I redesigned my test AD a bit and found out that I needed to add roleAttribute in the AuthorizationModule, or else the result would always be null.
I will still work a little bit with the options (required, optional etc.) to tune the authorization.

Thanks again for all your help.

org.ldaptive.jaas.LdapRoleAuthorizationModule optional
    useFirstPass="true"
    ldapUrl="ldap://<AD>:389"
    baseDn="OU=Security Groups,OU=Firmanavn,DC=LAB,DC=LOCAL"
    bindDn="CN=LDAP SEARCH,OU=Service Accounts,OU=Firmanavn,DC=lab,DC=local"
    bindCredential="<password>"
    roleFilter="(&(member={dn})(cn=Customeradmins))"
    defaultRole="CustomerAdminGroup"
    roleAttribute="cn"
    noResultsIsError="true"
    ;

org.ldaptive.jaas.LdapRoleAuthorizationModule optional
    useFirstPass="true"
    ldapUrl="ldap://<AD>:389"
    baseDn="OU=Security Groups,OU=Firmanavn,DC=LAB,DC=LOCAL"
    bindDn="CN=LDAP SEARCH,OU=Service Accounts,OU=Firmanavn,DC=lab,DC=local"
    bindCredential="<password>"
    roleFilter="(&(member={dn})(cn=Superadmins))"
    defaultRole="SuperAdminGroup"
    roleAttribute="cn"
    noResultsIsError="true"
    ; 
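Two mechanisms run through this thread: the SearchDnResolver's one-level default that caused the DN_RESOLUTION_FAILURE in the first exchange, and the way noResultsIsError keeps an optional LdapRoleAuthorizationModule from committing its defaultRole when roleFilter matches nothing (the last exchange). The Python below is an added simulation of both, not ldaptive's code and not from any poster: it models a toy in-memory directory, a minimal equality/AND LDAP filter matcher, and the JAAS login/commit rules. Every DN, group name, mail address and option value in it is constructed to mirror the configurations above and is an assumption, not anyone's real directory data.

```python
"""Added illustration (not ldaptive code): a toy directory plus a JAAS-stack
simulation. (a) a one-level search under baseDn misses a user that a subtree
search finds; (b) an optional LdapRoleAuthorizationModule needs noResultsIsError
so that defaultRole is committed only when roleFilter matches. Sample data is constructed."""

USER_DN = "CN=Test User,OU=Oslo,OU=Users,OU=Company,DC=lab,DC=local"
USERS = "OU=Users,OU=Company,DC=lab,DC=local"
GROUPS = "OU=Security Groups,OU=Company,DC=lab,DC=local"
USER_FILTER = "(&(mail={user})(objectClass=user))"
DIRECTORY = {  # constructed: the user sits one OU below the login module's baseDn
    USER_DN: {"objectclass": ["user"], "mail": ["test.user@lab.local"]},
    "CN=Customeradmins,OU=Security Groups,OU=Company,DC=lab,DC=local":
        {"cn": ["Customeradmins"], "member": [USER_DN]},
    "CN=Superadmins,OU=Security Groups,OU=Company,DC=lab,DC=local":
        {"cn": ["Superadmins"], "member": []},
}

class LoginError(Exception):
    """Stands in for javax.security.auth.login.LoginException."""

def parse_filter(text):
    """Parse a minimal RFC 4515 subset: equality items and '&' conjunctions."""
    body = text.strip()[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        return ("and", [parse_filter(p) for p in parts])
    attr, _, value = body.partition("=")
    return ("eq", attr.lower(), value)

def matches(node, entry):
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

def search(base, scope, filter_text):
    """Return DNs below base matching the filter; scope is 'onelevel' or 'subtree'."""
    node, hits = parse_filter(filter_text), []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue                                 # not under this base
        if scope == "onelevel" and "," in dn[:-(len(base) + 1)]:
            continue                                 # nested deeper than one level
        if matches(node, entry):
            hits.append(dn)
    return hits

def resolve_dn(user, base, subtree_search, user_filter):
    """SearchDnResolver-style lookup: one level unless subtreeSearch is set.
    The toy substitutes {user} verbatim; real code must escape filter values."""
    hits = search(base, "subtree" if subtree_search else "onelevel",
                  user_filter.replace("{user}", user))
    return hits[0] if len(hits) == 1 else None       # None -> DN_RESOLUTION_FAILURE

def ldap_login_module(base, user_filter, subtree_search):
    def login(user, shared):
        dn = resolve_dn(user, base, subtree_search, user_filter)
        if dn is None:
            raise LoginError("DN_RESOLUTION_FAILURE: DN cannot be null")
        shared["dn"] = dn          # what useFirstPass hands to later modules
        return set()               # the password bind itself is omitted here
    return login

def ldap_role_module(base, role_filter, role_attribute, default_role, no_results_is_error):
    def login(user, shared):
        hits = search(base, "onelevel", role_filter.replace("{dn}", shared["dn"]))
        if not hits and no_results_is_error:
            raise LoginError("roleFilter returned nothing for " + shared["dn"])
        roles = {v for dn in hits for v in DIRECTORY[dn].get(role_attribute, [])}
        roles.add(default_role)    # defaultRole is added whenever the module commits
        return roles
    return login

def run_jaas_stack(modules, user):
    """JAAS login phase (required/requisite/sufficient/optional), then commit:
    only modules whose login() succeeded contribute principals."""
    shared, committed, required_failed = {}, [], False
    for flag, login in modules:
        try:
            committed.append(login(user, shared))
            if flag == "sufficient" and not required_failed:
                break
        except LoginError:
            if flag == "requisite":
                return None
            required_failed |= flag == "required"
    return None if required_failed or not committed else set().union(*committed)

def demo_dn_resolution():
    """(one-level result, subtree result) for the same user and filter."""
    return (resolve_dn("test.user@lab.local", USERS, False, USER_FILTER),
            resolve_dn("test.user@lab.local", USERS, True, USER_FILTER))

def demo_roles(no_results_is_error):
    """The final stack from the thread: requisite login module, two optional role modules."""
    stack = [("requisite", ldap_login_module(USERS, USER_FILTER, True)),
             ("optional", ldap_role_module(GROUPS, "(&(member={dn})(cn=Customeradmins))",
                                           "cn", "CustomerAdminGroup", no_results_is_error)),
             ("optional", ldap_role_module(GROUPS, "(&(member={dn})(cn=Superadmins))",
                                           "cn", "SuperAdminGroup", no_results_is_error))]
    return run_jaas_stack(stack, "test.user@lab.local")
```

demo_dn_resolution() returns None for the one-level search and the user's DN for the subtree search, which is the failure mode behind "DN cannot be null". demo_roles(False) returns all three role names even though the Superadmins filter matched nothing, the behaviour reported in the Sep 25 message; demo_roles(True) returns only the two roles whose filter matched, because a module that throws in login() never reaches commit() and an optional module's failure is ignored by the stack.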