[Shib-Users] IdP Login Authentication failure against LDAP


Ram Munjuluri

Aug 21, 2010, 8:50:55 AM
to shibbole...@internet2.edu
Hello all,

I have set up and configured an SP and an IDP instance. The IDP is installed in
JBoss 5.01 and I have OpenDS as my LDAP server where I created a few entities
(userids/passwords).

I have configured the IdP's login handler as :
==========================================
<!----- handler.xml ---->
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:////c://SWInstalls//shibboleth-idp//conf//login.config">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
============================================
<!--- login.config --->
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.pictorsolutions.com"
        base="ou=people,dc=pictor,dc=com"
        port="389"
        subtreesearch="true"
        serviceUser="cn=Directory Manager"
        serviceCredential="password"
        ssl="false"
        userField="uid";
};
==============================================

When I navigate to https://sp.pictorsolutions.com/secure, I am directed to the
Shibboleth Identity Provider Login Page. When I enter the user id/password of one
of my test entities in LDAP, I get an "Authentication Failure" error. When
I check the logs, I see the following. It looks like the UsernamePasswordLogin servlet is
looking for a users.properties file locally instead of using the login.config
to authenticate against LDAP.

========================================
08:23:31.797 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:138] - Redirecting to login page https://idp.pictorsolutions.com:443/idp/login.jsp?actionUrl=%2Fidp%2FAuthn%2FUserPassword
08:23:31.985 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:31.985 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:32.219 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:32.219 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:50.702 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:50.702 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:50.802 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: Missing users.properties file.
    at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:148)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:165)
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:100)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:72)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve

=========================================
Can someone please verify I did not miss any configuration?

thanx in advance.
-ram

Scott Cantor

Aug 21, 2010, 10:56:39 AM
to shibbole...@internet2.edu
> I have set up and configured an SP & and IDP instance. The IDP is installed
> in JBoss 5.01

JBoss has its own JAAS configuration requirements that are specific to it;
you can't use the IdP's embedded config for it.

Search the list, if it's not in the wiki.

-- Scott


Ram Munjuluri

Aug 22, 2010, 1:40:28 PM
to shibbole...@internet2.edu
Thank you very much for the info. I tried replacing the JBoss LdapLoginModule
with the vt-ldap JAAS login module. Here are the properties I set in the
login-config.xml file under JBoss 5.1:

=========== login-config.xml===================
<application-policy name="ShibUserPassAuth">
  <authentication>
    <!--
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    -->
    <login-module code="edu.vt.middleware.ldap.jaas.LdapLoginModule" flag="required">
      <module-option name="contextFactory">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="ldapUrl">ldap://ldap.pictorsolutions.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="userField">uid=</module-option>
      <module-option name="baseDn">ou=People,dc=pictor,dc=com</module-option>
      <module-option name="bindDn">cn=Directory Manager</module-option>
      <module-option name="bindCredential">password</module-option>
    </login-module>
  </authentication>
</application-policy>
===================================================
Now the authentication failure still happens, but when I check the log file, I
see the following error:

11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:299] - edu.vt.middleware.ldap.auth.userField = uid=
11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:392] - Called setUserField for edu.vt.middleware.ldap.Authenticator
11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:337] - edu.vt.middleware.ldap.principalDNSuffix = ou=People,dc=pictor,dc=com
11:00:53.157 ERROR [edu.vt.middleware.ldap.LdapProperties:396] - Could not invoke method setPrincipalDNSuffix
java.lang.NoSuchMethodException: edu.vt.middleware.ldap.LdapConfig.setPrincipalDNSuffix(java.lang.String)
    at java.lang.Class.getMethod(Class.java:1605)
    at edu.vt.middleware.ldap.LdapProperties.invokeMethod(LdapProperties.java:389)
    at edu.vt.middleware.ldap.LdapProperties.setLdapConfig(LdapProperties.java:340)
    at edu.vt.middleware.ldap.LdapProperties.initialize(LdapProperties.java:272)
.....
.....
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Authenticator:149] - Looking up DN from userfield and base
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:665] - One level search with the following parameters:
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:666] - dn = null
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:667] - attributes = <not shown>
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:668] - return attributes =
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:676] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1513] - Bind with the following parameters:
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1514] - dn = null
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1518] - credential = <suppressed>
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1520] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1528] - dn or credential is null, authtype set to none
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1539] - TLS not used
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1540] - authtype is none
11:00:53.167 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: java.lang.NullPointerException
    at javax.naming.NameImpl.<init>(NameImpl.java:264)
    at javax.naming.CompositeName.<init>(CompositeName.java:214)
===============

Am I not setting the configuration properties correctly, or am I using an
incompatible version of the vt-ldap jar?


any help is appreciated.

thanx
-ram

Chad La Joie

Aug 22, 2010, 2:08:03 PM
to shibbole...@internet2.edu
The documentation that gives the JAAS properties that need to be set is
here:
https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Ram Munjuluri

Aug 22, 2010, 10:37:18 PM
to shibbole...@internet2.edu
What I don't understand is why the log says dn = null. It looks like somehow
the configuration is not picking up the "cn=Directory Manager" value for the
serviceUser parameter. Has anyone got the IdP working in a JBoss environment? The
last resort for me is to switch to Tomcat 6.x and try this again.

==========================
22:03:52.003 DEBUG [edu.vt.middleware.ldap.Authenticator:149] - Looking up DN from userfield and base
22:03:52.005 DEBUG [edu.vt.middleware.ldap.Ldap:665] - One level search with the following parameters:
22:03:52.005 DEBUG [edu.vt.middleware.ldap.Ldap:666] - dn = null
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:667] - attributes = <not shown>
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:668] - return attributes =
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:676] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1513] - Bind with the following parameters:
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1514] - dn = null
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1518] - credential = <suppressed>
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1520] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1528] - dn or credential is null, authtype set to none
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1539] - TLS not used
22:03:52.009 DEBUG [edu.vt.middleware.ldap.Ldap:1540] - authtype is none
22:03:52.013 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: java.lang.NullPointerException
    at javax.naming.NameImpl.<init>(NameImpl.java:264)

=========================================
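The two log excerpts above (and the first post's stack trace) each carry one distinctive failure signature. The following triage helper is an added example, not code from this thread or from the Shibboleth or vt-ldap projects: it scans IdP log lines for those signatures plus the cleartext-LDAP warning and explains what each one points to. The sample log lines are constructed from the messages quoted in the thread.

```python
import re

# Constructed sample log lines, modelled on the messages quoted in this
# thread (logger names shortened in places; not the poster's exact output).
SAMPLE_LOG = """\
08:23:50.802 DEBUG [...UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: Missing users.properties file.
11:00:53.157 ERROR [edu.vt.middleware.ldap.LdapProperties:396] - Could not invoke method setPrincipalDNSuffix
java.lang.NoSuchMethodException: edu.vt.middleware.ldap.LdapConfig.setPrincipalDNSuffix(java.lang.String)
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1514] - dn = null
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1528] - dn or credential is null, authtype set to none
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1539] - TLS not used
"""

# (pattern, finding id, what it means for the administrator)
RULES = [
    (re.compile(r"LoginException: Missing users\.properties file"),
     "wrong-login-module",
     "JBoss's UsersRolesLoginModule ran instead of the LDAP module: the "
     "container's login-config.xml, not the IdP's login.config, is in effect."),
    (re.compile(r"NoSuchMethodException: .*LdapConfig\.set(\w+)\("),
     "unknown-module-option",
     "a module-option was mapped to a setter this vt-ldap jar lacks; check the "
     "option name against the IdP's documented JAAS properties."),
    (re.compile(r"dn or credential is null, authtype set to none"),
     "anonymous-bind",
     "the service bind DN/credential were not applied, so the user lookup "
     "bound anonymously with no DN and the login cannot succeed."),
    (re.compile(r"Ldap:\d+\] - TLS not used"),
     "cleartext-ldap",
     "neither ssl nor tls is enabled, so bind credentials cross the network "
     "in the clear."),
]

def triage(log_text):
    """Return [(finding id, captured detail, explanation)] for each rule that
    matches at least once, in order of first appearance."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        for pattern, fid, detail in RULES:
            m = pattern.search(line)
            if m and fid not in seen:
                seen.add(fid)
                findings.append((fid, m.group(1) if m.groups() else "", detail))
    return findings

if __name__ == "__main__":
    for fid, extra, detail in triage(SAMPLE_LOG):
        print(f"[{fid}] {extra} {detail}".strip())
```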

Ram Munjuluri

Aug 22, 2010, 10:50:40 PM
to shibbole...@internet2.edu
Thanx for the info. I finally managed to get the authentication working. The
next error I get after authentication at the "IdP Login Page" is:

Error Message: No peer endpoint available to which to send SAML response.

I was using the URL "https://sp.pictorsolutions.com/secure", which directed me
to the login page.

thanx
-ram

Chad La Joie

Aug 23, 2010, 6:54:33 AM
to shibbole...@internet2.edu
That error is discussed on the FAQ page.

--
