Re: [jetty-users] Re: Problems configuring Jetty for LDAP authentication
good point
if someone wants to open an issue on it I'll take a look, maybe switch
the default (which I thought had been by bind), or maybe split it into
two different login modules
cheers,
jesse
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Tue, Jun 15, 2010 at 16:59, Chad La Joie <lajoie@xxxxxxxxx> wrote:
> Well, I've worked with LDAP directories in my job for the last 10 years or
> so and worked with quite a few other folks in similar positions in other
> companies.
>
> The general consensus that I've always heard and experienced is that the
> "right" way to do LDAP authentication is to bind, search for the user's DN
> using some particular filter, and then bind again as that DN with the user's
> password.
>
> Computing the user's DN from some pattern is considered bad because it makes
> the application tightly coupled to the DIT. Having the ability to pull back
> the user's password from the directory is a horrible security flaw in whatever
> directory allows it.
>
> On 6/15/10 5:26 PM, Jesse McConnell wrote:
>>
>> i wonder about that setting from time to time...theory was that you
>> could authn via the binding approach or a simple 'get pwd and verify
>> against that'
>>
>> but I think the default use case for people seems to be binding approach
>>
>> glad you got it sorted out
>>
>> jesse
>>
>> --
>> jesse mcconnell
>> jesse.mcconnell@xxxxxxxxx
>>
>>
>>
>> On Tue, Jun 15, 2010 at 15:43, Loren Cahlander
>> <loren.cahlander@xxxxxxxxx> wrote:
>>>
>>> I found my problem. If I change forceBindingLogin to true in login.conf,
>>> then everything works.
>>>
>>> On Jun 14, 2010, at 10:25 AM, Loren Cahlander wrote:
>>>
>>>> Hello,
>>>>
>>>> I am trying to configure Jetty for LDAP authentication. Can someone
>>>> tell me what is wrong in my login.conf?
>>>>
>>>> Here is an authentication that works under the Apache 2.2 configuration:
>>>>
>>>> Alias /doc/ "/usr/share/doc/"
>>>> <Directory "/usr/share/doc/">
>>>> Options Indexes MultiViews FollowSymLinks
>>>> AllowOverride None
>>>> Order allow,deny
>>>> Allow from all
>>>> AuthBasicProvider ldap
>>>> AuthUserFile /dev/null
>>>> AuthType Basic
>>>> AuthName "Subversion Authentication"
>>>> AuthBasicProvider ldap
>>>> # The distinguished name to bind to the directory server
>>>> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>>>>
>>>> # The password for the user above
>>>> AuthLDAPBindPassword "1234"
>>>> AuthLDAPUrl
>>>> "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)"
>>>> AuthLDAPGroupAttribute memberUid
>>>> AuthLDAPGroupAttributeIsDN off
>>>> AuthLDAPCompareDNOnServer off
>>>> AuthzLDAPAuthoritative on
>>>> Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
>>>>
>>>> </Directory>
>>>>
>>>> Here is the Authentication Login Service information in jetty.xml:
>>>>
>>>> <!-- =========================================================== -->
>>>> <!-- Configure Authentication Login Service -->
>>>> <!-- =========================================================== -->
>>>> <Call class="java.lang.System" name="setProperty">
>>>> <Arg>java.security.auth.login.config</Arg>
>>>> <Arg><SystemProperty name="jetty.home" default="."
>>>> />/etc/login.conf</Arg>
>>>> </Call>
>>>>
>>>> <Call name="addBean">
>>>> <Arg>
>>>> <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
>>>> <Set name="name">JAASLoginService</Set>
>>>> <Set name="LoginModuleName">eXistDB</Set>
>>>> </New>
>>>> </Arg>
>>>> </Call>
>>>>
>>>>
>>>> My login.conf under Jetty is:
>>>>
>>>> eXistDB {
>>>> org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
>>>> debug="true"
>>>> useLdaps="false"
>>>> contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
>>>> hostname="127.0.0.1"
>>>> port="389"
>>>> bindDn="cn=admin,dc=exist-db,dc=org"
>>>> bindPassword="1234"
>>>> authenticationMethod="simple"
>>>> forceBindingLogin="false"
>>>> userBaseDn="ou=Users,dc=exist-db,dc=org"
>>>> userRdnAttribute="uid"
>>>> userIdAttribute="uid"
>>>> userPasswordAttribute="userPassword"
>>>> userObjectClass="posixAccount"
>>>> roleBaseDn="ou=Groups,dc=exist-db,dc=org"
>>>> roleNameAttribute="cn"
>>>> roleMemberAttribute="memberUid"
>>>> roleObjectClass="posixGroup";
>>>> };
>>>>
>>>>
>>>> And I am getting the following error:
>>>>
>>>>
>>>> 14 Jun 2010 10:20:08,143 [qtp2133251039-20] INFO (Slf4jLog.java
>>>> [info]:92) - Searching for users with filter:
>>>> '(&(objectClass={0})({1}={2}))' from base dn: ou=Users,dc=exist-db,dc=org
>>>> 14 Jun 2010 10:20:08,145 [qtp2133251039-20] INFO (Slf4jLog.java
>>>> [info]:92) - Found user?: true
>>>> 14 Jun 2010 10:20:08,152 [qtp2133251039-20] WARN (Slf4jLog.java
>>>> [warn]:124) - EXCEPTION
>>>> javax.security.auth.login.LoginException: Login Failure: all modules
>>>> ignored
>>>> at
>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:936)
>>>> at
>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>> at
>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
>>>> at
>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
>>>> at
>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:594)
>>>> at
>>>> org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)
>>>> at
>>>> org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:174)
>>>> at
>>>> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:417)
>>>> at
>>>> org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)
>>>> at
>>>> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:933)
>>>> at
>>>> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)
>>>> at
>>>> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
>>>> at
>>>> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>>>> at
>>>> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>>>> at
>>>> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>>>> at org.eclipse.jetty.server.Server.handle(Server.java:334)
>>>> at
>>>> org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)
>>>> at
>>>> org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1007)
>>>> at
>>>> org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:747)
>>>> at
>>>> org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:209)
>>>> at
>>>> org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)
>>>> at
>>>> org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462)
>>>> at
>>>> org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>>>> at java.lang.Thread.run(Thread.java:636)
>>>>
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>
>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered
>
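As an added illustration of the two login strategies Chad contrasts above (search for the DN and bind as it, versus read the password attribute and compare it in the application), here is a small Python model of both flows. It is not code from this thread or from Jetty's LdapLoginModule: the directory is an in-memory stand-in constructed here, the DNs, account names and passwords are made up, and the two functions only mirror what forceBindingLogin=true and forceBindingLogin=false ask the login module to do. The stand-in enforces the posture Chad argues for (userPassword is never readable by another account), escapes the login name before it is interpolated into the search filter, and refuses an empty password, since RFC 4513 treats a DN with an empty password as an unauthenticated bind that some servers accept as anonymous.

```python
"""Added example: search-then-bind vs search-then-compare LDAP login,
against a constructed in-memory directory (no real LDAP server or client)."""
import hashlib
import hmac
import os

# Assumed names for the illustration; they do not come from the thread.
SERVICE_DN = "cn=svc-jetty,ou=Services,dc=example,dc=org"
USER_BASE = "ou=Users,dc=example,dc=org"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a
    user-supplied login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the toy fast; a real directory tunes this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN, a bind
    that verifies the password server-side against a salted hash, and an ACL
    that never exposes userPassword to other accounts."""

    def __init__(self):
        self.entries = {}    # dn -> {attribute: value}
        self._secrets = {}   # dn -> (salt, pbkdf2 hash); never returned
        self.bound_as = None
        self.last_filter = None

    def add_account(self, dn, attrs, password):
        salt = os.urandom(16)
        self._secrets[dn] = (salt, _pw_hash(password, salt))
        self.entries[dn] = dict(attrs)

    def bind(self, dn, password):
        """Simple bind. An empty password would be an RFC 4513 unauthenticated
        bind, which some servers treat as anonymous, so it is refused here."""
        if not password:
            raise ValueError("refusing empty password (unauthenticated bind)")
        self.bound_as = None
        secret = self._secrets.get(dn)
        if secret is None:
            return False
        salt, expected = secret
        if hmac.compare_digest(_pw_hash(password, salt), expected):
            self.bound_as = dn
            return True
        return False

    def search(self, base_dn, object_class, attr, value):
        """Subtree search for (&(objectClass=OC)(ATTR=VALUE)); returns the DN
        when exactly one entry matches, else None."""
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        self.last_filter = "(&(objectClass=%s)(%s=%s))" % (
            object_class, attr, escape_filter_value(value))
        hits = [dn for dn, e in self.entries.items()
                if dn.endswith("," + base_dn)
                and e.get("objectClass") == object_class
                and e.get(attr) == value]
        return hits[0] if len(hits) == 1 else None

    def read_attribute(self, dn, attr):
        if attr == "userPassword":
            raise PermissionError("userPassword not readable by " + str(self.bound_as))
        return self.entries[dn].get(attr)


def _find_user_dn(directory, service_pw, uid):
    if not directory.bind(SERVICE_DN, service_pw):
        return "service-bind-failed", None
    return "ok", directory.search(USER_BASE, "posixAccount", "uid", uid)


def login_by_binding(directory, service_pw, uid, password):
    """forceBindingLogin=true style: find the DN, then bind as it. The secret
    stays in the directory; the service account only needs to read uid."""
    status, dn = _find_user_dn(directory, service_pw, uid)
    if status != "ok":
        return status
    if dn is None:
        return "no-such-user"
    try:
        return "ok" if directory.bind(dn, password) else "bad-password"
    except ValueError:           # empty password never reaches the server
        return "bad-password"


def login_by_compare(directory, service_pw, uid, password):
    """forceBindingLogin=false style: fetch userPassword and compare locally.
    Only works if the directory lets the service account read the secret."""
    status, dn = _find_user_dn(directory, service_pw, uid)
    if status != "ok":
        return status
    if dn is None:
        return "no-such-user"
    try:
        stored = directory.read_attribute(dn, "userPassword")
    except PermissionError:
        return "password-attribute-not-readable"
    return "ok" if hmac.compare_digest(stored, password) else "bad-password"


def build_demo_directory():
    """Constructed sample data, not taken from any real directory."""
    d = FakeDirectory()
    d.add_account(SERVICE_DN, {"objectClass": "simpleSecurityObject"}, "svc-secret")
    d.add_account("uid=alice,ou=Users,dc=example,dc=org",
                  {"objectClass": "posixAccount", "uid": "alice"}, "correct horse")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print("binding login:", login_by_binding(d, "svc-secret", "alice", "correct horse"))
    print("compare login:", login_by_compare(d, "svc-secret", "alice", "correct horse"))
```

Run stand-alone, the binding flow returns "ok" while the compare flow returns "password-attribute-not-readable": with the service account limited to reading uid and objectClass, only the binding approach can authenticate anyone, which is the practical reason forceBindingLogin=true is the setting that works against a properly locked-down directory.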