Re: [jetty-users] Re: Problems configuring Jetty for LDAP authentication

If you guys want, I'm more than willing to take a look at the module and offer up any suggestions. Alternatively you might want to look at the login module we use[1], written by a colleague of mine. It has some pretty advanced features that may be useful for some users, depending on their LDAP setup. I can attest that it's used by quite a number of places.

[1] http://code.google.com/p/vt-middleware/wiki/vtldap

On 6/15/10 6:14 PM, Jesse McConnell wrote:
good point

if someone wants to open an issue on it I'll take a look, maybe switch
the default (which I thought had been by bind), or maybe split it into
two different login modules

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Tue, Jun 15, 2010 at 16:59, Chad La Joie <lajoie@xxxxxxxxx> wrote:
Well, I've worked with LDAP directories in my job for the last 10 years or
so and worked with quite a few other folks in similar positions in other
companies.

The general consensus that I've always heard and experienced is that the
"right" way to do LDAP authentication is to bind, search for the user's DN
using some particular filter, and then bind again as that DN with the user's
password.

Computing the user's DN from some pattern is considered bad because it makes
the application tightly coupled to the DIT.  Having the ability to pull back
the user's password from the directory is a horrible security flaw in whatever
directory allows it.

On 6/15/10 5:26 PM, Jesse McConnell wrote:

I wonder about that setting from time to time... the theory was that you
could authn via the binding approach or a simple 'get pwd and verify
against that'

but I think the default use case for people seems to be binding approach

glad you got it sorted out

jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Tue, Jun 15, 2010 at 15:43, Loren Cahlander <loren.cahlander@xxxxxxxxx> wrote:

I found my problem.  If I change forceBindingLogin to true in login.conf,
then everything works.

On Jun 14, 2010, at 10:25 AM, Loren Cahlander wrote:

Hello,

I am trying to configure Jetty for LDAP authentication.  Can someone
tell me what is wrong in my login.conf?

Here is an authentication that works under the Apache 2.2 configuration:

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Subversion Authentication"
        AuthBasicProvider ldap
        AuthUserFile /dev/null
        # The distinguished name to bind to the directory server
        AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"

        # The password for the user above
        AuthLDAPBindPassword "1234"
        AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPCompareDNOnServer off
        AuthzLDAPAuthoritative on
        Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
    </Directory>

Here is the Authentication Login Service information in jetty.xml:

    <!-- =========================================================== -->
    <!-- Configure Authentication Login Service                      -->
    <!-- =========================================================== -->
    <Call class="java.lang.System" name="setProperty">
      <Arg>java.security.auth.login.config</Arg>
      <Arg><SystemProperty name="jetty.home" default="." />/etc/login.conf</Arg>
    </Call>

    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
          <Set name="name">JAASLoginService</Set>
          <Set name="LoginModuleName">eXistDB</Set>
        </New>
      </Arg>
    </Call>


My login.conf under Jetty is:

eXistDB {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
        debug="true"
        useLdaps="false"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="127.0.0.1"
        port="389"
        bindDn="cn=admin,dc=exist-db,dc=org"
        bindPassword="1234"
        authenticationMethod="simple"
        forceBindingLogin="false"
        userBaseDn="ou=Users,dc=exist-db,dc=org"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="posixAccount"
        roleBaseDn="ou=Groups,dc=exist-db,dc=org"
        roleNameAttribute="cn"
        roleMemberAttribute="memberUid"
        roleObjectClass="posixGroup";
};


And I am getting the following error:


14 Jun 2010 10:20:08,143 [qtp2133251039-20] INFO  (Slf4jLog.java [info]:92) - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=Users,dc=exist-db,dc=org
14 Jun 2010 10:20:08,145 [qtp2133251039-20] INFO  (Slf4jLog.java [info]:92) - Found user?: true
14 Jun 2010 10:20:08,152 [qtp2133251039-20] WARN  (Slf4jLog.java [warn]:124) - EXCEPTION
javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:936)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)
        at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:174)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:417)
        at org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:933)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
        at org.eclipse.jetty.server.Server.handle(Server.java:334)
        at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)
        at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1007)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:747)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:209)
        at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
        at java.lang.Thread.run(Thread.java:636)


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users



--
Chad La Joie
http://itumi.biz
trusted identities, delivered



--
Chad La Joie
http://itumi.biz
trusted identities, delivered
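Editor's note: the bind, search, bind-again flow Chad describes above (what the thread says Jetty's LdapLoginModule does when forceBindingLogin="true") is shown below as an added example in plain JNDI. It is not code from this thread, from Jetty or from the vt-ldap project. The hostname, the service-account DN, the user base DN and the attribute names are hypothetical; the filter uses JNDI's {0} argument substitution, the same mechanism visible in the log line '(&(objectClass={0})({1}={2}))' above, so the login name is escaped per RFC 4515 and cannot alter the filter. The one caveat the thread does not spell out is also handled: an LDAP simple bind with an empty password is an anonymous/unauthenticated bind that many servers accept, so it must be rejected before the second bind is attempted.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind LDAP authentication (added example, not Jetty's code).
 * All DNs, hosts and attribute names below are assumed/hypothetical.
 */
public final class LdapSearchThenBind {
    private static final String URL = "ldaps://ldap.example.org:636";
    // Service account: needs only read/search rights on the user subtree.
    // It must NOT be able to read userPassword; the directory verifies
    // the password for us in step 3.
    private static final String SERVICE_DN = "cn=svc-auth,ou=Services,dc=example,dc=org";
    private static final String USER_BASE = "ou=Users,dc=example,dc=org";
    // {0} is escaped and substituted by JNDI (RFC 4515), so a login name such
    // as "*)(uid=*" cannot change the structure of the filter.
    private static final String USER_FILTER = "(&(objectClass=posixAccount)(uid={0}))";

    private static Hashtable<String, String> env(String principal, char[] password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return env;
    }

    /** Steps 1 and 2: bind as the service account, resolve uid to exactly one DN. */
    static String findUserDn(String uid, char[] servicePassword) throws NamingException {
        DirContext ctx = new InitialDirContext(env(SERVICE_DN, servicePassword));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            sc.setCountLimit(2);                       // enough to detect ambiguity
            NamingEnumeration<SearchResult> results =
                ctx.search(USER_BASE, USER_FILTER, new Object[] { uid }, sc);
            if (!results.hasMore()) {
                return null;                            // unknown user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                // Two entries share this uid: refuse rather than pick one.
                throw new NamingException("ambiguous uid: " + uid);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 3: bind as the user's own DN; success means the directory checked the password. */
    static boolean authenticate(String uid, char[] password, char[] servicePassword) {
        // Empty password => anonymous/unauthenticated simple bind, which many
        // servers accept (RFC 4513 section 5.1.2). Never let that count as a login.
        if (uid == null || uid.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        try {
            String dn = findUserDn(uid, servicePassword);
            if (dn == null) {
                return false;
            }
            new InitialDirContext(env(dn, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false;   // wrong password (LDAP result 49)
        } catch (NamingException e) {
            return false;   // directory unreachable, ambiguous uid, etc.: fail closed
        }
    }

    public static void main(String[] args) {
        String svc = System.getenv("LDAP_SVC_PASSWORD"); // assumed env var for the demo
        if (args.length != 2 || svc == null) {
            System.err.println("usage: LDAP_SVC_PASSWORD=... java LdapSearchThenBind <uid> <password>");
            System.exit(2);
        }
        System.out.println(authenticate(args[0], args[1].toCharArray(), svc.toCharArray()));
    }
}
```

The user's DN is never derived from a pattern, so the application stays decoupled from the DIT layout, and the service account never sees userPassword; both are the points Chad makes above. Run it against a test directory with the assumed DNs adjusted to your own tree.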

