Re: [jetty-users] Re: Problems configuring Jetty for LDAP authentication
If you guys want, I'm more than willing to take a look at the module and
offer up any suggestions. Alternatively you might want to look at the
login module we use[1], written by a colleague of mine. It has some
pretty advanced features that may be useful for some users, depending on
their LDAP setup. I can attest that it's used by quite a number of places.
[1] http://code.google.com/p/vt-middleware/wiki/vtldap
On 6/15/10 6:14 PM, Jesse McConnell wrote:
good point
if someone wants to open an issue on it I'll take a look, maybe switch
the default (which I thought had been by bind), or maybe split it into
two different login modules
cheers,
jesse
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Tue, Jun 15, 2010 at 16:59, Chad La Joie <lajoie@xxxxxxxxx> wrote:
Well, I've worked with LDAP directories in my job for the last 10 years or
so and worked with quite a few other folks in similar positions in other
companies.
The general consensus that I've always heard and experienced is that the
"right" way to do LDAP authentication is to bind, search for the user's DN
using some particular filter, and then bind again as that DN with the user's
password.
Computing the user's DN from some pattern is considered bad because it makes
the application tightly coupled to the DIT. Having the ability to pull back
the user's password from the directory is a horrible security flaw in whatever
directory allows it.
On 6/15/10 5:26 PM, Jesse McConnell wrote:
i wonder about that setting from time to time...theory was that you
could authn via the binding approach or a simple 'get pwd and verify
against that'
but I think the default use case for people seems to be binding approach
glad you got it sorted out
jesse
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Tue, Jun 15, 2010 at 15:43, Loren Cahlander <loren.cahlander@xxxxxxxxx> wrote:
I found my problem. If I change forceBindingLogin to true in login.conf,
then everything works.
On Jun 14, 2010, at 10:25 AM, Loren Cahlander wrote:
Hello,
I am trying to configure Jetty for LDAP authentication. Can someone
tell me what is wrong in my login.conf?
Here is an authentication that works under the Apache 2.2 configuration:
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthType Basic
AuthName "Subversion Authentication"
AuthBasicProvider ldap
# The distinguished name to bind to the directory server
AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
# The password for the user above
AuthLDAPBindPassword "1234"
AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPCompareDNOnServer off
AuthzLDAPAuthoritative on
Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
</Directory>
Here is the Authentication Login Service information in jetty.xml:
<!-- =========================================================== -->
<!-- Configure Authentication Login Service -->
<!-- =========================================================== -->
<Call class="java.lang.System" name="setProperty">
<Arg>java.security.auth.login.config</Arg>
<Arg><SystemProperty name="jetty.home" default="."/>/etc/login.conf</Arg>
</Call>
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
<Set name="name">JAASLoginService</Set>
<Set name="LoginModuleName">eXistDB</Set>
</New>
</Arg>
</Call>
My login.conf under Jetty is:
eXistDB {
org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
debug="true"
useLdaps="false"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="127.0.0.1"
port="389"
bindDn="cn=admin,dc=exist-db,dc=org"
bindPassword="1234"
authenticationMethod="simple"
forceBindingLogin="false"
userBaseDn="ou=Users,dc=exist-db,dc=org"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="posixAccount"
roleBaseDn="ou=Groups,dc=exist-db,dc=org"
roleNameAttribute="cn"
roleMemberAttribute="memberUid"
roleObjectClass="posixGroup";
};
And I am getting the following error:
14 Jun 2010 10:20:08,143 [qtp2133251039-20] INFO (Slf4jLog.java [info]:92) - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=Users,dc=exist-db,dc=org
14 Jun 2010 10:20:08,145 [qtp2133251039-20] INFO (Slf4jLog.java [info]:92) - Found user?: true
14 Jun 2010 10:20:08,152 [qtp2133251039-20] WARN (Slf4jLog.java [warn]:124) - EXCEPTION
javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:936)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)
at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:174)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:417)
at org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:933)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
at org.eclipse.jetty.server.Server.handle(Server.java:334)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1007)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:747)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:209)
at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
at java.lang.Thread.run(Thread.java:636)
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
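As an added example (not code from the thread, Jetty, or the vtldap module), a small Python linter that parses a login.conf entry in the syntax shown above, flags the password-compare mode that forceBindingLogin="false" selects, and builds the module's user search filter from the poster's log with the login name escaped per RFC 4515; the conf text is constructed from the poster's entry, shortened.

```python
import re

# Constructed sample in the login.conf syntax from the thread (shortened):
# the poster's original setting (forceBindingLogin="false") beside the fix.
WEAK_CONF = '''
eXistDB {
  org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
    forceBindingLogin="false"
    userBaseDn="ou=Users,dc=exist-db,dc=org"
    userObjectClass="posixAccount"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword";
};
'''
FIXED_CONF = WEAK_CONF.replace('forceBindingLogin="false"', 'forceBindingLogin="true"')

def parse_login_conf(text):
    """Return {app_name: {option: value}} for each JAAS entry in the file."""
    entries = {}
    for name, body in re.findall(r'(\w+)\s*\{(.*?)\};', text, re.S):
        entries[name] = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    return entries

def lint_ldap_entry(opts):
    """Flag password-compare mode: the module then reads the user's password
    attribute through the bindDn account and compares it locally, which only
    works if the directory hands out password values at all."""
    findings = []
    if opts.get('forceBindingLogin', 'false').lower() != 'true':
        findings.append('forceBindingLogin is not "true": set it so the module '
                        'binds as the found user DN instead of comparing a '
                        'password fetched via %s' % opts.get('userPasswordAttribute', '<unset>'))
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def user_search_filter(opts, username):
    """Build the filter the poster's log shows, (&(objectClass={0})({1}={2})),
    with the login name escaped so it is matched literally."""
    return '(&(objectClass=%s)(%s=%s))' % (
        opts['userObjectClass'], opts['userIdAttribute'], escape_filter_value(username))

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        opts = parse_login_conf(conf)['eXistDB']
        print(label, lint_ldap_entry(opts) or 'ok', user_search_filter(opts, 'loren'))
```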