Re: [jetty-users] Re: Problems configuring Jetty for LDAP authentication

We would be happy to have comments on the module, even more happy to
have a patch attached to an issue in either bugzilla or jira on it :)

cheers,
jesse


--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Tue, Jun 15, 2010 at 17:55, Chad La Joie <lajoie@xxxxxxxxx> wrote:
> If you guys want, I'm more than willing to take a look at the module and
> offer up any suggestions.  Alternatively you might want to look at the login
> module we use[1], written by a colleague of mine.  It has some pretty
> advanced features that may be useful for some users, depending on their LDAP
> setup.  I can attest that it's used by quite a number of places.
>
> [1] http://code.google.com/p/vt-middleware/wiki/vtldap
>
> On 6/15/10 6:14 PM, Jesse McConnell wrote:
>>
>> good point
>>
>> if someone wants to open an issue on it I'll take a look, maybe switch
>> the default (which I thought had been by bind), or maybe split it into
>> two different login modules
>>
>> cheers,
>> jesse
>>
>> --
>> jesse mcconnell
>> jesse.mcconnell@xxxxxxxxx
>>
>>
>>
>> On Tue, Jun 15, 2010 at 16:59, Chad La Joie<lajoie@xxxxxxxxx>  wrote:
>>>
>>> Well, I've worked with LDAP directories in my job for the last 10 years or
>>> so and worked with quite a few other folks in similar positions in other
>>> companies.
>>>
>>> The general consensus that I've always heard and experienced is that the
>>> "right" way to do LDAP authentication is to bind, search for the user's DN
>>> using some particular filter, and then bind again as that DN with the
>>> user's password.
>>>
>>> Computing the user's DN from some pattern is considered bad because it
>>> makes the application tightly coupled to the DIT.  Having the ability to
>>> pull back the user's password from the directory is a horrible security
>>> flaw in whatever directory allows it.
>>>
>>> On 6/15/10 5:26 PM, Jesse McConnell wrote:
>>>>
>>>> i wonder about that setting from time to time...theory was that you
>>>> could authn via the binding approach or a simple 'get pwd and verify
>>>> against that'
>>>>
>>>> but I think the default use case for people seems to be binding approach
>>>>
>>>> glad you got it sorted out
>>>>
>>>> jesse
>>>>
>>>> --
>>>> jesse mcconnell
>>>> jesse.mcconnell@xxxxxxxxx
>>>>
>>>>
>>>>
>>>> On Tue, Jun 15, 2010 at 15:43, Loren Cahlander <loren.cahlander@xxxxxxxxx> wrote:
>>>>>
>>>>> I found my problem.  If I change forceBindingLogin to true in
>>>>> login.conf, then everything works.
>>>>>
>>>>> On Jun 14, 2010, at 10:25 AM, Loren Cahlander wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to configure Jetty for LDAP authentication.  Can someone
>>>>>> tell me what is wrong in my login.conf?
>>>>>>
>>>>>> Here is an authentication that works under the Apache 2.2
>>>>>> configuration:
>>>>>>
>>>>>>    Alias /doc/ "/usr/share/doc/"
>>>>>>    <Directory "/usr/share/doc/">
>>>>>>        Options Indexes MultiViews FollowSymLinks
>>>>>>        AllowOverride None
>>>>>>        Order allow,deny
>>>>>>        Allow from all
>>>>>>        AuthBasicProvider ldap
>>>>>>        AuthUserFile /dev/null
>>>>>>        AuthType Basic
>>>>>>        AuthName "Subversion Authentication"
>>>>>>        AuthBasicProvider ldap
>>>>>>        # The distinguished name to bind to the directory server
>>>>>>        AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>>>>>>
>>>>>>        # The password for the user above
>>>>>>        AuthLDAPBindPassword "1234"
>>>>>>        AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)"
>>>>>>        AuthLDAPGroupAttribute memberUid
>>>>>>        AuthLDAPGroupAttributeIsDN off
>>>>>>        AuthLDAPCompareDNOnServer off
>>>>>>        AuthzLDAPAuthoritative on
>>>>>>        Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
>>>>>>
>>>>>>    </Directory>
>>>>>>
>>>>>> Here is the Authentication Login Service information in jetty.xml:
>>>>>>
>>>>>>    <!-- =========================================================== -->
>>>>>>    <!-- Configure Authentication Login Service                      -->
>>>>>>    <!-- =========================================================== -->
>>>>>>    <Call class="java.lang.System" name="setProperty">
>>>>>>      <Arg>java.security.auth.login.config</Arg>
>>>>>>      <Arg><SystemProperty name="jetty.home" default="." />/etc/login.conf</Arg>
>>>>>>    </Call>
>>>>>>
>>>>>>    <Call name="addBean">
>>>>>>      <Arg>
>>>>>>        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
>>>>>>          <Set name="name">JAASLoginService</Set>
>>>>>>          <Set name="LoginModuleName">eXistDB</Set>
>>>>>>        </New>
>>>>>>      </Arg>
>>>>>>    </Call>
>>>>>>
>>>>>>
>>>>>> My login.conf under Jetty is:
>>>>>>
>>>>>> eXistDB {
>>>>>> org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
>>>>>>    debug="true"
>>>>>>    useLdaps="false"
>>>>>>    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
>>>>>>    hostname="127.0.0.1"
>>>>>>    port="389"
>>>>>>    bindDn="cn=admin,dc=exist-db,dc=org"
>>>>>>    bindPassword="1234"
>>>>>>    authenticationMethod="simple"
>>>>>>    forceBindingLogin="false"
>>>>>>    userBaseDn="ou=Users,dc=exist-db,dc=org"
>>>>>>    userRdnAttribute="uid"
>>>>>>    userIdAttribute="uid"
>>>>>>    userPasswordAttribute="userPassword"
>>>>>>    userObjectClass="posixAccount"
>>>>>>    roleBaseDn="ou=Groups,dc=exist-db,dc=org"
>>>>>>    roleNameAttribute="cn"
>>>>>>    roleMemberAttribute="memberUid"
>>>>>>    roleObjectClass="posixGroup";
>>>>>> };
>>>>>>
>>>>>>
>>>>>> And I am getting the following error:
>>>>>>
>>>>>>
>>>>>> 14 Jun 2010 10:20:08,143 [qtp2133251039-20] INFO  (Slf4jLog.java [info]:92) - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=Users,dc=exist-db,dc=org
>>>>>> 14 Jun 2010 10:20:08,145 [qtp2133251039-20] INFO  (Slf4jLog.java [info]:92) - Found user?: true
>>>>>> 14 Jun 2010 10:20:08,152 [qtp2133251039-20] WARN  (Slf4jLog.java [warn]:124) - EXCEPTION
>>>>>> javax.security.auth.login.LoginException: Login Failure: all modules ignored
>>>>>>       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:936)
>>>>>>       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
>>>>>>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
>>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>>       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
>>>>>>       at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
>>>>>>       at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)
>>>>>>       at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:174)
>>>>>>       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:417)
>>>>>>       at org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)
>>>>>>       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:933)
>>>>>>       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)
>>>>>>       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
>>>>>>       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>>>>>>       at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>>>>>>       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>>>>>>       at org.eclipse.jetty.server.Server.handle(Server.java:334)
>>>>>>       at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)
>>>>>>       at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1007)
>>>>>>       at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:747)
>>>>>>       at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:209)
>>>>>>       at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)
>>>>>>       at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462)
>>>>>>       at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>>>>>>       at java.lang.Thread.run(Thread.java:636)
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> jetty-users mailing list
>>>>> jetty-users@xxxxxxxxxxx
>>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>>>
>>>>
>>>
>>> --
>>> Chad La Joie
>>> http://itumi.biz
>>> trusted identities, delivered
>>>
>>
>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered
>

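The bind-search-bind flow Chad describes (and that Loren selected in Jetty with forceBindingLogin="true") can be written in a few dozen lines of plain JNDI. The following is an added example for this thread, not code from Jetty's LdapLoginModule; it uses the host, base DN, object class and attribute names from Loren's login.conf and a placeholder service-account password. Two details matter for security and are easy to miss: an empty password must be rejected before the second bind, because a simple bind with a DN and no password is an unauthenticated bind that many servers accept (RFC 4513), and the username must be passed as a filter argument ({2}) rather than concatenated into the filter string, so that JNDI escapes any filter metacharacters in it.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Bind-search-bind LDAP authentication with plain JNDI (added example, not Jetty code).
 * Directory values mirror the login.conf from the thread; the service password is a placeholder.
 */
public class LdapBindAuth {
    static final String URL = "ldap://127.0.0.1:389";
    static final String SERVICE_DN = "cn=admin,dc=exist-db,dc=org";
    static final String SERVICE_PASSWORD = "CHANGE-ME";          // placeholder, not a real secret
    static final String USER_BASE_DN = "ou=Users,dc=exist-db,dc=org";
    static final String USER_OBJECT_CLASS = "posixAccount";
    static final String USER_ID_ATTRIBUTE = "uid";

    /** Returns the authenticated user's DN, or null when the credentials are not valid. */
    public static String authenticate(String username, char[] password) throws NamingException {
        // An empty password would turn the second bind into an unauthenticated bind,
        // which many directories accept. Fail closed before touching the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return null;
        }

        // Step 1: bind as the service account and search for the user's DN.
        // The DN is looked up, never computed from a pattern, so the code is not
        // coupled to the layout of the DIT.
        String userDn;
        DirContext service = connect(SERVICE_DN, SERVICE_PASSWORD.toCharArray());
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { USER_ID_ATTRIBUTE });
            // {n} placeholders are escaped by JNDI, so metacharacters such as '*' or ')'
            // in the username cannot change the meaning of the filter.
            NamingEnumeration<SearchResult> results = service.search(
                    USER_BASE_DN,
                    "(&(objectClass={0})({1}={2}))",
                    new Object[] { USER_OBJECT_CLASS, USER_ID_ATTRIBUTE, username },
                    controls);
            if (!results.hasMore()) {
                return null;                       // unknown user
            }
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null;                       // ambiguous match: refuse rather than guess
            }
        } finally {
            service.close();
        }

        // Step 2: bind as the user's own DN with the supplied password. The directory
        // verifies the password; the application never reads userPassword.
        try {
            connect(userDn, password).close();
            return userDn;
        } catch (AuthenticationException e) {
            return null;                           // wrong password
        }
    }

    private static DirContext connect(String dn, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialDirContext(env);
    }
}
```

Other NamingExceptions (server unreachable, service-account bind refused) propagate to the caller so that an outage is distinguishable from a bad password. With simple binds the password travels in clear text, so in a real deployment the URL should be ldaps:// or the connection upgraded with StartTLS before the first bind.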
