Re: [jetty-users] Re: Problems configuring Jetty for LDAP authentication
Well, I've worked with LDAP directories in my job for the last 10 years
or so and worked with quite a few other folks in similar positions in
other companies.
The general consensus that I've always heard and experienced is that the
"right" way to do LDAP authentication is to bind, search for the user's
DN using some particular filter, and then bind again as that DN with the
user's password.
Computing the user's DN from some pattern is considered bad because it
makes the application tightly coupled to the DIT. Having the ability to
pull back the user's password from the directory is a horrible security
flaw in whatever directory allows it.
On 6/15/10 5:26 PM, Jesse McConnell wrote:
I wonder about that setting from time to time... the theory was that you
could authn via the binding approach or a simple 'get pwd and verify
against that'.
but I think the default use case for people seems to be binding approach
glad you got it sorted out
jesse
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Tue, Jun 15, 2010 at 15:43, Loren Cahlander <loren.cahlander@xxxxxxxxx> wrote:
I found my problem. If I change forceBindingLogin to true in login.conf, then everything works.
On Jun 14, 2010, at 10:25 AM, Loren Cahlander wrote:
Hello,
I am trying to configure Jetty for LDAP authentication. Can someone tell me what is wrong in my login.conf?
Here is an authentication that works under the Apache 2.2 configuration:
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    AuthType Basic
    AuthName "Subversion Authentication"
    AuthBasicProvider ldap
    # The distinguished name to bind to the directory server
    AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
    # The password for the user above
    AuthLDAPBindPassword "1234"
    AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org?uid?sub?(objectclass=posixAccount)"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPCompareDNOnServer off
    AuthzLDAPAuthoritative on
    Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
</Directory>
Here is the Authentication Login Service information in jetty.xml:
<!-- =========================================================== -->
<!-- Configure Authentication Login Service                      -->
<!-- =========================================================== -->
<Call class="java.lang.System" name="setProperty">
    <Arg>java.security.auth.login.config</Arg>
    <Arg><SystemProperty name="jetty.home" default="." />/etc/login.conf</Arg>
</Call>
<Call name="addBean">
    <Arg>
        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
            <Set name="name">JAASLoginService</Set>
            <Set name="LoginModuleName">eXistDB</Set>
        </New>
    </Arg>
</Call>
My login.conf under Jetty is:
eXistDB {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule REQUIRED
        debug="true"
        useLdaps="false"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="127.0.0.1"
        port="389"
        bindDn="cn=admin,dc=exist-db,dc=org"
        bindPassword="1234"
        authenticationMethod="simple"
        forceBindingLogin="false"
        userBaseDn="ou=Users,dc=exist-db,dc=org"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="posixAccount"
        roleBaseDn="ou=Groups,dc=exist-db,dc=org"
        roleNameAttribute="cn"
        roleMemberAttribute="memberUid"
        roleObjectClass="posixGroup";
};
And I am getting the following error:
14 Jun 2010 10:20:08,143 [qtp2133251039-20] INFO (Slf4jLog.java [info]:92) - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=Users,dc=exist-db,dc=org
14 Jun 2010 10:20:08,145 [qtp2133251039-20] INFO (Slf4jLog.java [info]:92) - Found user?: true
14 Jun 2010 10:20:08,152 [qtp2133251039-20] WARN (Slf4jLog.java [warn]:124) - EXCEPTION
javax.security.auth.login.LoginException: Login Failure: all modules ignored
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:936)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:174)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:417)
    at org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:933)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
    at org.eclipse.jetty.server.Server.handle(Server.java:334)
    at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1007)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:747)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:209)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
    at java.lang.Thread.run(Thread.java:636)
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
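The search-then-bind flow Chad describes above (bind as the service account, find the user's DN with a filter, bind again as that DN), as an added example that is not part of the original thread and is not Jetty's LdapLoginModule or any poster's code. It runs offline against a constructed in-memory directory standing in for an LDAP server; the DNs reuse those from the thread, while the passwords, the `backup (ops)` account and the directory's ACL are assumptions. For contrast it also implements the read-userPassword-and-compare approach behind forceBindingLogin="false", which only works when the directory lets the service account read passwords.

```python
"""Search-then-bind LDAP login: bind as the service account, find the user's
DN with a filter, then bind again as that DN with the user's password.

Added example; not Jetty's LdapLoginModule and not code from any poster.
InMemoryDirectory is a constructed stand-in for an LDAP server so the flow
runs offline; every password and the ACL below are made up."""
import hmac
import re
from dataclasses import dataclass


def escape_filter_value(value):
    """RFC 4515 escaping for a user-supplied value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass(frozen=True)
class LdapConfig:
    """The login.conf options the flow needs, named after the file's keys."""
    bind_dn: str
    bind_password: str
    user_base_dn: str
    user_object_class: str
    user_id_attribute: str


class InMemoryDirectory:
    """Constructed stub: simple bind, subtree search for one filter shape, and an
    ACL on userPassword. Passwords are stored in clear only to keep the stub short."""
    _FILTER = re.compile(r"^\(&\(objectClass=([^()]*)\)\(([^=()]+)=([^()]*)\)\)$")

    def __init__(self, entries, password_readers=()):
        self._by_dn = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}
        self._password_readers = {dn.lower() for dn in password_readers}

    def bind(self, dn, password):
        """Simple bind: succeeds only for an existing DN with a matching, non-empty password."""
        hit = self._by_dn.get(dn.lower())
        if hit is None or not password:          # an empty password would be an anonymous bind
            return False
        stored = hit[1].get("userPassword", "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def search(self, base_dn, ldap_filter):
        """Subtree search; only (&(objectClass=X)(attr=value)) filters are understood."""
        m = self._FILTER.match(ldap_filter)
        if m is None:
            raise ValueError("malformed or unsupported filter: %r" % ldap_filter)
        oc, attr, value = m.group(1).lower(), m.group(2), _unescape_filter_value(m.group(3))
        return [dn for key, (dn, attrs) in self._by_dn.items()
                if key.endswith(base_dn.lower())
                and oc in (v.lower() for v in attrs.get("objectClass", ()))
                and value in attrs.get(attr, ())]

    def read_password(self, bound_as, dn):
        """Mimics a directory ACL: only listed DNs may read userPassword."""
        if bound_as.lower() not in self._password_readers:
            raise PermissionError("%s may not read userPassword" % bound_as)
        return self._by_dn[dn.lower()][1].get("userPassword")


def find_user_dn(directory, cfg, username):
    """Steps 1 and 2: bind as the service account, then search for exactly one user."""
    if not directory.bind(cfg.bind_dn, cfg.bind_password):
        raise RuntimeError("service account bind failed")
    ldap_filter = "(&(objectClass=%s)(%s=%s))" % (
        cfg.user_object_class, cfg.user_id_attribute, escape_filter_value(username))
    hits = directory.search(cfg.user_base_dn, ldap_filter)
    return hits[0] if len(hits) == 1 else None     # no match or ambiguous match: no login


def login_by_binding(directory, cfg, username, password):
    """forceBindingLogin="true" style: step 3 proves the password by binding as the user."""
    dn = find_user_dn(directory, cfg, username)
    return dn if dn is not None and directory.bind(dn, password) else None


def login_by_password_compare(directory, cfg, username, password):
    """forceBindingLogin="false" style: read userPassword and compare locally. Needs a
    directory that lets the service account read passwords; under a sane ACL it fails."""
    dn = find_user_dn(directory, cfg, username)
    if dn is None:
        return None
    stored = directory.read_password(cfg.bind_dn, dn)      # PermissionError under a sane ACL
    return dn if stored and hmac.compare_digest(stored.encode(), password.encode()) else None


# Constructed sample data reusing the DNs from the thread; passwords are invented.
CONFIG = LdapConfig(bind_dn="cn=admin,dc=exist-db,dc=org", bind_password="service-secret",
                    user_base_dn="ou=Users,dc=exist-db,dc=org",
                    user_object_class="posixAccount", user_id_attribute="uid")
ENTRIES = {
    "cn=admin,dc=exist-db,dc=org": {"objectClass": ["person"], "userPassword": "service-secret"},
    "uid=alice,ou=Users,dc=exist-db,dc=org": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "userPassword": "alice-pw"},
    "uid=backup (ops),ou=Users,dc=exist-db,dc=org": {     # parentheses exercise the escaping
        "objectClass": ["posixAccount"], "uid": ["backup (ops)"], "userPassword": "backup-pw"},
}
DIRECTORY = InMemoryDirectory(ENTRIES)      # default ACL: nobody may read userPassword
```

With the default ACL, `login_by_binding(DIRECTORY, CONFIG, "alice", "alice-pw")` returns the user's DN and `login_by_password_compare` raises PermissionError, which is the desired state of a directory: the application never needs to see stored credentials. Only an InMemoryDirectory built with `password_readers=[CONFIG.bind_dn]` lets the compare path succeed, and that is exactly the directory configuration the thread calls a flaw.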