Target: create a test environment for JBoss JAAS authentication using LDAP.

Platform: Linux Ubuntu 9.10, JBoss 4.2.2.GA, java 1.6.0_15

Install and configure openldap

Installing LDAP proved to be the most complicated part, as Karmic apparently stripped all LDAP configuration from the install, so all the tutorials on the Ubuntu site are useless. I finally found a thread which described the process. Here are the steps I followed:

apt-get remove --purge slapd ldap-utils #remove all my tests
apt-get install slapd ldap-utils #install fresh
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

I’ve created a db.ldif similar to the one described and applied it; the only difference is that I changed the database to match dc=example,dc=com and the cn=admin,dc=example,dc=com password to be secret:

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif

I’ve then created an app.ldif containing an admin user with password secret:

dn: dc=example,dc=com
objectclass: top
objectclass: dcObject
objectclass: organization
dc: example
o: MCC

dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=admin,ou=People,dc=example,dc=com
objectclass: top
objectclass: uidObject
objectclass: person
uid: admin
cn: Admin
sn: Admin
userPassword: simple

dn: ou=Roles,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: the DiapasonAdmin group
member: uid=admin,ou=People,dc=example,dc=com

which I then imported:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f /tmp/app.ldif

(Figure: OpenLDAP structure)

JBoss configuration

Following the information on this page, I then configured an authentication policy in $JBOSS_HOME/server/default/conf/login-config.xml as follows:

<application-policy name="example">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=admin,dc=example,dc=com</module-option>
      <module-option name="bindCredential">secret</module-option>
      <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>

      <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>

which authenticates my user successfully.
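To check offline that the option values above really select the user and its roles, here is an added example (not from the original post) that mimics in Python the two searches LdapExtLoginModule performs: baseFilter with {0} = user name under baseCtxDN, then roleFilter with {1} = the resolved user DN under rolesCtxDN. The LDIF text is a constructed copy of the relevant app.ldif entries, and the small parser, ONELEVEL scope filter and equality-filter matcher are my own simplifications.

```python
# Constructed sample mirroring the app.ldif shown above (entries the module touches).
APP_LDIF = """\
dn: uid=admin,ou=People,dc=example,dc=com
uid: admin

dn: cn=Admin,ou=Roles,dc=example,dc=com
cn: Admin
member: uid=admin,ou=People,dc=example,dc=com
"""

# Option values copied from the application-policy above.
OPTIONS = {"baseCtxDN": "ou=People,dc=example,dc=com", "baseFilter": "(uid={0})",
           "rolesCtxDN": "ou=Roles,dc=example,dc=com", "roleFilter": "(member={1})",
           "roleAttributeID": "cn"}

def parse_ldif(text):
    """Minimal LDIF parser: DN -> {attribute name (lower-cased): [values]}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def one_level(entries, base_dn):
    """Entries directly under base_dn, i.e. searchScope ONELEVEL_SCOPE."""
    return {dn: a for dn, a in entries.items()
            if dn.endswith("," + base_dn) and "," not in dn[:-len(base_dn) - 1]}

def match_filter(attrs, flt):
    """Handles the simple equality filters used above: (attr=value)."""
    attr, _, value = flt.strip("()").partition("=")
    return value in attrs.get(attr.lower(), [])

def resolve_user_roles(entries, uid, opts=OPTIONS):
    """Step 1: baseFilter with {0}=uid under baseCtxDN yields the user DN.
    Step 2: roleFilter with {1}=user DN under rolesCtxDN yields the role names."""
    user_filter = opts["baseFilter"].replace("{0}", uid)
    found = [dn for dn, a in one_level(entries, opts["baseCtxDN"]).items()
             if match_filter(a, user_filter)]
    if len(found) != 1:  # missing or ambiguous user: fail the lookup
        raise LookupError(f"{user_filter}: expected one user, found {found}")
    role_filter = opts["roleFilter"].replace("{1}", found[0])
    roles = [a[opts["roleAttributeID"]][0]
             for a in one_level(entries, opts["rolesCtxDN"]).values()
             if match_filter(a, role_filter)]
    return found[0], roles
```

Running resolve_user_roles(parse_ldif(APP_LDIF), "admin") returns the admin DN and the role list ["Admin"], which is exactly what the module hands to JBoss as the user's roles.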

JAAS Code

Here is a piece of example code which can use this authentication policy to perform user authentication:

import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Enclosing class added so the snippet compiles as a unit.
public class LdapLogin {
    private static final Logger log = Logger.getLogger(LdapLogin.class.getName());

    // "example" must match the application-policy name in login-config.xml
    protected void doLogin(String user, String pass) {
        try {
            CallbackHandler handler = new UserPassHandler(user, pass);
            LoginContext lc = new LoginContext("example", handler);
            lc.login(); // throws LoginException if the LDAP bind or lookup fails
        } catch (LoginException e) {
            log.log(Level.INFO, "Login failed", e);
        }
    }

    // Supplies the user name and password requested by the login module's callbacks
    static class UserPassHandler implements CallbackHandler {
        private final String user, pass;

        UserPassHandler(String user, String pass) {
            this.user = user;
            this.pass = pass;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(user);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(pass.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                }
            }
        }
    }
}

Apache Directory Studio

While searching for information about OpenLDAP I found a link to an Eclipse-based LDAP environment, which I tested (read this if Eclipse crashes in Ubuntu). It is bundled with Apache Directory. I tested it, imported the same app.ldif, and only needed to change a few lines in the application-policy file to make it work:

(Figure: ApacheDS)

<application-policy name="example">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:10389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">uid=admin,ou=system</module-option>
      <module-option name="bindCredential">secret</module-option>
      <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>

      <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>
