JBoss and LDAP

Target: create a test environment for JBoss JAAS authentication using LDAP.

Platform: Linux Ubuntu 9.10, JBoss 4.2.2.GA, java 1.6.0_15

Install and configure openldap

Installing ldap proved to be the most complicated part as apparently Karmic stripped all ldap configuration from the install so all tutorials found on ubuntu site are useless. Finally I’ve found a thread which described the process. Here are the steps I followed:

apt-get remove --purge slapd ldap-utils #remove all my tests
apt-get install slapd ldap-utils #install fresh
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

I’ve created a db.ldif similar to the one described and applied it, the only difference is than I changed the database to match dc=example,dc=com and the cn=admin,dc=example,dc=com password to be secret:

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif

I’ve then created a app.ldif containing an admin user with password secret

dn: dc=example,dc=com
objectclass: top
objectclass: dcObject
objectclass: organization
dc: example
o: MCC

dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=admin,ou=People,dc=example,dc=com
objectclass: top
objectclass: uidObject
objectclass: person
uid: admin
cn: Admin
sn: Admin
userPassword: simple

dn: ou=Roles,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: the DiapasonAdmin group
member: uid=admin,ou=People,dc=example,dc=com

which I then imported:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f /tmp/app.ldif
Openldap structure

Openldap structure

JBoss configuration

Following informations from this page I then configured an authentication policy in $JBOSS_HOME/server/defautl/conf/login-config.xml as follows:

<application-policy name="example">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
 <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
 <module-option name="java.naming.security.authentication">simple</module-option>
 <module-option name="bindDN">cn=admin,dc=example,dc=com</module-option>
 <module-option name="bindCredential">secret</module-option>
 <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option>
 <module-option name="baseFilter">(uid={0})</module-option>

 <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
 <module-option name="roleFilter">(member={1})</module-option>
 <module-option name="roleAttributeID">cn</module-option>
 <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 <module-option name="allowEmptyPasswords">true</module-option>
 </login-module>
</authentication>

which works in authenticating my user.

JAAS Code

Here is a piece of example code which can use this authentication policy to perform user authentication:

protected void doLogin(String user, String pass) {
 try {
 CallbackHandler handler = new UserPassHandler(user, pass);
 LoginContext lc = new LoginContext("example", handler);
 lc.login();
 } catch (Exception e) {
 log.info("Login failed", e);
 }
 return null;
 }

 class UserPassHandler implements CallbackHandler {
 private String user, pass;

 private UserPassHandler(String user, String pass) {
 super();
 this.user = user;
 this.pass = pass;
 }

 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks[i] instanceof NameCallback) {
 NameCallback nc = (NameCallback) callbacks[i];
 nc.setName(user);
 } else if (callbacks[i] instanceof PasswordCallback) {
 PasswordCallback pc = (PasswordCallback) callbacks[i];
 pc.setPassword(pass.toCharArray());
 } else {
 throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
 }
 }
 }
 }

Apache Directory Studio

In the process of searching information about openldap I’ve found a link to an eclipse based ldap environment which I’ve tested (read this if eclipse crashes in ubuntu). It’s bundled with Apache Directory. I’ve tested it and imported the same app.ldif and I only needed to change a few lines in the application-policy file to make it work:

ApacheDS

ApacheDS

<application-policy name="example">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
 <module-option name="java.naming.provider.url">ldap://localhost:10389</module-option>
 <module-option name="java.naming.security.authentication">simple</module-option>
 <module-option name="bindDN">uid=admin,ou=system</module-option>
 <module-option name="bindCredential">secret</module-option>
 <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option>
 <module-option name="baseFilter">(uid={0})</module-option>

 <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
 <module-option name="roleFilter">(member={1})</module-option>
 <module-option name="roleAttributeID">cn</module-option>
 <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 <module-option name="allowEmptyPasswords">true</module-option>
 </login-module>
 </authentication>
</application-policy>

One Response

  1. […] Read more: Len » JBoss and LDAP […]

Leave a Reply

*