ldap - Required or requisite JAAS LDAPLoginModule not throwing FailedLoginException when user fails authentication
tl;dr: why does LDAPLoginModule (apparently) not throw FailedLoginException when a user fails authentication?
I have overridden the default "karaf" JAAS realm in JBoss Fuse 6.2.[0|1]. The configuration has 2 modules:
- an instance of org.apache.karaf.jaas.modules.ldap.LDAPLoginModule to authenticate the user via an LDAP-to-Active Directory link
- MyCustomLoginModule extends AbstractKarafLoginModule: a second module to check locally-defined roles for the authenticated user.
The latter works fine. However, when LDAPLoginModule fails to authenticate the user, they are still allowed to pass. This is the case no matter what combination of required/requisite and ordering I use for the 2 modules.
An example of the behavior:
I define the modules like:
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
               xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
               xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
               xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
      . . .
      <jaas:config . . . >
        . . .
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="requisite">
          . . . properties herein are the ones commonly seen for ldap-ad . . .
        </jaas:module>
        <jaas:module className="com.abc.xyz.MyCustomLoginModule" flags="requisite">
          . . . nothing shocking in here either . . .
        </jaas:module>
      </jaas:config>
    </blueprint>
This blueprint file and MyCustomLoginModule are within a bundle that has been added to a feature that, itself, has been added to etc/org.apache.karaf.features.cfg along with the associated remote mvn repo.
- I put "userx=admin" in the flat file MyCustomLoginModule uses to assign roles.
- I try to log in (via the hawtio web console) as userx and enter the wrong password.
The logged output is like:
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | user dn.
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | bind user (authentication).
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | setting ssl
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | set security principal cn=...
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | binding user.
    warn | ldaploginmodule | org.apache.karaf.jaas.modules | user userx authentication failed.
    javax.naming.authenticationexception: [ldap: error code 49 - 80090308: ldaperr: dsid-0c0903d9, comment: acceptsecuritycontext error, data 52e, v2580]
^^ This is expected: LDAP authentication fails, as per the WARN message and the "52e" error code ^^
- However, execution continues and I am logged into the hawtio web console as userx!
Alternatively, I can define a user=role mapping in the custom, local file for a user that does not exist in our Active Directory.... Something simple, like: admin=admin. I go through the same process. This time the LDAP module throws no exceptions, and logs:
    warn | ldaploginmodule | org.apache.karaf.jaas.modules | user admin not found in ldap.
But yet again, execution continues and I am logged into the hawtio web console, this time as "admin." Lastly... using a valid Active Directory user, but not one defined in the custom, local file, produces the expected logging like:
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | user dn.
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | setting ssl
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | looking user in ldap
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | base dn:xxxxxxxxxx
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | filter: (&(|(samaccountname=<valid-username>)(userprincipalname=<valid-username>)(cn=<valid-username>))(objectclass=user))
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | found user dn.
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | bind user (authentication).
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | setting ssl
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | set security principal cn=<valid-username>,...
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | binding user.
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | user <valid-username> bound.
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | setting ssl
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | looking user roles in ldap
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | base dn:xxxxxxxx
    debug | ldaploginmodule | org.apache.karaf.jaas.modules | filter: (uniquemember=cn=<valid-username>)
    warn | authenticator | io.hawt.hawtio-web | login failed due user <valid-username> has no local roles defined
where the last line is because my module throws FailedLoginException if the user has no roles defined in the aforementioned custom file.
I noted that if LDAPLoginModule's configuration is bad--e.g., a bad password is given for the system account that searches LDAP for the user--then it does halt the login process, throwing FailedLoginException like:
    warn | authenticator | io.hawt.hawtio-web | login failed due can't connect ldap server: [ldap: error code 49 - 80090308: ldaperr: dsid-0c0903d9, comment: acceptsecuritycontext error, data 52e, v2580]
Note that this is logged by Authenticator (not LDAPLoginModule as above).
...so at length, the question -- why does LDAPLoginModule (apparently) not throw FailedLoginException when a user fails authentication? I'd think that's what's needed--does anyone disagree? Is there an additional bit of configuration LDAPLoginModule needs in order to be effective?
Has anyone else had this issue with JBoss Fuse v6.2.1 or Karaf v2.4? Were you able to resolve it within that version? If not, was it resolved by up-leveling to a newer version of either?
Thanks, Hans
Though not an exact answer to the question asked, the following is an effective workaround.
Instead of using LDAPLoginModule directly, create a class that extends it and @Override the login() method--which returns a boolean... The boolean is set to false if the user being searched for does not exist, or has provided an incorrect password. Thus, call super.login() and, if the result is false, throw FailedLoginException.
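The subclass described in the answer, written out as an added example (not the answerer's code, and not part of Karaf); the package name and class name are assumptions chosen to match the question's blueprint, and the surrounding comments explain why the plain module lets the login through.

```java
package com.abc.xyz; // assumed package, matching the question's custom module

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.apache.karaf.jaas.modules.ldap.LDAPLoginModule;

/**
 * Fail-closed wrapper around Karaf's LDAPLoginModule.
 *
 * Why the stock module lets the user through: the JAAS LoginModule contract
 * defines login() returning false as "ignore this module". LoginContext then
 * evaluates the required/requisite flags as if the module were not in the
 * chain, so a later module that succeeds (here the local-roles module) still
 * yields an authenticated Subject. Only a thrown LoginException counts as a
 * failure for required/requisite, which is what this override produces.
 */
public class StrictLdapLoginModule extends LDAPLoginModule {

    @Override
    public boolean login() throws LoginException {
        // super.login() returns false when the user is not found in LDAP or
        // the bind with the supplied password fails; it throws only for
        // configuration or connectivity problems (e.g. a bad system account).
        boolean authenticated = super.login();
        if (!authenticated) {
            // Convert "ignore me" into a hard failure so the chain stops here.
            // Keep the message generic: do not reveal whether the user exists.
            throw new FailedLoginException("LDAP authentication failed");
        }
        return true;
    }
}

// Register this class instead of LDAPLoginModule in the realm blueprint
// (the roles module from the question stays after it, unchanged):
//
//   <jaas:module className="com.abc.xyz.StrictLdapLoginModule" flags="requisite">
//     . . . same ldap-ad properties as before . . .
//   </jaas:module>
```

After deploying, repeat the question's wrong-password test: the expected result is a "login failed" WARN from the Authenticator and no hawtio session for userx.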