Special Characters in DN or Bind Credentials login-config.xm

OpenKM has many interesting features, but requires some configuration process to show its full potential.
#12893 by balbaroy
 
We are trying to get LDAP authentication working with OpenKM. In our login-config.xml, if I specify a username with no special characters in either the username or password I can log into OpenKM; however, our AD administrator account has a - in the username, and the password has uppercase and lowercase letters, starts with an =, and has a - and * in it. I am assuming there is some problem here encoding either the username or the password.

Below is our login-config.xml file, I have changed the actual username and password but kept the general idea of how they are formatted.
Code:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://ldapURL:636</module-option>
      <module-option name="java.naming.security.protocol">ssl</module-option>
      <module-option name="bindDN">CN=Username-test,ou=Accounts,dc=test,dc=test,dc=edu</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">=Tdf2-s1*3045</module-option>
      <module-option name="baseCtxDN">ou=Accounts,dc=test,dc=test,dc=edu</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Accounts,dc=test,dc=test,dc=edu</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">0</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <!-- <module-option name="defaultRole">UserRole</module-option> -->
    </login-module> 
  </authentication>
</application-policy>
#12915 by balbaroy
 
I am referencing the username and password used in the login-config.xml file: if I use a username, say user10, and password 123456, I can log into OpenKM. The problem is that user10 does not have read/search permissions in AD, so I cannot get the roles of other users. If I remove the comment for the defaultRole, then anyone can log in as a user, assuming they provide correct login credentials at the OpenKM login screen. If I switch the username in the login-config.xml to our AD admin account, USER-Test, password =T23-v9*408 (username and password are fake, but these are the same types of characters used in the real ones), and try to log into OpenKM, I get Authentication Error and my server log has this:
Code:
2011-11-14 15:32:10,904 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] abort
2011-11-14 15:32:10,904 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
	at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
	at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:544)
	at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:342)
	at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:232)
	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
	... 26 more
Looks like it is not correctly passing the password, as shown in the bolded area. Does one of the characters in the password need to be escaped somehow? I am also curious whether this will handle users that try to log in with special characters in their passwords.
#12942 by balbaroy
 
Well, I found the solution to my problem. It was not the characters in the password: the admin account was in another OU, not Accounts, so this is what was causing the issue. Problem solved! But now I have another issue; I'll start another thread for that.
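Added example, not code from the thread or from OpenKM/JBoss: a Python helper that decodes the AD `data` sub-code in a bind failure like the one logged above (the table is Microsoft's documented AcceptSecurityContext values; the `data 525` sample line is the thread's own, the `52e` line is constructed) and checks a bindDN value against the RFC 4514 escaping rules, which is the question the thread raised.

```python
import re

# Microsoft's documented AcceptSecurityContext sub-codes ("data NNN") that Active
# Directory appends to an LDAP error 49 (invalidCredentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",       # bind DN does not resolve: check the DN and its OU
    "52e": "invalid credentials",  # DN resolved, password rejected
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_AD_ERR = re.compile(r"LDAP: error code (\d+) - (\w+): LdapErr: .*?data (\w+)")

def explain_ldap_error(log_line):
    """Return (ldap_code, ad_sub_code, meaning) for a JNDI AuthenticationException
    message, or None when the line carries no AD-style LDAP error."""
    m = _AD_ERR.search(log_line)
    if not m:
        return None
    ldap_code, _hex_err, data = m.groups()
    data = data.lower()
    return ldap_code, data, AD_BIND_SUBCODES.get(data, "unknown sub-code")

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN attribute
# value. '=', '-' and '*' are not among them, and a simple-bind password is an opaque
# octet string that is never parsed, so bindCredential needs no escaping at all.
_DN_MUST_ESCAPE = set('",+;<>\\\0')

def dn_value_needs_escaping(value):
    """True if value could not be used verbatim as a DN attribute value."""
    if not value:
        return False
    if value[0] in " #" or value[-1] == " ":
        return True
    return any(c in _DN_MUST_ESCAPE for c in value)

# Sample input: the first line is the one logged in the thread above, the second is
# a constructed variant for a wrong password (same DSID, different sub-code).
SAMPLE_LOG = [
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]",
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]",
]
```

`data 525` says the bind DN itself did not resolve, which matches the wrong-OU root cause above rather than a password-encoding problem; a genuinely wrong bindCredential would have produced `data 52e`.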
