users@glassfish.java.net

Re: Using Glassfish Ldap(s) Auth Realm without certificates

From: <glassfish_at_javadesktop.org>
Date: Tue, 27 Nov 2007 07:45:00 PST

Thank you for your response.

> Which version of GlassFish are you using?
I use "Glassfish v2ur8"
But when I get this to work, I am going to update glassfish to the latest release :)

I don't think my problem depends on this bugfix, but I realised that I had been using the wrong certificate.

After using the program "InstallCert.java" from this blog
http://blogs.sun.com/andreas/entry/no_more_unable_to_find

I could import the right certificate from the server, and it worked.

Then I tested some users, but had to realize that I have another problem.
My "test-user" worked, but the others did not.
As far as I could determine, the problem is concerning the DN of the member object.

The test user's name is Foo Bar. The DN would be:
"CN=Foo Bar,OU=Users,OU=MyBusiness,DC=test,DC=lan"
If I use his account, the corresponding group is found and he is logged in.
"[#|2007-11-27T16:18:24.378+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-9080-1;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=9e384724-6954-4086-a353-375dbba59831;|[Web-Security] Checking Web Permission with Principals : test, Mobile Users, Remote Web Workplace Users, glassfishGroup|#]"

A normal user's DN is:
"CN=Bar\, Foo,OU=Users,OU=MyBusiness,DC=test,DC=lan"
If I use this account I only get:

"[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=findAndBind;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|LDAP: Group memberships found: |#]"

In my opinion the problem is the escaped comma in the CN part.

Is there a way to solve this, without editing the whole AD (which I certainly could not and want to do ;) ) ?

My next step would be to change the filters in glassfish to search for a member and if he is in a group instead of searching for a member of a group. (see below for the actual filter)

actual search filter:
<property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s))"/>
<property name="group-search-filter" value="(&amp;(objectClass=group)(member=%d))"/>
<property name="group-base-dn" value="ou=Security Groups,ou=MyBusiness,dc=test,dc=lan"/>
<property name="group-target" value="cn"/>
<property name="jaas-context" value="ldapRealm"/>
<property name="base-dn" value="ou=Users,ou=MyBusiness,dc=test,dc=lan"/>


---
The Log:
...
[#|2007-11-27T16:21:36.814+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPasswordLogin;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|Logging in user [test] into realm: powerRealm using JAAS module: ldapRealm|#]
[#|2007-11-27T16:21:36.814+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=initialize;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule|#]
[#|2007-11-27T16:21:37.093+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=userSearch;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|search: baseDN: ou=Users,ou=MyBusiness,dc=test,dc=lan  filter: (&(objectClass=user)(sAMAccountName=test))|#]
[#|2007-11-27T16:21:37.112+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=userSearch;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|Found user DN: CN=Bar\, Foo,ou=Users,ou=MyBusiness,dc=test,dc=lan|#]
[#|2007-11-27T16:21:37.311+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=findAndBind;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|LDAP:Group search filter: (&(objectClass=group)(member=CN=Bar\, Foo,ou=Users,ou=MyBusiness,dc=test,dc=lan))|#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=findAndBind;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|LDAP: Group memberships found: |#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=findAndBind;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|LDAP: login succeeded for: test|#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=login;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|JAAS login complete.|#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.appserv.security.AppservPasswordLoginModule;MethodName=commit;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|JAAS authentication committed.|#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPasswordLogin;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|Password login succeeded for : test|#]
[#|2007-11-27T16:21:37.321+0100|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=16;_ThreadName=httpSSLWorkerThread-9080-0;ClassName=com.sun.enterprise.security.auth.LoginContextDriver;MethodName=doPasswordLogin;_RequestID=f82eb321-77eb-41aa-84e6-886d61819b2e;|Set security context as user: test|#]
...
[Message sent by forum member 'fryingpan' (fryingpan)]
http://forums.java.net/jive/thread.jspa?messageID=247367
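As an added example (not code from the thread or from GlassFish), the following Python builds the group-search filter from the found user DN twice: once by raw substitution of %d, which reproduces the filter in the log above, and once with RFC 4515 filter escaping, which turns the backslash in "CN=Bar\, Foo" into \5c so the server does not misread it as the start of a filter escape. The DNs and the filter template are the ones from the post; the escaping rule is the generic RFC 4515 one, not GlassFish's own code.

```python
# Added example: escaping a DN for use as an LDAP filter assertion value (RFC 4515).
# Sample DNs and template are taken from the forum post above.
USER_DN_PLAIN = "CN=Foo Bar,ou=Users,ou=MyBusiness,dc=test,dc=lan"
USER_DN_ESCAPED_COMMA = "CN=Bar\\, Foo,ou=Users,ou=MyBusiness,dc=test,dc=lan"
GROUP_FILTER_TEMPLATE = "(&(objectClass=group)(member=%d))"

# Characters RFC 4515 section 3 requires to be hex-escaped in an assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use inside an LDAP search filter.
    Special characters and every byte of a non-ASCII character become
    a backslash followed by two hex digits."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[ch])
        elif ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Decode \\xx escapes back to the value the server actually compares."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.extend(bytes.fromhex(value[i + 1:i + 3]))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def naive_group_filter(user_dn: str, template: str = GROUP_FILTER_TEMPLATE) -> str:
    """Raw substitution of the DN into %d; this is what the log above shows."""
    return template.replace("%d", user_dn)


def safe_group_filter(user_dn: str, template: str = GROUP_FILTER_TEMPLATE) -> str:
    """Substitute the DN only after applying filter escaping."""
    return template.replace("%d", escape_filter_value(user_dn))
```

For the plain "Foo Bar" DN both functions produce the same filter, which is why the test user logged in while the "Bar\, Foo" user got an empty group list.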