Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap authentication problem #100

Open
GoogleCodeExporter opened this issue May 23, 2015 · 1 comment
Open

ldap authentication problem #100

GoogleCodeExporter opened this issue May 23, 2015 · 1 comment
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

What steps will reproduce the problem?
1. trying to use ldap auth.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
RHEL6 and WebPasswordSafe 1.3

Please provide any additional information below.
I'm trying to configure ldap auth without success. 
This is my webpasswordsafe-service.xml config:
<bean id="authenticator"
        class="net.webpasswordsafe.server.plugin.authentication.IPLockoutAuthenticator">
        <property name="authenticator" ref="userLockoutAuthenticator" />
        <property name="failedLoginThreshold" value="10" />
        <property name="lockoutLength" value="1440" />
        <property name="whitelist">
            <set>
                <value>127.0.0.1</value>
            </set>
        </property>
    </bean>

    <bean id="userLockoutAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.UserLockoutAuthenticator">
        <property name="authenticator" ref="multiAuthenticator" />
        <property name="failedLoginThreshold" value="5" />
        <property name="whitelist">
            <set>
                <value>admin</value>
            </set>
        </property>
    </bean>

    <bean id="localAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator">
    </bean>


    <bean id="multiAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.CompositeAuthenticator">
        <property name="authenticators">
            <list>
                <map>
                    <entry key="users">
                        <list>
                            <value>admin</value>
                        </list>
                    </entry>
                    <entry key="authenticator" value-ref="localAuthenticator"></entry>
                </map>
                <map>
                    <entry key="anyUser" value="true" />
                    <entry key="authenticator" value-ref="ldapAuthenticator"></entry>
                </map>
            </list>
        </property>
    </bean>
<!--
    <bean id="demoAuthenticator"
 class="net.webpasswordsafe.server.plugin.authentication.DemoAuthenticator">
        <property name="demoPassword" value="demo" />
    </bean>
    -->
    <bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="referral" value="follow" />
        <property name="url" value="ldap://10.11.201.51:389" />
        <property name="userDn" value="cn=web_user,OU=Users,dc=emsa,dc=local" />
        <property name="password" value="1q2w3e4R" />
    </bean>
    <bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="authnContextSource" />
    </bean>
    <bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
        <property name="ldapTemplate" ref="authnLdapTemplate" />
        <property name="filter" value="(&amp;(objectclass=person)(uid=$1))" />
        <property name="base" value="OU=Users,dc=emsa,dc=local" />
    </bean>
<!--
    <bean id="rsaAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.RsaSecurIdAuthenticator">
        <property name="configPath" value="/usr/local/rsa/rsa_api.properties" />
    </bean>
    -->

And this is the error I'm getting:
2013-10-18 15:22:40,014 DEBUG [http-bio-8080-exec-10]: Not persistent object, 
merge is not needed : emsa\web_user
2013-10-18 15:22:40,018 DEBUG [http-bio-8080-exec-10]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
2013-10-18 15:22:44,596 INFO  [http-bio-8080-exec-10]: No results found for 
search, base: 'dc=emsa,dc=local'; filter: 
'(&(objectclass=person)(uid=emsa\web_user))'.
2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: LdapAuthenticator: login 
success for emsa\web_user? false
2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: CompositeAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:22:44,597 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, [email protected], activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:22:44,599 DEBUG [http-bio-8080-exec-10]: 
UserLockoutAuthenticator: login success for emsa\web_user? false
2013-10-18 15:22:44,599 DEBUG [http-bio-8080-exec-10]: IPLockoutAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:22:44,601 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.AuditLog{message=authentication failed, id=74, 
username=emsa\web_user, eventDate=Fri Oct 18 15:22:40 WEST 2013, target=, 
action=login, ipaddress=10.112.91.25, success=false}
2013-10-18 15:22:44,605 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, [email protected], activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:28:41,959 DEBUG [http-bio-8080-exec-13]: Not persistent object, 
merge is not needed : emsa\web_user
2013-10-18 15:28:41,963 DEBUG [http-bio-8080-exec-13]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
2013-10-18 15:28:41,967 DEBUG [http-bio-8080-exec-13]: LdapAuthenticator: login 
success for emsa\web_user? false
2013-10-18 15:28:41,967 DEBUG [http-bio-8080-exec-13]: CompositeAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:28:41,968 DEBUG [http-bio-8080-exec-13]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, [email protected], activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:28:41,969 DEBUG [http-bio-8080-exec-13]: 
UserLockoutAuthenticator: login success for emsa\web_user? false
2013-10-18 15:28:41,969 DEBUG [http-bio-8080-exec-13]: IPLockoutAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:28:41,971 DEBUG [http-bio-8080-exec-13]: 
net.webpasswordsafe.common.model.AuditLog{message=authentication failed, id=77, 
username=emsa\web_user, eventDate=Fri Oct 18 15:28:41 WEST 2013, target=, 
action=login, ipaddress=10.112.91.25, success=false}

Original issue reported on code.google.com by [email protected] on 18 Oct 2013 at 2:58
@GoogleCodeExporter
Copy link
Author 

Possibly too late for the original poster, but maybe this will help someone 
else. Here is commentary of the log entries as I understand them:

2013-10-18 15:22:40,018 DEBUG [http-bio-8080-exec-10]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
--- The ldap will be searched for an object where objectclass=person and the 
uid=emsa\web_user
--- The fact that you are searching on the uid attribute suggests your ldap 
server is something other than microsoft active directory, since uid is not 
used by default on that directory platform

2013-10-18 15:22:44,596 INFO  [http-bio-8080-exec-10]: No results found for 
search, base: 'dc=emsa,dc=local'; filter: 
'(&(objectclass=person)(uid=emsa\web_user))'.
--- Searching the ldap directory with a base of dc=emsa,dc=local, for a user 
where uid=emsa\web_user failed. Possibly the uid syntax you are using is wrong 
for your directory; no user could be found where uid=emsa\web_user. It is also 
possible that the user you configured in webpasswordsafe-service.xml (property 
name="userDn"...) does not her permission to read the uid attribute of the user 
that has emsa\web_user set. 

2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: LdapAuthenticator: login 
success for emsa\web_user? false
--- Ldap authenticator concluded the login was unsuccessful

2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: CompositeAuthenticator: 
login success for emsa\web_user? false
--- Composite authenticator concluded the login was unsuccessful

2013-10-18 15:22:44,597 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, [email protected], activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
--- A user was found in the webpasswordsafe user database with username 
matching emsa\web_user, but was not logged in due to failing the authentication 
stage

If you are using openldap or similar, a possible next step would be to query 
the actual uid value of the account you are attempting to log in with. The page:
https://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-Using_ld
apsearch.html
might help to get you started with that if you are not familiar with the process

If you happen to be using microsoft active directory, there are a couple of 
changes to  consider:
1) in webpasswordsafe-service.xml, change the filter to:
<property name="filter" value="(&(objectclass=person)(sAMAccountName=$1))" />
2) configure your users in webpasswordsafe to use only the sAMAccountName - in 
this case "web_user"

Original comment by [email protected] on 24 May 2014 at 4:45

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter