1

我在 debian 6 vm (192.168.1.150:389) 上设置了 OpenLdap

我已经使用 Jboss AS7.1 创建了一个 JSF 项目,并且正在尝试针对上面的 ldap 服务器进行身份验证。问题是 jboss 显示一条消息,指示我的密码无效,所以我不知道如何继续调试这个问题,因为我看不到其他相关输出。

我已经为 org.jboss.security 配置了 TRACE 调试级别

我尝试了无数教程,但没有任何相关错误,我无法继续调试它。

除了提供错误的密码之外,还有什么会导致上述错误(密码错误)?这是一些输出和配置文件。如果我忘记了,我会附上您要求的任何内容。

我的 jboss Standalone.xml 配置如下:

319                 <security-domain name="CrudJSFRealm">
320                     <authentication>
321                         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
322                             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
323                             <module-option name="java.naming.provider.url" value="ldap://192.168.1.150:389"/>
324                             <module-option name="java.naming.security.authentication" value="simple"/>
325                             <module-option name="bindDN" value="cn=admin"/>
326                             <module-option name="bindCredential" value="passwd"/>
327 
328                             <module-option name="baseCtxDN" value="ou=People,dc=nps2,dc=local"/>
329                             <module-option name="rolesCtxDN" value="ou=Roles,dc=nps2,dc=local"/>
330 
331                             <module-option name="baseFilter" value="(uid={0})"/><!--ok-->
332                             <module-option name="roleFilter" value="(member={1})"/><!--ok-->
333                             <module-option name="roleAttributeID" value="cn"/><!--ok-->
334                             <module-option name="roleAttributeIsDN" value="false"/>
335                             <module-option name="uidAttributeID" value="member"/>
336                             <module-option name="roleNameAttributeID" value="cn"/>
337 
338                             <module-option name="roleRecursion" value="0"/><!--ok-->
339                             <module-option name="allowEmptyPasswords" value="false"/>
340                             <!--<module-option name="throwValidateError" value="true"/>-->
341                             <module-option name="java.naming.referral" value="follow"/>
342                         </login-module>
343                     </authentication>
344                 </security-domain>

我在 jboss-web.xml 文件中正确引用了 CrudJSFRealm,因为正在使用 ldap 连接:

<!-- Realm that will be used -->
<security-domain>java:/jaas/CrudJSFRealm</security-domain>

这是我的openldap结构:

dn: dc=nps2,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: nps2.local
dc: nps2

dn: ou=People,dc=nps2,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=sm0ke,ou=People,dc=nps2,dc=local
uid: sm0ke
cn: Dimitrios Kordas
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15149
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sm0ke
gecos: Dimitrios Kordas,,,
userPassword:: ***

# Roles, nps2.local
dn: ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Roles

# users, Roles, nps2.local
dn: cn=users,ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: groupOfNames
member: uid=sm0ke,ou=People,dc=nps2,dc=local
member: uid=nobody,ou=People,dc=nps2,dc=local
cn: users

# root, Roles, nps2.local
dn: cn=root,ou=Roles,dc=nps2,dc=local
objectClass: top
objectClass: groupOfNames
member: uid=sm0ke,ou=People,dc=nps2,dc=local
member: uid=nobody,ou=People,dc=nps2,dc=local
cn: root

所以基本上我有2个用户(sm0ke和nobody)和2个角色root和用户。每个角色都有一个成员属性。

这是尝试在我的 JSF 项目中通过身份验证时的输出:

14:30:32,196 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
14:30:32,204 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /CrudJSF/j_security_check
14:30:32,206 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'sm0ke'
14:30:32,211 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:sm0ke, cache entry: null
14:30:32,211 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=sm0ke
14:30:32,213 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(CrudJSFRealm), size=5
14:30:32,216 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(CrudJSFRealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(uid={0})
name=uidAttributeID, value=member
name=java.naming.referral, value=follow
name=bindDN, value=cn=admin
name=rolesCtxDN, value=ou=Roles,dc=nps2,dc=local
name=roleNameAttributeID, value=cn
name=roleRecursion, value=0
name=baseCtxDN, value=ou=People,dc=nps2,dc=local
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.authentication, value=simple
name=allowEmptyPasswords, value=false
name=roleFilter, value=(member={1})
name=java.naming.provider.url, value=ldap://192.168.1.150:389
name=bindCredential, value=****
name=roleAttributeIsDN, value=false
name=roleAttributeID, value=cn

14:30:32,226 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) initialize
14:30:32,227 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Security domain: CrudJSFRealm
14:30:32,228 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) login
14:30:32,230 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Logging into LDAP server, env={uidAttributeID=member, baseFilter=(uid={0}), allowEmptyPasswords=false, java.naming.referral=follow, java.naming.security.credentials=***, jboss.security.security_domain=CrudJSFRealm, java.naming.security.authentication=simple, baseCtxDN=ou=People,dc=nps2,dc=local, roleAttributeIsDN=false, rolesCtxDN=ou=Roles,dc=nps2,dc=local, java.naming.security.principal=cn=admin, roleRecursion=0, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(member={1}), java.naming.provider.url=ldap://192.168.1.150:389, roleNameAttributeID=cn, roleAttributeID=cn, bindDN=cn=admin, bindCredential=***}
14:30:32,251 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Bad password for username=sm0ke
14:30:32,253 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) abort
14:30:32,253 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [classes.jar:1.6.0_33]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [classes.jar:1.6.0_33]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [classes.jar:1.6.0_33]
    at java.lang.reflect.Method.invoke(Method.java:597) [classes.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [classes.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [classes.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [classes.jar:1.6.0_33]
    at java.security.AccessController.doPrivileged(Native Method) [classes.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [classes.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [classes.jar:1.6.0_33]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:680) [classes.jar:1.6.0_33]

14:30:32,272 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, false
14:30:32,273 TRACE [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF]] (http--127.0.0.1-8080-1) Username sm0ke NOT successfully authenticated
14:30:32,481 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF].[Faces Servlet]] (http--127.0.0.1-8080-1)  Disabling the response for futher output
14:30:32,486 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/CrudJSF].[Faces Servlet]] (http--127.0.0.1-8080-1)  The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
14:30:32,495 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test ??/CrudJSF/j_security_check
14:30:32,504 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
14:30:32,506 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
14:30:32,514 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
14:30:32,515 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /CrudJSF/javax.faces.resource/main.css.xhtml
14:30:32,518 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,522 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,527 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,528 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,529 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,530 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,531 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - ADMIN Only]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,532 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Restricted Area - USER and ADMIN]' against GET /javax.faces.resource/main.css.xhtml --> false
14:30:32,533 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   No applicable constraint located
14:30:32,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Not subject to any constraint
14:30:32,538 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
14:30:32,538 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
4

1 回答 1

0

我刚刚发现我的 bindDN 不完整。我把它改成了完整的:“cn=admin,dc=nps2,dc=local”,它起作用了。

但是,当日志中没有适当的输出时很难发现。

于 2012-08-16T13:27:41.773 回答