How authenticate user in Jboss with LDAP using userName, not CN


I'm trying to authenticate users against LDAP for an application deployed in JBoss. Users authenticate fine, but in the user field I have to enter the full name; with the username it does not work.

I wonder if the problem is the LDAP configuration or if I'm leaving out a configuration parameter in login-config.xml.

This is the code of the login-config.xml:

    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap-server-ip:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>

        <module-option name="principalDNPrefix">CN=</module-option>
        <module-option name="principalDNSuffix">,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>

        <module-option name="baseCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>

        <module-option name="rolesCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
        <module-option name="roleFilter">(member={0})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <!-- module-option name="roleAttributeIsDN">true</module-option -->

        <module-option name="searchTimeLimit">10000</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>

    </login-module>

and this is the LDIF info of my user on the LDAP server:

dn: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Andreu Serra
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=LIMIT_CECOMASA,DC=LO
 CAL
accountExpires: 9223372036854775807
badPasswordTime: 130576882951482672
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: Andreu Serra
distinguishedName: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,D
 C=LIMIT_CECOMASA,DC=LOCAL
givenName: Andreu
homeMDB:: Q049QWxtYWPDqW4gZGVsIGJ1esOzbiAoU0VSVkVSMDApLENOPVByaW1lciBncnVwby
 BkZSBhbG1hY2VuYW1pZW50byxDTj1JbmZvcm1hdGlvblN0b3JlLENOPVNFUlZFUjAwLENOPVNlc
 nZlcnMsQ049UHJpbWVyIGdydXBvIGFkbWluaXN0cmF0aXZvLENOPUFkbWluaXN0cmF0aXZlIEdy
 b3VwcyxDTj1MSU1JVCAtIENFQ09NQVNBLENOPU1pY3Jvc29mdCBFeGNoYW5nZSxDTj1TZXJ2aWN
 lcyxDTj1Db25maWd1cmF0aW9uLERDPUxJTUlUX0NFQ09NQVNBLERDPUxPQ0FM
homeMTA: CN=Microsoft MTA,CN=SERVER00,CN=Servers,CN=Primer grupo administrat
 ivo,CN=Administrative Groups,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=S
 ervices,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
lastLogoff: 0
lastLogon: 130578294930208368
legacyExchangeDN: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=Reci
 pients/cn=andreus
logonCount: 481
mail: [email protected]
mailNickname: andreus
mDBUseDefaults: TRUE
memberOf: CN=RSC_ADMIN,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECO
 MASA,DC=LOCAL
memberOf: CN=TerminalServer,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
memberOf: CN=Dept. Programari,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIM
 IT_CECOMASA,DC=LOCAL
msExchALObjectVersion: 57
msExchHomeServerName: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=
 Configuration/cn=Servers/cn=SERVER00
msExchMailboxGuid:: Xff5XoFGiUyq6szgBxtZbw==
msExchMailboxSecurityDescriptor:: AQAE77+9eAAAAO+/vQAAAAAAAAAUAAAABABkAAEAAA
 AAAhQAAwACAAEBAAAAAAAFCgAAAEkATQBJAFQAXwBDAEUAQwBPAE0AQQBTAEEALwBjAG4APQBDA
 G8AbgBmAGkAZwB1AHIAYQB0AGkAbwBuAC8AYwBuAD0AAADvv70BAQUAAAAAAAUVAAAA77+9Cu+/
 vRF877+9JA1DFwoy77+9AQAAAQUAAAAAAAUVAAAA77+9Cu+/vRF877+9JA1DFwoy77+9AQAA
msExchPoliciesIncluded: {C2EA965C-E5EE-4990-9447-1B5A7745E80C},{26491CFC-9E5
 0-4857-861B-0CB8DF22B5D7}
msExchUserAccountControl: 0
name: Andreu Serra
objectGUID:: R0ByiBmTN0WR4x/c6bruEw==
objectSid:: AQUAAAAAAAUVAAAAuwraEXzrJA1DFwoyqgcAAA==
primaryGroupID: 513
proxyAddresses: smtp:andreus@LIMIT_CECOMASA.LOCAL
proxyAddresses: X400:c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andreu
 ;
proxyAddresses: SMTP:[email protected]
pwdLastSet: 130410870859571872
sAMAccountName: andreus
sAMAccountType: 805306368
showInAddressBook: CN=Lista global de direcciones predeterminada,CN=All Glob
 al Address Lists,CN=Address Lists Container,CN=LIMIT - CECOMASA,CN=Microsof
 t Exchange,CN=Services,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
showInAddressBook: CN=Todos los usuarios,CN=All Address Lists,CN=Address Lis
 ts Container,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=Services,CN=Confi
 guration,DC=LIMIT_CECOMASA,DC=LOCAL
sn: Serra
textEncodedORAddress: c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andre
 u;
userAccountControl: 66048
userPrincipalName: andreus@LIMIT_CECOMASA.LOCAL
uSNChanged: 5052147
uSNCreated: 5052138
whenChanged: 20140404121211.0Z
whenCreated: 20140404121125.0Z

The only problem is that I have to type Andreu Serra / password in the authentication popup and not andreus / password as would be expected. I've tried a thousand combinations for the login-module; I hope 1001 will be the good one.

Accepted answer:

What happened was that the LDAP was misconfigured. Normally the LDAP user identifier (uid) is used to form the DN (Distinguished Name), but in our LDAP the short name is used. Fortunately, in the LDAP client that worked as expected.

Answer:

Try

    <module-option name="matchOnUserDN">false</module-option>
    <module-option name="uidAttributeID">sAMAccountName</module-option>

-jim
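The two lookup styles in the question's configuration behave differently: building the bind DN as `principalDNPrefix` + typed name + `principalDNSuffix` turns whatever is typed into the CN (so only "Andreu Serra" works), whereas a `baseCtxDN`/`baseFilter` search by `sAMAccountName` (the `LdapExtLoginModule` style) returns the entry's real DN for "andreus". The emulation below is an added example, not code from the question, either answer or JBoss; it works on a constructed LDIF excerpt modelled on the entry above and includes RFC 4515 escaping of the `{0}` substitution, which the real filter also needs.

```python
import re

# Constructed LDIF excerpt modelled on the question's entry (one folded line kept on purpose).
SAMPLE_LDIF = """\
dn: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
cn: Andreu Serra
sAMAccountName: andreus
memberOf: CN=RSC_ADMIN,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECO
 MASA,DC=LOCAL
"""

PREFIX = "CN="
SUFFIX = ",OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL"


def parse_ldif(text):
    """Unfold LDIF continuation lines (leading space) into {attribute: [values]}."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def compose_dn(username, prefix=PREFIX, suffix=SUFFIX):
    """principalDNPrefix + username + principalDNSuffix: the typed name becomes the CN."""
    return prefix + username + suffix


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(base_filter, username):
    """Substitute {0} the way baseFilter=(sAMAccountName={0}) expects, escaped."""
    return base_filter.replace("{0}", escape_filter_value(username))


def search_dn(entry, username, base_filter="(sAMAccountName={0})"):
    """Emulate the baseCtxDN search: equality match on the filter attribute, return the DN."""
    attr = re.fullmatch(r"\((\w+)=\{0\}\)", base_filter).group(1)
    # Equality rule: sAMAccountName compares case-insensitively; an escaped '*' is no wildcard.
    if username.lower() in (v.lower() for v in entry.get(attr, [])):
        return entry["dn"][0]
    return None


if __name__ == "__main__":
    user = parse_ldif(SAMPLE_LDIF)
    print(compose_dn("andreus"))       # CN=andreus,... has no entry, so the bind fails
    print(compose_dn("Andreu Serra"))  # the real DN: why the full name works
    print(search_dn(user, "andreus"))  # same DN, found through sAMAccountName
    print(build_filter("(sAMAccountName={0})", "andreu*"))  # '*' escaped, not a wildcard
```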