google-code-export / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

ldap authentication problem #100

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. trying to use ldap auth.
2.
3.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
RHEL6 and WebPasswordSafe 1.3

Please provide any additional information below.
I'm trying to configure ldap auth without success. 
This is my webpasswordsafe-service.xml config:
<bean id="authenticator"
        class="net.webpasswordsafe.server.plugin.authentication.IPLockoutAuthenticator">
        <property name="authenticator" ref="userLockoutAuthenticator" />
        <property name="failedLoginThreshold" value="10" />
        <property name="lockoutLength" value="1440" />
        <property name="whitelist">
            <set>
                <value>127.0.0.1</value>
            </set>
        </property>
    </bean>

    <bean id="userLockoutAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.UserLockoutAuthenticator">
        <property name="authenticator" ref="multiAuthenticator" />
        <property name="failedLoginThreshold" value="5" />
        <property name="whitelist">
            <set>
                <value>admin</value>
            </set>
        </property>
    </bean>

    <bean id="localAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator">
    </bean>

    <bean id="multiAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.CompositeAuthenticator">
        <property name="authenticators">
            <list>
                <map>
                    <entry key="users">
                        <list>
                            <value>admin</value>
                        </list>
                    </entry>
                    <entry key="authenticator" value-ref="localAuthenticator"></entry>
                </map>
                <map>
                    <entry key="anyUser" value="true" />
                    <entry key="authenticator" value-ref="ldapAuthenticator"></entry>
                </map>
            </list>
        </property>
    </bean>
<!--
    <bean id="demoAuthenticator"
 class="net.webpasswordsafe.server.plugin.authentication.DemoAuthenticator">
        <property name="demoPassword" value="demo" />
    </bean>
    -->
    <bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="referral" value="follow" />
        <property name="url" value="ldap://10.11.201.51:389" />
        <property name="userDn" value="cn=web_user,OU=Users,dc=emsa,dc=local" />
        <property name="password" value="1q2w3e4R" />
    </bean>
    <bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="authnContextSource" />
    </bean>
    <bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
        <property name="ldapTemplate" ref="authnLdapTemplate" />
        <property name="filter" value="(&amp;(objectclass=person)(uid=$1))" />
        <property name="base" value="OU=Users,dc=emsa,dc=local" />
    </bean>
<!--
    <bean id="rsaAuthenticator"
        class="net.webpasswordsafe.server.plugin.authentication.RsaSecurIdAuthenticator">
        <property name="configPath" value="/usr/local/rsa/rsa_api.properties" />
    </bean>
    -->

And this is the error I'm getting:
2013-10-18 15:22:40,014 DEBUG [http-bio-8080-exec-10]: Not persistent object, 
merge is not needed : emsa\web_user
2013-10-18 15:22:40,018 DEBUG [http-bio-8080-exec-10]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
2013-10-18 15:22:44,596 INFO  [http-bio-8080-exec-10]: No results found for 
search, base: 'dc=emsa,dc=local'; filter: 
'(&(objectclass=person)(uid=emsa\web_user))'.
2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: LdapAuthenticator: login 
success for emsa\web_user? false
2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: CompositeAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:22:44,597 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, email=webpassword@emsa.europa.eu, activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:22:44,599 DEBUG [http-bio-8080-exec-10]: 
UserLockoutAuthenticator: login success for emsa\web_user? false
2013-10-18 15:22:44,599 DEBUG [http-bio-8080-exec-10]: IPLockoutAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:22:44,601 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.AuditLog{message=authentication failed, id=74, 
username=emsa\web_user, eventDate=Fri Oct 18 15:22:40 WEST 2013, target=, 
action=login, ipaddress=10.112.91.25, success=false}
2013-10-18 15:22:44,605 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, email=webpassword@emsa.europa.eu, activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:28:41,959 DEBUG [http-bio-8080-exec-13]: Not persistent object, 
merge is not needed : emsa\web_user
2013-10-18 15:28:41,963 DEBUG [http-bio-8080-exec-13]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
2013-10-18 15:28:41,967 DEBUG [http-bio-8080-exec-13]: LdapAuthenticator: login 
success for emsa\web_user? false
2013-10-18 15:28:41,967 DEBUG [http-bio-8080-exec-13]: CompositeAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:28:41,968 DEBUG [http-bio-8080-exec-13]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, email=webpassword@emsa.europa.eu, activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
2013-10-18 15:28:41,969 DEBUG [http-bio-8080-exec-13]: 
UserLockoutAuthenticator: login success for emsa\web_user? false
2013-10-18 15:28:41,969 DEBUG [http-bio-8080-exec-13]: IPLockoutAuthenticator: 
login success for emsa\web_user? false
2013-10-18 15:28:41,971 DEBUG [http-bio-8080-exec-13]: 
net.webpasswordsafe.common.model.AuditLog{message=authentication failed, id=77, 
username=emsa\web_user, eventDate=Fri Oct 18 15:28:41 WEST 2013, target=, 
action=login, ipaddress=10.112.91.25, success=false}

Original issue reported on code.google.com by quintas....@gmail.com on 18 Oct 2013 at 2:58

GoogleCodeExporter commented 9 years ago
Possibly too late for the original poster, but maybe this will help someone 
else. Here is my commentary on the log entries as I understand them:

2013-10-18 15:22:40,018 DEBUG [http-bio-8080-exec-10]: ldap 
filter=(&(objectclass=person)(uid=emsa\web_user))
--- The ldap will be searched for an object where objectclass=person and the 
uid=emsa\web_user
--- The fact that you are searching on the uid attribute suggests your ldap 
server is something other than microsoft active directory, since uid is not 
used by default on that directory platform

2013-10-18 15:22:44,596 INFO  [http-bio-8080-exec-10]: No results found for 
search, base: 'dc=emsa,dc=local'; filter: 
'(&(objectclass=person)(uid=emsa\web_user))'.
--- Searching the ldap directory with a base of dc=emsa,dc=local, for a user 
where uid=emsa\web_user failed. Possibly the uid syntax you are using is wrong 
for your directory; no user could be found where uid=emsa\web_user. It is also 
possible that the user you configured in webpasswordsafe-service.xml (property 
name="userDn"...) does not have permission to read the uid attribute of the user 
that has emsa\web_user set. 

2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: LdapAuthenticator: login 
success for emsa\web_user? false
--- Ldap authenticator concluded the login was unsuccessful

2013-10-18 15:22:44,596 DEBUG [http-bio-8080-exec-10]: CompositeAuthenticator: 
login success for emsa\web_user? false
--- Composite authenticator concluded the login was unsuccessful

2013-10-18 15:22:44,597 DEBUG [http-bio-8080-exec-10]: 
net.webpasswordsafe.common.model.User{id=6, username=emsa\web_user, 
lastLogin=null, email=webpassword@emsa.europa.eu, activeFlag=true, 
authnPassword=<uninitialized>, dateCreated=2013-10-18 15:22:20.0, type=U, 
groups=<uninitialized>, fullname=Web Password User}
--- A user was found in the webpasswordsafe user database with username 
matching emsa\web_user, but was not logged in due to failing the authentication 
stage

If you are using openldap or similar, a possible next step would be to query 
the actual uid value of the account you are attempting to log in with. The page:
https://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-Using_ldapsearch.html
might help to get you started with that if you are not familiar with the process.

If you happen to be using microsoft active directory, there are a couple of 
changes to consider:
1) in webpasswordsafe-service.xml, change the filter to:
<property name="filter" value="(&amp;(objectclass=person)(sAMAccountName=$1))" />
2) configure your users in webpasswordsafe to use only the sAMAccountName - in 
this case "web_user"

Original comment by e...@tunedglobal.com on 24 May 2014 at 4:45
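The two steps this thread walks through, substituting the login name into the configured filter and (for Active Directory) reducing DOMAIN\user to the bare sAMAccountName, as an added example that is not code from WebPasswordSafe or from either commenter. It assumes the filter templates from the posted config and escapes the substituted value per RFC 4515, so the backslash in emsa\web_user (which the logged filter carries verbatim) becomes \5c instead of being sent raw.

```python
# Added example, not WebPasswordSafe's own LdapAuthenticator: models how the
# configured filter template (with $1) is turned into the search filter the
# directory receives, with the value escaped per RFC 4515 so a login name
# cannot alter the shape of the filter.

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Everything else passes through unchanged.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute $1 in the configured filter (as in the posted
    webpasswordsafe-service.xml) with the escaped username."""
    return template.replace("$1", escape_filter_value(username))


def strip_domain(login: str) -> str:
    """Reduce DOMAIN\\user (or user@domain) to the bare account name,
    which is what the second comment suggests storing for AD users."""
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


if __name__ == "__main__":
    configured = "(&(objectclass=person)(uid=$1))"
    # The filter as it appears in the log, with the backslash substituted raw:
    print("raw    :", configured.replace("$1", "emsa\\web_user"))
    # The same login after escaping, which a strict server will accept:
    print("escaped:", build_filter(configured, "emsa\\web_user"))
    # Filter metacharacters in a login name are escaped rather than parsed:
    print("escaped:", build_filter(configured, "a*b(c)"))
    # AD variant from the thread, keyed on sAMAccountName instead of uid:
    ad_filter = "(&(objectclass=person)(sAMAccountName=$1))"
    print("ad     :", build_filter(ad_filter, strip_domain("emsa\\web_user")))
```

Comparing the "raw" and "escaped" lines against the filter in the INFO log entry above shows why a directory may return no results for a login name containing a backslash even when the account exists.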