# getting-started
g
Hello, I have one question. I am using DataHub with LDAP, so I wrote a jaas.conf file, but I got this error. How do I change the configuration?
```
WHZ-Authentication {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider="ldap://[host]:[port]/ou=ldap/"
  authIdentity="{USERNAME}"
  userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
  javax.security.auth.login.name=[auth id]
  javax.security.auth.login.password=[auth pw]
  tryFirstPass="true"
  debug="true"
  useSSL="false";
};
```
Error:
```
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://[host]:[port]/ou=ldap/
[LdapLoginModule] tryFirstPass failed: javax.security.auth.login.FailedLoginException: No password was supplied
[LdapLoginModule] attempting to authenticate user: datahub
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
23:42:12 [application-akka.actor.default-dispatcher-5] ERROR controllers.AuthenticationController - Authentication error
javax.naming.AuthenticationException: javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
```
l
@big-carpet-38439 ^
b
Hi @gifted-arm-43579, can I check if you managed to pass BIND DN and BIND password to the JAAS config? I also encountered the same error:
```
javax.naming.AuthenticationException: javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
```
Managed to get it working with LDAP authentication. If the company LDAP server doesn't support anonymous bind, use authentication-only mode from the LdapLoginModule. Here's the working jaas.conf without providing credentials for an LDAP bind account. FYI, we are using JumpCloud LDAP.
```
WHZ-Authentication {
      com.sun.security.auth.module.LdapLoginModule sufficient
      userProvider="<ldaps://ldap.jumpcloud.com:636>"
      authIdentity="uid={USERNAME},ou=Users,o=<org_id>,dc=jumpcloud,dc=com"
      java.naming.security.authentication="simple"
      debug="false"
      useSSL="true";
    };
```
In short, since we can't pass the username and password for a bind account to JAAS, we can only use authentication-only mode by specifying a distinguished name in authIdentity and removing userFilter. This way, the LDAP directory is not searched and a bind account is thus not required. Ref: https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
In authentication-first mode, authentication is attempted using the supplied username and password and then the LDAP directory is searched. If authentication is successful then a search is performed using the supplied username in conjunction with a specified search filter. To enable this mode, set the authIdentity and the userFilter options. Use authentication-first mode when accessing an LDAP directory that has been configured to disallow anonymous searches.

In authentication-only mode, authentication is attempted using the supplied username and password. The LDAP directory is not searched because the user's distinguished name is already known. To enable this mode, set the authIdentity option to a valid distinguished name and omit the userFilter option. Use authentication-only mode when the user's distinguished name is known in advance.
b
@boundless-student-48844 So happy you got this working. Is there any chance you could add a brief section to the JaaS Authentication Doc to detail your configuration?
p
I guess wrong mention @big-carpet-38439 🙂
b
Omg
@polite-flower-25924 Were you recently working on this also?
Or is my memory completely shot
p
Sorry 🙈 We are always working with Okta.
b
Okay so memory is shot no worries
LOL
c
@gifted-arm-43579 About LDAP authentication using JAAS on datahub. Did you succeed?
k
@boundless-student-48844 we tried to follow the steps which you mentioned for authentication-only mode; please find below our sample jaas.conf
```
WHZ-Authentication {
      com.sun.security.auth.module.LdapLoginModule sufficient
      userProvider="ldap://<localhost>:389"
      authIdentity="uid=cdatahubadmin,ou=users,dc=company,dc=com"
      java.naming.security.authentication="simple"
      debug="true"
      useSSL="false";
    };
```

Can you please help me out with this LDAP authentication?
Please find the logs below:
```
ERROR application - The submitted callback is of type: class javax.security.auth.callback.PasswordCallback : javax.security.auth.callback.PasswordCallback@4700a227
12:58:14 [application-akka.actor.default-dispatcher-12822] WARN  o.e.j.j.spi.PropertyFileLoginModule - Exception starting propertyUserStore /etc/datahub/plugins/frontend/auth/user.props
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class javax.security.auth.callback.NameCallback : javax.security.auth.callback.NameCallback@3c9fd61e
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class org.eclipse.jetty.jaas.callback.ObjectCallback : org.eclipse.jetty.jaas.callback.ObjectCallback@1e9b4d77
12:58:14 [application-akka.actor.default-dispatcher-12822] WARN  application - The submitted callback is unsupported!
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class javax.security.auth.callback.PasswordCallback : javax.security.auth.callback.PasswordCallback@16bf7c05
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class javax.security.auth.callback.NameCallback : javax.security.auth.callback.NameCallback@3725bdd7
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class org.eclipse.jetty.jaas.callback.ObjectCallback : org.eclipse.jetty.jaas.callback.ObjectCallback@7548a20b
12:58:14 [application-akka.actor.default-dispatcher-12822] WARN  application - The submitted callback is unsupported!
12:58:14 [application-akka.actor.default-dispatcher-12822] ERROR application - The submitted callback is of type: class javax.security.auth.callback.PasswordCallback : javax.security.auth.callback.PasswordCallback@31fcb920
```
a
@boundless-student-48844 Hi. I am now interested in your old question: how to pass the bind DN and its password to the jaas.conf file. Did you find the answer? My guess is "javax.security.auth.login.name" and "javax.security.auth.login.password", but it fails to work.
b
Hey @average-dinner-25106, we don't pass in the bind DN and its password. Haven't explored further after the above approach using authentication-only mode worked for us. Probably can try bypassing bind DN & password too?
a
@boundless-student-48844 I've found the configuration for the bind DN and password: java.naming.security.principal and java.naming.security.credentials. I could log in using an AD account after adding them to jaas.conf.