Bonita 5.10.2 community LDAP


Hi,

I want to use LDAP authentication in User XP; I have used this article: http://priyankacool10.wordpress.com/2012/07/25/how-to-configure-ldap-with-bonita-user-xp/

but:

- when I extract data from Active Directory using the LDAP connector, there is no "uid" attribute, so I have used "cn" instead:

authIdentity="cn={USERNAME},ou=......." userFilter="(&(cn={USERNAME}))"

- how can I edit this method:

public boolean isUserAdmin(String username) throws UserNotFoundException {
    if (username.equals("106160")) {
        return true;
    } else {
        return false;
    }
}

Must 106160 be replaced by the admin?

Does anyone have an idea?

Thank you

Comments

Submitted by antoine.mottier on Wed, 10/15/2014 - 15:59

106160 is the username of the user that has administrator privileges. You should replace it with the username of one of your LDAP users.

If you have trouble successfully configuring LDAP authentication, please share the full content of your log files. Also, if you need help creating the JAAS configuration file, please provide the information listed in the "Before you start" section of the official documentation (it's for version 6, but the information needed is pretty much the same).

Submitted by user11 on Wed, 10/15/2014 - 16:31

Thank you Antoine,

1. The LDAP is like this, for example for John Smith:

* sAMAccountName = johns
* distinguishedName = cn=smith\, john,ou=users,ou=sites,ou=xxx,dc=xxx,dc=xxx,dc=com
* to connect to other applications: johns

2. JAAS standard file:

BonitaAuth {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        userProvider="ldap://hote:389/ou=users,ou=sites,ou=xxx,dc=xxx,dc=xxx,dc=com"
        authIdentity="{USERNAME}"
        userFilter="(samAccountName={USERNAME})"
        useSSL=false
        debug=true
};

3. I test this in a development environment, with an H2 database.

Submitted by antoine.mottier on Wed, 10/15/2014 - 18:50

In order to help you get a correct JAAS file, it would be really helpful if you could gather the information listed here: http://documentation.bonitasoft.com/active-directoryldap-authentication-...

From here, my best guess would be that you should replace authIdentity="{USERNAME}" with authIdentity="{USERNAME}@mydomain.com" (replace mydomain.com with your actual domain name).

Also, if you want to test your JAAS file outside Bonita, you can use this small LDAP testing tool. To run the tool, open a command window and type java -jar ldap-tool.jar. Note that when you run this tool, the JAAS login context needs to be named BonitaAuthentication-1 instead of BonitaAuth (because the tool is designed for Bonita 6).

Submitted by user11 on Wed, 10/15/2014 - 22:03

Thank you Antoine, I will test it.

Submitted by user11 on Fri, 10/17/2014 - 11:00

Hi Antoine,

I have downloaded the ldap-tool.jar and read "Before you start". In my case it is not possible to build the DN: the username to authenticate is like smithj and the DN is cn=smith, john, ...

When I run the ldap-tool I get these exceptions:

Exception in thread "main" java.lang.SecurityException: Configuration Error: Line 10: expected [option key]
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:110)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at java.lang.Class.newInstance(Class.java:374)
    at javax.security.auth.login.Configuration$3.run(Configuration.java:264)
    at javax.security.auth.login.Configuration$3.run(Configuration.java:260)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:259)
    at javax.security.auth.login.LoginContext$1.run(LoginContext.java:254)
    at javax.security.auth.login.LoginContext$1.run(LoginContext.java:252)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:251)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:418)
    at com.bonitaSoft.toolLdap.Main.scenario(Main.java:121)
    at com.bonitaSoft.toolLdap.Main.main(Main.java:50)
Caused by: java.io.IOException: Configuration Error: Line 10: expected [option key]
    at com.sun.security.auth.login.ConfigFile.match(ConfigFile.java:550)
    at com.sun.security.auth.login.ConfigFile.parseLoginEntry(ConfigFile.java:439)
    at com.sun.security.auth.login.ConfigFile.readConfig(ConfigFile.java:383)
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:283)
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:219)
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:108)
    ... 16 more

Submitted by antoine.mottier on Fri, 10/17/2014 - 11:12

I should have caught this earlier: the error is due to a missing semicolon after the last option of your JAAS context configuration (e.g. after debug=true).

So you should have a configuration similar to the following one (note the semicolon after the last option and semicolon after the last curly brace):

BonitaAuthentication-1 {
    com.sun.security.auth.module.LdapLoginModule sufficient
        userProvider="ldap://localhost:389/CN=Users,DC=MyDomain,DC=com"
        userFilter="(&(objectClass=user)(userPrincipalName={USERNAME}@mydomain.com))"
        authIdentity="{USERNAME}@mydomain.com"
        debug=true
        useSSL=false;
};

Remember to change the login context name from BonitaAuthentication-1 to BonitaAuth for Bonita 5.10.2.

Submitted by user11 on Fri, 10/17/2014 - 11:52

Thank you Antoine,

It works with the ldap-tool! But not with the Bonita portal: I get org.ow2.bonita.util.BonitaRuntimeException.

For information, I have configured Bonita with MySQL, and the LDAP doesn't contain the Bonita users; how will Bonita recognize the LDAP users?

Log:

Oct 17, 2014 11:50:12 AM org.ow2.bonita.util.AccessorUtil discoverContext
INFO: Property: org.ow2.bonita.api-type has not been specified for api-type. Trying to autodetect it.
Oct 17, 2014 11:50:12 AM org.ow2.bonita.util.AccessorUtil discoverContext
INFO: org.ow2.bonita.util.AccessorUtil called from server side. Using Standard context.
Oct 17, 2014 11:50:12 AM org.ow2.bonita.env.BonitaEnvironmentParser getInstance
INFO: parsing bindings from resource url: jar:file:/C:/bos/BOS-5.10.2-Tomcat-6.0.35/lib/bonita/bonita-server-5.10.2.jar!/bonita.wire.bindings.xml
Oct 17, 2014 11:50:12 AM org.ow2.bonita.util.Misc showProblems
SEVERE: error : couldn't interpret the dom model : org.ow2.bonita.env.WireException: couldn't get type of 'authentication-service': Bonita Error: bp_RU_2 couldn't load class com.sun.security.auth.SimpleLdapAuth
. Cause: org.ow2.bonita.env.WireException: couldn't get type of 'authentication-service': Bonita Error: bp_RU_2 couldn't load class com.sun.security.auth.SimpleLdapAuth
Oct 17, 2014 11:50:12 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet org.bonitasoft.console.security.server.CredentialsEncryptionServlet/security/credentialsencryption threw exception
org.ow2.bonita.util.BonitaRuntimeException: Bonita Error: bp_Pa_1 errors during parsing of environment: error : couldn't interpret the dom model : org.ow2.bonita.env.WireException: couldn't get type of 'authentication-service': Bonita Error: bp_RU_2 couldn't load class com.sun.security.auth.SimpleLdapAuth

at org.ow2.bonita.util.Misc.showProblems(Misc.java:1975)
at org.ow2.bonita.env.BonitaEnvironmentParser.parseEnvironmentFactoryFromXmlString(BonitaEnvironmentParser.java:88)
at org.ow2.bonita.env.GlobalEnvironmentFactory.getEnvironmentFactory(GlobalEnvironmentFactory.java:112)
at org.ow2.bonita.facade.APIInterceptor.invoke(APIInterceptor.java:186)
at com.sun.proxy.$Proxy0.generateTemporaryToken(Unknown Source)
at org.bonitasoft.console.security.server.api.impl.CredentialsEncryptionAPIImpl.generateTemporaryToken(CredentialsEncryptionAPIImpl.java:157)
at org.bonitasoft.console.security.server.CredentialsEncryptionServlet.doPost(CredentialsEncryptionServlet.java:127)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.bonitasoft.forms.server.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:122)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.bonitasoft.console.security.SessionFixationValve.invoke(SessionFixationValve.java:77)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:744)

Submitted by user11 on Fri, 10/17/2014 - 12:08

I find in the log that the class SimpleLdapAuth is not loaded because I have copied the jar; when I copied the class, it works.

Thank you for your help

1 answer


For reference, here is a summary of the issues and solutions:

  • The JAAS file syntax was incorrect (missing semicolon). You can refer to the examples provided in the v6 documentation (the syntax has not changed).
  • The Authentication Service JAAS implementation was not properly included. The Bonita Engine needs to be able to load the com.sun.security.auth.SimpleLdapAuth class, so you should either put the jar file that includes the class in your application server's library folder or include the file in the Bonita web application.
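Both syntax problems that cost this thread two days, the missing semicolon and the context name (BonitaAuth for 5.10.2, BonitaAuthentication-1 for the version 6 ldap-tool), can be caught before Tomcat is even started. The checker below is an added example written for this page; it is not part of the thread, the ldap-tool or Bonita. It parses a JAAS login configuration with the grammar the JDK's com.sun.security.auth.login.ConfigFile reads (name, `{`, module class, control flag, `key=value` options, `;`, `}`, `;`), raises an error in the JDK's "Configuration Error: Line N: expected [...]" style (wording mimicked, not copied, and unlike the JDK it does not accept // or /* */ comments), and then runs a few sanity checks chosen for this example against an LdapLoginModule entry: the expected context name, a userProvider, an authIdentity or userFilter, and useSSL=false over a plain ldap:// URL, which sends the user's password to the directory in clear text. The BROKEN sample reproduces the first configuration posted above (hostname hote as posted); FIXED is the same text with the semicolon added.

```python
"""JAAS login-configuration syntax checker. Constructed example, not Bonita's code;
grammar as read by the JDK's ConfigFile: Name { ModuleClass Flag [key=value ...]; ... };"""
import re

WORD = re.compile(r"""[^\s{};="']+""")    # bare token: name, class, flag, key or value

class JaasConfigError(Exception):
    def __init__(self, line, msg):
        super().__init__(f"Configuration Error: Line {line}: {msg}")
        self.line = line

def tokenize(text):
    """Return (kind, value, line) tuples; kind is word, string, punct or eof."""
    tokens, i, line = [], 0, 1
    while i < len(text):
        c = text[i]
        if c.isspace():
            line, i = line + (c == "\n"), i + 1
        elif c in "\"'":                          # quoted option value
            end = text.find(c, i + 1)
            if end < 0 or "\n" in text[i:end]:
                raise JaasConfigError(line, "unterminated quoted string")
            tokens.append(("string", text[i + 1:end], line))
            i = end + 1
        elif c in "{};=":
            tokens.append(("punct", c, line))
            i += 1
        else:
            m = WORD.match(text, i)
            tokens.append(("word", m.group(), line))
            i = m.end()
    tokens.append(("eof", "", line))
    return tokens

def parse(text):
    """Return {context name: [{'class', 'flag', 'options'}, ...]} or raise."""
    toks, pos = tokenize(text), 0

    def take(expect, *kinds):
        """Consume one token of an accepted kind, or fail the way the JDK does."""
        nonlocal pos
        kind, value, line = toks[pos]
        pos += 1
        if kind in kinds and (kind != "punct" or value == expect):
            return value
        raise JaasConfigError(line, f"expected [{expect}], found [{value or 'end of file'}]")

    def at(ch):
        return toks[pos][:2] == ("punct", ch)

    contexts = {}
    while toks[pos][0] != "eof":
        name = take("application name", "word")
        take("{", "punct")
        modules = []
        while not at("}"):
            cls = take("module class name", "word", "string")
            flag = take("control flag", "word", "string").lower()
            options = {}
            while not at(";"):                    # a forgotten ';' puts '}' here
                key = take("option key", "word")
                take("=", "punct")
                options[key] = take("option value", "word", "string")
            take(";", "punct")
            modules.append({"class": cls, "flag": flag, "options": options})
        take("}", "punct")
        take(";", "punct")
        contexts[name] = modules
    return contexts

def check_bonita_ldap(text, context_name="BonitaAuth"):
    """Findings for a Bonita LDAP login context ([] when clean). Bonita 5.x expects
    the context to be named BonitaAuth, Bonita 6 BonitaAuthentication-1."""
    contexts = parse(text)
    if context_name not in contexts:
        return [f"no login context named {context_name}; found {sorted(contexts)}"]
    ldap = [m["options"] for m in contexts[context_name] if m["class"].endswith(".LdapLoginModule")]
    findings = [] if ldap else [f"{context_name} has no LdapLoginModule entry"]
    for o in ldap:
        if "userProvider" not in o:
            findings.append("userProvider missing: no directory URL to bind to")
        if "authIdentity" not in o and "userFilter" not in o:
            findings.append("neither authIdentity nor userFilter set: no way to locate the user")
        if o.get("useSSL", "true").lower() == "false" and not o.get("userProvider", "").lower().startswith("ldaps://"):
            findings.append("useSSL=false over ldap://: the user's password crosses the network in clear text")
    return findings

# Constructed input: the thread's first attempt, which lacks the ';' after its last
# option (debug=true on line 7). FIXED is the same file with that semicolon added.
BROKEN = """\
BonitaAuth {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://hote:389/ou=users,ou=sites,ou=xxx,dc=xxx,dc=xxx,dc=com"
    authIdentity="{USERNAME}"
    userFilter="(samAccountName={USERNAME})"
    useSSL=false
    debug=true
};
"""
FIXED = BROKEN.replace("debug=true\n", "debug=true;\n")
```

Run it against your own file with check_bonita_ldap(open("path/to/your-jaas-file").read()) and, when preparing a file for the version 6 ldap-tool, pass context_name="BonitaAuthentication-1". An empty list means the file parsed and none of the checks fired; a JaasConfigError carries the line where the grammar ran out, the same spot at which the JDK's ConfigFile stops (in the thread it was the `}` that followed debug=true, reported as "expected [option key]").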

Comments

Submitted by user11 on Fri, 10/17/2014 - 15:00

Thank you Antoine
