CCE UI LDAP authorisation

Hello,

I can't connect LDAP with CCE. (LDAP successfully works for IS and WMS)
CCE version 9.7

…/profiles/CCE/configuration/security/jaas.config

Default {
    // SSOS login module for SAML signed assertion validation
    com.softwareag.security.idp.saml.lm.SAMLAssertValidatorLoginModule sufficient;

    // Internal repository login module (java based)
    com.softwareag.security.jaas.login.internal.InternalLoginModule required
        template_section=INTERNAL
        logCallback=true
        internalRepository="@path:osgi.configuration.area/security/users.txt"
        create_group_principal=true
        groupRepositoryPath="@path:osgi.configuration.area/security/groups.txt";

    // Role repository login module
    com.softwareag.security.authz.store.jaas.login.RoleLoginModule optional
        storage_location="@path:osgi.configuration.area/security/roles.txt";

    // LDAP login module
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule optional
        url="ldap://************"
        prin="CN=******"
        cred="********"
        gidprop="CN"
        uidprop="CN"
        usecaching="false"
        userrootdn="dc=win,dc=int,dc=kn"
        mattr="memberOf"
        memberinfoingroups=false
        grouprootdn="ou=b2b,ou=application,ou=1client,dc=ger,dc=win,dc=int,dc=kn"
        groupobjclass="group"
        personobjclass="person"
        creategroups=true;
};

Logs:
[com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule] 2015-07-24 11:50:22,895 ERROR: Authentication failed
[com.softwareag.security.sin.is.ldap.ConfiguredServer] 2015-07-24 11:50:22,897 ERROR: No LDAP context url ldap://***************
[com.softwareag.security.sin.is.ldap.LDAPUserManagerV2] 2015-07-24 11:50:22,898 WARN : PooledContext.poolReturn: underlying LDAP connection is broken. Releaseing this PooledContext: available true,alias ldap://*****,url ldap://,prin CN=*******,cred present, but not shown,timeout 5000,use affices false,dn prefix ,dn suffix ,use caching false,uidprop CN,user root dn dc=win,dc=int,dc=kn,person object class person,gidprop CN,group root dn ou=b2b,ou=application,ou=1client,dc=ger,dc=win,dc=int,dc=kn,group object class group,default group null,member attr memberOf,member info in groups false,no prin is anon true,do not bind false

Can't find where I'm wrong.

Hi Arturs,
JAAS executes login modules one after another.
When a login module is optional, authentication continues to the next login module no matter what the result of each step is.
When a login module is sufficient, authentication stops if the login module returns success.
When a login module is required or requisite, authentication stops if the login module returns an error.
I would recommend changing your InternalLoginModule to optional, so that when you try to log in with an LDAP user it does not fail.
Then move RoleLoginModule after LDAPLoginModule, because LDAP still needs roles.
Lastly, do not forget to add the LDAP user you want to log in with to @path:osgi.configuration.area/security/roles.txt

Please let me know if this helps.

Best Regards,
Veselin
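Added example, not part of the thread: a small Python model of the JAAS control-flag semantics (as described in the javax.security.auth.login.Configuration Javadoc), run over the login-module stack posted above and over the reordered stack the reply suggests. Module results are simulated with a dict (no LDAP server is contacted); the module aliases and the three sample users are assumptions made for the illustration.

```python
# Added example: simulate how JAAS walks a login-module stack so that the effect
# of 'required' vs 'optional' on an LDAP-only user becomes visible. Outcomes are
# constructed, not taken from a real CCE instance.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

# Short aliases (assumed) for the module class names in jaas.config.
SAML, INTERNAL, ROLE, LDAP = "SAMLAssertValidator", "InternalLoginModule", "RoleLoginModule", "LDAPLoginModule"

# Stack as posted: the users.txt module is 'required', so a user that exists only
# in LDAP can never satisfy it and the overall login fails.
ORIGINAL_STACK = [(SAML, SUFFICIENT), (INTERNAL, REQUIRED), (ROLE, OPTIONAL), (LDAP, OPTIONAL)]
# Stack as recommended in the reply: internal becomes optional and the role
# module runs after the LDAP module.
FIXED_STACK = [(SAML, SUFFICIENT), (INTERNAL, OPTIONAL), (LDAP, OPTIONAL), (ROLE, OPTIONAL)]

def jaas_login(stack, outcomes):
    """outcomes maps module -> True (login() succeeds) or False (LoginException).
    Returns (overall_success, list of modules that actually ran)."""
    ran, required_failed, nonrequired_ok = [], False, False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    for name, flag in stack:
        ran.append(name)
        ok = outcomes.get(name, False)
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                required_failed = True
                if flag == REQUISITE:          # requisite: abort the walk at once
                    break
        elif flag == SUFFICIENT and ok:
            return not required_failed, ran    # sufficient: return immediately
        elif ok:
            nonrequired_ok = True              # an optional module succeeded
    if required_failed:
        return False, ran
    # With no required/requisite modules, at least one optional must have succeeded.
    return (True if has_required else nonrequired_ok), ran

# Constructed sample users: no SAML assertion is presented in any case.
LDAP_ONLY_USER = {SAML: False, INTERNAL: False, LDAP: True, ROLE: True}
INTERNAL_USER = {SAML: False, INTERNAL: True, LDAP: False, ROLE: True}
UNKNOWN_USER = {SAML: False, INTERNAL: False, LDAP: False, ROLE: False}

if __name__ == "__main__":
    for label, user in [("ldap-only", LDAP_ONLY_USER), ("internal", INTERNAL_USER), ("unknown", UNKNOWN_USER)]:
        print(label, "original:", jaas_login(ORIGINAL_STACK, user)[0],
              "fixed:", jaas_login(FIXED_STACK, user)[0])
```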