I found the solution.
It was the roles.filter here's the config for the Apache DS.
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<jaas:config name="karaf" rank="1">
<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
flags="required">
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=uid=admin,ou=system
connection.password=secret
connection.protocol=
connection.url=ldap://localhost:10389
user.base.dn=ou=users,ou=system
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=ou=roles,ou=system
role.name.attribute=cn
role.filter=(&(objectClass=groupOfNames)(member=uid=%u,ou=users,ou=system))
role.search.subtree=true
authentication=simple
</jaas:module>
</jaas:config>
</blueprint>
Mike Tod
949-230-5319 direct
***@foundationmedicine.com
-----Original Message-----
From: Mike Tod [mailto:***@foundationmedicine.com]
Sent: Monday, February 13, 2017 9:47 AM
To: ***@servicemix.apache.org
Subject: RE: Servicemix 7.0 LDAP and the webconsole
I have narrowed this issue down a bit I have a local copy of Servicemix 7.0 and Apache DS setup for testing I can authenticate using the client but not the webconsole. I suspect it has to do with the roles configuration.
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<jaas:config name="karaf" rank="1">
<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
flags="required">
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username=uid=admin,ou=system
connection.password=secret
connection.protocol=
connection.url=ldap://localhost:10389
user.base.dn=ou=users,ou=system
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=ou=roles,ou=system
role.name.attribute=cn
role.filter=(member:=uid=%u)
role.search.subtree=true
authentication=simple
</jaas:module>
</jaas:config>
</blueprint>
I'm getting the following error when I enable DEBUG in the security log.
Note the ': N O T I M P L E M E N T E D Y E T !] I'm not sure what that’s about I thought this was supported with this release of Servicemix.
2017-02-13 09:40:32,081 | DEBUG | /system/console | HttpServiceContext | 212 - org.ops4j.pax.web.pax-web-jetty - 4.3.0 | Handling request for [/system/console] using http context [org.a
***@5348f26]
2017-02-13 09:40:32,090 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Get the user DN.
2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Looking for the user in LDAP with
2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | base DN: ou=users,ou=system
2017-02-13 09:40:32,111 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | filter: (uid=janedoe)
2017-02-13 09:40:32,114 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Found the user DN.
2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Bind user (authentication).
2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Set the security principal for uid=janedoe,ou=users,ou=system
2017-02-13 09:40:32,115 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Binding the user.
2017-02-13 09:40:32,118 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | User janedoe successfully bound.
2017-02-13 09:40:32,121 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | Looking for the user roles in LDAP with
2017-02-13 09:40:32,122 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | base DN: ou=roles,ou=system
2017-02-13 09:40:32,122 | DEBUG | /system/console | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.8 | filter: (member:=uid=janedoe)
2017-02-13 09:40:32,126 | ERROR | /system/console | JaasSecurityProvider | 224 - org.apache.karaf.webconsole.console - 4.0.8 | General Security Exception
javax.security.auth.login.LoginException: Can't get user janedoe roles: [LDAP: error code 1 - OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 7
SearchRequest
baseDn : 'ou=roles,ou=system'
filter : '(member-false-EXTENSIBLE-null-0x75 0x69 0x64 0x3D 0x6A 0x61 0x6E 0x65 0x64 0x6F 0x65 :[?])'
scope : whole subtree
typesOnly : false
Size Limit : no limit
Time Limit : no limit
Deref Aliases : deref Always
attributes :
***@b7e7bbb6 ManageDsaITImpl Control
Type OID : '2.16.840.1.113730.3.4.2'
Criticality : 'false'
'
: N O T I M P L E M E N T E D Y E T !]
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:157)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)
at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.8.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_101]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_101]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_101]
at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_101]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_101]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_101]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_101]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_101]
at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_101]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_101]
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_101]
at org.apache.felix.webconsole.internal.servlet.JaasSecurityProvider.doAuthenticate(JaasSecurityProvider.java:118)[224:org.apache.karaf.webconsole.console:4.0.8]
at org.apache.felix.webconsole.internal.servlet.JaasSecurityProvider.authenticate(JaasSecurityProvider.java:184)[224:org.apache.karaf.webconsole.console:4.0.8]
at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)[224:org.apache.karaf.webconsole.console:4.0.8]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)[187:org.eclipse.jetty.security:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:287)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[189:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)[212:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.Server.handle(Server.java:499)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[188:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)[180:org.eclipse.jetty.io:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[191:org.eclipse.jetty.util:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[191:org.eclipse.jetty.util:9.2.19.v20160908]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_101]
2017-02-13 09:40:32,128 | DEBUG | /system/console | HttpServiceResponseWrapper | 212 - org.ops4j.pax.web.pax-web-jetty - 4.3.0 | Response status set to [401]
Mike Tod
949-230-5319 direct
***@foundationmedicine.com
-----Original Message-----
From: Mike Tod [mailto:***@foundationmedicine.com]
Sent: Friday, February 10, 2017 3:36 PM
To: ***@servicemix.apache.org
Subject: RE: Servicemix 7.0 LDAP and the webconsole
I used this as a guide https://access.redhat.com/documentation/en-US/Fuse_ESB_Enterprise/7.1/html/Security_Guide/files/ESBLDAPTutorialConfigAdminAuthz.html
Seemed to work up to the Web part I can't find any specifics on the config.
Thanks
Mike Tod
***@foundationmedicine.com
-----Original Message-----
From: Jean-Baptiste Onofré [mailto:***@nanthrax.net]
Sent: Friday, February 10, 2017 3:31 PM
To: ***@servicemix.apache.org
Cc: ***@servicemix.apache.org
Subject: Re: Servicemix 7.0 LDAP and the webconsole
All depends the roles you have on LDAP or the role mapping.
Webconsole expects admin as role.
Regards
JB
Post by Mike TodI'm working with Servicemix 7.0 and LDAP I have it working for the
client but can't seem to get LDAP working on the Webconsole.
Seems like the roles are not working correctly with the web but I have no log's to dig into.
Does anyone have LDAP working with the Web Console?
If so can you give me some tips?
Thanks
Mike Tod
This communication and any files transmitted with it may contain
information that is considered to be confidential, privileged and
exempt from disclosure under applicable law. This message is intended
for Foundation Medicine-affiliated use and that of the intended
recipient only and may contain information that is protected by
Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR
164.500. This communication is intended solely for the use of intended
recipient. If you are not the intended recipient, you are hereby
notified that any use, dissemination or copying of this communication
is strictly prohibited. If you have received this communication in
error, please notify the sender immediately and delete this message
immediately. Thank you for your cooperation.
This communication and any files transmitted with it may contain information that is considered to be confidential, privileged and exempt from disclosure under applicable law. This message is intended for Foundation Medicine-affiliated use and that of the intended recipient only and may contain information that is protected by Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR § 164.500. This communication is intended solely for the use of intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this message immediately. Thank you for your cooperation.
This communication and any files transmitted with it may contain information that is considered to be confidential, privileged and exempt from disclosure under applicable law. This message is intended for Foundation Medicine-affiliated use and that of the intended recipient only and may contain information that is protected by Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR § 164.500. This communication is intended solely for the use of intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this message immediately. Thank you for your cooperation.
This communication and any files transmitted with it may contain information that is considered to be confidential, privileged and exempt from disclosure under applicable law. This message is intended for Foundation Medicine-affiliated use and that of the intended recipient only and may contain information that is protected by Foundation Medicine policies and the HIPAA Privacy Rule, 45 CFR § 164.500. This communication is intended solely for the use of intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this message immediately. Thank