Subscribe
Accepted Solution

WFA using non AD LDAP

[ Edited ]

Is it possible to connect WFA to a virtual directory services instance that is not an MS AD implementation?  My customer is no longer allowing direct connections to AD servers, and I need to bind to a secure LDAP implementation provided by a third party vendor.

 

ldaps://<server>:<port> appears to allow the connection, but the user is not able to log in.  My assumption is because normally the credentials are being passed through to AD which allows a connection, whereas with VDS solution the individual users are not allowed to authenticate.

 

using ldaps://<server>:<port> I get the following error:

 

(domain/user/server/port info manually removed)

 

2014-11-18 15:39:20,253 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) Looking up user ‘<DOMAIN>\<USER> in LDAP servers

2014-11-18 15:39:20,269 INFO  [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting LDAP context for server 'ldaps://<LDAP_SERVER>:<PORT>'

2014-11-18 15:39:20,706 INFO  [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting default naming context

2014-11-18 15:39:20,738 ERROR [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) null: java.lang.NullPointerException

        at com.netapp.wfa.ldap.LdapWrapper.getDefaultNamingContext(LdapWrapper.java:198) [ldap-login-module-0.5.jar:]

        at com.netapp.wfa.ldap.LdapWrapper.findUserInLdap(LdapWrapper.java:105) [ldap-login-module-0.5.jar:]

        at com.netapp.wfa.ldap.LdapLoginModule.validatePassword(LdapLoginModule.java:67) [ldap-login-module-0.5.jar:]

        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]

        at sun.reflect.GeneratedMethodAccessor331.invoke(Unknown Source) [:1.7.0_25]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]

        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_25]

        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_25]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]

        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:416) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:518) [jbossweb-7.0.13.Final.jar:]

        at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)

        at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:801)

        at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)

        at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:842)

        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

        at org.jboss.threads.JBossThread.run(JBossThread.java:122)

 

Thank you,

Scott

 

 

Re: WFA using non AD LDAP

You requirement is valid but WFA as of 3.0 can't work with any other Directory server other than Microsoft Active Directory. I'll try to see if I can manage a workaround.

 

It may be available in a future release. 

 

 

sinhaa

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: WFA using non AD LDAP

[ Edited ]

Thank you,

    I would like to pose this as an RFE.  We worked with the customer and built the POC, showed it and pushed it into production, using AD LDAP.  Then they started blocking access to AD LDAP connections before a new set jobs of were added and effectively set us back.  So while we met all the requirements at the time, with the change I have no other options currently.

 

EDIT: My Apologies, I am still on WFA version 2.1 and had not even read the 3.0 release notes, it would have answered my question!

 

Thank you for your time!

Scott

Re: WFA using non AD LDAP

Also, FWIW... WFA 4.0 (build 3858982) does not support LDAP either. What's the deal with removing LDAP support? OCUM7 supports it too!

Re: WFA using non AD LDAP

@jauling_chou

 

No, its not true. WFA 4.0completely supports Active Directory LDAP login.

 

What problem are you facing?

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: WFA using non AD LDAP

Nowhere in my post did I write anything about Active Directory. I only , and this thread is titled WFA using non AD LDAP, so why are you even mentioning AD? I Wonder if @sinhaa found a workaround?

Re: WFA using non AD LDAP

@jauling_chou

 

Active Directory also works on LDAP protocol.

 

WFA as of 4.0 doesn't support other directory servers like OpenLDAP. 

 

Workaround.. I had tried when this post was originally submitted ( ~2 years back) without success. Let me try again. 

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.