WFA using non AD LDAP

cscott — Tue, 18 Nov 2014 20:44:25 GMT

Is it possible to connect WFA to a virtual directory services instance that is not an MS AD implementation? My customer is no longer allowing direct connections to AD servers, and I need to bind to a secure LDAP implementation provided by a third party vendor.

ldaps://<server>:<port> appears to allow the connection, but the user is not able to log in. My assumption is because normally the credentials are being passed through to AD which allows a connection, whereas with VDS solution the individual users are not allowed to authenticate.

using ldaps://<server>:<port> I get the following error:

(domain/user/server/port info manually removed)

2014-11-18 15:39:20,253 INFO [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) Looking up user ‘<DOMAIN>\<USER> in LDAP servers

2014-11-18 15:39:20,269 INFO [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting LDAP context for server 'ldaps://<LDAP_SERVER>:<PORT>'

2014-11-18 15:39:20,706 INFO [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting default naming context

2014-11-18 15:39:20,738 ERROR [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) null: java.lang.NullPointerException

at com.netapp.wfa.ldap.LdapWrapper.getDefaultNamingContext(LdapWrapper.java:198) [ldap-login-module-0.5.jar:]

at com.netapp.wfa.ldap.LdapWrapper.findUserInLdap(LdapWrapper.java:105) [ldap-login-module-0.5.jar:]

at com.netapp.wfa.ldap.LdapLoginModule.validatePassword(LdapLoginModule.java:67) [ldap-login-module-0.5.jar:]

at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]

at sun.reflect.GeneratedMethodAccessor331.invoke(Unknown Source) [:1.7.0_25]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]

at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_25]

at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_25]

at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_25]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]

at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:416) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:518) [jbossweb-7.0.13.Final.jar:]

at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)

at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:801)

at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)

at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:842)

at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

at org.jboss.threads.JBossThread.run(JBossThread.java:122)

Thank you,

Scott

Re: WFA using non AD LDAP

sinhaa — Wed, 19 Nov 2014 03:04:42 GMT

You requirement is valid but WFA as of 3.0 can't work with any other Directory server other than Microsoft Active Directory. I'll try to see if I can manage a workaround.

It may be available in a future release.

sinhaa

Re: WFA using non AD LDAP

cscott — Wed, 19 Nov 2014 13:51:37 GMT

Thank you,

I would like to pose this as an RFE. We worked with the customer and built the POC, showed it and pushed it into production, using AD LDAP. Then they started blocking access to AD LDAP connections before a new set jobs of were added and effectively set us back. So while we met all the requirements at the time, with the change I have no other options currently.

EDIT: My Apologies, I am still on WFA version 2.1 and had not even read the 3.0 release notes, it would have answered my question!

Thank you for your time!

Scott

Re: WFA using non AD LDAP

jauling_chou — Fri, 23 Sep 2016 11:13:05 GMT

Also, FWIW... WFA 4.0 (build 3858982) does not support LDAP either. What's the deal with removing LDAP support? OCUM7 supports it too!

Re: WFA using non AD LDAP

sinhaa — Sun, 25 Sep 2016 06:30:20 GMT

@jauling_chou

No, its not true. WFA 4.0completely supports Active Directory LDAP login.

What problem are you facing?

sinhaa

Re: WFA using non AD LDAP

jauling_chou — Mon, 26 Sep 2016 10:39:57 GMT

Nowhere in my post did I write anything about Active Directory. I only , and this thread is titled WFA using non AD LDAP, so why are you even mentioning AD? I Wonder if @sinhaa found a workaround?

Re: WFA using non AD LDAP

sinhaa — Tue, 27 Sep 2016 03:47:57 GMT

@jauling_chou

Active Directory also works on LDAP protocol.

WFA as of 4.0 doesn't support other directory servers like OpenLDAP.

Workaround.. I had tried when this post was originally submitted ( ~2 years back) without success. Let me try again.

sinhaa

topic Re: WFA using non AD LDAP in Active IQ Unified Manager Discussions

WFA using non AD LDAP

Re: WFA using non AD LDAP

Re: WFA using non AD LDAP

Re: WFA using non AD LDAP

Re: WFA using non AD LDAP

Re: WFA using non AD LDAP

Re: WFA using non AD LDAP