Active IQ Unified Manager Discussions

WFA using non AD LDAP

cscott
6,629 Views

Is it possible to connect WFA to a virtual directory services instance that is not an MS AD implementation?  My customer is no longer allowing direct connections to AD servers, and I need to bind to a secure LDAP implementation provided by a third party vendor.

 

ldaps://<server>:<port> appears to allow the connection, but the user is not able to log in.  My assumption is because normally the credentials are being passed through to AD which allows a connection, whereas with VDS solution the individual users are not allowed to authenticate.

 

using ldaps://<server>:<port> I get the following error:

 

(domain/user/server/port info manually removed)

 

2014-11-18 15:39:20,253 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) Looking up user ‘<DOMAIN>\<USER> in LDAP servers

2014-11-18 15:39:20,269 INFO  [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting LDAP context for server 'ldaps://<LDAP_SERVER>:<PORT>'

2014-11-18 15:39:20,706 INFO  [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting default naming context

2014-11-18 15:39:20,738 ERROR [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) null: java.lang.NullPointerException

        at com.netapp.wfa.ldap.LdapWrapper.getDefaultNamingContext(LdapWrapper.java:198) [ldap-login-module-0.5.jar:]

        at com.netapp.wfa.ldap.LdapWrapper.findUserInLdap(LdapWrapper.java:105) [ldap-login-module-0.5.jar:]

        at com.netapp.wfa.ldap.LdapLoginModule.validatePassword(LdapLoginModule.java:67) [ldap-login-module-0.5.jar:]

        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]

        at sun.reflect.GeneratedMethodAccessor331.invoke(Unknown Source) [:1.7.0_25]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]

        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_25]

        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_25]

        at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_25]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]

        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:416) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:518) [jbossweb-7.0.13.Final.jar:]

        at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)

        at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:801)

        at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)

        at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:842)

        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

        at org.jboss.threads.JBossThread.run(JBossThread.java:122)

 

Thank you,

Scott

 

 

1 ACCEPTED SOLUTION

sinhaa
6,616 Views

You requirement is valid but WFA as of 3.0 can't work with any other Directory server other than Microsoft Active Directory. I'll try to see if I can manage a workaround.

 

It may be available in a future release. 

 

 

sinhaa

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

6 REPLIES 6

sinhaa
6,617 Views

You requirement is valid but WFA as of 3.0 can't work with any other Directory server other than Microsoft Active Directory. I'll try to see if I can manage a workaround.

 

It may be available in a future release. 

 

 

sinhaa

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

cscott
6,602 Views

Thank you,

    I would like to pose this as an RFE.  We worked with the customer and built the POC, showed it and pushed it into production, using AD LDAP.  Then they started blocking access to AD LDAP connections before a new set jobs of were added and effectively set us back.  So while we met all the requirements at the time, with the change I have no other options currently.

 

EDIT: My Apologies, I am still on WFA version 2.1 and had not even read the 3.0 release notes, it would have answered my question!

 

Thank you for your time!

Scott

jauling_chou
5,616 Views

Also, FWIW... WFA 4.0 (build 3858982) does not support LDAP either. What's the deal with removing LDAP support? OCUM7 supports it too!

sinhaa
5,591 Views

@jauling_chou

 

No, its not true. WFA 4.0completely supports Active Directory LDAP login.

 

What problem are you facing?

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

jauling_chou
5,556 Views

Nowhere in my post did I write anything about Active Directory. I only , and this thread is titled WFA using non AD LDAP, so why are you even mentioning AD? I Wonder if @sinhaa found a workaround?

sinhaa
5,524 Views

@jauling_chou

 

Active Directory also works on LDAP protocol.

 

WFA as of 4.0 doesn't support other directory servers like OpenLDAP. 

 

Workaround.. I had tried when this post was originally submitted ( ~2 years back) without success. Let me try again. 

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public