JBoss AD Login Module configuration

When configuring the JBoss LDAP login module, one of the parameters is the LDAP URL that JBoss will use to connect to the Active Directory.

Anyway, when doing an all-products-on-one-server install (JBoss + AD + DB on the same machine), I blindly entered the following URL for the LDAP connection: ldap://localhost:389 …

This caused big trouble, because with this URL the LDAP login module was always unable to authenticate users, failing with the following error:

ldapctx javax.naming.PartialResultException: Unprocessed Continuation

It took me a while to solve the issue, and it’s quite simple.

First make sure that the domain name can be resolved, for example with the command ping domain.com or nslookup domain.com. The domain name must be the configured Active Directory domain name that the LDAP login module is going to connect to for user validation. If the above commands fail, just add the domain name and the AD IP to the hosts file.

Then replace the URL ldap://localhost:389 (or ldap://invalidADname:port) with ldap://domain.com:389 and add a referral configuration line set to follow.

Things must look like this now:

<application-policy name="MyApplicationDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://domain.com:389</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
    </login-module>
  </authentication>
</application-policy>

Issue solved…
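As an added example (not code from the original post or from JBoss), here is a small Python check that reads an application-policy fragment like the one above and flags the two things that caused the failure: a loopback host in java.naming.provider.url and a missing java.naming.referral=follow option. Both policy strings are constructed for the example; the broken one reproduces the ldap://localhost:389 configuration described above. The DNS step (ping/nslookup) is deliberately left out so the check runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the "before" policy that triggered
# "PartialResultException: Unprocessed Continuation" (loopback URL, no referral option).
BROKEN_POLICY = """<application-policy name="MyApplicationDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
    </login-module>
  </authentication>
</application-policy>"""

# Constructed sample: the corrected policy (AD domain name in the URL, referral=follow).
FIXED_POLICY = """<application-policy name="MyApplicationDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://domain.com:389</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
    </login-module>
  </authentication>
</application-policy>"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def module_options(policy_xml):
    """Collect <module-option name=...>value</module-option> pairs from every login-module."""
    root = ET.fromstring(policy_xml)
    options = {}
    for login_module in root.iter("login-module"):
        for option in login_module.findall("module-option"):
            options[option.get("name")] = (option.text or "").strip()
    return options


def check_ldap_policy(policy_xml):
    """Return a list of findings; an empty list means the policy passes the checks."""
    options = module_options(policy_xml)
    findings = []

    url = options.get("java.naming.provider.url")
    if not url:
        findings.append("java.naming.provider.url is missing")
    else:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"unexpected scheme {parts.scheme!r} in java.naming.provider.url")
        host = (parts.hostname or "").lower()
        if host in LOOPBACK_HOSTS:
            findings.append(
                f"java.naming.provider.url points at {host!r}; "
                "use the resolvable AD domain name instead"
            )

    # AD answers searches with continuation references; without referral=follow
    # JNDI surfaces them as PartialResultException and the login fails.
    if options.get("java.naming.referral") != "follow":
        findings.append("java.naming.referral is not set to 'follow'")
    return findings


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, check_ldap_policy(policy) or "OK")
```

Running the script prints two findings for the broken policy and OK for the fixed one; the same function can be pointed at a real login-config.xml fragment before a deployment.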

How to get the AD LDAP DN name for a user

Sometimes we need the full LDAP distinguished name (DN) of an Active Directory user.

There are at least two ways to accomplish this goal:

1st) Run the command dsquery user -name ADUSERNAME, where ADUSERNAME is the name of the user in AD.

2nd) Run the command ldifde -f users.txt, which dumps all LDAP data from AD into the file named users.txt.
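The second option leaves you with an LDIF file to search by hand. As an added example (not part of the original post), the Python below parses an ldifde-style dump and returns the DN for a given sAMAccountName. It handles the two LDIF details that trip up a naive grep: folded lines (a continuation line starts with a single space, so a long DN can be split across lines) and base64 attributes (written with a double colon). The SAMPLE_LDIF content is constructed for the example and is not real directory data.

```python
import base64

# Constructed sample in the shape of an `ldifde -f users.txt` export:
# two user entries; the second has a folded dn line and a base64 attribute.
SAMPLE_LDIF = """dn: CN=Alice Example,OU=Staff,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: aexample
userPrincipalName: aexample@domain.com

dn: CN=Bob Builder,OU=Contra
 ctors,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: bbuilder
description:: Q29udHJhY3RvciBhY2NvdW50
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name to its values.

    Folded lines are joined back, '::' values are base64-decoded, '#' comment lines are
    skipped and a blank line ends an entry.
    """
    # Unfold first: a line starting with one space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    current = {}
    for line in logical:
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line (e.g. stray text), ignore it
        if value.startswith(":"):
            # "attr:: <base64>" form used for values that are not safe ASCII
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_user_dn(ldif_text, sam_account_name):
    """Return the DN of the entry whose sAMAccountName matches (case-insensitive), or None."""
    wanted = sam_account_name.lower()
    for entry in parse_ldif(ldif_text):
        for value in entry.get("samaccountname", []):
            if value.lower() == wanted:
                return entry["dn"][0]
    return None


if __name__ == "__main__":
    # With a real export: find_user_dn(open("users.txt", encoding="utf-8").read(), "ADUSERNAME")
    print(find_user_dn(SAMPLE_LDIF, "bbuilder"))
```

The export written by ldifde may be UTF-16 on some systems; if the file does not parse, open it with the matching encoding before passing the text in.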

Active Directory LDAP Errors

Something I’ve copied from here: http://forum.java.sun.com/thread.jspa?messageID=4227692

Thanks Dave!

Just to find it easily:

Common Active Directory LDAP bind errors:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 – not permitted to logon at this time
DEC: 1328 – ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 – not permitted to logon from this workstation
DEC: 1329 – ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 – password expired
DEC: 1330 – ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] – PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 – account disabled
DEC: 1331 – ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] – ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 – account expired
DEC: 1793 – ERROR_ACCOUNT_EXPIRED (The user’s account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] – ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 – user must reset password
DEC: 1907 – ERROR_PASSWORD_MUST_CHANGE (The user’s password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] – MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 – account locked out
DEC: 1909 – ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] – LOCKOUT
NOTE: Returns even if invalid password is presented.
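As an added example (not part of the copied list or of Dave's post), the Python below turns the table above into a lookup: it pulls the data code out of a JBoss/JNDI bind failure message, maps it to the Win32 error name and meaning listed, and decodes the userAccountControl bits the list names. The summarize_bind_errors helper and the SAMPLE_LOG lines are constructed for the example; they follow the shape of a JNDI AuthenticationException message but are not taken from a real log. Because 0x775 is returned even when the password is wrong, a rising count of ERROR_ACCOUNT_LOCKED_OUT in such a summary is a quick way to notice lockouts on the login module.

```python
import re
from collections import Counter

# Transcribed from the list above: AD "data" code -> (Win32 error name, meaning).
AD_BIND_ERRORS = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to logon at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to logon from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# userAccountControl bits named in the list above.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00800000: "PASSWORDEXPIRED",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_bind_error(message):
    """Return (code, win32_name, meaning) for an AD bind error message, or None
    when the message carries no 'AcceptSecurityContext error, data NNN' part."""
    match = DATA_RE.search(message)
    if match is None:
        return None
    code = int(match.group(1), 16)
    name, meaning = AD_BIND_ERRORS.get(code, ("UNKNOWN", "data code not in the list"))
    return code, name, meaning


def decode_uac(value):
    """Names of the listed userAccountControl bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def summarize_bind_errors(lines):
    """Count Win32 error names across a batch of log lines (hypothetical helper)."""
    counts = Counter()
    for line in lines:
        decoded = decode_bind_error(line)
        counts[decoded[1] if decoded else "UNPARSED"] += 1
    return dict(counts)


# Constructed sample log lines in the shape JBoss prints for a failed LDAP bind.
SAMPLE_LOG = [
    "WARN  [LdapExtLoginModule] javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893]",
    "WARN  [LdapExtLoginModule] javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893]",
    "WARN  [LdapExtLoginModule] javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893]",
    "WARN  [LdapExtLoginModule] javax.naming.CommunicationException: domain.com:389",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode_bind_error(line))
    print(summarize_bind_errors(SAMPLE_LOG))
    print(decode_uac(0x00000212))
```

The data code is hexadecimal in the message (52e, not 52E or 1326), which is why the regex accepts either case and the lookup converts with base 16 before comparing against the table.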