Bug 1118368
| Field | Value |
|---|---|
| Summary | Unable to clone repository using ssh issue with LDAP on Tomcat |
| Product | [Retired] JBoss BPMS Platform 6 |
| Reporter | Martin Weiler <mweiler> |
| Component | Business Central |
| Assignee | Marco Rietveld <mrietvel> |
| Status | CLOSED EOL |
| QA Contact | Lukáš Petrovický <lpetrovi> |
| Severity | high |
| Priority | high |
| Version | 6.0.1 |
| CC | alazarot, kverlaen, lpetrovi, manstis, mweiler |
| Target Milestone | ER5 |
| Target Release | 6.1.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Last Closed | 2020-03-27 20:00:30 UTC |
| Type | Bug |
| Bug Depends On | 1103237 |
| Bug Blocks | 1214292 |
Description

Martin Weiler
2014-07-10 14:22:30 UTC

Created attachment 917105: config files to reproduce the issue.

```
Archive:  config.files.zip
   Length      Date    Time    Name
---------  ---------- -----   ----
     8749  07-09-2014 10:59   ldap.ldif
     7054  07-10-2014 16:20   server.xml
---------                     -------
    15803                     2 files
```

ldap.ldif can be used to set up the LDAP structure, e.g. on OpenDS.
server.xml contains a JNDIRealm corresponding to this LDAP structure.

Workaround is to use org.jboss.security.auth.spi.LdapExtLoginModule from EAP:

1. Copy picketbox-<version>.jar from EAP 6 to $TOMCAT_HOME/lib.
2. Edit webapps/business-central/WEB-INF/classes/login.config, and define LdapExtLoginModule with the correct settings, e.g.:

```
ApplicationRealm {
    org.jboss.security.auth.spi.LdapExtLoginModule required
        java.naming.provider.url="ldap://127.0.0.1:1389"
        java.naming.security.authentication="simple"
        bindDN="cn=Directory Manager"
        bindCredential="password"
        baseCtxDN="ou=People,DC=example,DC=com"
        baseFilter="(CN={0})"
        rolesCtxDN="OU=Roles,DC=example,DC=com"
        roleFilter="(member={1})"
        roleAttributeID="CN"
        throwValidateError="true"
        searchScope="ONELEVEL_SCOPE"
        allowEmptyPasswords="true"
        defaultRole="user";
};
```

Is it possible to share all your Tomcat config? I may be missing something in my local configs...

Besides the config files available in the attachment, the only other change applied was to webapps/business-central/WEB-INF/classes/login.config, as per BZ 1103237:

```
ApplicationRealm {
    org.apache.catalina.realm.JAASMemoryLoginModule REQUIRED debug=true;
};
```

Ping me on IRC (nick: mweiler) if you are still having problems reproducing. Thanks!

@porcelli. I've noticed it is not possible to git clone ssh://user@host/repo on our Tomcat distributions *at all*.. even with no LDAP configuration :(

Fix added to provide a custom login module that utilizes the realms configured in Tomcat, as it should provide the most flexible solution for JAAS-based authentication. Tested with LDAP and the default in-memory user base realms.

Please make sure that the following property is set and points to the login.config file delivered with the Tomcat distribution war:

```
-Djava.security.auth.login.config=$CATALINA_HOME/webapps/kie-drools-wb/WEB-INF/classes/login.config
```

kie-wb-distributions master: https://github.com/droolsjbpm/kie-wb-distributions/commit/8aa6aceacb6e6f76f346954bfb669cc06ae6c4c0
6.2.x: https://github.com/droolsjbpm/kie-wb-distributions/commit/d85ed4ee0bf646df2ba9350b5b8df37e3ae9d001

This is currently blocked by a regression - bug 1103237. Commits for this issue might actually be the cause of the regression.

Tomas, take a look at the comment here: https://bugzilla.redhat.com/show_bug.cgi?id=1103237#c13

Verified on BPMS 6.1.0 ER5 (running on EWS 2.1) using both tomcat-users.xml and LDAP.

Maciej, thanks a lot for your last comment on bug 1103237. It helped me to find the cause of my problems and enabled me to verify this issue.

The documentation needs to be changed. There are instructions to create a $TOMCAT_DIR/bin/setenv.sh file with the following content:

```
CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=RuleFlow -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry"
```

After this BZ is fixed, it should also set the 'java.security.auth.login.config' property and look like this:

```
CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=Full -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry -Djava.security.auth.login.config=$CATALINA_HOME/webapps/business-central/WEB-INF/classes/login.config"
```

Note that besides adding this new property, the Designer perspective also needs to be changed. Right now, RuleFlow is the default while it should be Full in BPM Suite.