Bug 1118368 - Unable to clone repository using ssh issue with LDAP on Tomcat
Summary: Unable to clone repository using ssh issue with LDAP on Tomcat
Keywords:
Status: VERIFIED
Alias: None
Product: JBoss BPMS Platform 6
Classification: Retired
Component: Business Central
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ER5
Target Release: 6.1.0
Assignee: Maciej Swiderski
QA Contact: Lukáš Petrovický
URL:
Whiteboard:
Depends On: 1103237
Blocks: 1214292
Reported: 2014-07-10 14:22 UTC by Martin Weiler
Modified: 2018-12-06 17:16 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1214292
Environment:
Last Closed:
Type: Bug


Attachments
Config files to reproduce the issue (3.54 KB, application/zip)
2014-07-10 14:23 UTC, Martin Weiler


Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1068662 | None | None | None | Never
Red Hat Bugzilla 1103237 | None | None | None | Never

Internal Links: 1068662 1103237

Description Martin Weiler 2014-07-10 14:22:30 UTC
Description of problem:
Using BPMS 6.0.2 on Tomcat / EWS 2.0, it is not possible to git clone over ssh when the users are stored in LDAP. Only the authentication at the business-central web application is working with the JNDIRealm defined in server.xml.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Deploy BPMS 6.0.2 on EWS 2.0 as per the Installation Guide
2. Change $TOMCAT_HOME/conf/server.xml to use JNDIRealm instead of UserDatabaseRealm
3. Edit business-central/WEB-INF/classes/login.config (as per https://bugzilla.redhat.com/show_bug.cgi?id=1103237)
4. Start the server
5. Clone the repository using a user from LDAP:
$ git clone ssh://ldapuser@localhost:8001/repository1

Actual results:
Cloning fails due to failed authentication.

Expected results:
Cloning works with user from LDAP.


Additional info:

Note 1: git clone ssh works with a user defined in tomcat-users.xml

Note 2: Defining JNDIRealm in business-central/WEB-INF/classes/login.config fails with an ArrayIndexOutOfBoundsException, apparently as the JNDIRealm does not have an initialize() method:

java.lang.ArrayIndexOutOfBoundsException: 114
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:771)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
	at org.uberfire.security.server.auth.source.JAASAuthenticationSource.authenticate(JAASAuthenticationSource.java:66)

This error is swallowed in JAASAuthenticationSource:
https://github.com/uberfire/uberfire/blob/master/uberfire-security/uberfire-security-server/src/main/java/org/uberfire/security/server/auth/source/JAASAuthenticationSource.java#L69

Note 3: With BPMS on EAP, the following system property can be used to define the security domain with the LDAP login module:

<property name="org.uberfire.domain" value="LDAPAuth"/>

Comment 1 Martin Weiler 2014-07-10 14:23:46 UTC
Created attachment 917105
Config files to reproduce the issue

Archive:  config.files.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     8749  07-09-2014 10:59   ldap.ldif
     7054  07-10-2014 16:20   server.xml
---------                     -------
    15803                     2 files

ldap.ldif can be used to set up the LDAP structure, e.g. on OpenDS.

server.xml contains JNDIRealm corresponding to this LDAP structure.

Comment 2 Martin Weiler 2014-07-11 12:16:24 UTC
The workaround is to use org.jboss.security.auth.spi.LdapExtLoginModule from EAP:

1. Copy picketbox-<version>.jar from EAP 6 to $TOMCAT_HOME/lib

2. Edit webapps/business-central/WEB-INF/classes/login.config, and define LdapExtLoginModule with correct settings, e.g.:

ApplicationRealm {
    org.jboss.security.auth.spi.LdapExtLoginModule required
    java.naming.provider.url="ldap://127.0.0.1:1389"
    java.naming.security.authentication="simple"
    bindDN="cn=Directory Manager"
    bindCredential="password"
    baseCtxDN="ou=People,DC=example,DC=com"
    baseFilter="(CN={0})"
    rolesCtxDN="OU=Roles,DC=example,DC=com"
    roleFilter="(member={1})"
    roleAttributeID="CN"
    throwValidateError="true"
    searchScope="ONELEVEL_SCOPE"
    allowEmptyPasswords="true"
    defaultRole="user";
};

Comment 6 Alexandre Porcelli 2015-01-14 13:11:57 UTC
Is it possible to share all your Tomcat config? I may be missing something in my local configs...

Comment 7 Martin Weiler 2015-01-14 15:11:24 UTC
Besides the config files available in the attachment, the only other change applied was to webapps/business-central/WEB-INF/classes/login.config, as per BZ 1103237:

ApplicationRealm {
    org.apache.catalina.realm.JAASMemoryLoginModule REQUIRED debug=true;
};

Ping me on IRC (nick: mweiler) if you are still having problems reproducing it. Thanks!

Comment 8 manstis 2015-02-03 12:44:01 UTC
@porcelli. I've noticed it is not possible to git clone ssh://user@host/repo on our Tomcat distributions *at all*, even with no LDAP configuration :(

Comment 9 Maciej Swiderski 2015-02-04 12:17:39 UTC
Fix added to provide a custom login module that utilizes the realms configured in Tomcat, as this should provide the most flexible solution for JAAS-based authentication.

Tested with LDAP and the default in-memory user database realms.

Please make sure that the following property is set and points to the login.config file delivered with the Tomcat distribution WAR.
-Djava.security.auth.login.config=$CATALINA_HOME/webapps/kie-drools-wb/WEB-INF/classes/login.config

kie-wb-distributions
master:
https://github.com/droolsjbpm/kie-wb-distributions/commit/8aa6aceacb6e6f76f346954bfb669cc06ae6c4c0

6.2.x:
https://github.com/droolsjbpm/kie-wb-distributions/commit/d85ed4ee0bf646df2ba9350b5b8df37e3ae9d001

Comment 10 Zuzana Krejčová 2015-02-23 11:16:28 UTC
This is currently blocked by a regression - bug 1103237. The commits for this issue might actually be the cause of the regression.

Comment 11 Maciej Swiderski 2015-02-23 17:26:56 UTC
Tomas,

take a look at comment here https://bugzilla.redhat.com/show_bug.cgi?id=1103237#c13

Comment 12 Tomas Livora 2015-03-03 17:00:58 UTC
Verified on BPMS 6.1.0 ER5 (running on EWS 2.1) using both tomcat-users.xml and LDAP.

Maciej, thanks a lot for your last comment on bug 1103237. It helped me to find the cause of my problems and enabled me to verify this issue.


The documentation needs to be changed. There are instructions to create a $TOMCAT_DIR/bin/setenv.sh file with the following content:

CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=RuleFlow -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry"

After this BZ is fixed, it should also set the 'java.security.auth.login.config' property and look like this:

CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=Full -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry -Djava.security.auth.login.config=$CATALINA_HOME/webapps/business-central/WEB-INF/classes/login.config"

Note that besides adding this new property, the Designer perspective also needs to be changed. Right now the default is RuleFlow, while it should be Full in BPM Suite.


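As an added check (an example written for this page, not code from the bug report, the product or its documentation): a POSIX sh script that verifies the setenv.sh / login.config wiring described in comment 9 and comment 12, i.e. that -Djava.security.auth.login.config is set, that the file it names exists once $CATALINA_HOME is expanded, and that it defines the ApplicationRealm entry with at least one login module; it also warns when the allowEmptyPasswords="true" setting from the comment 2 workaround is present. The Tomcat layout, setenv files and login.config it creates under a temporary directory are constructed fixtures.

```shell
#!/bin/sh
# Added example, not part of the bug report: check that a Tomcat setenv.sh
# passes -Djava.security.auth.login.config and that the file it names exists
# and defines the ApplicationRealm entry Business Central looks up via JAAS.
# Fixture paths and files below are constructed for the demo.
set -u

# Print the login.config path named in setenv.sh ($1), with $CATALINA_HOME
# expanded to $2. Returns 1 when the property is absent.
login_config_path() {
    raw=$(sed -n 's/.*-Djava\.security\.auth\.login\.config=\([^ "]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$raw" ] || return 1
    case $raw in
        '$CATALINA_HOME'*) printf '%s\n' "$2${raw#\$CATALINA_HOME}" ;;
        *)                 printf '%s\n' "$raw" ;;
    esac
}

# Return 0 only if the property is set, the file exists and it contains an
# ApplicationRealm block naming at least one login module. Warns (but passes)
# when the LdapExtLoginModule workaround is configured to accept empty passwords.
check_login_config() {
    path=$(login_config_path "$1" "$2") || { echo "MISSING java.security.auth.login.config in $1"; return 1; }
    [ -f "$path" ] || { echo "MISSING file $path"; return 1; }
    grep -q '^ApplicationRealm[[:space:]]*{' "$path" || { echo "NO ApplicationRealm entry in $path"; return 1; }
    grep -qiE '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]+(required|requisite|sufficient|optional)([[:space:]]|;)' "$path" \
        || { echo "NO login module in $path"; return 1; }
    grep -q 'allowEmptyPasswords="true"' "$path" && echo "WARN $path: empty passwords are passed to the LDAP bind"
    echo "OK $path"
}

# --- constructed fixture: one good setenv.sh and one missing the property ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/bin" "$demo/webapps/business-central/WEB-INF/classes"
cat > "$demo/webapps/business-central/WEB-INF/classes/login.config" <<'EOF'
ApplicationRealm {
    org.apache.catalina.realm.JAASMemoryLoginModule REQUIRED debug=true;
};
EOF
cat > "$demo/bin/setenv.sh" <<'EOF'
CATALINA_OPTS="-Xmx512M -Djava.security.auth.login.config=$CATALINA_HOME/webapps/business-central/WEB-INF/classes/login.config"
EOF
cat > "$demo/bin/setenv-broken.sh" <<'EOF'
CATALINA_OPTS="-Xmx512M -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry"
EOF

for f in setenv.sh setenv-broken.sh; do
    check_login_config "$demo/bin/$f" "$demo" || echo "  -> with $f, JAAS login for git over ssh would fail"
done
```

Run it against a real installation by calling check_login_config with the installation's bin/setenv.sh and $CATALINA_HOME instead of the fixture paths.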