JBoss BPMS Platform / RHBPMS-3540

[update-docs] Unable to clone repository using ssh issue with LDAP on Tomcat


Details

    Description

      Please add the following note to the installation guide for Tomcat:

      Create a setenv.sh file (must be readable) under $TOMCAT_HOME/bin with the following content:

      CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Djava.security.auth.login.config=$CATALINA_HOME/webapps/business-central/WEB-INF/classes/login.config -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=RuleFlow -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry"

      Without setting the java.security.auth.login.config property, the ssh clone of the git repository doesn't work!

      +++ This bug was initially created as a clone of Bug #1118368 +++

      Description of problem:
      Using BPMS 6.0.2 on Tomcat / EWS 2.0, it is not possible to git clone over ssh when the users are stored in LDAP. Only the authentication at the business-central web application is working with the JNDIRealm defined in server.xml.

      Version-Release number of selected component (if applicable):

      How reproducible:
      always

      Steps to Reproduce:
      1. Deploy BPMS 6.0.2 on EWS 2.0 as per the Installation Guide
      2. Change $TOMCAT_HOME/conf/server.xml to use JNDIRealm instead of UserDatabaseRealm
      3. Edit business-central/WEB-INF/classes/login.config (as per https://bugzilla.redhat.com/show_bug.cgi?id=1103237)
      4. Start the server
      5. Clone the repository using a user from LDAP:
      $ git clone ssh://ldapuser@localhost:8001/repository1

      Actual results:
      Cloning fails due to failed authentication.

      Expected results:
      Cloning works with user from LDAP.

      Additional info:

      Note 1: git clone ssh works with a user defined in tomcat-users.xml

      Note 2: Defining JNDIRealm in business-central/WEB-INF/classes/login.config fails with an ArrayIndexOutOfBoundsException, apparently as the JNDIRealm does not have an initialize() method:

      java.lang.ArrayIndexOutOfBoundsException: 114
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:771)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
      at org.uberfire.security.server.auth.source.JAASAuthenticationSource.authenticate(JAASAuthenticationSource.java:66)

      This error is swallowed in JAASAuthenticationSource:
      https://github.com/uberfire/uberfire/blob/master/uberfire-security/uberfire-security-server/src/main/java/org/uberfire/security/server/auth/source/JAASAuthenticationSource.java#L69

      Note 3: With BPMS on EAP, the following system property can be used to define the security domain with the LDAP login module:

      <property name="org.uberfire.domain" value="LDAPAuth"/>

      — Additional comment from Martin Weiler on 2014-07-10 10:23:46 EDT —

      Archive: config.files.zip
      Length Date Time Name
      --------- ---------- ----- ----
      8749 07-09-2014 10:59 ldap.ldif
      7054 07-10-2014 16:20 server.xml
      --------- -------
      15803 2 files

      ldap.ldif can be used to set up LDAP structure, eg. on OpenDS.

      server.xml contains JNDIRealm corresponding to this LDAP structure.

      — Additional comment from Martin Weiler on 2014-07-11 08:16:24 EDT —

      The workaround is to use org.jboss.security.auth.spi.LdapExtLoginModule from EAP:

      1. Copy picketbox-<version>.jar from EAP 6 to $TOMCAT_HOME/lib

      2. Edit webapps/business-central/WEB-INF/classes/login.config, and define LdapExtLoginModule with the correct settings, e.g.:

      ApplicationRealm {
          org.jboss.security.auth.spi.LdapExtLoginModule required
              java.naming.provider.url="ldap://127.0.0.1:1389"
              java.naming.security.authentication="simple"
              bindDN="cn=Directory Manager"
              bindCredential="password"
              baseCtxDN="ou=People,DC=example,DC=com"
              baseFilter="(CN={0})"
              rolesCtxDN="OU=Roles,DC=example,DC=com"
              roleFilter="(member={1})"
              roleAttributeID="CN"
              throwValidateError="true"
              searchScope="ONELEVEL_SCOPE"
              allowEmptyPasswords="true"
              defaultRole="user";
      };
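
As an added example (not from this issue or from the attached config files), the following Python parses a JAAS login.config in the layout used above and reports what a reviewer would question in the workaround entry. The sample config is constructed, the meaning of allowEmptyPasswords follows the PicketBox LdapExtLoginModule documentation, and the lint rules are the editor's, not the project's.

```python
import re

# Constructed sample modelled on the LdapExtLoginModule entry above; values are placeholders.
SAMPLE_LOGIN_CONFIG = '''
ApplicationRealm {
  org.jboss.security.auth.spi.LdapExtLoginModule required
    java.naming.provider.url="ldap://127.0.0.1:1389"
    bindDN="cn=Directory Manager"
    bindCredential="password"
    baseCtxDN="ou=People,DC=example,DC=com"
    baseFilter="(CN={0})"
    allowEmptyPasswords="true";
};
'''

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
_ENTRY = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)               # Name { ... };
_STANZA = re.compile(r'((?:"[^"]*"|[^;"])+);')                    # one module, ';' outside quotes
_OPTION = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')   # key="value" or key=value

def parse_login_config(text):
    """Return {app_name: [(module_class, control_flag, {option: value}), ...]}."""
    entries = {}
    for name, body in _ENTRY.findall(text):
        modules = []
        for stanza in _STANZA.findall(body):
            parts = stanza.split(None, 2)   # module class, control flag, then all options
            if len(parts) < 2:
                continue                    # malformed stanza: no class or no control flag
            opts = {k: q or u for k, q, u in _OPTION.findall(parts[2])} if len(parts) > 2 else {}
            modules.append((parts[0], parts[1].lower(), opts))
        entries[name] = modules
    return entries

def lint_login_config(entries, app_name="ApplicationRealm"):
    """Return findings a reviewer would raise; an empty list means nothing to report."""
    findings = []
    if app_name not in entries:
        findings.append(f"no '{app_name}' entry (the name used by the login.config above)")
    for app, modules in entries.items():
        for module, flag, opts in modules:
            if flag not in CONTROL_FLAGS:
                findings.append(f"{app}: invalid JAAS control flag '{flag}' on {module}")
            if opts.get("allowEmptyPasswords", "").lower() == "true":
                findings.append(f"{app}: allowEmptyPasswords=true hands an empty password to "
                                "LDAP, which many directories treat as an anonymous bind")
            if "bindCredential" in opts:
                findings.append(f"{app}: bindCredential is clear text; keep login.config "
                                "readable by the Tomcat service account only")
    return findings
```

Run it against the business-central login.config after applying the workaround; the two findings on the constructed sample are the ones to weigh before copying the entry as-is.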

      — Additional comment from Alessandro Lazarotti on 2014-07-24 15:23:54 EDT —

      Adding it to the roll-up patch as Bug 1068662 has this one as part of the fix.

      — Additional comment from Alessandro Lazarotti on 2014-08-05 16:28:01 EDT —

      I've added this BZ to the roll-up patch because Kris asked about it at https://bugzilla.redhat.com/show_bug.cgi?id=1068662#c14.
      However, looking at the description of Bug 1068662, it seems not really related to Bug 1118368. Anton has mentioned the git/ssh problem at https://bugzilla.redhat.com/show_bug.cgi?id=1068662#c10 and Michel replied about that, but his fix does not depend on Bug 1118368.

      Given that, instead of changing the BZ to MODIFIED, we can remove it from the roll-up list so it can be fixed in the future.

      — Additional comment from Alessandro Lazarotti on 2015-01-12 19:39:02 EST —

      This is an old issue that needs to be addressed in the 6.1 release. Adding gss_prioritized to the whiteboard.

      — Additional comment from Alexandre Porcelli on 2015-01-14 08:11:57 EST —

      Is it possible to share all your Tomcat config? I may be missing something in my local configs...

      — Additional comment from Martin Weiler on 2015-01-14 10:11:24 EST —

      Besides the config files available in the attachment, the only other change applied was to webapps/business-central/WEB-INF/classes/login.config, as per BZ 1103237:

      ApplicationRealm {
          org.apache.catalina.realm.JAASMemoryLoginModule REQUIRED debug=true;
      };

      Ping me on IRC (nick: mweiler) if you are still having problems to reproduce. Thanks!

      — Additional comment from on 2015-02-03 07:44:01 EST —

      @porcelli. I've noticed it is not possible to git clone ssh://user@host/repo on our Tomcat distributions at all, even with no LDAP configuration.

      — Additional comment from Maciej Swiderski on 2015-02-04 07:17:39 EST —

      Fix added to provide a custom login module that utilizes the realms configured in Tomcat, as it should provide the most flexible solution for JAAS-based authentication.

      Tested with LDAP and the default in-memory user base realms.

      Please make sure that the following property is set and points to the login.config file delivered with the Tomcat distribution war:
      -Djava.security.auth.login.config=$CATALINA_HOME/webapps/kie-drools-wb/WEB-INF/classes/login.config

      kie-wb-distributions
      master:
      https://github.com/droolsjbpm/kie-wb-distributions/commit/8aa6aceacb6e6f76f346954bfb669cc06ae6c4c0

      6.2.x:
      https://github.com/droolsjbpm/kie-wb-distributions/commit/d85ed4ee0bf646df2ba9350b5b8df37e3ae9d001

      — Additional comment from Zuzana Krejčová on 2015-02-23 06:16:28 EST —

      This is currently blocked by a regression, bug 1103237. Commits for this issue might actually be the cause of the regression.

      — Additional comment from Maciej Swiderski on 2015-02-23 12:26:56 EST —

      Tomas,

      take a look at the comment here: https://bugzilla.redhat.com/show_bug.cgi?id=1103237#c13

      — Additional comment from Tomas Livora on 2015-03-03 12:00:58 EST —

      Verified on BPMS 6.1.0 ER5 (running on EWS 2.1) using both tomcat-users.xml and LDAP

      Maciej, thanks a lot for your last comment on bug 1103237. It helped me to find the cause of my problems and enabled me to verify this issue.

      The documentation needs to be changed. There are instructions to create $TOMCAT_DIR/bin/setenv.sh file with the following content:

      CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=RuleFlow -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry"

      After this BZ is fixed, it should also set the 'java.security.auth.login.config' property and look like this:

      CATALINA_OPTS="-Xmx512M -XX:MaxPermSize=512m -Dbtm.root=$CATALINA_HOME -Dbitronix.tm.configuration=$CATALINA_HOME/conf/btm-config.properties -Dorg.jbpm.designer.perspective=Full -Djbpm.tsr.jndi.lookup=java:comp/env/TransactionSynchronizationRegistry -Djava.security.auth.login.config=$CATALINA_HOME/webapps/business-central/WEB-INF/classes/login.config"

      Note that besides adding this new property, the Designer perspective also needs to be changed. Right now RuleFlow is the default, while it should be Full in BPM Suite.

            People

              gsheldon_jira Gemma Hilton (Inactive)
              rhn-support-agiertli Anton Giertli
              Jiří Locker Jiří Locker
              Petr Penicka Petr Penicka (Inactive)
              Jiří Locker Jiří Locker
              Alessandro Lazarotti, brms-docs brms-docs (Inactive), Kris Verlaenen, Maciej Swiderski (Inactive), Martin Weiler, Michael Anstis, Tomáš Livora (Inactive), Zuzka Krejčová (Inactive)