Tags: java, ldap, jboss7.x

JBoss7: LDAP connectivity issue


I have a web application which is deployed in JBoss 7. Everything is working fine except one thing. We have two different AD/LDAP servers, one for UAT and the other for Production users. UAT AD/LDAP users are able to log in; however, Production AD/LDAP users are not able to log in.

security-domain in standalone.xml - UAT LDAP configuration

<security-domain name="other" cache-type="default">
    <authentication>
        <!-- LdapLoginModule binds as the user itself: DN = principalDNPrefix + login name + principalDNSuffix -->
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://XXX.XXX.XX.XX:389/"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="principalDNPrefix" value="CN="/>
            <module-option name="principalDNSuffix" value=",CN=Users,DC=CISLAB,DC=TP,DC=EDU,DC=IN"/>
            <!-- roles: entries under rolesCtxDN whose uidAttributeID matches the login name (matchOnUserDN=false);
                 the role name is read from roleAttributeID -->
            <module-option name="rolesCtxDN" value="CN=Users,DC=CISLAB,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="uidAttributeID" value="member"/>
            <module-option name="matchOnUserDN" value="false"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
        </login-module>
    </authentication>
</security-domain>

security-domain in standalone.xml - Production LDAP configuration

<security-domain name="other" cache-type="default">
    <authentication>
        <!-- NOTE: bindDN, bindCredential, baseCtxDN, baseFilter and roleFilter are LdapExtLoginModule options;
             LdapLoginModule does not read them, and no principalDNPrefix/Suffix is configured here -->
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://XXX.XXX.XX.XX:389/"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="bindDN" value="CN=ESA AD Account,OU=Special Accounts,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="bindCredential" value="XXX"/>
            <module-option name="baseCtxDN" value="CN=Users,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="CN=Users,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="sAMAccountName"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="defaultRole" value="user"/>
            <module-option name="roleNameAttributeID" value="CN"/>
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
</security-domain>

server.log

12:11:07,002 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (https_executor-threads - 2) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]

Everything else is the same; if I modify standalone.xml to point at the Production LDAP server, users are not able to log in to the application.

Could anyone please let me know why this is happening, or has anyone faced a similar issue? Thanks for your help.


Solution

  • The bindDN & bindCredential properties are part of the LdapExtLoginModule class, and initially we had only extended the LdapLoginModule class. Later we extended the LdapExtLoginModule class as well, and finally the issue was resolved.

        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
            <module-option name="bindDN" value="CN=ESA AD Account,OU=Special Accounts,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="bindCredential" value="XXX"/>
        </login-module>
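For reference, the complete Production security-domain as it looks once the module class matches the options it is given, written out here as an added example rather than the asker's or answerer's own configuration. Besides the class change it also covers two things a practitioner would want fixed in the posted configs: `ldap://…:389` with `simple` authentication sends the service account's password and every user's password across the network in cleartext, so the URL is switched to `ldaps://` (the CA that issued the domain controller's certificate must then be in the JVM truststore, for example via `-Djavax.net.ssl.trustStore`), and `bindCredential` is read from the JBoss AS 7 password vault (`${VAULT::block::attribute::sharedKey}`) instead of sitting in cleartext in standalone.xml. The host name, the vault block/attribute names and the shared key are placeholders, and using `CN=Users` as the groups container with a `(member={1})` group filter is an assumption about the directory layout, not something the question states.

```xml
<!-- Added example (not the original poster's config): Production AD via LdapExtLoginModule.
     Host name, vault block/attribute name and shared key below are placeholders. -->
<security-domain name="other" cache-type="default">
    <authentication>
        <!-- single module, so "required" makes the intent explicit -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <!-- ldaps:// so neither the service-account nor user passwords cross the wire in cleartext -->
            <module-option name="java.naming.provider.url" value="ldaps://ad.prod.example.com:636/"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <!-- service account is used only to look up the user's DN; the user's own bind verifies the password -->
            <module-option name="bindDN" value="CN=ESA AD Account,OU=Special Accounts,DC=TP,DC=EDU,DC=IN"/>
            <!-- vault reference (block "ldap", attribute "bindCredential", placeholder shared key)
                 instead of a cleartext password in standalone.xml -->
            <module-option name="bindCredential" value="${VAULT::ldap::bindCredential::SHARED_KEY}"/>
            <!-- user lookup: {0} is the login name -->
            <module-option name="baseCtxDN" value="CN=Users,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <!-- roles: AD groups whose member attribute lists the user's DN ({1}); role name = group cn.
                 Assumes groups live under CN=Users; adjust rolesCtxDN for your directory. -->
            <module-option name="rolesCtxDN" value="CN=Users,DC=TP,DC=EDU,DC=IN"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="defaultRole" value="user"/>
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
</security-domain>
```

The vault expression only resolves if the `<vault>` element is configured in standalone.xml and the attribute was stored with `vault.sh` beforehand; the key printed by that tool replaces `SHARED_KEY`. With the posted `(sAMAccountName={0})` role filter and `roleAttributeID="sAMAccountName"`, the only roles a user would receive are their own login name plus `defaultRole`; the `(member={1})` filter above is the usual way to map AD group membership to JBoss roles, but verify the groups' location in your directory before relying on it.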