Teiid VDB LDAP Login Module Error

Hello, we are currently running into issues when configuring LDAP authentication for a deployed VDB; we would like to enter our Active Directory username and password when logging into the VDB. We have successfully configured LDAP authentication for the admin console, but are running into errors during server start-up.

I have been able to successfully configure authentication for the admin console at hostname:9990. With the following changes to standalone.xml we can provide our Active Directory user/pass and log in to the admin console.

Below is the security domain we are running into issues with, and the security realm which is working.

This is the error we are receiving:

ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
        at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
<datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
    <connection-url>jdbc:teiid:refresh@mm://hostname:31000</connection-url>
    <driver>teiid</driver>
    <security>
        <security-domain>test_ldap_security_domain</security-domain>
    </security>
</datasource>

<security-domain name="test_ldap_security_domain">
    <authentication>
        <login-module code="LdapExtended" flag="sufficient">
            <module-option name="java.naming.provider.url" value="ldap://hostname:389" />
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
            <module-option name="java.naming.security.authentication" value="simple" />
            <module-option name="bindDN" value="adminusername" />
            <module-option name="bindCredential" value="adminpassword" />
            <module-option name="distinguishedNameAttribute" value="sAMAccountName" />
            <module-option name="baseFilter" value="(sAMAccountName={0})" />
            <module-option name="baseCtxDN" value="dc=main" />
        </login-module>
    </authentication>
</security-domain>

<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap-connection" base-dn="dc=main">
            <advanced-filter filter="(&amp;(sAMAccountName={0}))"/>
        </ldap>
    </authentication>
</security-realm>

<outbound-connections>
    <ldap name="ldap-connection" url="ldap://hostname:389" search-dn="adminusername" search-credential="adminpassword"/>
</outbound-connections>

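To isolate which step of the LDAP login fails, the following Java program is an added example (not code from this thread, from Teiid or from PicketBox) that performs the same three steps the LdapExtended module runs with the options posted above: bind with bindDN/bindCredential, search baseCtxDN with baseFilter ({0} replaced by the user name), then bind as the entry found using the user's own password. The host name, bind account and base DN are the placeholders from the post and must be replaced. One deliberate difference is labelled in the code: it reads the distinguishedName attribute (the module's default for distinguishedNameAttribute, and where Active Directory stores the DN) rather than the posted sAMAccountName, because the value of that attribute is what the module binds as in the last step. Note that the stack trace above is raised from the datasource deployer's createSubject() at deployment time, before any end user has logged in, whereas this program assumes a user name and password are given on the command line.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example: replays the three steps of an LdapExtended login against
 * Active Directory so that each step can fail (and be reported) on its own.
 * Usage: java LdapExtendedCheck <sAMAccountName> <password>
 */
public class LdapExtendedCheck {

    // Values copied from the posted <security-domain>; host, bind account and
    // base DN are placeholders, not real ones.
    static final String PROVIDER_URL = "ldap://hostname:389";
    static final String BIND_DN = "adminusername";
    static final String BIND_CREDENTIAL = "adminpassword";
    static final String BASE_CTX_DN = "dc=main";
    static final String BASE_FILTER = "(sAMAccountName={0})";
    // Assumption that differs from the post: the attribute whose value the
    // module binds as in step 3. The module default is "distinguishedName".
    static final String DN_ATTRIBUTE = "distinguishedName";

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: java LdapExtendedCheck <sAMAccountName> <password>");
            System.exit(2);
        }
        String user = args[0];
        String password = args[1];

        // Step 1: bind with the service account (bindDN / bindCredential).
        DirContext ctx = bind(BIND_DN, BIND_CREDENTIAL);
        System.out.println("step 1 ok: bound as " + BIND_DN);

        // Step 2: search baseCtxDN with baseFilter, {0} replaced by the user name.
        String userDn = findUserDn(ctx, user);
        ctx.close();
        System.out.println("step 2 ok: " + user + " -> " + userDn);

        // Step 3: bind as the located entry with the user's own password.
        bind(userDn, password).close();
        System.out.println("step 3 ok: user credentials accepted");
    }

    /** Simple bind, using the same JNDI settings as the posted module options. */
    static DirContext bind(String principal, String credential) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        // A simple bind sends the password in clear text; use ldaps:// outside a lab.
        return new InitialDirContext(env);
    }

    /** Locates the single entry matching baseFilter and returns its DN. */
    static String findUserDn(DirContext ctx, String user) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { DN_ATTRIBUTE });
        // filterArgs substitution escapes the user name, so a crafted login
        // name cannot change the meaning of the filter.
        NamingEnumeration<SearchResult> results =
                ctx.search(BASE_CTX_DN, BASE_FILTER, new Object[] { user }, sc);
        if (!results.hasMore()) {
            throw new NamingException("no entry matches " + BASE_FILTER
                    + " for " + user + " under " + BASE_CTX_DN);
        }
        SearchResult entry = results.next();
        if (results.hasMore()) {
            throw new NamingException("filter matched more than one entry for " + user);
        }
        Attribute dnAttr = entry.getAttributes().get(DN_ATTRIBUTE);
        // Fall back to the entry's own name if the attribute was not returned.
        return dnAttr != null ? (String) dnAttr.get() : entry.getNameInNamespace();
    }
}
```

Compile with javac LdapExtendedCheck.java and run it with a real account; whichever step throws a NamingException (on Active Directory an invalid password or bind name shows up as LDAP error 49 with a 52e data code) is the step at which the login module would also stop.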
Responses

Hello, your error message didn't get attached to the discussion. By default the teiid subsystem transports use the teiid-security domain [1]; you will need to switch them to use your test_ldap_security_domain [2].

[1]

<subsystem xmlns="urn:jboss:domain:teiid:1.0">
                <async-thread-pool>teiid-async</async-thread-pool>
                <policy-decider-module>org.jboss.teiid</policy-decider-module>
                <resultset-cache infinispan-container="teiid-cache"/>
                <preparedplan-cache infinispan-container="teiid-cache"/>
                <distributed-cache jgroups-stack="udp"/>
                <transport name="embedded"/>
                <transport name="odata">
                    <authentication security-domain="teiid-security"/>
                </transport>
                <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
                    <authentication security-domain="teiid-security"/>
                </transport>
                <transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
                    <authentication security-domain="teiid-security"/>
                    <ssl mode="disabled"/>
                </transport>

[2]
<subsystem xmlns="urn:jboss:domain:teiid:1.0">
                <async-thread-pool>teiid-async</async-thread-pool>
                <policy-decider-module>org.jboss.teiid</policy-decider-module>
                <resultset-cache infinispan-container="teiid-cache"/>
                <preparedplan-cache infinispan-container="teiid-cache"/>
                <distributed-cache jgroups-stack="udp"/>
                <transport name="embedded"/>
                <transport name="odata">
                    <authentication security-domain="test_ldap_security_domain"/>
                </transport>
                <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
                    <authentication security-domain="test_ldap_security_domain"/>
                </transport>
                <transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
                    <authentication security-domain="test_ldap_security_domain"/>
                    <ssl mode="disabled"/>
                </transport>

Hello, thanks for your response. However I still get the same error after making those changes.

ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
        at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

You should log a support ticket so they can check your configuration and trace logs to see where the authentication is failing.
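The trace logs mentioned above can be switched on in standalone.xml by adding loggers to the server's existing logging subsystem; the fragment below is an added example, not part of the thread. TRACE output from org.jboss.security records each login module's options and outcome, including the search filter and DNs it used, so the loggers should be removed again once the failing step has been found.

```xml
<!-- Added example: place inside the existing <subsystem xmlns="urn:jboss:domain:logging:..."> element -->
<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>
<logger category="org.teiid">
    <level name="DEBUG"/>
</logger>
```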

Hello, I do not have support. Is there any way I can still receive assistance for this issue?