Teiid VDB LDAP Login Module Error


Hello, we are currently running into issues when configuring LDAP authentication for a deployed VDB. We would like to enter our Active Directory username and password when logging into the VDB. We have successfully configured LDAP authentication for the admin console, but are running into errors during server startup.

I have been able to successfully configure authentication for the admin console at hostname:9990. With the following changes to Standalone.xml, we can provide our Active Directory user/pass and log in to the admin console.

Below are the defined security domain, with which we are running into issues, and a security realm, which is working.

This is the error we are receiving:

ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
        at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
        at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
        at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
        at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]

<datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
    <connection-url>jdbc:teiid:refresh@mm://hostname:31000</connection-url>
    <driver>teiid</driver>
    <security>
        <security-domain>test_ldap_security_domain</security-domain>
    </security>
</datasource>

<security-domain name="test_ldap_security_domain">
    <authentication>
        <login-module code="LdapExtended" flag="sufficient">
            <module-option name="java.naming.provider.url" value="ldap://hostname:389" />
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
            <module-option name="java.naming.security.authentication" value="simple" />
            <module-option name="bindDN" value="adminusername" />
            <module-option name="bindCredential" value="adminpassword" />
            <module-option name="distinguishedNameAttribute" value="sAMAccountName" />
            <module-option name="baseFilter" value="(sAMAccountName={0})" />
            <module-option name="baseCtxDN" value="dc=main" />
        </login-module>
    </authentication>
</security-domain>



<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap-connection" base-dn="dc=main">
            <advanced-filter filter="(&amp;(sAMAccountName={0}))"/>
        </ldap>
    </authentication>
</security-realm>

<outbound-connections>
    <ldap name="ldap-connection" url="ldap://hostname:389" search-dn="adminusername" search-credential="adminpassword"/>
</outbound-connections>
