Purpose (problem description)

The purpose of this page is to assist in helping with problems when setting up LDAP on the CAST Engineering Dashboard. This guide is intended as a supplement for issues you may have after you have followed the basic instructions in the CAST documentation for your release.

Observed in CAST AIP
Release: 8.3.x - Yes
Observed on RDBMS
RDBMS: CSS - Yes
Step by Step scenario
  1. Configure LDAP settings in web.xml
  2. Launch the dashboard
  3. Login using the LDAP credentials

Relevant Input

  • web.xml file from the deployed CAST dashboard application
  • Screenshots showing the error - it may be something like this image:


  • Screenshots from the LDAP server showing the user, group, OU, and domain for the <proxy_user>.<naming_service> being configured - make sure that all details can be clearly shown. It should look something like this with all details being visible:


  • The web application server logs with JAAS tracing (logger.level.JAAS parameter set to 0 in the web.xml), so that the LDAP messages can be seen in the logs
Verify the configuration to avoid LDAP connection issues

See the basic steps below that can assist in troubleshooting LDAP Dashboard Connections:

 
    • Check the dashboard operation prior to turning on LDAP, especially with the user that you are planning on using in your LDAP environment.
    • Ask the person who is adding the CAST information to Active Directory to provide you with detailed screenshots showing the user, domain, the OUs, and the group that are associated with the entry being added to LDAP, so that you understand how things have been set up in Active Directory.
    • Verify the LDAP server connection from the web application server. You may even be able to enter the LDAP server in a browser session to confirm you can connect to it, by entering the value from your web.xml file, which is something like LDAP://<LDAP_server1>:389. Some companies have multiple LDAP servers, so make sure you are connected to the one that is associated with the information you were provided.
    • Keep it small to begin with, especially if you are new to LDAP or are setting up LDAP in an unfamiliar environment: don't start with advanced options until the basic ones work.
    • Verify your web.xml settings, then re-verify them.
    • Validate Authentication and Authorization by following the page CAST Engineering Dashboard - WAR Deployment - LDAP - How to validate the Authentication and Authorization.

If the above verification does not solve your issue, go to the next step: activate the JAAS traces and investigate the logs.

Activate the JAAS trace on dashboard logs and check for errors

Turn on JAAS tracing by setting the parameter logger.level.JAAS to 0 in the web.xml.  This will allow you to see details on the LDAP steps performed in the dashboard.
Check the JAAS log entries in your web application server logs.  For Tomcat, these will by default be in the logs for standard output (stdout).  You may have to check your web.xml log configuration settings as well as your web application server settings if you are not seeing these entries.  Remember to re-deploy the web application after any changes to the web.xml file. Set it back to the default of 2 once your configuration has been tested and confirmed.
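As an added example (not CAST's own code or tooling), the following Python script reads the two web.xml parameters named on this page, logger.level.JAAS and security.auth.login.config, and reports whether tracing is still switched on and whether the login.config path actually exists on the server. It assumes the parameters are stored as <param-name>/<param-value> pairs (context-param or init-param); the embedded web.xml fragment and its login.config path are constructed for the example.

```python
"""Added example, not CAST's own code: sanity-check the JAAS/LDAP parameters
of a dashboard web.xml before re-deploying.

Assumptions (not from the page): the parameters are stored as
<param-name>/<param-value> pairs (context-param or init-param, either works);
the embedded web.xml fragment and its login.config path are constructed.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: tracing switched on, login.config path from an old Tomcat layout.
SAMPLE_WEB_XML = r"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>logger.level.JAAS</param-name>
    <param-value>0</param-value>
  </context-param>
  <context-param>
    <param-name>security.auth.login.config</param-name>
    <param-value>F:\old-tomcat\conf\login.config</param-value>
  </context-param>
</web-app>
"""


def load_params(xml_text):
    """Return every <param-name> -> <param-value> pair, ignoring XML namespaces."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        name = value = None
        for child in elem:
            tag = child.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
            if tag == "param-name":
                name = (child.text or "").strip()
            elif tag == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def check_params(params, path_exists=os.path.exists):
    """Apply the checks this page describes; returns a list of findings (empty = clean)."""
    findings = []
    level = params.get("logger.level.JAAS")
    if level is None:
        findings.append("logger.level.JAAS not set: set it to 0 to trace the LDAP steps")
    elif level == "0":
        findings.append("JAAS tracing is on (logger.level.JAAS=0): reset it to 2 once LDAP is confirmed")
    elif level != "2":
        findings.append(f"logger.level.JAAS={level}: 0 enables tracing, 2 is the default")

    cfg = params.get("security.auth.login.config")
    if not cfg:
        findings.append("security.auth.login.config not set")
    elif not path_exists(cfg):
        # This is the situation behind the 'login.config (No such file or directory)' error.
        findings.append(f"security.auth.login.config points to a missing file: {cfg}")
    return findings


if __name__ == "__main__":
    for finding in check_params(load_params(SAMPLE_WEB_XML)):
        print("WARNING:", finding)
```

Run it against the real web.xml (read the file instead of SAMPLE_WEB_XML) on the web application server itself, since the path check only means something on the machine that runs Tomcat.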

For a normal LDAP run, you'll see something like this in the JAAS logs:

  • [INFO]:    [JAAS] LDAP authorization active
  • [INFO]:    [JAAS] LDAP default user domain appended: <userid>@****.*********.*****
  • [INFO]:    [JAAS] Security principal : <userid>@********.************.*********
  • [INFO]:    [JAAS] LDAP OU search filter: OU=<OU_name1> OU=<OU_name2>
  • [INFO]:    [JAAS] search LDAP for a proxy user to access webgoat_central repository
  • [INFO]:    [JAAS] Creating new LDAP context.
  • [INFO]:    [JAAS] LDAP Search base: DC=*****,DC=********,DC=*******
  • [INFO]:    [JAAS] LDAP Search initiated
  • [INFO]:    [JAAS] LDAP Search completed
  • [INFO]:    [JAAS] LDAP Search result processing.
  • [INFO]:    [JAAS] LDAP proxy user found
  • [INFO]:    [JAAS] LDAP group configuration search
  • [INFO]:    [JAAS] LDAP group the user is member of : CN=WebGoat_Manager.webgoat_central,OU=<OU_name1> OU=<OU_name2>,DC=****,DC=*********,DC=******
  • [INFO]:    [JAAS] LDAP compatible group the user is member of : CN=WebGoat_Manager.webgoat_central,OU=<OU_name1> OU=<OU_name2>,DC=****,DC=*******,DC=*****
  • [INFO]:    [JAAS] LDAP proxy user : <user name>

The JAAS log information allows you to check the below problems:

  1. Problem searching directory: <LDAP_server>:3892
     Whether you are able to contact the LDAP server. A bad LDAP server setting shows up with a message like this in the log.

  2. Problem logging to directory: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
     Whether the user was found on the LDAP server. A bad user shows up with a message like this in the log.

  3. What your matching dashboard user and authority level is, as set in the dashboard: WebGoat_Manager on webgoat_central in the example above. This validates the group the user belongs to on the LDAP system and the privileges the user has. These permissions are configured on the dashboard; see the dashboard documentation for creating users and assigning privileges to users.

  4. No LDAP proxy user found.
     If the database name does not match the group name, you would see an error like this in the log.

  5. Problem logging to directory: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
     What your domain is: ****.********.COM in the example above. Be careful with letter case here; an improper setting shows up with a message like this in the log.
     What your database name is: webgoat_central in the example above. Check that it has the same case in the initial part as in the group comparison part.

  6. LDAP: error code 34 - Invalid DN syntax
     You may see this error when the LDAP server you are connecting to is not integrated with your Active Directory service. Your LDAP administration team can confirm this.

  7. Login module Authentication attempt failed with unknown exception: java.io.IOException: F:\\apache-tomcat-7.0.32-windows-x86\\apache-tomcat-7.0.32\\conf\\login.config (No such file or directory)
     You may see this error when you have upgraded your Tomcat version or moved to a new server with a different configuration. Your Tomcat files are then in a different location, and you need to update the web.xml file for the new configuration: the parameter security.auth.login.config must be set to the correct path on the current server.
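The list above is easy to apply by hand to a short log, but a busy Tomcat stdout buries the [JAAS] lines. As an added example (not CAST's own code), the Python script below matches each [JAAS] line against the failure messages listed on this page, reports the page's diagnosis for each hit, and reads back the role and database from the matched group CN (WebGoat_Manager on webgoat_central in the page's example). The two log runs embedded in it are constructed from the message formats quoted on this page, not real captures; the user and domain values in them are placeholders.

```python
"""Added example, not CAST's own code: triage the [JAAS] lines of a dashboard log
against the failure messages this page lists, and read back which role/database
group the user was matched to.

The log lines below are constructed from the message formats quoted on this page;
they are not a real capture.
"""
import re

# Signature -> diagnosis, both taken from the page's list of problems.
SIGNATURES = [
    (re.compile(r"Problem searching directory"),
     "cannot contact the LDAP server: check the LDAP server and port set in web.xml"),
    (re.compile(r"error code 49 .*data 52e"),
     "bind rejected (data 52e): check the user, the default user domain, and letter case"),
    (re.compile(r"No LDAP proxy user found"),
     "database name does not match the LDAP group name"),
    (re.compile(r"error code 34"),
     "invalid DN syntax: the LDAP server may not be integrated with Active Directory"),
    (re.compile(r"login\.config \(No such file or directory\)"),
     "security.auth.login.config points to a stale path (Tomcat upgraded or moved)"),
]
# The group CN carries '<role>.<database>', e.g. WebGoat_Manager.webgoat_central.
GROUP_RE = re.compile(r"LDAP group the user is member of\s*:\s*CN=([^,]+)")

# Constructed: a run that reaches the group step.
GOOD_RUN = [
    "[INFO]:    [JAAS] LDAP authorization active",
    "[INFO]:    [JAAS] LDAP default user domain appended: jdoe@example.corp.com",
    "[INFO]:    [JAAS] search LDAP for a proxy user to access webgoat_central repository",
    "[INFO]:    [JAAS] LDAP Search completed",
    "[INFO]:    [JAAS] LDAP proxy user found",
    "[INFO]:    [JAAS] LDAP group the user is member of : CN=WebGoat_Manager.webgoat_central,OU=Apps,DC=example,DC=corp,DC=com",
    "[INFO]:    [JAAS] LDAP proxy user : jdoe",
]

# Constructed: a run that hits three of the problems listed on this page.
FAILED_RUN = [
    "[INFO]:    [JAAS] LDAP authorization active",
    "[INFO]:    [JAAS] Problem logging to directory: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]",
    "[INFO]:    [JAAS] No LDAP proxy user found.",
    "[INFO]:    [JAAS] Login module Authentication attempt failed with unknown exception: java.io.IOException: C:\\old\\conf\\login.config (No such file or directory)",
]


def triage(lines):
    """Return (log line, diagnosis) for every line that matches a known failure."""
    findings = []
    for line in lines:
        for pattern, diagnosis in SIGNATURES:
            if pattern.search(line):
                findings.append((line.strip(), diagnosis))
                break  # one diagnosis per line
    return findings


def granted_role(lines):
    """Return (role, database) parsed from the matched group CN,
    or None if the run never reached the group step."""
    for line in lines:
        m = GROUP_RE.search(line)
        if m:
            role, _, database = m.group(1).partition(".")
            return role, database
    return None


if __name__ == "__main__":
    for run_name, run in (("good run", GOOD_RUN), ("failed run", FAILED_RUN)):
        print(run_name, "-> matched group:", granted_role(run))
        for line, diagnosis in triage(run):
            print("   ", diagnosis, "|", line)
```

To use it on a real log, read the Tomcat stdout file into a list of lines and pass that list to triage() and granted_role(); a run that returns no findings but also no matched group usually means tracing was not active when the login was attempted.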


If this does not solve your problem, go to the next step.

Notes/comments