1 2 3 4 Previous Next 45 Replies Latest reply: Jul 11, 2009 6:25 PM by RathinaGanesh MeenashiSundaram RSS

Single Sign On with LDAP  Examples

Praveen Mohan Mohanan Newbie

Hi...All,

We will have multiple applications deployed on the same JBoss app server.
I want to have SSO capability between the application(s).

I have been searching the JBoss documentation for examples on having the SSO enabled with LDAP. But in vain.

Can you please tell me the basic steps to enable SSO with LDAP (examples would be great)?

Any pointers are appreciated.

Regards,

P

  • 2. Re: Single Sign On with LDAP  Examples
    Thomas Cremers Newbie

    I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working.

    First a basic LDAP schema

    # Base
    dn: dc=foo,dc=bar
    dc: foo
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: Foo Bar
    
    # LDAP admin user (the bind account jboss-sso uses)
    # Note: "attr:: value" in LDIF means the value is base64-encoded,
    # so a clear-text password uses a single colon.
    dn: cn=admin,dc=foo,dc=bar
    userPassword: secret
    description: LDAP administrator
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    
    # People ou where we attach the users
    dn: ou=People,dc=foo,dc=bar
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    
    # A basic inetOrgPerson
    dn: cn=Test User,ou=People,dc=foo,dc=bar
    sn: Test
    userPassword: secret
    mail: test@foo.bar
    displayName: Test User
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: test
    cn: Test User
    
    # The ou where we attach roles/groups
    dn: ou=roles,dc=foo,dc=bar
    ou: roles
    objectClass: top
    objectClass: organizationalUnit
    
    # A test group, member of the roles ou
    # uniqueMember must be the full DN of the user entry
    dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
    ou: TestGroup
    objectClass: top
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
    cn: TestGroup
    
    


    Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above this would look like this:

    <?xml version='1.0' encoding='ISO-8859-1'?>
    
    <jboss-sso>
      <identity-management>
        <login>
          <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
            <!-- a literal '&' in the URL must be written as '&amp;' inside XML -->
            <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
            <property name="username">cn=admin,dc=foo,dc=bar</property>
            <property name="password">secret</property>
            <!-- ou that contains all your inetOrgPersons -->
            <property name="identityOu">People</property>
            <!-- ou that contains your groups -->
            <property name="roleOu">roles</property>
          </provider>
        </login>
        <!--login>
          <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
        </login-->
      </identity-management>
      <sso-processor>
        <processor class="org.jboss.security.saml.JBossSingleSignOn">
          <!-- Point this at your SSO JBoss server -->
          <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
        </processor>
      </sso-processor>
    </jboss-sso>
    


    Really important here is to verify that you have set identityOu and roleOu to the right values. If there is an error here you will get "No such object" JDBC errors, which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.

    If you tail the LDAP log and start the SSO service you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log, you are done.

    Hope this helped.



  • 3. Re: Single Sign On with LDAP  Examples
    Nandhakumar K Newbie

    Hi buddy,

    Thanks for the post.


    I tested with your post and was able to create users in LDAP (verified with an LDAP browser), and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

    When I gave the user created in LDAP (TestUser), it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser", something like this.

    But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

    I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

    Please tell me why this error comes and give me a solution to resolve this one.


  • 4. Re: Single Sign On with LDAP  Examples
    Nandhakumar K Newbie

    Hi,

    Also, please tell me the purpose of the SSO Trust Server



    Thanks,
    Nandhu.

  • 5. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    I have the same problem - when I try to log on to the test application I receive an error "The specified account has not been activated-...".
    My question here is: what does it mean and how can I activate the user?

    @tamilnandhu:
    About the error for user "admin": the user admin is specified in "dc=foo,dc=bar", not in "ou=People,dc=foo,dc=bar". So, for the application this user does not exist.

    Regards!

  • 6. Re: Single Sign On with LDAP  Examples
    Alejandro Montenegro Novice

     

    "tamilnandhu" wrote:
    Hi buddy,

    Thanks for the post.


    I tested with your post and was able to create users in LDAP (verified with an LDAP browser), and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

    When I gave the user created in LDAP (TestUser), it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser", something like this.

    But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

    I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

    Please tell me why this error comes and give me a solution to resolve this one.




    Set:
    sn=true
    That will activate the user.

  • 7. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Thank you aamonten, but if it is not a secret, what does it mean:
    sn=true

    To put it into the user DN? Or ???

    Please, do not hide the truth.

  • 8. Re: Single Sign On with LDAP  Examples
    Alejandro Montenegro Novice

    Actually I don't have a lot of experience with LDAP, so I'm not sure if sn has a special meaning. But by looking at the source I discovered that it checks if sn=true: then the account is activated; anything different from true and it would be deactivated.

    regards
    Alejandro

  • 9. Re: Single Sign On with LDAP  Examples
    Alejandro Montenegro Novice

     

    "yyovkov" wrote:
    Thank you aamonten, but if it is not secret, what does it mean:
    sn=true

    To put it into user dn? Or ???

    Please, do not hide the truth.


    Sorry, I didn't understand exactly what your question was. Take a look at thomascremers' LDAP schema above in the thread.

  • 10. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    I found what you wanted to say.
    The user entry should contain:
    --- cut ---
    dn: cn=Test User,ou=People,dc=foo,dc=bar
    ...
    sn: true
    ...
    --- cut ---

    I put that in and the error in the JBoss output "user not activated" did not appear, but the web interface is still not able to check the password:
    "Login Failed.....".

    How can I use another attribute, different from "sn", to mark a user as active?

  • 11. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    I found what you wanted to say.
    The user entry should contain:
    --- cut ---
    dn: cn=Test User,ou=People,dc=foo,dc=bar
    ...
    sn: true
    ...
    --- cut ---

    I put that in and the error in the JBoss output "user not activated" did not appear, but the web interface is still not able to check the password:
    "Login Failed.....".

    Which file contains the requirement that "sn" should be set to "true"? This field is dedicated to other information. If this is hardcoded, we have to inform the developers.

    aamonten, thank you for your help!

  • 12. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    sn in LDAP means Surname, but it seems that the developers use that field to indicate whether the account is activated or not, so if you set this value to true in the LDAP schema file your account will be activated. I think that the developers use this field because it is a standard field in all LDAP directory servers.

  • 13. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    OK, salaboy21.
    That is good, but even with that, the SSO test application doesn't work.

  • 14. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    Another thing that you could look at is the user name in the sso.cfg.xml.
    Mine for OpenLDAP is
    cn=admin,dc=nodomain
    Look for the dc=nodomain.
    And yes .. sn is hardcoded.
    Look at the following lines in LDAPLoginProvider.java:

    String cour = rs.getString("sn");
    boolean active = (new Boolean(cour)).booleanValue();
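The three failure modes this thread works through (the admin entry living outside ou=People, `sn` not parsing as `true`, and a `uniqueMember` that is not a full DN) can be checked offline before touching jboss-sso. The following script is an added example, not jboss-sso source or Thomas Cremers' posted schema: it parses a small LDIF modelled on that schema and replays the lookups the thread describes. The entry layout under `identityOu`/`roleOu`, the `new Boolean(sn)` activation rule quoted from LDAPLoginProvider.java above, and the DN-matching behaviour are assumptions taken from the posts, not verified against the provider's code.

```python
"""Offline check of an LDAP tree against the lookups this thread attributes to
jboss-sso's LDAP login provider. Added example; the layout rules and the
sn=true activation check are assumptions taken from the thread."""
import base64
import re

BASE_DN = "dc=foo,dc=bar"
IDENTITY_OU = "People"   # identityOu in sso.cfg.xml
ROLE_OU = "roles"        # roleOu in sso.cfg.xml

# Constructed LDIF modelled on the schema posted above, with one entry per
# failure mode the thread reports: admin outside ou=People, sn not "true",
# and a uniqueMember that is not a full DN. The admin password uses the
# '::' (base64) form on purpose: c2VjcmV0 decodes to "secret".
SAMPLE_LDIF = """\
dn: cn=admin,dc=foo,dc=bar
objectClass: organizationalRole
cn: admin
userPassword:: c2VjcmV0

dn: cn=Test User,ou=People,dc=foo,dc=bar
objectClass: inetOrgPerson
cn: Test User
uid: test
sn: Test
userPassword: secret

dn: cn=Active User,ou=People,dc=foo,dc=bar
objectClass: inetOrgPerson
cn: Active User
uid: active
sn: TRUE
userPassword: secret

dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
objectClass: groupOfUniqueNames
cn: TestGroup
uniqueMember: cn=Test User,ou=People
uniqueMember: cn=Active User,ou=People,dc=foo,dc=bar
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def normalize_dn(dn):
    """Case-fold and drop spaces after commas so 'cn=x, dc=y' equals 'cn=x,dc=y'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; '::' values are base64."""
    entries, attrs = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line terminates the entry
            attrs = None
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            attrs = {}
            entries[normalize_dn(value)] = attrs
        elif attrs is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def java_boolean(value):
    """Mimic new Boolean(String): only 'true' (any case) is true; None is false."""
    return value is not None and value.lower() == "true"


def login(entries, cn):
    """Resolve a login the way the thread describes; returns (status, roles)."""
    user_dn = normalize_dn("cn=%s,ou=%s,%s" % (cn, IDENTITY_OU, BASE_DN))
    user = entries.get(user_dn)
    if user is None:                  # e.g. cn=admin sits at the base, not in ou=People
        return "login failed: no entry under ou=%s" % IDENTITY_OU, []
    if not java_boolean(user.get("sn", [None])[0]):
        return "user has not been activated", []
    role_base = normalize_dn("ou=%s,%s" % (ROLE_OU, BASE_DN))
    roles = [attrs["cn"][0] for dn, attrs in entries.items()
             if dn.endswith("," + role_base)
             and user_dn in map(normalize_dn, attrs.get("uniquemember", []))]
    return "ok", sorted(roles)


def dangling_members(entries):
    """uniqueMember values that are not the full DN of an existing entry."""
    return [(attrs["cn"][0], member) for attrs in entries.values()
            for member in attrs.get("uniquemember", [])
            if normalize_dn(member) not in entries]


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for name in ("admin", "Test User", "Active User"):
        print(name, "->", login(tree, name))
    print("dangling uniqueMember values:", dangling_members(tree))
```

Run against the constructed tree, `admin` fails because no such entry exists under ou=People, `Test User` is rejected as not activated because `sn: Test` is not `true`, and only `Active User` logs in and receives `TestGroup`; `dangling_members` flags the relative `uniqueMember` value that would leave a user without roles. Point `SAMPLE_LDIF` at an `ldapsearch -LLL` export of your own tree to repeat the check on real data.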
    


