1 2 3 4 Previous Next 45 Replies Latest reply on Jul 11, 2009 6:25 PM by rathinaganesh

    Single Sign On with LDAP  Examples

    pmohanan

      Hi all,

      We will have multiple applications deployed on the same JBoss App server.
      I want to have SSO capability between the applications.

      I have been searching the JBoss documentation for examples of enabling SSO with LDAP, but in vain.

      Can you please tell me the basic steps to enable SSO with LDAP (examples would be great)?

      Any pointers are appreciated.

      Regards,

      P

        • 1. Re: Single Sign On with LDAP  Examples
          javawings

          dittos

          • 2. Re: Single Sign On with LDAP  Examples
            thomascremers

            I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working.

            First, a basic LDAP schema:

            # Base
            dn: dc=foo,dc=bar
            dc: foo
            objectClass: top
            objectClass: dcObject
            objectClass: organization
            o: Foo Bar

            # LDAP admin user (the bind account the SSO service uses; see sso.cfg.xml below)
            # Note the single colon: "attr:: value" in LDIF means a base64-encoded value
            dn: cn=admin, dc=foo,dc=bar
            userPassword: secret
            description: LDAP administrator
            objectClass: simpleSecurityObject
            objectClass: organizationalRole
            cn: admin

            # People ou where we attach the users
            dn: ou=People, dc=foo,dc=bar
            ou: People
            objectClass: top
            objectClass: organizationalUnit

            # A basic inetOrgPerson
            dn: cn=Test User,ou=People, dc=foo,dc=bar
            sn: Test
            userPassword: secret
            mail: test@foo.bar
            displayName: Test User
            objectClass: top
            objectClass: person
            objectClass: organizationalPerson
            objectClass: inetOrgPerson
            uid: test
            cn: Test User

            # The ou where we attach roles/groups
            dn: ou=roles, dc=foo,dc=bar
            ou: roles
            objectClass: top
            objectClass: organizationalUnit

            # A test group member of roles ou
            # uniqueMember must be the full DN of the user entry, including the base
            dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
            ou: TestGroup
            objectClass: top
            objectClass: groupOfUniqueNames
            uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
            cn: TestGroup



            Now the important part is, of course, the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above it would look like this:

            <?xml version='1.0' encoding='ISO-8859-1'?>

            <jboss-sso>
              <identity-management>
                <login>
                  <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
                    <!-- "&" must be escaped as "&amp;" inside an XML element, otherwise the file will not parse -->
                    <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
                    <!-- bind account from the LDIF above -->
                    <property name="username">cn=admin,dc=foo,dc=bar</property>
                    <property name="password">secret</property>
                    <!-- ou that contains all your inetOrgPersons -->
                    <property name="identityOu">People</property>
                    <!-- ou that contains your groups -->
                    <property name="roleOu">roles</property>
                  </provider>
                </login>
                <!--login>
                  <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
                </login-->
              </identity-management>
              <sso-processor>
                <processor class="org.jboss.security.saml.JBossSingleSignOn">
                  <!-- Configure this to point at your SSO JBoss server -->
                  <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
                </processor>
              </sso-processor>
            </jboss-sso>



            Really important here is to verify that you have set identityOu and roleOu to the right values. If there is an error here you will get "No such object" jdbc errors, which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.

            If you tail the LDAP log and start the SSO service, you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log, you are done.

            Hope this helped.



            • 3. Re: Single Sign On with LDAP  Examples
              tamilnandhu

              Hi buddy,

              Thanks for the post.


              I tested with your post and was able to create users in LDAP (verified with an LDAP browser), and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

              When I gave the user created in LDAP (TestUser), it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser" or something like this.

              But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

              I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

              Please tell me why this error comes and give me a solution to resolve it.


              • 4. Re: Single Sign On with LDAP  Examples
                tamilnandhu

                Hi,

                Also, please tell me the purpose of the SSO Trust Server.



                Thanks,
                Nandhu.

                • 5. Re: Single Sign On with LDAP  Examples
                  yyovkov

                  I have the same problem - when I try to log on to the test application I receive an error "The specified account has not been activated-...".
                  My question here is: what does it mean, and how can I activate the user?

                  @tamilnandhu:
                  About the error for user "admin": the user admin is specified in "dc=foo,dc=bar", not in "ou=People, dc=foo,dc=bar". So, for the application this user does not exist.

                  Regards!

                  • 6. Re: Single Sign On with LDAP  Examples
                    aamonten

                    "tamilnandhu" wrote:
                    Hi buddy,

                    Thanks for the post.


                    I tested with your post and was able to create users in LDAP (verified with an LDAP browser), and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

                    When I gave the user created in LDAP (TestUser), it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser" or something like this.

                    But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

                    I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

                    Please tell me why this error comes and give me a solution to resolve it.




                    Set:
                    sn=true
                    That will activate the user.

                    • 7. Re: Single Sign On with LDAP  Examples
                      yyovkov

                      Thank you aamonten, but if it is not a secret, what does it mean:
                      sn=true

                      To put it into the user dn? Or ???

                      Please, do not hide the truth.

                      • 8. Re: Single Sign On with LDAP  Examples
                        aamonten

                        Actually I don't have a lot of experience with LDAP, so I'm not sure if sn has a special meaning. But by looking at the source I discovered that it checks if sn=true; then the account is activated. Anything different from true and it would be deactivated.

                        regards
                        Alejandro

                        • 9. Re: Single Sign On with LDAP  Examples
                          aamonten

                          "yyovkov" wrote:
                          Thank you aamonten, but if it is not a secret, what does it mean:
                          sn=true

                          To put it into the user dn? Or ???

                          Please, do not hide the truth.


                          Sorry, I didn't understand exactly what your question was. Take a look at thomascremers' LDAP schema above in the thread.

                          • 10. Re: Single Sign On with LDAP  Examples
                            yyovkov

                            I found what you wanted to say.
                            The user entry should contain:
                            --- cut ---
                            dn: cn=Test User,ou=People, dc=foo,dc=bar
                            ...
                            sn: true
                            ...
                            --- cut ---

                            I put that in, and the error "user not activated" in the JBoss output did not appear, but the web interface is still not able to check the password:
                            "Login Failed.....".

                            How can I use another attribute, different from "sn", to mark a user as active?

                            • 11. Re: Single Sign On with LDAP  Examples
                              yyovkov

                              I found what you wanted to say.
                              The user entry should contain:
                              --- cut ---
                              dn: cn=Test User,ou=People, dc=foo,dc=bar
                              ...
                              sn: true
                              ...
                              --- cut ---

                              I put that in, and the error "user not activated" in the JBoss output did not appear, but the web interface is still not able to check the password:
                              "Login Failed.....".

                              Which file contains the requirement that "sn" should be set to "true"? Yes, this field is dedicated to other information. If this is hardcoded, we have to inform the developers.

                              aamonten, thank you for your help!

                              • 12. Re: Single Sign On with LDAP  Examples
                                salaboy21

                                sn in LDAP means Surname, but it seems that the developers use that field to indicate whether the account is activated or not, so if you set this value to true in the LDAP schema file your account will be activated. I think the developers use this field because it is a standard field in all LDAP directory servers.

                                • 13. Re: Single Sign On with LDAP  Examples
                                  yyovkov

                                  OK, salaboy21.
                                  That is good, but even with that, the SSO test application doesn't work.

                                  • 14. Re: Single Sign On with LDAP  Examples
                                    salaboy21

                                    Another thing that you could look at is the user name in the sso.cfg.xml.
                                    Mine for OpenLDAP is
                                    cn=admin,dc=nodomain
                                    Look for the dc=nodomain.
                                    And yes, sn is hardcoded.
                                    Look at the following lines in LDAPLoginProvider.java:

                                     // activation flag is read from the "sn" attribute of the user entry;
                                     // new Boolean(String) is true only when the string equals "true" (case-insensitive)
                                     String cour = rs.getString("sn");
                                     boolean active = (new Boolean(cour)).booleanValue();
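
The three traps this thread walks into (a bind user outside identityOu, an account with sn not equal to "true", and a uniqueMember that is not a full DN) can be caught before the LDIF is loaded. The following checker is an added example, not code from the thread or from jboss-sso; it assumes, from posts 2, 5 and 14, that the login provider only looks for users under identityOu, reads activation from sn through Java's new Boolean(String), and expects full DNs in uniqueMember. The sample LDIF is constructed from thomascremers' schema with the traps left in.

```python
# Added example, not from the thread: a static check for the LDIF pitfalls the
# posts above ran into. Assumes (posts 2, 5 and 14) that the login provider only
# searches users under identityOu, reads activation from "sn" through Java's
# new Boolean(String) (true only for "true", any case), and wants full DNs in uniqueMember.
import base64
import re

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, '#' comments, 'attr:: ' is base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"^([\w;-]+)(::?)\s*(.*)$", line.strip())
            if line.startswith("#") or not m:
                continue
            value = base64.b64decode(m[3]).decode() if m[2] == "::" else m[3]
            attrs.setdefault(m[1].lower(), []).append(value)
        if attrs:
            entries.append(attrs)
    return entries

def check_sso_ldif(text, base_dn, identity_ou, role_ou):
    """Return findings as strings; an empty list means none of the known pitfalls."""
    base, people, roles = (norm_dn(d) for d in
                           (base_dn, f"ou={identity_ou},{base_dn}", f"ou={role_ou},{base_dn}"))
    findings = []
    for e in parse_ldif(text):
        dn, sn = norm_dn(e["dn"][0]), e.get("sn", [""])[0]
        if "userpassword" in e and not dn.endswith("," + people):
            findings.append(f"{dn}: outside ou={identity_ou}, the login provider will not see it")
        elif "userpassword" in e and sn.lower() != "true":
            findings.append(f"{dn}: sn={sn!r}, account not activated")
        if dn.endswith("," + roles):
            for mem in e.get("uniquemember", []):
                if not norm_dn(mem).endswith("," + base):
                    findings.append(f"{dn}: uniqueMember {mem!r} is not a full DN under {base_dn}")
    return findings

# Constructed sample: post 2's schema, trimmed, with its three traps left in.
SAMPLE_LDIF = """dn: cn=admin, dc=foo,dc=bar
userPassword: secret

dn: cn=Test User,ou=People, dc=foo,dc=bar
sn: Test
userPassword:: c2VjcmV0

dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
uniqueMember: cn=Test User,ou=People
"""
```

Running check_sso_ldif(SAMPLE_LDIF, "dc=foo,dc=bar", "People", "roles") reports all three entries; the admin finding is expected and harmless, since that account is only the bind user, not someone who logs in through SSO.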
                                    


