45 Replies. Latest reply: Jul 11, 2009 6:25 PM by RathinaGanesh MeenashiSundaram
  • 30. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    First of all..

    <!--module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">HEX</module-option-->

    did you comment out the hash algorithm?? (with <!--)
    second, try to remove the hash encoding property..
    and third.. browse your LDAP store.. and show me (post it here) your hashed password with MD5..

    I'm thinking that possibly you have the same problem that I have with OpenDS.. (OpenDS uses a schema that appends the hash algorithm used to the hashed password. Ex: {SHA}jk432lkj432j4j32l432.. do you see something like this in Fedora DS?

  • 31. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Hi Salaboy21:

    1. Yes, I have commented out the hash algorithm line. To be sure that it is commented out in the proper way, I removed it from the file.
    2. I did the same with hash encoding.
    3. Here is the password: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

    This is how it looks in all LDAP servers: {HASHMechanism}Values...
    So you should be aware of that. This is useful if you do not know which hash algorithm is used to encode the password. In other words, you do not need to specify which is the password for the users, but you can take this field from LDAP and work with the proper hash algorithm for any user. Because there is the possibility that one user's password uses MD5, and another SHA-1...
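
    The "{HASHMechanism}" prefix described in the post above is exactly what lets a login module pick the right algorithm per entry. The block below is an added example, not code from this thread or from JBoss SSO: it parses an RFC 2307 style userPassword value, verifies a candidate password with the digest named in the prefix, and shows why JBoss' hashAlgorithm=MD5 with hashEncoding=HEX can never match such a value (a bare hex string against a "{MD5}" plus base64 blob). The {MD5} value posted above decodes to the MD5 of "secret". Support for the salted {SMD5}/{SSHA} forms goes beyond the two schemes the post names and is my own addition; the function names are mine as well.

```python
import base64
import hashlib
import hmac
import os

# Digest algorithm and salting behind the RFC 2307 "{SCHEME}" prefixes.
# {MD5} and {SHA} are plain digests; {SMD5} and {SSHA} append a salt to the
# digest bytes before base64 encoding, so the stored blob is digest + salt.
# (The salted forms are an assumption beyond what the thread shows.)
_SCHEMES = {
    "MD5": ("md5", False),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "SSHA": ("sha1", True),
}


def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, raw bytes).

    A value without a '{SCHEME}' prefix is treated as cleartext and is
    returned as (None, bytes).
    """
    if not value.startswith("{") or "}" not in value:
        return None, value.encode()
    scheme, _, encoded = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(encoded)


def verify_userpassword(stored, candidate):
    """Return True if `candidate` matches the LDAP userPassword value `stored`.

    The scheme is read from the stored value itself, so one function handles
    entries hashed with MD5 next to entries hashed with SHA-1.
    """
    scheme, blob = parse_userpassword(stored)
    if scheme is None:
        return hmac.compare_digest(blob, candidate.encode())
    if scheme not in _SCHEMES:
        raise ValueError("unsupported userPassword scheme: " + scheme)
    algo, salted = _SCHEMES[scheme]
    if salted:
        digest_len = hashlib.new(algo).digest_size
        digest, salt = blob[:digest_len], blob[digest_len:]
    else:
        digest, salt = blob, b""
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time comparison: a plain == leaks how many leading bytes match.
    return hmac.compare_digest(computed, digest)


def make_userpassword(scheme, password, salt=None):
    """Build a '{SCHEME}base64' value in the form OpenDS / Fedora DS store it."""
    algo, salted = _SCHEMES[scheme.upper()]
    if salted and salt is None:
        salt = os.urandom(8)
    salt = salt or b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


def jboss_hex_md5(password):
    """What hashAlgorithm=MD5 with hashEncoding=HEX computes on the JBoss side:
    a bare hex digest with no prefix, so it never equals the '{MD5}base64' form."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    stored = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="      # the value posted in this thread
    print(verify_userpassword(stored, "secret"))   # True
    print(jboss_hex_md5("secret") == stored)       # False: hex vs {MD5}base64
```

    Note that {MD5} and {SHA} are unsalted, fast digests; anyone who can read userPassword (as the service account in this thread can) can run an offline dictionary attack on them, so the comparison code above is the fix for interoperability, not a reason to keep those schemes.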

  • 32. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Hi salaboy21,
    is there any progress with this issue?
    Should I log the bug in jira?

  • 33. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    Yep.. I have fixed this bug...
    you must download and compile SSO from the trunk.. I can help you to do this...
    and test it with any DS..
    Let me know if you are using the trunk version (you must do an update)...
    Then you must find a new class named HashAlgorithmRemoverLDAPIdentityProvider.java..
    this class is the solution to this problem..

    Let me know if something goes wrong...
    I recommend you only try local sign on with this class..
    Because another fix is needed for cross domain sign on.. (I already wrote this but have not
    done the commit yet...)

    Thanks!

  • 34. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Hi salaboy21,

    can you give me some basic steps on how to download and compile SSO from trunk? I do not have such experience. But I want to test LDAP interoperability.

    Thank you for you effort!

  • 35. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    I wrote these steps in my personal blog...(but unfortunately they are in Spanish)
    But I think you can figure out how to install JBoss SSO with some basic (language neutral)
    steps like:
    1) Check out the sources with an svn client (apt-get install subversion (or svn))

        svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk/

    2) edit the file local.properties

        vi local.properties

    change:

        deploy.dir=default
        jboss.home=/home//<jboss-4.2.2.GA>

    3) then compile in
    <jboss-sso>/components/build/
    Run:

        ant installSSO

    and in:
    ../jboss_federation_server/

        ant deploy-exploded

    These are the basics...
    then look in my blog for the next steps of configuration..
    ask me in my blog if you don't understand something..
    http://salaboy.wordpress.com/2008/03/31/jboss-sso-tune-in-development-draft/

  • 36. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    hi salaboy21,
    unfortunately there are a lot of java class dependencies which I can not deal with. I am not able to compile this java source myself and test it.
    When can we expect to have a compiled binary version of the packages?

  • 37. Re: Single Sign On with LDAP  Examples
    Sohil Shah Master

    Try this-

    Do an svn checkout: svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk

    then go to trunk/components/build

    and type ant clean main

    This should create all the binaries you need under trunk/component/output-jars

    Hope this helps

    Thanks

  • 38. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Hi Sohil,

    thank you, this really works.

    I will let you know in a short time (a few days) if the new version works fine with LDAP.

    Regards,
    Yovko Yovkov

  • 39. Re: Single Sign On with LDAP  Examples
    Yovko Yovkov Newbie

    Hi again,

    again it is a little bit different. I compiled the trunk successfully, but I am not sure which package contains jboss sso, so I am not able to proceed with the test.

    This is the list of files in output-jars:
    jboss-federation-server.ear
    jboss-federation-server.jar
    jboss-federation-server.sar
    jboss-federation-server.war
    jboss-identity-management.jar
    jboss-saml.jar
    jboss-security-common.jar
    jboss-sso-portal.jar
    jboss-sso-test.ear
    jboss-sso-tomcat5.jar
    test.war

    Which one should be deployed to test LDAP connection?

  • 40. Re: Single Sign On with LDAP  Examples
    Mauricio Salatino Master

    BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

    If you configure trunk/components/build/local.properties
    with your deploy directory and your jboss install dir..
    then you can run ant installSSO in trunk/components/build
    and all that you need will be copied to your deploy directory...

    Then you need to go to trunk/components/jboss_federation_server
    and run ant deploy-exploded

    At this point you have jboss-sso.sar and jboss_federation_server.ear
    in your deploy directory...
    Now all you need is to copy from trunk/components/output-jars/
    the file called jboss-sso-test.ear to your deploy directory
    and you can test SSO with LDAP

    BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

  • 41. Re: Single Sign On with LDAP  Examples
    RathinaGanesh MeenashiSundaram Newbie

    Greetings,

    I am trying to do the same thing, Install Federated SSO and test it.
    I am using
    Jboss-4.2.2.GA on Windows XP
    OpenDS-1.2.0 on FreeBSD
    I have set up the OpenDS for the testuser login.
    Previously, I got the error that testuser is not activated. So, I took the source from the trunk mentioned above, updated the trunk and built the sso sar and ear files.

    The security-config.xml inside the jboss-sso-test.ear\META-INF looks like this

    
    <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
         security domain used by the security-spec test case
    -->
    <policy>
        <application-policy name="jboss-sso">
            <authentication>
                <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                    <module-option name="unauthenticatedIdentity">guest</module-option>
                    <module-option name="password-stacking">useFirstPass</module-option>
                    <!--module-option name="hashAlgorithm">MD5</module-option>
                    <module-option name="hashEncoding">HEX</module-option-->
                    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                </login-module>
                <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                    <module-option name="unauthenticatedIdentity">guest</module-option>
                    <module-option name="password-stacking">useFirstPass</module-option>
                    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                </login-module>
            </authentication>
        </application-policy>
    </policy>

    The sso.cfg.xml file under jboss-sso.sar looks like this

    <login>
        <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.HashAlgorithmRemoverLDAPIdentityProvider">
            <!-- inside XML text the '&' between URL parameters must be written as '&amp;' -->
            <property name="connectionURL">
                jdbc:ldap://10.10.60.4:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000
            </property>
            <property name="username">uid=admin,dc=jboss,dc=com</property>
            <property name="password">jbossrocks</property>
            <property name="identityOu">People</property>
            <property name="roleOu">roles</property>
        </provider>
    </login>

    and this is how it looks in the ldapsearch

    /usr/local/OpenDS-1.2.0/bin/ldapsearch -s sub -b cn=testuser,ou=People,dc=jboss,dc=com "(objectclass=*)"
    dn: cn=testuser,ou=People,dc=jboss,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    mail: [EMAIL PROTECTED]
    uid: test
    cn: testuser
    displayName: Test User
    sn: true

    When I try to use testuser and secret as login and password, I get login failed on the jsp. I am not getting any errors in the jboss server log.
    In the OpenDS log, I see the following messages.

    
    [29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
    [29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
    [29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
    [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
    [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=2
    [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
    [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason="Client Unbind"
    [29/Jun/2009:11:19:54 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
    [29/Jun/2009:11:19:54 -0700] BIND REQ conn=177 op=0 msgID=22 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
    [29/Jun/2009:11:19:54 -0700] BIND RES conn=177 op=0 msgID=22 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
    [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=177 op=1 msgID=23 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
    [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=177 op=1 msgID=23 result=0 nentries=1 etime=1
    [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=177 op=2 msgID=24
    [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=177 reason="Client Unbind"
    [29/Jun/2009:11:19:54 -0700] CONNECT conn=178 from=10.10.1.145:3243 to=10.10.60.4:389 protocol=LDAP
    [29/Jun/2009:11:19:54 -0700] BIND REQ conn=178 op=0 msgID=25 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
    [29/Jun/2009:11:19:54 -0700] BIND RES conn=178 op=0 msgID=25 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
    [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=178 op=1 msgID=26 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
    [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=178 op=1 msgID=26 result=0 nentries=1 etime=1
    [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=178 op=2 msgID=27
    [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=178 reason="Client Unbind"
    [29/Jun/2009:11:19:54 -0700] CONNECT conn=179 from=10.10.1.145:3244 to=10.10.60.4:389 protocol=LDAP
    [29/Jun/2009:11:19:54 -0700] BIND REQ conn=179 op=0 msgID=28 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
    [29/Jun/2009:11:19:54 -0700] BIND RES conn=179 op=0 msgID=28 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
    [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=179 op=1 msgID=29 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
    [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=179 op=1 msgID=29 result=0 nentries=1 etime=1
    [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=179 op=2 msgID=30
    [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=179 reason="Client Unbind"

    Am I making some mistake here? I am stuck with this. I am not able to proceed further. Any pointers or help on this would be really great.

    Thanks,
    Ganesh.
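
    The access log quoted in the post above answers a question worth asking before debugging the login module: which DN binds, and what is read. The script below is an added example, not part of the thread or of JBoss SSO. It parses OpenDS access-log lines (two of the four connections from the post, copied in as constructed sample input), groups them per connection, and classifies the authentication pattern. Every bind here is by the service account and the second search asks for userPassword, which means the password is compared inside the application, the situation the HashAlgorithmRemover provider exists for. The regexes, field names and the classify_auth labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: OpenDS access-log lines from the post above, two of the
# four connections that one login attempt produced.
SAMPLE_LOG = """\
[29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=2
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason="Client Unbind"
[29/Jun/2009:11:19:54 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=177 op=0 msgID=22 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=177 op=0 msgID=22 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=177 op=1 msgID=23 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=177 op=1 msgID=23 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=177 op=2 msgID=24
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=177 reason="Client Unbind"
"""

# "[timestamp] OP [REQ|RES] conn=N key=value ..."; CONNECT and DISCONNECT carry
# no REQ/RES marker. Everything after conn=N is parsed as key=value pairs,
# with quoted values allowed to contain spaces and '=' (filters, DNs).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+)(?: (?P<kind>REQ|RES))? conn=(?P<conn>\d+)(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_access_log(text):
    """Group access-log lines by connection id.

    For each connection collect the DNs that bound, the bind result codes,
    the search bases, and the union of attributes requested by searches.
    """
    conns = defaultdict(lambda: {"bind_dns": [], "bind_results": [],
                                 "bases": set(), "attrs": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line we understand; skip it
        fields = {k: (q or u) for k, q, u in KV_RE.findall(m.group("rest"))}
        c = conns[m.group("conn")]
        op, kind = m.group("op"), m.group("kind")
        if op == "BIND" and kind == "REQ":
            c["bind_dns"].append(fields.get("dn", ""))
        elif op == "BIND" and kind == "RES":
            c["bind_results"].append(int(fields.get("result", "-1")))
        elif op == "SEARCH" and kind == "REQ":
            c["bases"].add(fields.get("base", ""))
            c["attrs"].update(a for a in fields.get("attrs", "").split(",") if a)
    return dict(conns)


def classify_auth(conns, service_dn):
    """Infer how the client checks user passwords, from the directory's view.

    'bind-as-user' : some bind used a DN other than the service account, so the
                     directory itself verified the user's password.
    'hash-compare' : only the service account bound and userPassword was read,
                     so the application compares the hash locally.
    'unknown'      : neither pattern is visible in the log.
    """
    user_binds = [dn for c in conns.values() for dn in c["bind_dns"]
                  if dn.lower() != service_dn.lower()]
    read_password = any("userPassword" in c["attrs"] for c in conns.values())
    if user_binds:
        return "bind-as-user"
    if read_password:
        return "hash-compare"
    return "unknown"


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_LOG)
    for cid, c in sorted(conns.items()):
        print(cid, c["bind_dns"], c["bind_results"], sorted(c["attrs"]))
    print(classify_auth(conns, "uid=admin,dc=jboss,dc=com"))   # hash-compare
```

    Two consequences of the "hash-compare" pattern follow directly from the log: the service account (uid=admin here) must be allowed to read userPassword for every user, and since the directory never sees a bind as the user, its own failed-bind auditing and any account-lockout policy never apply to these login attempts; the "Bad password" messages exist only in the application's log.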


  • 42. Re: Single Sign On with LDAP  Examples
    Wolfgang Knauf Master

    Hi Ganesh,

    did you verify that your login module is used by JBoss? Did you activate logging of the security layer (follow the sticky post "FAQ - READ THIS BEFORE POSTING" in this forum, question 4 in the FAQ)?

    Maybe you just did not post it, but I think you need a DynamicLoginConfig so that JBoss will find your own "security-config.xml": http://www.jboss.org/community/wiki/DynamicLoginConfig

    Hope this helps

    Wolfgang

  • 43. Re: Single Sign On with LDAP  Examples
    RathinaGanesh MeenashiSundaram Newbie

    Thanks Wolfgang.
    I did turn on the log and got the following message.

    2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
    2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
    2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
    2009-07-07 11:14:31,290 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
    2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] initialize, instance=@21101046
    2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
    2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
    2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
    2009-07-07 11:14:31,321 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
    2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
    2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
    2009-07-07 11:14:31,321 TRACE [org.jboss.security.plugins.JaasSecurityManager.jboss-sso] Login failure
    javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
     at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)

    I guess the jboss-sso.sar is connecting to the OpenDS ldap server. However, in the test application ear file, it is not validating the password correctly.
    You have mentioned something about the DynamicLoginConfig. I am using the DynamicLoginConfig, as you can see in the jboss-sso-test.ear file under jboss-service.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <server>
        <!-- hooking in a login module for the standalone version of JSF Forums -->
        <!-- The custom JAAS login configuration that installs
             a Configuration capable of dynamically updating the
             config settings
        -->
        <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
               name="jboss.security.tests:service=LoginConfig">
            <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
            <depends optional-attribute-name="LoginConfigService">
                jboss.security:service=XMLLoginConfig
            </depends>
            <depends optional-attribute-name="SecurityManagerService">
                jboss.security:service=JaasSecurityManager
            </depends>
        </mbean>
    </server>

    For the DynamicLoginConfig, the following is the AuthConfig I am using.
    I am not sure if this is correct. BTW, I did not modify anything in the jboss-sso-test.ear file after building it from the jboss trunk.

    <?xml version='1.0'?>
    <!DOCTYPE policy PUBLIC
        "-//JBoss//DTD JBOSS Security Config 3.0//EN"
        "http://www.jboss.org/j2ee/dtd/security_config.dtd">

    <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
         security domain used by the security-spec test case
    -->
    <policy>
        <application-policy name="jboss-sso">
            <authentication>
                <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                    <module-option name="unauthenticatedIdentity">guest</module-option>
                    <module-option name="password-stacking">useFirstPass</module-option>
                    <!--module-option name="hashAlgorithm">MD5</module-option>
                    <module-option name="hashEncoding">HEX</module-option-->
                    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                </login-module>
                <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                    <module-option name="unauthenticatedIdentity">guest</module-option>
                    <module-option name="password-stacking">useFirstPass</module-option>
                    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                </login-module>
            </authentication>
        </application-policy>
    </policy>


    Do I need to do something in the <JBOSS_HOME>/server/default/conf/login-config.xml?
    Or is it trying to use the encrypted password or something?
    Did someone get this jboss-sso-test.ear working?

    Thanks,
    Ganesh.

  • 44. Re: Single Sign On with LDAP  Examples
    Wolfgang Knauf Master

    Hi,

    I have to admit I don't know SSO; I had used only "simple" login modules up to now.
    Digging around the docs, I found that "org.jboss.security.idm.UsernameAndPasswordLoginModule" uses a "provider" attribute ( http://fisheye.jboss.org/viewrep/JBossSSO/dev/trunk/components/jboss_identity_management/src/main/org/jboss/security/idm/UsernameAndPasswordLoginModule.java ). If this is not present, it takes the default provider from a "jboss.sso:service=IdentityManager" MBean. Did you change anything there?

    Maybe you could enhance the TRACE logging so that the LoginProvider logging is output, too.

    But I fear I cannot help you much further.

    Wolfgang