45 Replies Latest reply: Jul 11, 2009 6:25 PM by RathinaGanesh MeenashiSundaram

    Single Sign On with LDAP  Examples

    Praveen Mohan Mohanan Newbie

      Hi...All,

      We will have multiple applications deployed on the same JBoss App Server.
      I want to have SSO capability between the applications.

      I have been searching the JBoss documentation for examples of enabling SSO with LDAP, but in vain.

      Can you please tell me the basic steps to enable SSO with LDAP (with examples would be great)?

      Any pointers are appreciated.

      Regards,

      P

        • 2. Re: Single Sign On with LDAP  Examples
          Thomas Cremers Newbie

          I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working.

          First, a basic LDAP schema:

          # Base
          dn: dc=foo,dc=bar
          dc: foo
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          o: Foo Bar

          # LDAP admin user (the bind DN used in sso.cfg.xml below).
          # A single ':' is a plain value; '::' would mean base64, which 'secret' is not.
          dn: cn=admin,dc=foo,dc=bar
          userPassword: secret
          description: LDAP administrator
          objectClass: simpleSecurityObject
          objectClass: organizationalRole
          cn: admin

          # People ou where we attach the users (identityOu in sso.cfg.xml)
          dn: ou=People,dc=foo,dc=bar
          ou: People
          objectClass: top
          objectClass: organizationalUnit

          # A basic inetOrgPerson
          dn: cn=Test User,ou=People,dc=foo,dc=bar
          # jboss-sso reads sn as the account activation flag, so it must be "true" (see replies 6 to 14)
          sn: true
          userPassword: secret
          mail: test@foo.bar
          displayName: Test User
          objectClass: top
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          uid: test
          cn: Test User

          # The ou where we attach roles/groups (roleOu in sso.cfg.xml)
          dn: ou=roles,dc=foo,dc=bar
          ou: roles
          objectClass: top
          objectClass: organizationalUnit

          # A test group, member of the roles ou
          dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
          ou: TestGroup
          objectClass: top
          objectClass: groupOfUniqueNames
          # uniqueMember must be the member's full DN
          uniqueMember: cn=Test User,ou=People,dc=foo,dc=bar
          cn: TestGroup


          Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above it would look like this:

          <?xml version='1.0' encoding='ISO-8859-1'?>

          <jboss-sso>
            <identity-management>
              <login>
                <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
                  <!-- Ampersands in the URL must be written as &amp; or the file is not well-formed XML -->
                  <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
                  <!-- Bind DN and password of the account jboss-sso uses to search the directory -->
                  <property name="username">cn=admin,dc=foo,dc=bar</property>
                  <property name="password">secret</property>
                  <!-- ou that contains all your inetOrgPersons -->
                  <property name="identityOu">People</property>
                  <!-- ou that contains your groups -->
                  <property name="roleOu">roles</property>
                </provider>
              </login>
              <!-- The demo login provider, disabled in favour of LDAP:
              <login>
                <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
              </login>
              -->
            </identity-management>
            <sso-processor>
              <processor class="org.jboss.security.saml.JBossSingleSignOn">
                <!-- Conf this to your sso jboss server -->
                <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
              </processor>
            </sso-processor>
          </jboss-sso>
          


          Really important here is to verify that you have set identityOu and roleOu to the right values. If there is an error here you will get "No such object" JDBC errors, which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.

          If you tail the LDAP log and start the SSO service you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log, you are done.

          Hope this helped



          • 3. Re: Single Sign On with LDAP  Examples
            Nandhakumar K Newbie

            Hi buddy,

            Thanks for the post.


            I tested with your post and was able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

            When I gave the user created (TestUser) in LDAP, it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser" or something like this.

            But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

            I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

            Please tell me why this error comes and give me a solution to resolve this one.


            • 4. Re: Single Sign On with LDAP  Examples
              Nandhakumar K Newbie

              Hi,

              Also, please tell me the purpose of the SSO Trust Server.



              Thanks,
              Nandhu.

              • 5. Re: Single Sign On with LDAP  Examples
                Yovko Yovkov Newbie

                I have the same problem - when I try to log on to the test application I receive an error "The specified account has not been activated-...".
                My question here is: What does it mean and how can I activate the user?

                @tamilnandhu:
                About the error for user "admin": The user admin is specified in "dc=foo,dc=bar", not in "ou=People, dc=foo,dc=bar". So, for the application this user does not exist.

                Regards!

                • 6. Re: Single Sign On with LDAP  Examples
                  Alejandro Montenegro Novice

                  "tamilnandhu" wrote:
                  Hi buddy,

                  Thanks for the post.


                  I tested with your post and was able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.

                  When I gave the user created (TestUser) in LDAP, it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated-TestUser" or something like this.

                  But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.

                  I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).

                  Please tell me why this error comes and give me a solution to resolve this one.




                  Set:
                  sn=true
                  That will activate the user.

                  • 7. Re: Single Sign On with LDAP  Examples
                    Yovko Yovkov Newbie

                    Thank you aamonten, but if it is not secret, what does it mean:
                    sn=true

                    To put it into user dn? Or ???

                    Please, do not hide the truth.

                    • 8. Re: Single Sign On with LDAP  Examples
                      Alejandro Montenegro Novice

                      Actually I have not a lot of experience with LDAP, so I'm not sure if sn has a special meaning. But by looking at the source I discovered that it checks if sn=true: then the account is activated; anything different from true and it would be deactivated.

                      regards
                      Alejandro

                      • 9. Re: Single Sign On with LDAP  Examples
                        Alejandro Montenegro Novice

                         

                        "yyovkov" wrote:
                        Thank you aamonten, but if it is not secret, what does it mean:
                        sn=true

                        To put it into user dn? Or ???

                        Please, do not hide the truth.


                        Sorry, I didn't understand exactly what your question was. Take a look at thomascremers' LDAP schema above in the thread.

                        • 10. Re: Single Sign On with LDAP  Examples
                          Yovko Yovkov Newbie

                          I found what you wanted to say.
                          The user entry should contain:
                          --- cut ---
                          dn: cn=Test User,ou=People, dc=foo,dc=bar
                          ...
                          sn: true
                          ...
                          --- cut ---

                          I put that in and the error in the JBoss output "user not activated" did not appear, but the web interface is still not able to check the password:
                          "Login Failed.....".

                          How can I use another attribute, different from "sn", to mark a user as active?

                          • 11. Re: Single Sign On with LDAP  Examples
                            Yovko Yovkov Newbie

                            I found what you wanted to say.
                            The user entry should contain:
                            --- cut ---
                            dn: cn=Test User,ou=People, dc=foo,dc=bar
                            ...
                            sn: true
                            ...
                            --- cut ---

                            I put that in and the error in the JBoss output "user not activated" did not appear, but the web interface is still not able to check the password:
                            "Login Failed.....".

                            Which file contains the requirement that "sn" should be set to "true"? Yes, this field is dedicated to other information. If this is hardcoded, we have to inform the developers.

                            aamonten, thank you for your help!

                            • 12. Re: Single Sign On with LDAP  Examples
                              Mauricio Salatino Master

                              sn in LDAP means Surname, but it seems that the developers use that field to indicate whether the account is activated or not, so if you set this value to true in the LDAP schema file your account will be activated. I think that the developers use this field because it is a standard field in all LDAP directory servers.

                              • 13. Re: Single Sign On with LDAP  Examples
                                Yovko Yovkov Newbie

                                OK, salaboy21.
                                That is good, but even with that, the SSO test application doesn't work.

                                • 14. Re: Single Sign On with LDAP  Examples
                                  Mauricio Salatino Master

                                  Another thing that you could look at is the user name in the sso.cfg.xml.
                                  Mine for OpenLDAP is
                                  cn=admin,dc=nodomain
                                  Look for the dc=nodomain.
                                  And yes, sn is hardcoded.
                                  Look at the following lines in LDAPLoginProvider.java:

                                   // the user's sn attribute is read back and parsed as a boolean;
                                   // new Boolean(String) is true only for "true" (case-insensitive)
                                   String cour = rs.getString("sn");
                                   boolean active = (new Boolean(cour)).booleanValue();



