45 Replies, latest reply on Jul 11, 2009 6:25 PM by rathinaganesh
      • 30. Re: Single Sign On with LDAP Examples
        salaboy21

        First of all..

         <!--module-option name="hashAlgorithm">MD5</module-option>
         <module-option name="hashEncoding">HEX</module-option-->

        Did you comment out the hash algorithm?? (with <!--)
        Second, try to remove the hash encoding property..
        And third.. browse your LDAP store.. and show me (post it here) your hashed password with MD5..

        I'm thinking that you possibly have the same problem that I have with OpenDS.. (OpenDS uses a schema that appends the hash algorithm used to the hashed password. Ex: {SHA}jk432lkj432j4j32l432.. Do you see something like this in Fedora DS?

        • 31. Re: Single Sign On with LDAP Examples
          yyovkov

          Hi Salaboy21:

          1. Yes, I have commented out the hash algorithm line. To be sure that it is commented out in a proper way, I removed it from the file.
          2. I did the same with hash encoding.
          3. Here is the password: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

          This is how it looks in all LDAP servers: {HASHMechanism}Values...
          So you should be aware of that. This is useful if you do not know which hash algorithm is used to encode the password. In other words, you do not need to specify which is the password for the users, but you can take this field from LDAP and work with the proper hash algorithm for any user. Because there is the possibility that one user's password uses MD5, and another SHA-1...
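A worked example of the {HASHMechanism}Values convention described in this reply, added here and not part of the thread or of the JBoss SSO code: it parses the scheme prefix the way a scheme-aware identity provider has to, verifies a candidate against the {MD5} value posted above, and shows why a login module fixed to hashAlgorithm=MD5 / hashEncoding=HEX (the commented-out options in post 30) can never match such a value. The function names are mine, and the candidate password "secret" is an assumption used for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# The userPassword value yyovkov posted from his directory (post 31).
STORED_MD5 = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="

# Unsalted schemes store digest(password); salted schemes store
# digest(password + salt) followed by the salt, all base64-encoded.
UNSALTED = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256"}
SALTED = {"SMD5": "md5", "SSHA": "sha1", "SSHA256": "sha256"}


def parse_userpassword(value):
    """Split a '{SCHEME}base64' value into (scheme, raw bytes).
    A value without a prefix is treated as cleartext (scheme None)."""
    if not value.startswith("{"):
        return None, value.encode()
    end = value.find("}")
    if end < 0:
        raise ValueError("malformed userPassword prefix")
    return value[1:end].upper(), base64.b64decode(value[end + 1:])


def verify_password(candidate, stored):
    """Pick the digest from the prefix and compare in constant time."""
    scheme, blob = parse_userpassword(stored)
    pw = candidate.encode()
    if scheme is None:
        return hmac.compare_digest(pw, blob)
    if scheme in UNSALTED:
        expected = hashlib.new(UNSALTED[scheme], pw).digest()
        return hmac.compare_digest(expected, blob)
    if scheme in SALTED:
        algo = SALTED[scheme]
        dlen = hashlib.new(algo).digest_size
        digest, salt = blob[:dlen], blob[dlen:]   # salt trails the digest
        expected = hashlib.new(algo, pw + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError("unsupported scheme %s" % scheme)


def make_ssha(password, salt=None):
    """Produce an {SSHA} value in the layout directory servers use."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def scheme_unaware_md5_hex(candidate):
    """What hashAlgorithm=MD5 / hashEncoding=HEX produces: hex digest, no
    prefix, so comparing it with the stored string always fails."""
    return hashlib.md5(candidate.encode()).hexdigest()


if __name__ == "__main__":
    print(verify_password("secret", STORED_MD5))            # True
    print(scheme_unaware_md5_hex("secret") == STORED_MD5)   # False
    print(verify_password("secret", make_ssha("secret")))   # True
```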

          • 32. Re: Single Sign On with LDAP Examples
            yyovkov

            Hi salaboy21,
            is there any progress with this issue?
            Should I log the bug in jira?

            • 33. Re: Single Sign On with LDAP Examples
              salaboy21

              Yeap.. I have fixed this bug...
              You must download and compile SSO from the trunk.. I can help you to do this...
              and test it with any DS..
              Let me know if you are using the trunk version (you must do an update)...
              Then you must find a new class named HashAlgorithmRemoverLDAPIdentityProvider.java..
              This class is the solution to this problem..

              Let me know if something goes wrong...
              I recommend that you only try local sign on with this class..
              because another fix is needed for cross domain sign on.. (I already wrote it but have not
              done the commit yet...)

              Thanks!

              • 34. Re: Single Sign On with LDAP Examples
                yyovkov

                Hi salaboy21,

                can you give me some basic steps on how to download and compile SSO from trunk? I do not have such experience. But I want to test LDAP interoperability.

                Thank you for your effort!

                • 35. Re: Single Sign On with LDAP Examples
                  salaboy21

                  I wrote these steps in my personal blog...(but unfortunately they are in Spanish)
                  But I think you can figure out how to install JBoss SSO with some basic (language neutral)
                  steps like:
                  1) Check out the sources with an svn client (apt-get install subversion (or svn))

                  svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk/

                  2) Edit the file local.properties
                  vi local.properties

                  change:

                  deploy.dir=default
                  jboss.home=/home//<jboss-4.2.2.GA>

                  3) Then compile in
                  <jboss-sso>/components/build/
                  Run:

                  ant installSSO

                  and in:
                  ../jboss_federation_server/

                  ant deploy-exploded

                  These are the basics...
                  Then look in my blog for the next configuration steps..
                  Ask me in my blog if you don't understand something..
                  http://salaboy.wordpress.com/2008/03/31/jboss-sso-tune-in-development-draft/

                  • 36. Re: Single Sign On with LDAP Examples
                    yyovkov

                    Hi salaboy21,
                    unfortunately there are a lot of Java class dependencies which I cannot deal with. I am not able to compile this Java source myself and test it.
                    When can we expect to have a compiled binary version of the packages?

                    • 37. Re: Single Sign On with LDAP Examples
                      soshah

                      Try this:

                      Do an svn checkout: svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk

                      then go to trunk/components/build

                      and type ant clean main

                      This should create all the binaries you need under trunk/component/output-jars.

                      Hope this helps

                      Thanks

                      • 38. Re: Single Sign On with LDAP Examples
                        yyovkov

                        Hi Sohil,

                        thank you, this really works.

                        I will let you know in a short time (a few days) whether the new version works fine with LDAP.

                        Regards,
                        Yovko Yovkov

                        • 39. Re: Single Sign On with LDAP Examples
                          yyovkov

                          Hi again,

                          again it is a little bit different. I compiled the trunk successfully, but I am not sure which package contains jboss sso, so I am not able to proceed with the test.

                          This is the list of files in output-jars:
                          jboss-federation-server.ear
                          jboss-federation-server.jar
                          jboss-federation-server.sar
                          jboss-federation-server.war
                          jboss-identity-management.jar
                          jboss-saml.jar
                          jboss-security-common.jar
                          jboss-sso-portal.jar
                          jboss-sso-test.ear
                          jboss-sso-tomcat5.jar
                          test.war

                          Which one should be deployed to test the LDAP connection?

                          • 40. Re: Single Sign On with LDAP Examples
                            salaboy21

                            BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

                            If you configure trunk/components/build/local.properties
                            with your deploy directory and your JBoss install dir..
                            then you can run ant installSSO in trunk/components/build
                            and all that you need will be copied to your deploy directory...

                            Then you need to go to trunk/components/jboss_federation_server
                            and run ant deploy-exploded

                            At this point you have jboss-sso.sar and jboss_federation_server.ear
                            in your deploy directory...
                            Now all you need is to copy from trunk/components/output-jars/
                            the file called jboss-sso-test.ear to your deploy directory
                            and you can test SSO with LDAP

                            BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

                            • 41. Re: Single Sign On with LDAP Examples

                              Greetings,

                              I am trying to do the same thing: install Federated SSO and test it.
                              I am using
                              Jboss-4.2.2.GA on Windows XP
                              OpenDS-1.2.0 on FreeBSD
                              I have set up OpenDS for the testuser login.
                              Previously, I got the error that testuser is not activated. So, I took the source from the trunk mentioned above, updated the trunk and built the sso sar and ear files.

                              The security-config.xml inside jboss-sso-test.ear\META-INF looks like this:

                              
                              <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
                              security domain used by the security-spec test case
                              -->
                              <policy>
                               <application-policy name="jboss-sso">
                               <authentication>
                               <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                               <module-option name="unauthenticatedIdentity">guest</module-option>
                               <module-option name="password-stacking">useFirstPass</module-option>
                               <!--module-option name="hashAlgorithm">MD5</module-option>
                               <module-option name="hashEncoding">HEX</module-option-->
                               <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                               </login-module>
                               <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                               <module-option name="unauthenticatedIdentity">guest</module-option>
                               <module-option name="password-stacking">useFirstPass</module-option>
                               <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                               </login-module>
                               </authentication>
                               </application-policy>
                              </policy>
                              
                              



                              The sso.cfg.xml file under jboss-sso.sar looks like this:

                              <login>
                                <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.HashAlgorithmRemoverLDAPIdentityProvider">
                                  <property name="connectionURL">
                                    jdbc:ldap://10.10.60.4:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&secure:=false&concat_atts:=true&size_limit:=10000000
                                  </property>
                                  <property name="username">uid=admin,dc=jboss,dc=com</property>
                                  <property name="password">jbossrocks</property>
                                  <property name="identityOu">People</property>
                                  <property name="roleOu">roles</property>
                                </provider>
                              </login>

                              and this is how it looks in ldapsearch:

                              /usr/local/OpenDS-1.2.0/bin/ldapsearch -s sub -b cn=testuser,ou=People,dc=jboss,dc=com "(objectclass=*)"
                              dn: cn=testuser,ou=People,dc=jboss,dc=com
                              objectClass: person
                              objectClass: inetOrgPerson
                              objectClass: organizationalPerson
                              objectClass: top
                              mail: [EMAIL PROTECTED]
                              uid: test
                              cn: testuser
                              displayName: Test User
                              sn: true

                              When I try to use testuser and secret as login and password, I get "login failed" on the JSP. I am not getting any errors in the JBoss server log.
                              In the OpenDS log, I see the following messages:

                              [29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
                              [29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
                              [29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
                              [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
                              [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=2
                              [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
                              [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason="Client Unbind"
                              [29/Jun/2009:11:19:54 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
                              [29/Jun/2009:11:19:54 -0700] BIND REQ conn=177 op=0 msgID=22 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
                              [29/Jun/2009:11:19:54 -0700] BIND RES conn=177 op=0 msgID=22 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
                              [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=177 op=1 msgID=23 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
                              [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=177 op=1 msgID=23 result=0 nentries=1 etime=1
                              [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=177 op=2 msgID=24
                              [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=177 reason="Client Unbind"
                              [29/Jun/2009:11:19:54 -0700] CONNECT conn=178 from=10.10.1.145:3243 to=10.10.60.4:389 protocol=LDAP
                              [29/Jun/2009:11:19:54 -0700] BIND REQ conn=178 op=0 msgID=25 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
                              [29/Jun/2009:11:19:54 -0700] BIND RES conn=178 op=0 msgID=25 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
                              [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=178 op=1 msgID=26 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
                              [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=178 op=1 msgID=26 result=0 nentries=1 etime=1
                              [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=178 op=2 msgID=27
                              [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=178 reason="Client Unbind"
                              [29/Jun/2009:11:19:54 -0700] CONNECT conn=179 from=10.10.1.145:3244 to=10.10.60.4:389 protocol=LDAP
                              [29/Jun/2009:11:19:54 -0700] BIND REQ conn=179 op=0 msgID=28 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
                              [29/Jun/2009:11:19:54 -0700] BIND RES conn=179 op=0 msgID=28 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
                              [29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=179 op=1 msgID=29 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
                              [29/Jun/2009:11:19:54 -0700] SEARCH RES conn=179 op=1 msgID=29 result=0 nentries=1 etime=1
                              [29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=179 op=2 msgID=30
                              [29/Jun/2009:11:19:54 -0700] DISCONNECT conn=179 reason="Client Unbind"

                              Am I making some mistake here? I am stuck with this. I am not able to proceed further. Any pointers or help on this would be really great.

                              Thanks,
                              Ganesh.


                              • 42. Re: Single Sign On with LDAP Examples
                                wolfgangknauf

                                Hi Ganesh,

                                did you verify that your login module is used by JBoss? Did you activate logging of the security layer (follow the sticky post "FAQ - READ THIS BEFORE POSTING" in this forum, question 4 in the FAQ)?

                                Maybe you just did not post it, but I think you need a DynamicLoginConfig so that JBoss will find your own "security-config.xml": http://www.jboss.org/community/wiki/DynamicLoginConfig

                                Hope this helps

                                Wolfgang

                                • 43. Re: Single Sign On with LDAP Examples

                                  Thanks Wolfgang.
                                  I did turn on the log and got the following messages:

                                  2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
                                  2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
                                  2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
                                  2009-07-07 11:14:31,290 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
                                  2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] initialize, instance=@21101046
                                  2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
                                  2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
                                  2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
                                  2009-07-07 11:14:31,321 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
                                  2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
                                  2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
                                  2009-07-07 11:14:31,321 TRACE [org.jboss.security.plugins.JaasSecurityManager.jboss-sso] Login failure
                                  javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
                                   at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
                                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                   at java.lang.reflect.Method.invoke(Method.java:585)

                                  I guess the jboss-sso.sar is connecting to the OpenDS LDAP server. However, in the test application ear file, it is not validating the password correctly.
                                  You have mentioned something about the DynamicLoginConfig. I am using the DynamicLoginConfig, as you can see in the jboss-sso-test.ear file under jboss-service.xml:

                                  <?xml version="1.0" encoding="UTF-8"?>
                                  <server>
                                    <!-- hooking in a login module for the standalone version of JSF Forums -->
                                    <!-- The custom JAAS login configuration that installs
                                         a Configuration capable of dynamically updating the
                                         config settings
                                    -->
                                    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                                           name="jboss.security.tests:service=LoginConfig">
                                      <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
                                      <depends optional-attribute-name="LoginConfigService">
                                        jboss.security:service=XMLLoginConfig
                                      </depends>
                                      <depends optional-attribute-name="SecurityManagerService">
                                        jboss.security:service=JaasSecurityManager
                                      </depends>
                                    </mbean>
                                  </server>

                                  For the DynamicLoginConfig, the following is the AuthConfig I am using.
                                  I am not sure if this is correct. BTW, I did not modify anything in the jboss-sso-test.ear file after building it from the JBoss trunk.

                                  <?xml version='1.0'?>
                                  <!DOCTYPE policy PUBLIC
                                    "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                                    "http://www.jboss.org/j2ee/dtd/security_config.dtd">

                                  <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
                                       security domain used by the security-spec test case
                                  -->
                                  <policy>
                                    <application-policy name="jboss-sso">
                                      <authentication>
                                        <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                                          <module-option name="unauthenticatedIdentity">guest</module-option>
                                          <module-option name="password-stacking">useFirstPass</module-option>
                                          <!--module-option name="hashAlgorithm">MD5</module-option>
                                          <module-option name="hashEncoding">HEX</module-option-->
                                          <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                                        </login-module>
                                        <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
                                          <module-option name="unauthenticatedIdentity">guest</module-option>
                                          <module-option name="password-stacking">useFirstPass</module-option>
                                          <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                                        </login-module>
                                      </authentication>
                                    </application-policy>
                                  </policy>

                                  Do I need to do something in <JBOSS_HOME>/server/default/conf/login-config.xml?
                                  Or is it trying to use the encrypted password or something?
                                  Did someone get this jboss-sso-test.ear working?

                                  Thanks,
                                  Ganesh.

                                  • 44. Re: Single Sign On with LDAP Examples
                                    wolfgangknauf

                                    Hi,

                                    I have to admit I don't know SSO; I had used only "simple" login modules up to now.
                                    Digging around the docs, I found that "org.jboss.security.idm.UsernameAndPasswordLoginModule" uses a "provider" attribute ( http://fisheye.jboss.org/viewrep/JBossSSO/dev/trunk/components/jboss_identity_management/src/main/org/jboss/security/idm/UsernameAndPasswordLoginModule.java ). If this is not present, it takes the default provider from a "jboss.sso:service=IdentityManager" MBean. Did you change anything there?

                                    Maybe you could enhance the TRACE logging so that the LoginProvider logging is output, too.

                                    But I fear I cannot help you much further.

                                    Wolfgang