-
1. Re: Single Sign On with LDAP Examples
javawings Apr 13, 2007 4:08 PM (in response to pmohanan)dittos
-
2. Re: Single Sign On with LDAP Examples
thomascremers Apr 17, 2007 5:32 AM (in response to pmohanan)I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working.
First a basic LDAP schema:
--- cut ---
# Base
dn: dc=foo,dc=bar
dc: foo
objectClass: top
objectClass: dcObject
objectClass: organization
o: Foo Bar

# LDAP admin user
dn: cn=admin, dc=foo,dc=bar
userPassword: secret
description: LDAP administrator
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin

# People ou where we attach the users
dn: ou=People, dc=foo,dc=bar
ou: People
objectClass: top
objectClass: organizationalUnit

# A basic inetOrgPerson
dn: cn=Test User,ou=People, dc=foo,dc=bar
sn: Test
userPassword: secret
mail: test@foo.bar
displayName: Test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: test
cn: Test User

# The ou where we attach roles/groups
dn: ou=roles, dc=foo,dc=bar
ou: roles
objectClass: top
objectClass: organizationalUnit

# A test group, member of the roles ou
dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
ou: TestGroup
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: cn=Test User,ou=People, dc=foo,dc=bar
cn: TestGroup
--- cut ---
Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above this would look like this:
--- cut ---
<?xml version='1.0' encoding='ISO-8859-1'?>
<jboss-sso>
  <identity-management>
    <login>
      <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
        <!-- the & separating the URL options must be written as &amp; inside XML -->
        <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000</property>
        <property name="username">cn=admin,dc=foo,dc=bar</property>
        <property name="password">secret</property>
        <!-- ou that contains all your inetOrgPersons -->
        <property name="identityOu">People</property>
        <!-- ou that contains your groups -->
        <property name="roleOu">roles</property>
      </provider>
    </login>
    <!--login>
      <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
    </login-->
  </identity-management>
  <sso-processor>
    <processor class="org.jboss.security.saml.JBossSingleSignOn">
      <!-- Conf this to your sso jboss server -->
      <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
    </processor>
  </sso-processor>
</jboss-sso>
--- cut ---
Really important here is to verify that you have set identityOu and roleOu to the right values. If there is an error here you will get "No such object" jdbc errors, which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier.
If you tail the ldap log and start the sso service you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the sso startup in the jboss server.log, you are done.
Hope this helped -
3. Re: Single Sign On with LDAP Examples
tamilnandhu Mar 28, 2008 3:28 AM (in response to pmohanan)Hi buddy,
Thanks for the post.
I tested with your post and was able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.
When I gave the user created in LDAP (TestUser), it says login failed. When I look at the jboss server command prompt, it says "The user has not been activated-TestUser" or something like this.
But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the jboss command prompt.
I looked at the ldap.log file; there I found some entries showing that jboss searched for the user TestUser (nearly 3 to 5 times).
Please tell me why this error comes and give me a solution to resolve this one. -
4. Re: Single Sign On with LDAP Examples
tamilnandhu Mar 28, 2008 3:38 AM (in response to pmohanan)Hi,
Also, please tell me the purpose of the SSO Trust Server
Thanks,
Nandhu. -
5. Re: Single Sign On with LDAP Examples
yyovkov Mar 30, 2008 9:53 AM (in response to pmohanan)I have the same problem - when I try to log on to the test application I receive an error "The specified account has not been activated-...".
My question here is: What does it mean and how can I activate the user?
@tamilnandhu:
About the error for user "admin": The user admin is specified in "dc=foo,dc=bar", not in "ou=People, dc=foo,dc=bar". So, for the application this user does not exist.
Regards! -
6. Re: Single Sign On with LDAP Examples
aamonten Apr 2, 2008 5:22 PM (in response to pmohanan)"tamilnandhu" wrote:
Hi buddy,
Thanks for the post.
I tested with your post and was able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.
When I gave the user created in LDAP (TestUser), it says login failed. When I look at the jboss server command prompt, it says "The user has not been activated-TestUser" or something like this.
But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the jboss command prompt.
I looked at the ldap.log file; there I found some entries showing that jboss searched for the user TestUser (nearly 3 to 5 times).
Please tell me why this error comes and give me a solution to resolve this one.
Set sn=true
that will activate the user -
7. Re: Single Sign On with LDAP Examples
yyovkov Apr 4, 2008 1:44 PM (in response to pmohanan)Thank you aamonten, but if it is not secret, what does it mean:
sn=true
To put it into user dn? Or ???
Please, do not hide the truth. -
8. Re: Single Sign On with LDAP Examples
aamonten Apr 4, 2008 2:58 PM (in response to pmohanan)Actually I don't have a lot of experience with LDAP, so I'm not sure if sn has a special meaning. But by looking at the source I discovered that it checks sn: if sn=true the account is activated; anything different from true and it would be deactivated.
regards
Alejandro -
9. Re: Single Sign On with LDAP Examples
aamonten Apr 4, 2008 3:02 PM (in response to pmohanan)"yyovkov" wrote:
Thank you aamonten, but if it is not secret, what does it mean:
sn=true
To put it into user dn? Or ???
Please, do not hide the truth.
Sorry, I didn't understand exactly what your question was. Take a look at thomascremers' LDAP schema above in the thread. -
10. Re: Single Sign On with LDAP Examples
yyovkov Apr 4, 2008 3:33 PM (in response to pmohanan)I found what you want to say.
User entry should contain:
--- cut ---
dn: cn=Test User,ou=People, dc=foo,dc=bar
...
sn: true
...
--- cut ---
I put that in, and the error "user not activated" did not appear in the jboss output, but the web interface is still not able to check the password:
" Login Failed.....".
How can I use another attribute, different from "sn", to mark the user as active? -
11. Re: Single Sign On with LDAP Examples
yyovkov Apr 4, 2008 3:36 PM (in response to pmohanan)I found what you want to say.
User entry should contain:
--- cut ---
dn: cn=Test User,ou=People, dc=foo,dc=bar
...
sn: true
...
--- cut ---
I put that in, and the error "user not activated" did not appear in the jboss output, but the web interface is still not able to check the password:
" Login Failed.....".
Which file contains the requirement that "sn" should be set to "true"? Yes, this field is dedicated to other information. If this is hardcoded, we have to inform the developers.
aamonten, thank you for your help! -
12. Re: Single Sign On with LDAP Examples
salaboy21 Apr 4, 2008 4:17 PM (in response to pmohanan)sn in LDAP means Surname, but it seems that the developers use that field to indicate whether the account is activated or not, so if you set this value to true in the ldap schema file your account will be activated. I think that the developers use this field because it is a standard field in all LDAP directory servers.
-
13. Re: Single Sign On with LDAP Examples
yyovkov Apr 4, 2008 4:34 PM (in response to pmohanan)OK, salaboy21.
That is good, but even so, the SSO test application doesn't work. -
14. Re: Single Sign On with LDAP Examples
salaboy21 Apr 4, 2008 4:38 PM (in response to pmohanan)Another thing that you could look at is the user name in the sso.cfg.xml
mine for open ldap is
cn=admin,dc=nodomain
look for the dc=nodomain
And yes .. sn is hardcoded
look at the following lines in the LDAPLoginProvider.java:
String cour = rs.getString("sn");
boolean active = (new Boolean(cour)).booleanValue();
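The mistakes this thread runs into (an identityOu/roleOu that the server answers with "No such object", a user whose sn is a surname rather than "true", a userPassword written with the LDIF base64 marker "::", a uniqueMember that is not a full DN) can all be caught offline before the directory and sso.cfg.xml are deployed. The script below is an added example written for this thread; it is not jboss-sso code and not code from any poster. It assumes, from thomascremers' config and salaboy21's quote of LDAPLoginProvider.java, that the provider looks for ou=<identityOu> and ou=<roleOu> directly under the base DN given in the jdbc:ldap connectionURL, that users are inetOrgPerson entries, that groups are groupOfUniqueNames entries, and that activation is decided exactly like `new Boolean(sn)` (true only for a case-insensitive "true"). The config fragment and LDIF inside it are constructed sample data modelled on the schema in post 2, with three deliberate slips so the checks have something to report.

```python
"""Offline consistency check for a jboss-sso LDAP setup (added example, not jboss-sso code)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sso.cfg.xml fragment; the '&' inside the URL is escaped as XML requires.
SSO_CFG = """<jboss-sso><identity-management><login>
<provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
  <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false</property>
  <property name="username">cn=admin,dc=foo,dc=bar</property>
  <property name="password">PLACEHOLDER</property>
  <property name="identityOu">People</property>
  <property name="roleOu">roles</property>
</provider></login></identity-management></jboss-sso>"""

# Constructed LDIF with three deliberate slips: sn holds a surname instead of "true", userPassword
# uses the base64 marker '::' with a value that is not base64, and uniqueMember is not a full DN.
SAMPLE_LDIF = """\
dn: ou=People, dc=foo,dc=bar
objectClass: organizationalUnit

dn: cn=Test User,ou=People, dc=foo,dc=bar
cn: Test User
sn: Test
userPassword:: secret
objectClass: inetOrgPerson

dn: ou=roles, dc=foo,dc=bar
objectClass: organizationalUnit

dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
cn: TestGroup
objectClass: groupOfUniqueNames
uniqueMember: cn=Test User,ou=People
"""


def norm_dn(dn):
    """Canonical DN for comparison: strip spaces around RDNs and lowercase (DNs are case-insensitive)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader -> {normalised dn: {attr: [values]}}; a bad '::' value is kept as ('BAD_BASE64', raw)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][\w-]*)(::?)\s*(.*)", line)  # comment lines (#) never match
            if not m:
                continue
            name, sep, val = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":  # LDIF: a double colon announces a base64-encoded value
                try:
                    val = base64.b64decode(val, validate=True).decode()
                except (binascii.Error, UnicodeDecodeError):
                    val = ("BAD_BASE64", val)
            attrs.setdefault(name, []).append(val)
        if "dn" in attrs:
            entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries


def java_boolean(s):
    """Same rule as `new Boolean(String)`: true only for a case-insensitive "true"; null or anything else is false."""
    return isinstance(s, str) and s.lower() == "true"


def read_cfg(xml_text):
    """Base DN (path part of the jdbc:ldap URL, an assumption about its format), identityOu and roleOu."""
    props = {p.get("name"): (p.text or "").strip() for p in ET.fromstring(xml_text).iter("property")}
    base = props["connectionURL"].split("/", 3)[3].split("?")[0]
    return norm_dn(base), props["identityOu"], props["roleOu"]


def check(cfg_xml, ldif_text):
    """Return a list of findings; an empty list means the LDIF matches what the config expects."""
    base, id_ou, role_ou = read_cfg(cfg_xml)
    entries = parse_ldif(ldif_text)
    people, roles = norm_dn(f"ou={id_ou},{base}"), norm_dn(f"ou={role_ou},{base}")
    findings = []
    for label, dn in (("identityOu", people), ("roleOu", roles)):
        if dn not in entries:
            findings.append(f"{label}: {dn} does not exist (the server answers 'No such object')")
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        parent = dn.partition(",")[2]
        if "inetorgperson" in classes:
            sn = attrs.get("sn", [None])[0]
            if parent != people:
                findings.append(f"user {dn} is not directly under ou={id_ou}, so the provider never finds it")
            if not java_boolean(sn):
                findings.append(f"user {dn} has sn={sn!r}; LDAPLoginProvider treats it as not activated")
            for pw in attrs.get("userpassword", []):
                if isinstance(pw, tuple):
                    findings.append(f"user {dn}: userPassword uses '::' but {pw[1]!r} is not base64 (use a single ':')")
        if "groupofuniquenames" in classes:
            if parent != roles:
                findings.append(f"group {dn} is not directly under ou={role_ou}")
            for member in attrs.get("uniquemember", []):
                if norm_dn(member) not in entries:
                    findings.append(f"group {dn}: uniqueMember {member!r} does not resolve; use the full DN")
    return findings
```

Run `check(SSO_CFG, SAMPLE_LDIF)` to get the three findings for the sample; pointing it at your own sso.cfg.xml and an `ldapsearch -LLL` export of the subtree gives the same checks against a real directory. Note that the pre-flight check only mirrors what the thread says the provider does: it cannot tell you why a correctly placed, activated user still gets "Login Failed", which is where the password comparison itself (and the OpenLDAP log at loglevel 265) has to be consulted.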