30. Re: Single Sign On with LDAP Examples
salaboy21 Apr 11, 2008 6:55 PM (in response to pmohanan)First of all..
<!--module-option name="hashAlgorithm">MD5</module-option> <module-option name="hashEncoding">HEX</module-option-->
did you comment out the hash algorithm?? (with <!--)
second, try to remove the hash encoding property..
and third.. browse your LDAP store.. and show me (post it here) your hashed password with MD5..
I'm thinking that possibly you have the same problem that I have with OpenDS.. (OpenDS uses a schema that appends the hash algorithm used to the hashed password. Ex: {SHA}jk432lkj432j4j32l432.. do you see something like this in Fedora DS? -
31. Re: Single Sign On with LDAP Examples
yyovkov Apr 12, 2008 3:57 AM (in response to pmohanan)Hi Salaboy21:
1. Yes, I have commented out the hash algorithm line. To be sure that it is commented out in the proper way, I removed it from the file.
2. I did the same with hash encoding.
3. Here is the password: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
This is how it looks in all LDAP servers: {HASHMechanism}Values...
So you should be aware of that. This is useful if you do not know which hash algorithm is used to encode the password. In other words, you do not need to specify which one is used for the users' passwords; you can take this field from LDAP and work with the proper hash algorithm for any user, because there is the possibility that one user's password uses MD5 and another's SHA-1... -
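As an added illustration (not code from this thread or from JBoss SSO), the following Python handles the `{SCHEME}value` form yyovkov describes: it splits the scheme prefix off a userPassword value, verifies a candidate password against it with a constant-time compare, and shows why a login module configured with hashAlgorithm=MD5 and hashEncoding=HEX cannot match what the directory stores, because the directory keeps the MD5 digest base64-encoded behind a scheme prefix rather than as hex. The `{MD5}` value is the one posted above; the salted SSHA/SMD5 handling goes beyond the thread's MD5 case and follows the RFC 2307 convention (digest followed by salt, base64-encoded together). All function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# The value yyovkov posted above; the SSHA values below are generated here.
STORED_MD5 = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="


def split_scheme(stored):
    """Split an RFC 2307 style userPassword value into (scheme, payload).

    Returns (None, stored) when there is no "{SCHEME}" prefix, which is how
    a cleartext value appears."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def _digest(algo, data):
    return hashlib.new(algo, data).digest()


def verify_password(candidate, stored):
    """Verify a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:
        # Cleartext: compare the bytes directly, still in constant time.
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    raw = base64.b64decode(payload)
    if scheme in ("MD5", "SHA"):
        algo = "md5" if scheme == "MD5" else "sha1"
        return hmac.compare_digest(_digest(algo, pw), raw)
    if scheme in ("SMD5", "SSHA"):
        # Salted form: base64(digest(password + salt) + salt).
        algo = "md5" if scheme == "SMD5" else "sha1"
        size = hashlib.new(algo).digest_size
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(_digest(algo, pw + salt), digest)
    raise ValueError("unsupported password scheme %r" % scheme)


def encode_digest(candidate, algo, encoding):
    """Render a digest the way a hashAlgorithm/hashEncoding pair would,
    so the HEX and BASE64 renderings can be compared with the stored value."""
    d = _digest(algo, candidate.encode("utf-8"))
    if encoding.upper() == "HEX":
        return d.hex()
    if encoding.upper() == "BASE64":
        return base64.b64encode(d).decode("ascii")
    raise ValueError("unsupported encoding %r" % encoding)


def make_ssha(candidate, salt=None):
    """Produce a {SSHA} value (random 4-byte salt unless one is supplied)."""
    salt = os.urandom(4) if salt is None else salt
    d = _digest("sha1", candidate.encode("utf-8") + salt)
    return "{SSHA}" + base64.b64encode(d + salt).decode("ascii")


if __name__ == "__main__":
    print(split_scheme(STORED_MD5))
    print("secret matches stored MD5:", verify_password("secret", STORED_MD5))
    print("HEX rendering   :", encode_digest("secret", "md5", "HEX"))
    print("BASE64 rendering:", encode_digest("secret", "md5", "BASE64"))
    print("SSHA round trip :", verify_password("secret", make_ssha("secret")))
```

Running it shows that the base64 rendering of MD5("secret") is exactly the payload behind the `{MD5}` prefix, while the hex rendering is a different string; a module that compares a hex digest against the raw attribute value, prefix and all, will always report a bad password.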
32. Re: Single Sign On with LDAP Examples
yyovkov Apr 30, 2008 3:16 PM (in response to pmohanan)Hi salaboy21,
is there any progress with this issue?
Should I log the bug in jira? -
33. Re: Single Sign On with LDAP Examples
salaboy21 Apr 30, 2008 4:32 PM (in response to pmohanan)Yep.. I have fixed this bug...
you must download and compile SSO from the trunk.. I can help you to do this...
and test it with any DS..
Let me know if you are using the trunk version (you must do an update)...
Then you must find a new class named HashAlgorithmRemoverLDAPIdentityProvider.java..
this class is the solution to this problem..
Let me know if something goes wrong...
I recommend you to only try local sign on with this class..
Because another fix is needed for cross-domain sign on.. (I already wrote this but have not
committed it yet...)
Thanks! -
34. Re: Single Sign On with LDAP Examples
yyovkov Apr 30, 2008 6:02 PM (in response to pmohanan)Hi salaboy21,
can you give me some basic steps on how to download and compile SSO from trunk? I do not have such experience. But I want to test LDAP interoperability.
Thank you for your effort! -
35. Re: Single Sign On with LDAP Examples
salaboy21 Apr 30, 2008 6:19 PM (in response to pmohanan)I wrote these steps in my personal blog...(but unfortunately they are in Spanish)
But I think you can figure out how to install JBoss SSO with some basic (language neutral)
steps like:
1) Check out the sources with an svn client (apt-get install subversion (or svn))
svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk/
2) edit the file local.properties
vi local.properties
change:
deploy.dir=default
jboss.home=/home//<jboss-4.2.2.GA>
3) then compile in
<jboss-sso>/components/build/
Run:
ant installSSO
and in:
../jboss_federation_server/
ant deploy-exploded
These are the basics...
then look in my blog for the next steps of configuration..
ask me in my blog if you don't understand something..
http://salaboy.wordpress.com/2008/03/31/jboss-sso-tune-in-development-draft/ -
36. Re: Single Sign On with LDAP Examples
yyovkov May 1, 2008 6:47 AM (in response to pmohanan)hi salaboy21,
unfortunately there are a lot of Java class dependencies which I cannot deal with. I am not able to compile this Java source myself and test it.
When can we expect to have a compiled binary version of the packages? -
37. Re: Single Sign On with LDAP Examples
soshah May 1, 2008 7:08 AM (in response to pmohanan)Try this-
Do an svn checkout: svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk
then go to trunk/components/build
and type ant clean main
This should create all the binaries you need under trunk/component/output-jars
Hope this helps
Thanks -
38. Re: Single Sign On with LDAP Examples
yyovkov May 9, 2008 1:47 PM (in response to pmohanan)Hi Sohil,
thank you, this really works.
I will let you know in a short time (a few days) whether the new version works fine with LDAP.
Regards,
Yovko Yovkov -
39. Re: Single Sign On with LDAP Examples
yyovkov May 10, 2008 3:26 PM (in response to pmohanan)Hi again,
again it is a little bit different. I compiled the trunk successfully, but I am not sure which package contains JBoss SSO, so I am not able to proceed with the test.
This is the list of files in output-jars:
jboss-federation-server.ear
jboss-federation-server.jar
jboss-federation-server.sar
jboss-federation-server.war
jboss-identity-management.jar
jboss-saml.jar
jboss-security-common.jar
jboss-sso-portal.jar
jboss-sso-test.ear
jboss-sso-tomcat5.jar
test.war
Which one should be deployed to test LDAP connection? -
40. Re: Single Sign On with LDAP Examples
salaboy21 May 10, 2008 4:18 PM (in response to pmohanan)BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS
If you configure trunk/components/build/local.properties
with your deploy directory and your jboss install dir..
then you can
run ant installSSO in trunk/components/build
and all that you need will be copied to your deploy directory...
Then you need to go to trunk/components/jboss_federation_server
and run ant deploy-exploded
At this point you have jboss-sso.sar and jboss_federation_server.ear
in your deploy directory...
Now all you need is to copy from trunk/components/output-jars/
the file called jboss-sso-test.ear to your deploy directory
and you can test SSO with LDAP
BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS -
41. Re: Single Sign On with LDAP Examples
rathinaganesh Jun 29, 2009 2:34 PM (in response to pmohanan)Greetings,
I am trying to do the same thing, Install Federated SSO and test it.
I am using
Jboss-4.2.2.GA on Windows XP
OpenDS-1.2.0 on FreeBSD
I have set up the OpenDS for the testuser login.
Previously, I got the error that testuser is not activated. So, I took the source from the trunk mentioned above, updated the trunk and built the sso sar and ear files.
The security-config.xml inside jboss-sso-test.ear\META-INF looks like this:
<!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
     security domain used by the security-spec test case -->
<policy>
  <application-policy name="jboss-sso">
    <authentication>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <!--module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">HEX</module-option-->
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
The sso.cfg.xml file under jboss-sso.sar looks like this:
<login>
  <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.HashAlgorithmRemoverLDAPIdentityProvider">
    <property name="connectionURL">
      jdbc:ldap://10.10.60.4:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&secure:=false&concat_atts:=true&size_limit:=10000000
    </property>
    <property name="username">uid=admin,dc=jboss,dc=com</property>
    <property name="password">jbossrocks</property>
    <property name="identityOu">People</property>
    <property name="roleOu">roles</property>
  </provider>
</login>
and this is how it looks in ldapsearch:
/usr/local/OpenDS-1.2.0/bin/ldapsearch -s sub -b cn=testuser,ou=People,dc=jboss,dc=com "(objectclass=*)"
dn: cn=testuser,ou=People,dc=jboss,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
mail: [EMAIL PROTECTED]
uid: test
cn: testuser
displayName: Test User
sn: true
When I try to use testuser and secret as login and password, I get "login failed" on the jsp. I am not getting any errors in the jboss server log.
In the OpenDS log, I see the following messages.
[29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=2
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason="Client Unbind"
[29/Jun/2009:11:19:54 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=177 op=0 msgID=22 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=177 op=0 msgID=22 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=177 op=1 msgID=23 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=177 op=1 msgID=23 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=177 op=2 msgID=24
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=177 reason="Client Unbind"
[29/Jun/2009:11:19:54 -0700] CONNECT conn=178 from=10.10.1.145:3243 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=178 op=0 msgID=25 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=178 op=0 msgID=25 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=178 op=1 msgID=26 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=178 op=1 msgID=26 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=178 op=2 msgID=27
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=178 reason="Client Unbind"
[29/Jun/2009:11:19:54 -0700] CONNECT conn=179 from=10.10.1.145:3244 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=179 op=0 msgID=28 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=179 op=0 msgID=28 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=179 op=1 msgID=29 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=179 op=1 msgID=29 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=179 op=2 msgID=30
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=179 reason="Client Unbind"
Am I making some mistake here? I am stuck with this. I am not able to proceed further. Any pointers or help on this would be really great.
Thanks,
Ganesh. -
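As an added diagnostic aid (not code from this thread, from OpenDS or from JBoss SSO), the following Python parses OpenDS access-log lines of the kind Ganesh posted, groups them by connection, and reports which DN each connection bound as, whether a search asked for userPassword, and which binds failed. Read this way, the posted log shows the provider binding with the configured admin account and fetching the user's userPassword attribute to compare locally, rather than binding as the user; that is why the stored hash format matters at all. The sample lines are constructed: the first connection is adapted from the posted log, and the second (a bind as the user's own DN answered with result=49) is invented to show what the other verification model looks like in the same log. The record format is assumed to be the one visible in the posted lines; other versions may differ.

```python
import re
from collections import OrderedDict

# Constructed sample, modeled on the OpenDS access log posted above.
# conn=176 is adapted from that log; conn=177 is invented for contrast.
SAMPLE_LOG = """\
[29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn="uid=admin,dc=jboss,dc=com"
[29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN="uid=admin,dc=jboss,dc=com" etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base="cn=testuser,ou=People,dc=jboss,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="cn,sn,userPassword,mail"
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason="Client Unbind"
[29/Jun/2009:11:19:55 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:55 -0700] BIND REQ conn=177 op=0 msgID=1 type=SIMPLE dn="cn=testuser,ou=People,dc=jboss,dc=com"
[29/Jun/2009:11:19:55 -0700] BIND RES conn=177 op=0 msgID=1 result=49 message="Invalid Credentials" etime=1
[29/Jun/2009:11:19:55 -0700] DISCONNECT conn=177 reason="Client Unbind"
"""

# "[timestamp] OPERATION key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<op>[A-Z]+(?:\s(?:REQ|RES))?)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an access record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    fields["ts"] = m.group("ts")
    fields["op"] = m.group("op")
    return fields


def summarize_connections(log_text):
    """Group records by conn id and keep the facts a login troubleshooter needs."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "conn" not in rec:
            continue
        c = conns.setdefault(rec["conn"], {
            "from": None, "bind_dn": None, "bind_result": None,
            "searches": [], "reads_userpassword": False,
        })
        op = rec["op"]
        if op == "CONNECT":
            c["from"] = rec.get("from")
        elif op == "BIND REQ":
            c["bind_dn"] = rec.get("dn")
        elif op == "BIND RES":
            c["bind_result"] = rec.get("result")
        elif op == "SEARCH REQ":
            attrs = [a for a in rec.get("attrs", "").split(",") if a]
            c["searches"].append({"base": rec.get("base"), "attrs": attrs})
            if "userPassword" in attrs:
                c["reads_userpassword"] = True
    return conns


def failed_binds(conns):
    """(source, dn) for every connection whose bind did not return result=0."""
    return [(c["from"], c["bind_dn"]) for c in conns.values()
            if c["bind_dn"] is not None and c["bind_result"] not in (None, "0")]


if __name__ == "__main__":
    summary = summarize_connections(SAMPLE_LOG)
    for conn_id, c in summary.items():
        print(conn_id, c["bind_dn"], "result=%s" % c["bind_result"],
              "reads userPassword" if c["reads_userpassword"] else "")
    print("failed binds:", failed_binds(summary))
```

The `reads_userpassword` flag is the quick way to tell the two models apart: a provider that reads the hash and compares client-side must understand the `{SCHEME}` prefix, whereas a provider that binds as the user leaves the comparison to the directory and a wrong password shows up as a non-zero BIND RES result on the user's own DN.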
42. Re: Single Sign On with LDAP Examples
wolfgangknauf Jun 30, 2009 4:34 AM (in response to pmohanan)Hi Ganesh,
did you verify that your login module is used by JBoss? Did you activate logging of the security layer (follow the sticky post "FAQ - READ THIS BEFORE POSTING" in this forum, question 4 in the FAQ)?
Maybe you just did not post it, but I think you need a DynamicLoginConfig so that JBoss will find your own "security-config.xml": http://www.jboss.org/community/wiki/DynamicLoginConfig
Hope this helps
Wolfgang -
43. Re: Single Sign On with LDAP Examples
rathinaganesh Jul 7, 2009 3:06 PM (in response to pmohanan)Thanks Wolfgang.
I did turn on the log and got the following messages.
2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
2009-07-07 11:14:31,290 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] initialize, instance=@21101046
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
2009-07-07 11:14:31,321 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
2009-07-07 11:14:31,321 TRACE [org.jboss.security.plugins.JaasSecurityManager.jboss-sso] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
I guess the jboss-sso.sar is connecting to the OpenDS LDAP server. However, in the test application ear file, it is not validating the password correctly.
You have mentioned something about the DynamicLoginConfig. I am using the DynamicLoginConfig, as you can see in the jboss-sso-test.ear file under jboss-service.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <!-- hooking in a login module for the standalone version of JSF Forums -->
  <!-- The custom JAAS login configuration that installs a Configuration
       capable of dynamically updating the config settings -->
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss.security.tests:service=LoginConfig">
    <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>
For the DynamicLoginConfig, the following is the AuthConfig I am using.
I am not sure if this is correct. BTW, I did not modify anything in the jboss-sso-test.ear file after building from the jboss trunk.
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
     security domain used by the security-spec test case -->
<policy>
  <application-policy name="jboss-sso">
    <authentication>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <!--module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">HEX</module-option-->
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
Do I need to do something in <JBOSS_HOME>/server/default/conf/login-config.xml?
Or is it trying to use the encrypted password or something?
Did someone get this jboss-sso-test.ear working?
Thanks,
Ganesh. -
44. Re: Single Sign On with LDAP Examples
wolfgangknauf Jul 9, 2009 4:53 AM (in response to pmohanan)Hi,
I have to admit I don't know SSO, I had used only "simple" login modules up to now.
Digging around the docs, I found that "org.jboss.security.idm.UsernameAndPasswordLoginModule" uses a "provider" attribute ( http://fisheye.jboss.org/viewrep/JBossSSO/dev/trunk/components/jboss_identity_management/src/main/org/jboss/security/idm/UsernameAndPasswordLoginModule.java ). If this is not present, it takes the default provider from a "jboss.sso:service=IdentityManager" MBean. Did you change anything there?
Maybe you could enhance the TRACE logging so that the LoginProvider logging is output, too.
But I fear I cannot help you much further.
Wolfgang