Hi Javier,

It looks like you have not configured the secondary user store in the API Manager
instance. You can get rid of the authorization issue by configuring the
read-only secondary user store in APIM as well.

Since authorization is handled in the APIM instance, the user store should be
shared with APIM as well.

Thanks
Isura.

On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hi Isura,
>
>
>
> In the log files, please search for “vazquj2”. That is the user who fails
> to log in. I’ll send the conf files shortly. After more research it seems
> that APIM is looking for user roles in UM_ROLES instead of UM_HYBRID_ROLES.
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Monday, May 29, 2017 1:24 AM
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> According to the apim-wso2carbon.log file, only the admin user tried to log in to
> the APIM instance, and it was a successful login. Please attach the log once
> the store login failure occurs. Also, attach the conf folders of each
> product.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> Thanks for your help!
>
>
>
> Attached to the email are both logs with “log4j.logger.org.wso2.carbon.user.core=DEBUG” enabled.
>
>
>
> Regards,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for
> org.wso2.carbon.user.core package as follows.
>
>
>
> Add the following entry to the /repository/conf/log4j.properties file:
>
>
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
>
>
> I’m trying to set up APIM 2.1.0 + Identity Server 5.3.0 on separate boxes.
> At this point I have all configurations in place with shared databases, and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc.
>
>
>
> The problem I’m having is that when I try to log in to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -------------
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> -----------
>
> [2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25 14:49:52,497-0400]
>
>
>
> So, it seems that the user is authenticated but something is happening.
>
>
>
> Just to be clear, the user from the secondary user store has the
> “Internal/subscriber” role, which should be sufficient to log in.
>
>
>
> I also created a test user in the IS primary store and assigned the
> “Internal/subscriber” role, and that worked fine.
>
>
>
>
>
> Any help or pointers are appreciated.
>
>
>
> Thanks,
>
> Javier Vazquez



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
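
The symptom discussed in this thread (the Identity Server logs a successful login, then APIM rejects the same session with "Insufficient Privileges") can be picked out of the two logs mechanically. The following is an added example, not part of the original emails and not WSO2 code; the sample input is constructed from the log lines quoted in the thread (unwrapped), and it assumes both hosts' clocks are in sync. The function name and the 5-second window are hypothetical choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the log lines quoted in the thread, unwrapped.
APIM_LOG = """\
[2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred while accessing Java Security Manager Privilege Block
[2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed. Insufficient Privileges.
"""
IS_LOG = """\
[2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25 14:49:52,497-0400]
"""

TS = r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]"
# IS side: 'user@tenant [tenantId]' logged in
IS_LOGIN = re.compile(TS + r"\s+INFO .*?'([^'@]+)@(\S+) \[-?\d+\]' logged in")
# APIM side: the store login rejection seen in the thread
APIM_DENY = re.compile(
    TS + r"\s+ERROR - APIStoreHostObject Login failed\. Insufficient Privileges")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def authn_ok_authz_denied(is_log, apim_log, window_s=5):
    """Pair each IS login with an APIM denial logged within window_s seconds after it."""
    logins = [(_ts(m[1]), m[2], m[3]) for m in IS_LOGIN.finditer(is_log)]
    denials = [_ts(m[1]) for m in APIM_DENY.finditer(apim_log)]
    findings = []
    for when, user, tenant in logins:
        # A domain-qualified name (DOMAIN/user) belongs to a secondary user store.
        domain = user.split("/", 1)[0] if "/" in user else "PRIMARY"
        for denied in denials:
            if timedelta(0) <= denied - when <= timedelta(seconds=window_s):
                findings.append({
                    "user": user,
                    "tenant": tenant,
                    "store_domain": domain,
                    "denied_at": denied.isoformat(timespec="milliseconds"),
                })
    return findings


if __name__ == "__main__":
    for f in authn_ok_authz_denied(IS_LOG, APIM_LOG):
        print(f"{f['user']} authenticated on IS but was denied on APIM at "
              f"{f['denied_at']}; check user store domain {f['store_domain']} on APIM")
```

A finding whose `store_domain` is not `PRIMARY` points at the situation described in the reply above: the user store that authenticated the user is not configured on the APIM instance that performs authorization.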