[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Thanks Wolfgang. I really appreciate your concern to help me. Can anyone else help me?

Thanks, Ganesh.

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=4243092#4243092

___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi, I have to admit I don't know SSO; I had used only simple login modules up to now. Digging around the docs, I found that org.jboss.security.idm.UsernameAndPasswordLoginModule uses a provider attribute ( http://fisheye.jboss.org/viewrep/JBossSSO/dev/trunk/components/jboss_identity_management/src/main/org/jboss/security/idm/UsernameAndPasswordLoginModule.java ). If this is not present, it takes the default provider from a jboss.sso:service=IdentityManager MBean. Did you change anything there? Maybe you could enhance the TRACE logging so that the LoginProvider logging is output, too. But I fear I cannot help you much further.

Wolfgang

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=4242546#4242546
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Thanks Wolfgang. I did turn on the log and got the following message.

2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
2009-07-07 11:14:31,243 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
2009-07-07 11:14:31,290 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] initialize, instan...@21101046
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Security domain: jboss-sso
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] Saw unauthenticatedIdentity=guest
2009-07-07 11:14:31,290 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] login
2009-07-07 11:14:31,321 DEBUG [org.jboss.security.idm.UsernameAndPasswordLoginModule] Bad password for username=tester
2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
2009-07-07 11:14:31,321 TRACE [org.jboss.security.idm.UsernameAndPasswordLoginModule] abort
2009-07-07 11:14:31,321 TRACE [org.jboss.security.plugins.JaasSecurityManager.jboss-sso] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)

I guess the jboss-sso.sar is connecting to the OpenDS LDAP server. However, in the test application ear file, it is not validating the password correctly. You have mentioned something about the DynamicLoginConfig. I am using the DynamicLoginConfig, as you can see in the jboss-sso-test.ear file under jboss-service.xml:

<?xml version="1.0" encoding="UTF-8"?>
<server>
  <!-- hooking in a login module for the standalone version of JSF Forums -->
  <!-- The custom JAAS login configuration that installs
       a Configuration capable of dynamically updating the
       config settings
  -->
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss.security.tests:service=LoginConfig">
    <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>

For the DynamicLoginConfig, the following is the AuthConfig I am using. I am not sure if this is correct. BTW, I did not modify anything in the jboss-sso-test.ear file after building from the jboss trunk.

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
   "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
  security domain used by the security-spec test case
-->
<policy>
  <application-policy name="jboss-sso">
    <authentication>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <!--<module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">HEX</module-option>-->
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

Do I need to do something in the JBOSS_HOME/server/default/conf/login-config.xml? Or is it trying to use the encrypted password or something? Did someone get this jboss-sso-test.ear working?

Thanks, Ganesh.

View the original post:
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi Ganesh, did you verify that your login module is used by JBoss? Did you activate logging of the security layer (follow the sticky post "FAQ - READ THIS BEFORE POSTING" in this forum, question 4 in the FAQ)? Maybe you just did not post it, but I think you need a DynamicLoginConfig so that JBoss will find your own security-config.xml: http://www.jboss.org/community/wiki/DynamicLoginConfig

Hope this helps
Wolfgang

View the original post: http://www.jboss.org/index.html?module=bbop=viewtopicp=4240950#4240950
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Greetings, I am trying to do the same thing: install Federated SSO and test it. I am using

JBoss-4.2.2.GA on Windows XP
OpenDS-1.2.0 on FreeBSD

I have set up the OpenDS for the testuser login. Previously, I got the error that testuser is not activated. So, I took out the source from the trunk mentioned above, updated the trunk and built the sso sar and ear files. The security-config.xml inside the jboss-sso-test.ear\META-INF looks like this:

<!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
  security domain used by the security-spec test case
-->
<policy>
  <application-policy name="jboss-sso">
    <authentication>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <!--<module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">HEX</module-option>-->
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
      <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

The sso.cfg.xml file under jboss-sso.sar looks like this:

<login>
  <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.HashAlgorithmRemoverLDAPIdentityProvider">
    <property name="connectionURL">
      jdbc:ldap://10.10.60.4:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=1000
    </property>
    <property name="username">uid=admin,dc=jboss,dc=com</property>
    <property name="password">jbossrocks</property>
    <property name="identityOu">People</property>
    <property name="roleOu">roles</property>
  </provider>
</login>

and this is how it looks in the ldapsearch:

/usr/local/OpenDS-1.2.0/bin/ldapsearch -s sub -b cn=testuser,ou=People,dc=jboss,dc=com (objectclass=*)
dn: cn=testuser,ou=People,dc=jboss,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
mail: [EMAIL PROTECTED]
uid: test
cn: testuser
displayName: Test User
sn: true

When I try to use testuser and secret as login and password, I get login failed on the jsp. I am not getting any errors on the jboss server log. On the OpenDS log, I see the following message.

[29/Jun/2009:11:19:54 -0700] CONNECT conn=176 from=10.10.1.145:3241 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=176 op=0 msgID=19 type=SIMPLE dn=uid=admin,dc=jboss,dc=com
[29/Jun/2009:11:19:54 -0700] BIND RES conn=176 op=0 msgID=19 result=0 authDN=uid=admin,dc=jboss,dc=com etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=176 op=1 msgID=20 base=cn=testuser,ou=People,dc=jboss,dc=com scope=wholeSubtree filter=(objectClass=*) attrs=cn
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=176 op=1 msgID=20 result=0 nentries=1 etime=2
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=176 op=2 msgID=21
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=176 reason=Client Unbind
[29/Jun/2009:11:19:54 -0700] CONNECT conn=177 from=10.10.1.145:3242 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=177 op=0 msgID=22 type=SIMPLE dn=uid=admin,dc=jboss,dc=com
[29/Jun/2009:11:19:54 -0700] BIND RES conn=177 op=0 msgID=22 result=0 authDN=uid=admin,dc=jboss,dc=com etime=1
[29/Jun/2009:11:19:54 -0700] SEARCH REQ conn=177 op=1 msgID=23 base=cn=testuser,ou=People,dc=jboss,dc=com scope=wholeSubtree filter=(objectClass=*) attrs=cn,sn,userPassword,givenName,displayName,o,employeeType,title,postalAddress,mail,telephoneNumber
[29/Jun/2009:11:19:54 -0700] SEARCH RES conn=177 op=1 msgID=23 result=0 nentries=1 etime=1
[29/Jun/2009:11:19:54 -0700] UNBIND REQ conn=177 op=2 msgID=24
[29/Jun/2009:11:19:54 -0700] DISCONNECT conn=177 reason=Client Unbind
[29/Jun/2009:11:19:54 -0700] CONNECT conn=178 from=10.10.1.145:3243 to=10.10.60.4:389 protocol=LDAP
[29/Jun/2009:11:19:54 -0700] BIND REQ conn=178 op=0 msgID=25 type=SIMPLE
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi again, again it is a little bit different. I compiled the trunk successfully, but I am not sure which package contains jboss sso, so I am not able to proceed with the test. This is the list of files in output-jars:

jboss-federation-server.ear
jboss-federation-server.jar
jboss-federation-server.sar
jboss-federation-server.war
jboss-identity-management.jar
jboss-saml.jar
jboss-security-common.jar
jboss-sso-portal.jar
jboss-sso-test.ear
jboss-sso-tomcat5.jar
test.war

Which one should be deployed to test the LDAP connection?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4149944#4149944
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

If you configure trunk/components/build/local.properties with your deploy directory and your jboss install dir, then you can run ant installSSO in trunk/components/build and all that you need will be copied to your deploy directory...

Then you need to go to trunk/components/jboss_federation_server and run ant deploy-exploded

At this point you have jboss-sso.sar and jboss_federation_server.ear in your deploy directory...

Now all you need is to copy from trunk/components/output-jars/ the file called jboss-sso-test.ear to your deploy directory and you can test SSO with LDAP

BE SURE TO UPDATE YOUR TRUNK BEFORE FOLLOWING THESE STEPS

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4149950#4149950
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi Sohil, thank you, this really works. I will send in a short time (a few days) whether the new version works fine with LDAP.

Regards, Yovko Yovkov

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4149839#4149839
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi salaboy21, unfortunately there are a lot of java class dependencies which I cannot deal with. I am not able to compile this java source for myself and test it. When can we expect to have a compiled binary version of the packages?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4148088#4148088
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Try this. Do a svn checkout:

svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk

then go to trunk/components/build and type

ant clean main

This should create all the binaries you need under trunk/component/output-jars

Hope this helps
Thanks

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4148090#4148090
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi salaboy21, is there any progress with this issue? Should I log the bug in jira?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4147984#4147984
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Yeap.. I have fixed this bug... you must download and compile SSO from the trunk.. I can help you to do this... and test it with any DS.. Let me know if you are using the trunk version (you must do an update)... Then you must find a new class named HashAlgorithmRemoverLDAPIdentityProvider.java.. this class is the solution to this problem.. Let me know if something goes wrong... I recommend you to only try local sign on with this class.. because another fix is needed for cross domain sign on.. (I already wrote this but have not done the commit yet...)

Thanks!

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4147995#4147995
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I wrote these steps in my personal blog... (but unfortunately they are in spanish). But I think you can figure out how to install JBoss SSO with some basic (language neutral) steps like:

1) Check out the sources with an svn client (apt-get install subversion (or svn))

svn co http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk/

2) edit the file local.properties

vi local.properties

change:

deploy.dir=default
jboss.home=/home//jboss-4.2.2.GA

3) then compile in jboss-sso/components/build/

Run: ant installSSO

and in: ../jboss_federation_server/

ant deploy-exploded

These are the basics... then look in my blog for the next steps of configuration.. ask me in my blog if you don't understand something..

http://salaboy.wordpress.com/2008/03/31/jboss-sso-tune-in-development-draft/

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4148016#4148016
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi salaboy21, can you give me some basic steps on how to download and compile SSO from trunk? I do not have such experience. But I want to test LDAP interoperability.

Thank you for your effort!

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4148014#4148014
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi Salaboy21:

1. Yes, I have commented out the hash algorithm line. To be sure that it is commented out in the proper way, I removed it from the file.

2. I did the same with hash encoding.

3. Here is the password:

{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

This is how it looks in all LDAP servers: {HASHMechanism}Values... So you should be aware of that. This is useful if you do not know which hash algorithm is used to encode the password. In other words, you do not need to specify which hash is used for the users' passwords; you can take this field from LDAP and work with the proper hash algorithm for any user. Because there is a possibility that one user's password uses MD5, and another's SHA-1...

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4143624#4143624
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi Salaboy, thank you for the information about the test application. Unfortunately I did not succeed. As I am a complete beginner in Java, can you show me how the settings must look when the LDAP is set up to store the passwords as an MD5 hash?

Thank you in advance!

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4143550#4143550
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
If you use Fedora DS and it only saves the password as MD5, try to configure it to store it in plain format... Today I'm doing the integration with openDS and I found a bug with hashed passwords in a crossdomain test... If you are trying only to sign up in one domain, your configuration in the test application will be something like this:

<login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
  <!--<module-option name="hashAlgorithm">MD5</module-option>-->
  <module-option name="hashUserPassword">true</module-option>
  <module-option name="hashStorePassword">false</module-option>
  <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
</login-module>

Note the value of hashUserPassword (true): it causes that, if you enter the password in plain text in the form, the LoginModule hashes this password with the specified algorithm and then compares it with the password stored in Fedora DS. Let me know if this configuration works for you!

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4143556#4143556
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi salaboy21, here is my security-config.xml

--- cut ---
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
   "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
  security domain used by the security-spec test case
-->
<application-policy name="jboss-sso">
  <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
    <module-option name="unauthenticatedIdentity">guest</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
    <!--<module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">HEX</module-option>-->
    <module-option name="hashUserPassword">true</module-option>
    <module-option name="hashStorePassword">false</module-option>
    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
  </login-module>
  <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
    <module-option name="unauthenticatedIdentity">guest</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
  </login-module>
</application-policy>
--- cut ---

I am still not able to connect to FedoraDS. I have also tried to connect to an OpenLDAP server, but with the password of the user changed to be MD5 hashed, not plaintext. It also did not work.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4143566#4143566
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
First of all..

<!--<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">HEX</module-option>-->

did you comment out the hash algorithm?? (with <!-- ) Second, try to remove the hash encoding property.. and third.. browse your LDAP store.. and show me (post it here) your hashed password with MD5.. I'm thinking that you possibly have the same problem that I have with OpenDS.. (OpenDS uses a schema that prepends the hash algorithm used to the hashed password. Ex: {SHA}jk432lkj432j4j32l432.. do you see something like this in Fedora DS?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4143581#4143581
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
change the configuration in the jboss-sso-test.ear/META-INF/security-config.xml

<login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
  <!--<module-option name="hashAlgorithm">SHA-1</module-option>-->
  <module-option name="hashUserPassword">false</module-option>
  <module-option name="hashStorePassword">false</module-option>
  <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
</login-module>

Pay attention to hashAlgorithm, hashUserPassword and hashStorePassword. Here is where you specify what password needs to be hashed and what algorithm you must use... This file is under the jboss-sso-test.ear .. so you must explode the file to change it easily.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141893#4141893
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
take a look at http://www.jboss.com/index.html?module=bbop=viewtopict=133123

If you have doubts about how to use it, please do not post it at the Design of security forum, do it here.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141942#4141942
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi all, I believe I found where the problem with jboss sso and Fedora Directory Server (FDS) is. Here is a short explanation: when using LDAP and you set a user password, the OpenLDAP server stores the password as plaintext. But FDS always stores this value as a hashed string (SSHA, MD5 ... and so on). So it means that the authentication module should be aware of how the password is stored.

Btw, is JBoss SSO actively developed or not?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141859#4141859
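The two posts above (the `{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==` value yyovkov pasted, and the point that the module must know how the directory stores the password) describe the RFC 2307 `{SCHEME}base64` convention. This added example, not code from the thread or from the JBoss SSO project, shows a verifier that parses that prefix and checks a typed password against MD5, SHA, SMD5 and SSHA values as well as an unprefixed plaintext value; `naive_hex_compare` is a constructed stand-in for a module configured with hashAlgorithm=MD5 and hashEncoding=HEX that compares its hex digest with the raw attribute, which is why such a setup fails against a `{MD5}` value.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 scheme prefix -> (hashlib constructor, value carries a trailing salt)
SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SHA": (hashlib.sha1, False),
    "SMD5": (hashlib.md5, True),
    "SSHA": (hashlib.sha1, True),
}


def _as_bytes(value):
    return value.encode() if isinstance(value, str) else value


def parse_user_password(stored):
    """Split an LDAP userPassword value into (scheme, raw bytes).

    '{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==' -> ('MD5', 16 digest bytes)
    'secret' (no prefix, what OpenLDAP stores when the client sends it
    unhashed) -> ('PLAIN', b'secret')
    """
    stored = _as_bytes(stored)
    if stored.startswith(b"{") and b"}" in stored:
        end = stored.index(b"}")
        scheme = stored[1:end].decode("ascii", "replace").upper()
        if scheme in SCHEMES:
            return scheme, base64.b64decode(stored[end + 1:])
    return "PLAIN", stored


def verify_user_password(stored, candidate):
    """True if the plaintext candidate matches the stored userPassword.

    For salted schemes the directory appends the salt to the digest before
    base64-encoding, so the salt is recovered from the stored value itself.
    """
    candidate = _as_bytes(candidate)
    scheme, data = parse_user_password(stored)
    if scheme == "PLAIN":
        return hmac.compare_digest(data, candidate)
    ctor, salted = SCHEMES[scheme]
    digest_len = ctor().digest_size
    if salted:
        digest, salt = data[:digest_len], data[digest_len:]
    else:
        digest, salt = data, b""
    # constant-time comparison of the recomputed digest with the stored one
    return hmac.compare_digest(ctor(candidate + salt).digest(), digest)


def naive_hex_compare(stored, candidate, algorithm="md5"):
    """Constructed model of a login module set to hashAlgorithm/hashEncoding=HEX:
    hash the typed password, hex-encode it, compare with the attribute as-is.
    The '{MD5}' prefix and base64 encoding make this never match."""
    digest_hex = hashlib.new(algorithm, _as_bytes(candidate)).hexdigest()
    return digest_hex.encode() == _as_bytes(stored)


def make_ssha(candidate, salt=None):
    """Build an {SSHA} value the way a directory server does (helper for tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(_as_bytes(candidate) + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # value from the thread: MD5 of the test user's password "secret"
    fds_value = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="
    print("scheme-aware verify:", verify_user_password(fds_value, "secret"))
    print("hex compare, prefix ignored:", naive_hex_compare(fds_value, "secret"))
    print("OpenLDAP plaintext:", verify_user_password("secret", "secret"))
    print("SSHA round trip:", verify_user_password(make_ssha("secret"), "secret"))
```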
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Thank you aamonten, but if it is not secret, what does it mean:

sn=true

To put it into user dn? Or ???

Please, do not hide the truth.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141719#4141719
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Actually I don't have a lot of experience with LDAP, so I'm not sure if sn has a special meaning. But by looking at the source I discovered that it checks it: if sn=true the account is activated; anything different from true and it would be deactivated.

regards
Alejandro

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141726#4141726
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
yyovkov wrote:
> Thank you aamonten, but if it is not secret, what does it mean:
>
> sn=true
>
> To put it into user dn? Or ???
>
> Please, do not hide the truth.

Sorry, I didn't understand exactly what your question was. Take a look at thomascremers' LDAP schema above in the thread.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141729#4141729
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I found what you want to say. The user entry should contain:

--- cut ---
dn: cn=Test User,ou=People, dc=foo,dc=bar
...
sn: true
...
--- cut ---

I put that and the error in the jboss output "user not activated" did not appear, but the web interface is still not able to check the password: Login Failed.. How can I use another attribute, different from sn, to mark a user as active?

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141736#4141736
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I found what you want to say. The user entry should contain:

--- cut ---
dn: cn=Test User,ou=People, dc=foo,dc=bar
...
sn: true
...
--- cut ---

I put that and the error in the jboss output "user not activated" did not appear, but the web interface is still not able to check the password: Login Failed.. Which file contains the requirement that sn should be set to true? Yes, this field is dedicated to other information. If this is hardcoded, we have to inform the developers.

aamonten, thank you for your help!

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141737#4141737
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
sn in ldap means Surname but it seems that the developers use that field to indicate whether the account is activated or not, so if you put this value in the ldap schema file as true your account will be activated.. I think that the developers use this field because it is a standard field in all ldap directory servers.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141744#4141744
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
OK, salaboy21. That is good, but even with that, the SSO test application doesn't work.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141748#4141748
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Another thing that you could look at is the user name in the sso.cfg.xml; mine for open ldap is cn=admin,dc=nodomain (look for the dc=nodomain). And yes.. sn is hardcoded, look at the following lines in LDAPLoginProvider.java:

String cour = rs.getString("sn");
boolean active = (new Boolean(cour)).booleanValue();

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141750#4141750
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
With which ldap server are you working? And what schema are you using? Because you must set the next variables:

<property name="username">cn=admin,dc=nodomain</property>
<property name="password">password</property>
<property name="identityOu">People</property>
<property name="roleOu">roles</property>

where roles and People must be an OperationUnit (OU) in your schema.

View the original post: http://www.jboss.com/index.html?module=bbop=viewtopicp=4141753#4141753
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Yes, it is hard coded in org.jboss.security.idm.ldap.LDAPIdentityProvider; this is the snippet where the active property is set:

    String cour = rs.getString("sn");
    boolean active = (new Boolean(cour)).booleanValue();
    String pass = rs.getString("userPassword");
    String givenName = rs.getString("givenName");
    String companyName = rs.getString("o");
    String companyRole = rs.getString("employeeType");
    String companyTitle = rs.getString("title");
    String postalAddress = rs.getString("postalAddress");

    //populate the identity
    identity = new Identity();
    identity.setUserName(cn);
    identity.setPassword(pass.getBytes());
    identity.setActive(active);

At this moment Mauricio (Salaboy21) and I are working on adding features and fixing bugs, so we will consider these, but we need to discuss it with Sohil Shah, who is the owner of the project. I will contact him.
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141755#4141755
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I am currently trying to set up Fedora Directory Server, but I have also tested with OpenLDAP. Yes, the fields are set up properly; I checked the LDAP logs and the server responds correctly ... but the web application does not understand. Did you succeed in logging in to the test app?
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141757#4141757
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Yes... with OpenLDAP and OpenDS, with different configurations. Here is my schema for OpenLDAP:

    # Base
    dn: dc=nodomain
    dc: nodomain
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: No Domain

    # People ou where we attach the users
    dn: ou=People, dc=nodomain
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    # A basic inetOrgPerson
    dn: cn=user,ou=People, dc=nodomain
    sn: true
    userPassword: secret
    mail: [EMAIL PROTECTED]
    displayName: user
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: test
    cn: user

    # The ou where we attach roles/groups
    dn: ou=roles, dc=nodomain
    ou: roles
    objectClass: top
    objectClass: organizationalUnit

    # A test group member of roles ou
    dn: cn=TestGroup,ou=roles, dc=nodomain
    ou: TestGroup
    objectClass: top
    objectClass: groupOfUniqueNames
    uniqueMember: cn=user,ou=People
    cn: TestGroup

Also I remember that I had to explode the jboss-sso-test.ear and change the configuration in jboss-sso-test.ear/META-INF/security-config.xml to:

    <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="sufficient">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
        <!--<module-option name="hashAlgorithm">SHA-1</module-option>-->
        <module-option name="hashUserPassword">false</module-option>
        <module-option name="hashStorePassword">false</module-option>
        <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
    </login-module>

Hope it helps! Let me know if you have any troubles!
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141758#4141758
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
yyovkov wrote :
| I am currently trying to set up Fedora Directory Server, but I have also tested with OpenLDAP. Yes, the fields are set up properly; I checked the LDAP logs and the server responds correctly ...
| But the web application does not understand. Did you succeed in logging in to the test app?

Yes, we did it both with OpenLDAP and OpenDS. Please look at your log file if there are any problems: JBOSS_HOME/server/default/logs/server.log
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141759#4141759
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
First, thank you for your attention. Here is the log from the JBoss server during an unsuccessful login:

--- cut ---
Apr 2008 00:14:13
2008-04-05 00:14:13,931 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] AtomicActionRecoveryModule: Second pass
2008-04-05 00:14:13,931 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_6] - TORecoveryModule - second pass
2008-04-05 00:14:13,931 DEBUG [com.arjuna.ats.jta.logging.loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.secondpass] Local XARecoveryModule - second pass
--- cut ---

And here is the LDAP log:

--- cut ---
[05/Apr/2008:00:14:03 +0300] conn=66 op=0 BIND dn=cn=Directory Manager method=128 version=3
[05/Apr/2008:00:14:03 +0300] conn=66 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[05/Apr/2008:00:14:03 +0300] conn=66 op=1 SRCH base=cn=Test User,ou=People,dc=yyovkov,dc=net scope=2 filter=(objectClass=*) attrs=cn
[05/Apr/2008:00:14:03 +0300] conn=66 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2008:00:14:03 +0300] conn=66 op=2 UNBIND
[05/Apr/2008:00:14:03 +0300] conn=66 op=2 fd=67 closed - U1
[05/Apr/2008:00:14:03 +0300] conn=67 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[05/Apr/2008:00:14:03 +0300] conn=67 op=0 BIND dn=cn=Directory Manager method=128 version=3
[05/Apr/2008:00:14:03 +0300] conn=67 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[05/Apr/2008:00:14:03 +0300] conn=67 op=1 SRCH base=cn=Test User,ou=People,dc=yyovkov,dc=net scope=2 filter=(objectClass=*) attrs=cn sn userPassword givenName displayName o employeeType title postalAddress mail telephoneNumber
[05/Apr/2008:00:14:03 +0300] conn=67 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2008:00:14:03 +0300] conn=67 op=2 UNBIND
[05/Apr/2008:00:14:03 +0300] conn=67 op=2 fd=68 closed - U1
[05/Apr/2008:00:14:03 +0300] conn=68 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
[05/Apr/2008:00:14:03 +0300] conn=68 op=0 BIND dn=cn=Directory Manager method=128 version=3
[05/Apr/2008:00:14:03 +0300] conn=68 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[05/Apr/2008:00:14:03 +0300] conn=68 op=1 SRCH base=cn=Test User,ou=People,dc=yyovkov,dc=net scope=2 filter=(objectClass=*) attrs=cn
[05/Apr/2008:00:14:03 +0300] conn=68 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2008:00:14:03 +0300] conn=68 op=2 UNBIND
[05/Apr/2008:00:14:03 +0300] conn=68 op=2 fd=67 closed - U1
[05/Apr/2008:00:14:03 +0300] conn=69 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[05/Apr/2008:00:14:03 +0300] conn=69 op=0 BIND dn=cn=Directory Manager method=128 version=3
[05/Apr/2008:00:14:03 +0300] conn=69 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[05/Apr/2008:00:14:03 +0300] conn=69 op=1 SRCH base=cn=Test User,ou=People,dc=yyovkov,dc=net scope=2 filter=(objectClass=*) attrs=cn sn userPassword givenName displayName o employeeType title postalAddress mail telephoneNumber
[05/Apr/2008:00:14:03 +0300] conn=69 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2008:00:14:03 +0300] conn=69 op=2 UNBIND
[05/Apr/2008:00:14:03 +0300] conn=69 op=2 fd=68 closed - U1
--- cut ---
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141763#4141763
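The directory log above is worth reading for more than the missing-rights question: every connection binds as cn=Directory Manager, then reads the user's entry including userPassword with err=0, and no connection ever binds as the user. The password comparison therefore happens inside JBoss, and a wrong password leaves no invalidCredentials (err=49) trace in the directory; only the JBoss server.log sees it. As an added example that is not part of the thread or of JBoss SSO, the Python script below parses 389-DS/Fedora DS access-log lines of that shape and flags both patterns. The sample log is constructed to mirror the quoted one (with the quotes the real format puts around values); the conn=70 lines, which show what a failed bind as the user would look like, and the finding names are assumptions of the example.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the Fedora DS access log quoted in the thread.
# conn=67 is the SSO provider's real pattern: privileged bind, then read userPassword.
# conn=70 is an added contrast (not in the thread): a bind as the user DN that fails.
SAMPLE_ACCESS_LOG = """\
[05/Apr/2008:00:14:03 +0300] conn=67 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[05/Apr/2008:00:14:03 +0300] conn=67 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Apr/2008:00:14:03 +0300] conn=67 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[05/Apr/2008:00:14:03 +0300] conn=67 op=1 SRCH base="cn=Test User,ou=People,dc=yyovkov,dc=net" scope=2 filter="(objectClass=*)" attrs="cn sn userPassword givenName displayName o employeeType title postalAddress mail telephoneNumber"
[05/Apr/2008:00:14:03 +0300] conn=67 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2008:00:14:03 +0300] conn=67 op=2 UNBIND
[05/Apr/2008:00:14:03 +0300] conn=67 op=2 fd=68 closed - U1
[05/Apr/2008:00:14:04 +0300] conn=70 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[05/Apr/2008:00:14:04 +0300] conn=70 op=0 BIND dn="cn=Test User,ou=People,dc=yyovkov,dc=net" method=128 version=3
[05/Apr/2008:00:14:04 +0300] conn=70 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[05/Apr/2008:00:14:04 +0300] conn=70 op=1 UNBIND
"""

# "[timestamp] conn=N [op=M] <verb and key=value pairs>"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<body>.*)$')
# key=value where value is either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_access_log(text):
    """Group 389-DS access log lines by connection: bind DN, searches and results."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns.setdefault(m.group('conn'), {'bind_dn': None, 'searches': [], 'results': []})
        body = m.group('body')
        verb = body.split(' ', 1)[0]
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if verb == 'BIND':
            conn['bind_dn'] = kv.get('dn', '')
        elif verb == 'SRCH':
            conn['searches'].append({
                'base': kv.get('base', ''),
                'scope': int(kv.get('scope', '0')),
                'filter': kv.get('filter', ''),
                'attrs': kv.get('attrs', '').split(),
            })
        elif verb == 'RESULT':
            conn['results'].append({'op': m.group('op'),
                                    'err': int(kv.get('err', '-1')),
                                    'nentries': int(kv.get('nentries', '0'))})
    return conns


def audit(conns):
    """Return (conn, finding, bind_dn, base) tuples for the two patterns that matter here."""
    findings = []
    for cid, c in conns.items():
        for s in c['searches']:
            if 'userPassword' in s['attrs']:
                # The application reads the stored credential under a privileged bind and
                # compares it itself, so a wrong user password is invisible in this log.
                findings.append((cid, 'password-fetch', c['bind_dn'], s['base']))
        for r in c['results']:
            if r['err'] == 49:
                # LDAP invalidCredentials: only ever produced when the user DN itself binds.
                findings.append((cid, 'bind-failure', c['bind_dn'], ''))
    return findings


if __name__ == '__main__':
    for finding in audit(parse_access_log(SAMPLE_ACCESS_LOG)):
        print('conn=%s %-15s bind=%s base=%s' % finding)
```

Run against a real access log, the 'password-fetch' findings tell you which bind identity can read userPassword (here the directory superuser, which is far more privilege than the SSO service needs), and the absence of any 'bind-failure' finding tells you that failed SSO logins must be alerted on from the JBoss side, not from the directory.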
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hm ... I think I found where the problem is. The user cn=user... doesn't have sufficient rights to read the directory. So I will change the settings in the directory tree and will post the result here. Probably tomorrow. Thank you for your help!
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141772#4141772
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Alejandro and Mauricio are correct. The LDAPIdentityProvider is designed to use the inetOrgPerson schema, which is standard LDAP schema. However, I think the use of cn and sn in its current implementation is not correct. I would prefer to use uid instead of cn, and I am still not sure how to represent the activation field; using sn is confusing. I initially used these since the LDAP repo that I was connecting with had the data set up that way. However, it's time the out-of-the-box LDAP impl moves away from those semantics and uses uid and something else for representing account activation. Part of the reason I have not changed it is also keeping backward compatibility with existing users who have set up their LDAP repo based on this impl. I think the cleanest approach will be to leave this LDAPIdentityProvider impl as is, and introduce a new one that maps the data in a more standard manner. I apologize for the confusion that the hackish usage of 'sn' created ;) If I were Hillary Clinton then I would say I mis-coded ;) Thanks
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141802#4141802
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Guys, you can track this issue here: http://jira.jboss.com/jira/browse/JBSSO-37 Until then, when using the out-of-the-box impl make sure the 'sn' field in your repo is used to represent a 'true' or 'false' value that indicates whether an account is activated or not. You can of course create your own IdentityProvider or extend this one to fit whatever schema you have set up in your environment. Thanks
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4141804#4141804
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
tamilnandhu wrote :
| Hi buddy,
|
| Thanks for the post.
|
| I tested with your post and am able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package.
|
| When I gave the user created (TestUser) in LDAP, it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated - TestUser", something like this.
|
| But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt.
|
| I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times).
|
| Please tell me why this error comes and give me a solution to resolve this one.

Set: sn=true, that will activate the user.
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=414#414
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I have the same problem: when I try to log on to the test application I receive the error "The specified account has not been activated". My question here is: what does it mean and how can I activate the user?

@tamilnandhu: About the error for user admin: the user admin is specified in dc=foo,dc=bar, not in ou=People,dc=foo,dc=bar. So, for the application this user does not exist. Regards!
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4139933#4139933
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi buddy, thanks for the post. I tested with your post and am able to create users in LDAP (verified with an LDAP browser) and tried to run the test login page which comes with the jboss-sso-1.0CR1 package. When I gave the user created (TestUser) in LDAP, it says login failed. When I look at the JBoss server command prompt, it says "The user has not been activated - TestUser", something like this. But when I gave the admin or Directory Manager users, it simply says Login Failed and there is no error on the JBoss command prompt. I looked at the ldap.log file; there I found some entries showing that JBoss searched for the user TestUser (nearly 3 to 5 times). Please tell me why this error comes and give me a solution to resolve this one.
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4139555#4139555
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
Hi, also, please tell me the purpose of the SSO Trust Server. Thanks, Nandhu.
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4139557#4139557
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
I have been on a big quest as well to get this working. The documentation leaves a lot to be desired, but here is what I did to get it working. First a basic LDAP schema:

    # Base
    dn: dc=foo,dc=bar
    dc: foo
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: Foo Bar

    # Ldap admin user
    dn: cn=admin, dc=foo,dc=bar
    userPassword: secret
    description: LDAP administrator
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin

    # People ou where we attach the users
    dn: ou=People, dc=foo,dc=bar
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    # A basic inetOrgPerson
    dn: cn=Test User,ou=People, dc=foo,dc=bar
    sn: Test
    userPassword: secret
    mail: [EMAIL PROTECTED]
    displayName: Test User
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: test
    cn: Test User

    # The ou where we attach roles/groups
    dn: ou=roles, dc=foo,dc=bar
    ou: roles
    objectClass: top
    objectClass: organizationalUnit

    # A test group member of roles ou
    dn: cn=TestGroup,ou=roles, dc=foo,dc=bar
    ou: TestGroup
    objectClass: top
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Test User,ou=People
    cn: TestGroup

Now the important part is of course the jboss-sso.sar/conf/sso.cfg.xml file. For the LDAP schema above this would look like this:

    <?xml version='1.0' encoding='ISO-8859-1'?>

    <jboss-sso>
        <identity-management>
            <login>
                <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
                    <property name="connectionURL">jdbc:ldap://ldap.domain.com:389/dc=foo,dc=bar?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=1000</property>
                    <property name="username">cn=admin,dc=foo,dc=bar</property>
                    <property name="password">secret</property>
                    <!-- ou that contains all your inetOrgPersons -->
                    <property name="identityOu">People</property>
                    <!-- ou that contains your groups -->
                    <property name="roleOu">roles</property>
                </provider>
            </login>
            <!--<login>
                <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
            </login>-->
        </identity-management>
        <sso-processor>
            <processor class="org.jboss.security.saml.JBossSingleSignOn">
                <!-- Conf this to your sso jboss server -->
                <property name="trustServer">http://sso-jboss.domain.com:8080/federate/trust</property>
            </processor>
        </sso-processor>
    </jboss-sso>

Really important here is to verify that you have set identityOU and roleOU to the right values. If there is an error here you will get "No such object" JDBC errors, which of course is an LDAP error telling you it can't find the ou. I use OpenLDAP and set the loglevel property to 265, which makes debugging jboss-sso a whole lot easier. If you tail the LDAP log and start the SSO service you should see jboss-sso connecting and scanning in the roles. If so, and you can confirm the SSO startup in the JBoss server.log, you are done. Hope this helped.
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4037902#4037902
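Putting the thread's findings together: the out-of-the-box LDAPIdentityProvider reads sn as the activation flag through Java's Boolean(String), names the user by cn, only looks for identities under the identityOu and resolves roles under the roleOu. Those rules can be checked against an LDIF file before anything is deployed. The Python script below is an added example, not code from the thread or from JBoss SSO: it parses LDIF and reports which entries the provider would reject and why. Its LDIF is a constructed sample modelled on the two posted above (note the sn: Test on the test user, which is exactly the "account has not been activated" case, and the admin entry outside ou=People). The report keys, the DN normalisation and the rule that a uniqueMember must be the full DN of an existing entry are assumptions of the example, not documented provider behaviour.

```python
import base64

# Constructed LDIF sample modelled on the schemas posted in this thread (not from the thread itself).
LDIF_SAMPLE = """\
dn: dc=foo,dc=bar
dc: foo
objectClass: dcObject
objectClass: organization
o: Foo Bar

dn: cn=admin,dc=foo,dc=bar
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: c2VjcmV0

dn: ou=People,dc=foo,dc=bar
objectClass: organizationalUnit
ou: People

dn: cn=Test User,ou=People,dc=foo,dc=bar
objectClass: inetOrgPerson
cn: Test User
sn: Test
uid: test
userPassword: secret

dn: cn=user,ou=People,dc=foo,dc=bar
objectClass: inetOrgPerson
cn: user
sn: true
uid: user
userPassword: secret

dn: ou=roles,dc=foo,dc=bar
objectClass: organizationalUnit
ou: roles

dn: cn=TestGroup,ou=roles,dc=foo,dc=bar
objectClass: groupOfUniqueNames
cn: TestGroup
uniqueMember: cn=Test User,ou=People
uniqueMember: cn=user,ou=People,dc=foo,dc=bar
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts (names lower-cased)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + ['']:                   # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith('#'):
            continue
        name, _, rest = line.partition(':')
        if rest.startswith(':'):                   # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        current = current if current is not None else {}
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Cheap DN normalisation for comparisons: lower-case, no blanks around commas."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def java_boolean(value):
    """Mirror java.lang.Boolean(String): true only for the word 'true' in any case."""
    return value is not None and value.strip().lower() == 'true'


def check_identities(entries, base_dn, identity_ou, role_ou):
    """Apply the provider's rules as described in the thread and report the outcome."""
    people_suffix = ',' + norm_dn('ou=%s,%s' % (identity_ou, base_dn))
    roles_suffix = ',' + norm_dn('ou=%s,%s' % (role_ou, base_dn))
    known_dns = {norm_dn(e['dn'][0]) for e in entries}
    report = {'active': [], 'inactive': [], 'outside_identity_ou': [], 'unresolved_members': []}
    for e in entries:
        dn = norm_dn(e['dn'][0])
        classes = {c.lower() for c in e.get('objectclass', [])}
        cn = e.get('cn', [''])[0]
        if dn.endswith(people_suffix) and 'inetorgperson' in classes:
            # sn is (mis)used as the activation flag; the login name is cn
            bucket = 'active' if java_boolean(e.get('sn', [None])[0]) else 'inactive'
            report[bucket].append(cn)
        elif 'userpassword' in e:
            # has a credential but lives outside identityOu: the provider never finds it
            report['outside_identity_ou'].append(cn)
        if dn.endswith(roles_suffix) and 'groupofuniquenames' in classes:
            for member in e.get('uniquemember', []):
                if norm_dn(member) not in known_dns:   # assumption: members must be full DNs
                    report['unresolved_members'].append((cn, member))
    return report


if __name__ == '__main__':
    for key, value in check_identities(parse_ldif(LDIF_SAMPLE), 'dc=foo,dc=bar', 'People', 'roles').items():
        print('%-20s %s' % (key, value))
```

Against the sample, 'Test User' lands in the inactive list because "Test" is not the string "true", 'admin' is reported as outside the identity OU (the reason the admin login fails silently), and the group member written without the base DN is reported as unresolved; point the script at your own LDIF export and the same three checks apply.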
[jboss-user] [Security JAAS/JBoss] - Re: Single Sign On with LDAP Examples
dittos
View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4037225#4037225