LDAP attribute issues connecting Ellucian's Ethos wso2 version 5.10.0 to Active Directory - ellucian-banner

New to WSO2 so be gentle. I'm building an instance of Ellucian's Ethos wso2 identity server (version 5.10.0), and when I point it to Active Directory the Tomcat server does start and I can log in as the admin user I created in Active Directory for Ethos, but when I run "wso2server.bat -Dsetup" I see errors like the following in the wso2carbon.log file and I want to know if I should be worried.
ERROR {org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent} - Error occurred while setting SCIM attributes for the Admin org.wso2.carbon.user.core.UserStoreException: Error in adding SCIM metadata to the admin in tenant domain: carbon.super
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'CN=ouruser,OU=OurContainer'
ERROR {org.wso2.carbon.identity.scim2.common.utils.AdminAttributeUtil} - Error occurred while updating the admin user's attributes in Tenant ID : -1234, Error : One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser org.wso2.carbon.user.core.UserStoreException: One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser
I intend for AD to be treated as a read-only LDAP database so I have "eis.admin.create.user" set to false in the eis_config.properties file and the Ethos admin user I created in AD does not have AD admin privileges. AD is only being used for authentication and for pulling attributes and releasing them to service providers. Could it be trying to write attributes to the Ethos admin user I created in AD?
Or is it an attribute mapping issue (mapping AD attributes back into Ethos?). I noticed in the eis_config.properties file the following mappings section
eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.uris=
eis.add.claim.challenge.question.1=
eis.add.claim.challenge.question.2=
eis.add.claim.resource.type=pager
And I know for a fact that attributes like "udcid" are specific to Ellucian products and are not an LDAP attribute in AD, so I set it to "cn". And for the attribute mappings above that are blank I mapped them to real AD attributes to see if I could get rid of the errors, but they remain.
Any thoughts?
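As an added illustration (not from the original thread or from Ellucian's product), the following Python decodes the AD "LdapErr" string quoted above into its fields and audits the eis.add.claim.* mappings against a set of attribute names. The attribute set and the properties text are constructed here; in a real check the set would be read from the AD schema.

```python
import re

# Constructed sample of what the question shows: the eis_config.properties claim
# mappings and the AD error text. Neither is taken from a live server.
EIS_CONFIG = """\
eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.uris=
eis.add.claim.resource.type=pager
"""
# Hypothetical subset of attributes an AD user entry exposes; in a real audit
# this set is read from the AD schema rather than hard-coded.
AD_USER_ATTRIBUTES = {"sAMAccountName", "userPrincipalName", "objectGUID",
                      "employeeNumber", "cn", "pager", "memberOf", "mail"}
# LDAP result 16 is noSuchAttribute (RFC 4511); Win32 0x57 is ERROR_INVALID_PARAMETER.
LDAP_RESULT_NAMES = {16: "noSuchAttribute", 32: "noSuchObject", 49: "invalidCredentials"}
WIN32_ERROR_NAMES = {0x57: "ERROR_INVALID_PARAMETER"}
AD_ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
                       r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+),")

def decode_ad_error(text):
    """Split an AD LdapErr string into named fields; None if it does not match."""
    m = AD_ERR_RE.search(text)
    if not m:
        return None
    code, win32 = int(m["code"]), int(m["win32"], 16)
    return {"ldap_result": code, "ldap_name": LDAP_RESULT_NAMES.get(code, "unknown"),
            "win32": win32, "win32_name": WIN32_ERROR_NAMES.get(win32, "unknown"),
            "dsid": m["dsid"], "comment": m["comment"].strip()}

def audit_claim_mappings(config_text, schema_attrs):
    """Return {property: problem} for eis.add.claim.* entries AD cannot serve.

    A blank mapping or a name absent from the schema is a candidate cause of
    the 'attribute conversion' failure when the server writes SCIM metadata."""
    problems = {}
    for line in config_text.splitlines():
        key, sep, attr = line.partition("=")
        if not key.startswith("eis.add.claim.") or not sep:
            continue
        attr = attr.strip()
        if not attr:
            problems[key] = "blank mapping"
        elif attr not in schema_attrs:
            problems[key] = f"'{attr}' is not an AD attribute"
    return problems
```

Running audit_claim_mappings on the sample flags the udcid and blank challenge-question entries, which matches the two kinds of mapping the question suspects.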

Have you tried eis.add.claim.employeeType=memberOf in your eis_config.properties file?
And are the AD values correct for:
eis.admin.role.name=,
eis.admin.username=,
eis.userstore.ConnectionURL=,
eis.userstore.ConnectionName=,
eis.userstore.ConnectionPassword=,
eis.userstore.UserSearchBase=,
eis.userstore.UserNameAttribute=,
eis.userstore.GroupSearchBase=,
eis.userstore.SharedGroupSearchBase=,
eis.userstore.defaultRealmName=,
along with the user-mgt.xml settings?

Related

Keycloak - Issues syncing users with LDAP

I installed OpenLDAP in the server and after that added the user into the LDAP; the screen below shows the added user through Apache Active Directory.
Now in Keycloak I added user federation as an OpenLDAP and it's connecting to LDAP without any issue, but when I am trying to sync the user I am getting the message
Success! Sync of users finished successfully. 0 imported users, 0
updated users
So no user is imported from LDAP to Keycloak; below is the related LDAP connection information in Keycloak.
Thanks to #EricLavault and one of my company colleagues, at last Keycloak is able to import the user successfully. Below are the changes I made to fix the issue.
Change the User Object Classes=*
Created a new entry ou=People then created user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this it starts throwing the exception below
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null
username! Check configuration of your LDAP mappings. Mapped username
LDAP attribute: uid, user DN:
cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP:
{sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z],
modifyTimestamp=[20191118180647Z]}
Which is fixed by using Username LDAP attribute = cn, as the LDAP username attribute in the OpenLDAP case is by default cn.
User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container as it's supposed to represent the directory manager and should be used for binding and other operations but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS) that is ou=people,dc=suredev20, ie. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloak you need to set users dn accordingly : ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving subodh entry but not recommended).

Delete ldap attribute by keycloak

I'm evaluating keycloak for identity management using an existing (open)ldap server.
I've managed to get the telephoneNumber ldap attribute into keycloak.
The problem occurs if I try to remove a telephone number via keycloak: keycloak tries to set the ldap attribute to an empty string, which is not allowed. Is there a way to configure the user-attribute-ldap-mapper to delete the attribute if its empty?
Best wishes
Daniel
[edit] I've opened a bug report at Keycloak for this issue

LDAP User Access to WSO2 Governance Registry Store / Publisher

We managed to set up LDAP as a secondary User Store in the WSO2 Governance Registry Management Console 5.3.0 (Carbon). We see the Users/Roles were loaded correctly and we can access the Management Console (Carbon) with those users.
However, despite the LDAP users having "Internal/store" permission, they cannot access/sign in to WSO2 Governance Center - STORE. The error on the Sign In page is: "Insufficient priveleages to access the Store application."
Managed to solve the problem just with putting the domain name of the User Store and forward slash in front of the LDAP username: <domain_name>/<user_name>
When the username is specified without the domain name, the Store application gives misleading error: "Insufficient priveleages to access the Store application." I think it should respond with different error, for example: "The provided username and password combination is incorrect."

wso2 appm issue with ldap authentication when login on store or publisher

I'm trying to use wso2 APPM (version 1.10.0) with an external LDAP for authentication, without real success.
I'll try to be as factual as possible to let it be testable:
I've unzipped the wso2appm zip file under Linux
I've set up the java_home var
I've started wso2server.sh ==> no problem displayed in the log; at this step I must specify that I'm using the default database of WSO2.
Then logging in to the Carbon GUI, and adding a new userstore management setting pointing to a read-only external LDAP.
After a few seconds, the LDAP users appear in the user list.
Then selecting myself in the list and adding the Internal/store role.
Opening the store URL, and trying to log in with the login / password of my user.
Then getting a message informing me that the user does not have the store profile.
If I log into carbon with my ldap user, it's working.
The same use case with the API looks fine to log into the store.
Any fix or ideas are welcome.
BR,
jfv
By the looks of it, I suspect your issue is that the privileges are not set correctly for your LDAP user store roles. Please make sure that you have assigned the internal/subscriber role to the relevant user in your permission tree. You can find more details about this at JIRA ticket [1]
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu
Hi, and thank you for your answer,
first: I checked the solution you proposed this morning, and there is no change.
Secondly, I tried to add all privileges, without more success,
but if I create a new user manually, this one can log in.
The following errors are shown in the log when I try to log in with an LDAP user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
the login is "jaav7491"
Thank you for your ideas,
BR,
jfv

Bind settings for LDAP authentication for moodle

I am now trying to configure for the LDAP authentication in /admin/auth_config.php?auth=ldap.
I would like to know what the Bind settings do. Is it necessary to fill in the DN and Password under Bind settings for LDAP to work?
And I have encountered an error code auth_ldap_noconnect when trying to sync the users through LDAP from the cron script. What could be the causes for this error?
The Bind settings are necessary - without them Moodle can't connect to your LDAP server. They determine how Moodle will access the LDAP server.
CN = your Common Name
OU = your Organizational Unit
DC = your Domain Component
Those are all part of the LDAP Data Interchange Format (LDIF) and they determine how the LDAP tree is filtered. See http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format.
So in Moodle you probably need a Distinguished name like:
cn=YourServiceAccountName,ou=YourSchool,ou=Service Accounts,DC=yourdc,DC=co,DC=uk
And you'll probably also have to list the Contexts where your students are found:
ou=yourschool,DC=yourdc,DC=co,DC=uk;
User attribute might = samaccountname (for MS Active Directory)