I'm configuring an activeMQ with cached LDAP authentication.
For the moment, there's an user "cta" that send messages (IoT) to topics and an admin "itopsystem" that read from those topics (App)
the user cta is in a group "users" that has read, write rights to the topics, and itopsystem is in admins group. it works fine for the cta user but with itopsystem i have this error :
Security Error occurred on connection to: tcp://xx.xx.xx.xx:47704, User itopsystem is not authorized to read from: ActiveMQ.Advisory.Connection,ActiveMQ.Advisory.Consumer.Topic.app/CTA/>,ActiveMQ.Advisory.Producer.Topic.app/CTA/>,app/motronics/>,app/motronics/#, app/ethairbox/>,app/ethairbox/#,ethairbox/>,ethairbox/#, | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///xx.xx.xx.xx:47704#61616
There's my ldap architecture
XML config
<authorizationPlugin>
<map>
<cachedLDAPAuthorizationMap connectionURL="ldap://localhost:389" connectionUsername="cn=Manager,dc=app,dc=com" connectionPassword="xxxxxxx" queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=app,dc=com" topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=app,dc=com" tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=app,dc=com" refreshInterval="300000" legacyGroupMapping="false"/>
</map>
</authorizationPlugin>
Why is my itopsystem user lack of rights if he's in the admins group ? The members are set like that in the group branch: member: uid=itopsystem
Related
I Installed nifi-1.13.2
and I need to authenticate with LDAP
but there is some issue
when I want to use multiple account in different "OU"
I get this error
"Unable to validate the supplied credentials. Please contact the system administrator."
this is my login-identity-providers.xml:
login-identity-providers.xml
this is my LDAP Server table:
LDAP
I found The Solution
you should change ldap port to 3268
like this
<property name="Url">ldap://10.1.21.2:3268</property>
<property name="User Search Base">DC=COM</property>
this port is for Global catalog and mostly use for authentication
I'm having a problem getting LDAP authentication to work. Looking at the logs it seems to bind ok, but when i try to login it doesn't look like its hitting ldap at all and i get authentication failed.
In the logs I see:
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm: LDAP
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=ou=people,o=intra,dc=sears,dc=com, request=(&(objectClass=*searsorgperson)(uid={0})), realNameAttribute=cn, emailAttribute=mail}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2017.03.28 17:17:46 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection on ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com: OK
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm started
My config has the following:
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.createUsers=true
sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator
sonar.security.savePassword=true
sonar.security.updateUserAttributes=true
ldap.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com
# User Configuration
ldap.user.baseDn=ou=people,o=intra,dc=sears,dc=com
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
According to my LDAP admin, it does an anonumous check when it first comes up, but nothing is else done after that. So for some reason it doesn't seem to be hitting the LDAP server when i login. I don't have any local IDs setup besides admin.
You have not configured an authenticated user to do the search.
That is, the first test, anonymous bind tests the connectivity. But to search for the users DN, you need more than anonymous permissions. Then once the DN is found, bind as the logging in user. But first you need to provide the LDAP DN of the user who is the proxy that can search and its password.
Also you have an asterisk (wildcard) in your objectlass search filter:
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
Or is that formatting symbol? I am not sure ObjectClass can usually be searched that way).
When I change admin-bam password from Web Console ( the default password for admin-bam is "admin"),
Home > Configure > Users and Roles --> Change my Password.
Then I recive the following log errors:
TID: [0] [BAM] [2015-11-04 08:36:07,718] INFO
{org.wso2.carbon.databridge.core.DataBridge} - user admin-bam connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [0] [BAM] [2015-11-04 08:36:07,733] ERROR
{org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - Authentication failed! admin-bam. This user is not permitted to publish events. {org.wso2.carbon.databridge.core.internal.authentication.Authenticator}
I also change my usr-mgt.xml and restart BAM, but I receive the same error:
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin-bam</AdminRole>
<AdminUser>
<UserName>admin-bam</UserName>
<Password>NEW_PASSWORD_HERE</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
Property name="dataSource">jdbc/USER_LST</Property>
</Configuration>
-.........
If I set again admin-bam/admin, those logs disappear.
Where is the error?
You have to use in the following way
Configure > Users and Roles > Users > Change Password
You need to change the BAMUsername and BAMPassword to match the new username and passowrd which you defined. Configuration is given below,
<APIUsageTracking>
<!-- Enable/Disable the API usage tracker. -->
<Enabled>true</Enabled>
<PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
<ThriftPort>7614</ThriftPort>
<BAMServerURL>tcp://<BAM host IP>:7614/</BAMServerURL>
<BAMUsername>admin</BAMUsername>
<BAMPassword>admin</BAMPassword>
<!-- JNDI name of the data source to be used for getting BAM statistics. This data source should
be defined in the master-datasources.xml file in conf/datasources directory. -->
<DataSourceName>jdbc/WSO2AM_STATS_DB</DataSourceName>
</APIUsageTracking>
You can find this file in following location:
API Manager/repository/conf/api-manager.xml
If you are in a clustered environment, it is sufficient to only change the above settings in the Gateway node.
I'm trying to look on on the root of a AD server for users with tomcat5.5 and JNDIRealm, but it seems that there are several referrals to other locations in the whole AD structure and one of the referrals give a "connection refused" . With LDAP you can use the option referrals="ignore" but this doesn't work if you use AD so you must use referrals=follow otherwise you get a Unprocessed Continuation Reference(s) exception
Is there a way that I can ignore all referrals to other servers?
current config in a server.xml file:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="CN=root_user,OU= foo,OU= bar ,dc=example,dc=com"
connectionPassword="hideMe!"
connectionURL="ldap://****:389"
userBase="DC=example,DC=com"
userSearch="(&(objectClass=user)(sAMAccountName={0}))"
userSubtree="true"
roleBase="OU=rolles,dc=example,dc=com"
roleName="CN"
roleSearch="(member={0})"
roleSubtree="false"
/>
Exception:
It seems that the active directory was corrupt. There where broken referal links. So be sure that the servers are all up and running
I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
Authenticate as the manager, find the users full dn based on search criteria
Attempt to bind as the user (using their full dn) and the provided password
The logs dont seem to give enough information as to why this is failing. It just says invalid credentials - when I know they are valid. My thoughts are one of the following is happening:
The users full DN is not being found, and they are just being authenticated with the username
It is trying to do a password compare, vs actually trying to bind to the directory
Configuration:
<ldap-server
url="ldap://adapps.company.com:389/dc=company,dc=com"
manager-dn="cn=fulluserdn,dc=company,dc=com"
manager-password="password"/>
<ldap-user-service user-search-base="" user-search-filter="(samaccountname={0})"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})" user-search-base="dc=company,dc=com"/>
</authentication-manager>
Error logs:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
The problem was teat the LDAP server was running on a different port, but the normal port was still open.