We need to do a LDAP Authentication for login. It works fine for checking with a single AD server.
<loginModules>
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="${ldap.security.dom1.url}"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="exists"/>
<parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
</loginModule>
It works fine, if I use a single url in the ldapprovider URL. I wanted to add 2 ldap urls, one as primary & other as secondary. I tried adding comma ',' separated url's, where if the primary fails, it needs to check for the secondary url. the urls are configured in worklight.properties as below
ldap.security.dom1.url = LDAP://10.40.88.10/DC=10.40.88.10
ldap.security.dom2.url = LDAP://10.30.88.10/DC=10.30.88.10
The code is as below
<parameter name="ldapProviderUrl" value="${ldap.security.dom1.url},${ldap.security.dom2.url}"/>
But it throws the below error
LdapLoginModule authentication failed. Reason 'javax.naming.InvalidNameException: Invalid name: DC=10.30.28.10,LDAP://10.40.88.10/DC=10.40.88.10
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)
at javax.naming.ldap.LdapName.parse(LdapName.java:789)
at javax.naming.ldap.LdapName.<init>(LdapName.java:125)
at com.sun.jndi.ldap.LdapNameParser.parse(LdapNameParser.java:39)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
Kindly advice.
According to the documentation found here, ldapProviderUrl is expected to be a single, RFC-2253 parsable URL or IP address. You're receiving this error, because the module has no notion of a delimited "list" for this value.
Related
I am using the following code in my proxy to connect ftp server to read file from.
<proxy name="SFTPVFSProxy" transports="vfs" startOnLoad="true" xmlns="http://ws.apache.org/ns/synapse">
<target>
<inSequence>
<send/>
</inSequence>
</target>
<parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
<parameter name="transport.PollInterval">15</parameter>
<parameter name="transport.vfs.MoveAfterProcess">vfs:sftp://username:password#ftpserver-host/outbox</parameter>
<parameter name="transport.vfs.FileURI">vfs:sftp://username:password#ftpserver-host/inbox</parameter>
<parameter name="transport.vfs.MoveAfterFailure">vfs:sftp://username:password#ftpserver-host/sent</parameter>
<parameter name="transport.vfs.FileNamePattern">.*.txt</parameter>
<parameter name="transport.vfs.ContentType">application/xml</parameter>
<parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
</proxy>
But I am getting below error when I ran the above. VFS transport is eanbled in axis2.xml and I can see vfs transport in wso2 esb 4.9.0 admin console.
The system cannot infer the transport information from the vfs:sftp://user:password#sftpserverhost/in URL
SFTP uses SSH protocol to communicate with the server, so it always logs into the user's home directory and then it takes the path relative to the user's home directory.
You can add "sftpPathFromRoot" to WSO2 VFS transport URI as to get absolute path access as below.
<parameter name="transport.vfs.FileURI">sftp://[ username[: password]#] hostname[: port][ absolute-path]?sftpPathFromRoot=true</parameter>
Alternatively you can use symbolic link.You can find more details here.
Just starting out with InboundEndpoints in version 4.9.0 of the WSO2 ESB.
I would like to create an inbound endpoint that polls for incoming files, forwards this to a service and saves the service reply to a file.
I have read the available docs and examples and this is what I came up with.
<inboundEndpoint xmlns="http://ws.apache.org/ns/synapse"
name="testinbound"
sequence="TestIn"
onError="fault"
protocol="file"
suspend="false">
<parameters>
<parameter name="interval">1000</parameter>
<parameter name="coordination">true</parameter>
<parameter name="transport.vfs.ContentType">text/xml</parameter>
<parameter name="transport.vfs.LockReleaseSameNode">false</parameter>
<parameter name="transport.vfs.AutoLockRelease">false</parameter>
<parameter name="transport.vfs.ActionAfterFailure">DELETE</parameter>
<parameter name="transport.vfs.CreateFolder">true</parameter>
<parameter name="sequential">true</parameter>
<parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
<parameter name="transport.vfs.FileURI">//C:/Test/ST/in</parameter>
<parameter name="transport.vfs.MoveAfterFailure">//C:/Test/ST/failure</parameter>
<parameter name="transport.vfs.DistributedLock">true</parameter>
<parameter name="transport.vfs.FileNamePattern">.*\.xml</parameter>
<parameter name="transport.vfs.Streaming">true</parameter>
<parameter name="transport.vfs.MoveAfterProcess">//C:/Test/ST/original</parameter>
<parameter name="transport.vfs.Locking">disable</parameter>
<parameter name="transport.vfs.FileSortAscending">true</parameter>
<parameter name="transport.vfs.FileSortAttribute">NONE</parameter>
<parameter name="transport.vfs.Build">false</parameter>
</parameters>
</inboundEndpoint>
where the "TestIn" sequence looks like:
<sequence xmlns="http://ws.apache.org/ns/synapse"
name="TestIn"
onError="fault"
statistics="enable">
<in>
<send>
<endpoint key="conf:/stock_quote_config/stock_quote_endpoint_reg"/>
</send>
</in>
</sequence>
Now I have a couple of questions about the behavior of this code, and how to achieve my goal.
How to get my hands on the reply of the service? I have tried to add an <out> mediator in the TestIn sequence. I got the following:
OutMediator Current message is a request - skipping child mediators
I also tried the transport.vfs.ReplyFileURI and transport.vfs.ReplyFileName parameters.
Strangely, these options are not available via the UI. I could specify them in the configuration source file, without any effect.
(These parameters are described in the documentation of the 4.9.0 version. See
https://docs.wso2.com/display/ESB490/VFS+Transport )
So how to save the reply? And how to redirect the reply?
I see that after the TestIn sequence the <main> sequence is executed by the ESB on the response path -- this is what I would like to redefine.
I get an error that the file could not be moved from the "in" to the "original" folder. (In fact, after execution the file is moved.)
[2015-11-20 13:36:55,145] ERROR - FilePollingConsumer Error moving
file : file:///c:/Test/ST/in/test.xml to //C:/Test/ST/original
org.apache.commons.vfs2.FileSystemException: Could not delete "file:///c:/Test/ST/in/test.xml".
at org.apache.commons.vfs2.provider.AbstractFileObject.deleteSelf(AbstractFileObject.java:849)
at org.apache.commons.vfs2.provider.AbstractFileObject.moveTo(AbstractFileObject.java:1139)
at org.wso2.carbon.inbound.endpoint.protocol.file.FilePollingConsumer.moveOrDeleteAfterProcessing(FilePollingConsumer.java:842)
at org.wso2.carbon.inbound.endpoint.protocol.file.FilePollingConsumer.directoryHandler(FilePollingConsumer.java:568)
at org.wso2.carbon.inbound.endpoint.protocol.file.FilePollingConsumer.poll(FilePollingConsumer.java:214)
at org.wso2.carbon.inbound.endpoint.protocol.file.FilePollingConsumer.execute(FilePollingConsumer.java:134)
at org.wso2.carbon.inbound.endpoint.protocol.file.FileTask.taskExecute(FileTask.java:45)
at org.wso2.carbon.inbound.endpoint.common.InboundTask.execute(InboundTask.java:44)
at org.wso2.carbon.mediation.ntask.NTaskAdapter.execute(NTaskAdapter.java:90)
at org.wso2.carbon.ntask.core.impl.TaskQuartzJobAdapter.execute(TaskQuartzJobAdapter.java:67)
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.commons.vfs2.FileSystemException: Could not delete "c:\Test\ST\in\test.xml".
at org.apache.commons.vfs2.provider.local.LocalFile.doDelete(LocalFile.java:127)
at org.apache.commons.vfs2.provider.AbstractFileObject.deleteSelf(AbstractFileObject.java:838)
... 16 more
You can use Call mediator instead of send mediator. When the response is received, the mediation flow resumes from the next mediator in the sequence. So you can redirect or process the incoming response.
I am trying to modify the sample project LDAPLoginModuleProject by changing the LdapLoginModule to connect to my ActiveDirectory. But I'm not able to get it right.
I have a BPM 8.5 installed and use LDAP authentication using the same AD. So the configs in authenticationConfig.xml refers to the WAS security configs. But I'm not sure what needs to be set in ldapSecurityPrincipalPattern and ldapSearchFilterPattern. Regarding the placeholder {username}, where does it come from? it's from the login.html, or my AD configurations?
WAS Global Security
Base Entry: OU=devUsers,DC=btpdev,DC=local
Primary host name: 192.168.1.112
Port: 389
Federated repository properties for login: uid
LDAP attribute for Kerberos principal name: userprincipalname
Federated repositories property names to LDAP attributes mapping
samAccountName -> uid
userprincipalname -> kerberosId
Below is my configuration.
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://192.168.1.112:389"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="uid={username},OU=devUsers,DC=btpdev,DC=local"/>
<parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
<parameter name="ldapSearchBase" value="OU=devUsers,DC=btpdev,DC=local"/>
</loginModule>
See my answer for a similar question here: https://stackoverflow.com/a/23390696/440934
The placeholder {username} is replaced by the username entered by the user (via a Worklight Authenticator). The answer above describes what the ldapSecurityPrincipalPattern and ldapSearchFilterPattern are used for.
I am currently trying to authenticate mobile application users using a LDAP loginModule with Worklight.
Instead of using the UID property as the username, I want to authenticate users by their email adress (field "mail" in an LDAP user entry).
I read the IBM Worklight documentation and follow the tutorial but I don't really understand how to do that with a LDAP login module.
I have tried this loginModule configuration :
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
<parameter name="ldapSearchFilterPattern" value="(mail={username})"/>
<parameter name="ldapSearchBase" value="ou=people,dc=mycompany,dc=com"/>
</loginModule>
But the LDAP returns an error 409 : invalid credentials.
Have you an idea to help me ?
Thank you very much !
Please use this link to get know Worklight related sample projects with sample projects.
You can find LDAP example project also under Authentication and security
AFAIK
simple ldapSecurityAuthentication used to send password with fully qualified DN as clear text and it uses LDAP_Simple_ Bind request to connect to LDAP server
Strong ldapSecurityAuthentication is a much stronger authentication method that can require a signed certificate or other method of authenticating the user.
Am not sure about None option for ldapSecurityAuthentication.
The above info's i got it from LDAP admin. Am also new to LDAP
Thank you for your answers which help me a lot to understand.
The application requirements changed in the beginning of the week and I need now to authenticate users with the UID.
I have succeeded with this configuration :
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="uid={username},OU=people,DC=mycompany,DC=com"/>
<parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
<parameter name="ldapSearchBase" value="OU=people,DC=mycompany,DC=com"/>
</loginModule>
It's work very well, so my problem is resolved.
However, to resolve this post, I am still trying to authenticate users with e-mail adress but I don't know how to do this. Maybe the only solution is to use a custom authentication module and to use a LDAP Java library ?
Thanks a lot.
I am using IBM Worklight 6.1 and trying to check if the user is authenticated or not:
I have a Realm defined in server/conf/authenticationConfig.xml
<realm name="myRealm" loginModule="myLoginModule">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="authentication.onAuthRequired" />
<parameter name="logout-function" value="authentication.onLogout" />
</realm>
and its login module
<loginModule name="myLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
and after logging in, or even before that, when I try to check if the user is authenticated or not using
WL.Client.isUserAuthenticated("myRealm")
I have the following response
Unknown realm [myRealm]. null returned for key: isUserAuthenticated
Anyone have an idea about that ?
Is there something wrong with my Realm definition ?
Is there a better way to check if a user is authenticated ?
Did you first call to WL.Client.updateUserInfo();?
From the documentation:
updateUserInfo(options)
This method refreshes user data after an exception. Use this method
when the application receives an exception after calling the
invokeProcedure() method. The method refreshes the data for the
following methods:
WL.Client.getUserName(realm)
WL.Client.getLoginName(realm)
WL.Client.isUserAuthenticated(realm)
After such an exception, you can verify the user authentication status
by calling this function first, and then the isUserAuthenticated()
method.
Parameters: options - Optional. A standard options object.