WSO2 APPM issue with LDAP authentication when logging in to Store or Publisher - ldap

I'm trying to use WSO2 APPM (version 1.10.0) with an external LDAP for authentication, without real success.
I'll try to be as factual as possible so that it can be reproduced:
I've unzipped the wso2appm zip file under Linux.
I've set up the JAVA_HOME variable.
I've started wso2server.sh ==> no problem displayed in the log; at this step I must specify that I'm using the default database of WSO2.
Then I logged in to the Carbon GUI and added a new user store, set up as a read-only external LDAP.
After a few seconds, the LDAP users appear in the user list.
Then I selected myself in the list and added the Internal/store role.
I opened the store URL and tried to log in with the login/password of my user.
Then I got a message informing me that the user does not have the store profile.
If I log in to Carbon with my LDAP user, it works.
The same use case with the API looks fine for logging in to the store.
Any fix or ideas are welcome.
BR,
jfv

By the looks of it, I suspect your issue is that the privileges are not set correctly for your LDAP user store roles. Please make sure that you have assigned the Internal/subscriber role to the relevant user in your permission tree. You can find more details about this in JIRA ticket [1].
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu

Hi, and thank you for your answer.
First: I checked the solution you proposed this morning, and there is no change.
Second, I tried to add all privileges, without more success,
but if I create a new user manually, this one can log in.
The following errors are shown in the log when I try to log in with an LDAP user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
the login is "jaav7491"
Thank you for your ideas,
BR,
jfv
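An added example (not from the thread) that parses the Carbon log lines quoted above and, for each "does not have permission to access the store application" warning, gathers the authentication failures logged in the preceding second, so the two can be reviewed together rather than read as unrelated lines. It assumes the `[timestamp] LEVEL - Component message` layout visible in those lines; the sample input is constructed from them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the Carbon log lines quoted in the question above.
SAMPLE_LOG = """\
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
"""

# Layout assumed from the lines above: [timestamp] LEVEL - Component message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+-\s+(?P<component>\S+)\s+(?P<msg>.*)$")
ADMIN_FAIL_RE = re.compile(r"Failed Administrator login attempt '(?P<principal>[^']+)'")
ILLEGAL_RE = re.compile(r"Illegal access attempt .* from IP address (?P<ip>\S+) .* service (?P<service>\S+)")
STORE_DENY_RE = re.compile(r"User (?P<user>\S+) does not have permission to access the store application")


def parse(log_text):
    """Return (timestamp, level, component, message) tuples for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace or continuation lines carry no header
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        events.append((ts, m["level"], m["component"], m["msg"]))
    return events


def correlate_store_denials(log_text, window=timedelta(seconds=1)):
    """For every store permission denial, collect the admin login failures and
    rejected service calls logged within `window` before it."""
    events = parse(log_text)
    findings = []
    for ts, _, _, msg in events:
        d = STORE_DENY_RE.search(msg)
        if not d:
            continue
        finding = {"time": ts.isoformat(), "user": d["user"],
                   "failed_admin_logins": [], "rejected_services": []}
        for rts, _, _, rmsg in events:
            if not (ts - window <= rts < ts):
                continue
            a = ADMIN_FAIL_RE.search(rmsg)
            if a:
                finding["failed_admin_logins"].append(a["principal"])
            i = ILLEGAL_RE.search(rmsg)
            if i:
                finding["rejected_services"].append((i["ip"], i["service"]))
        findings.append(finding)
    return findings
```

Running `correlate_store_denials(SAMPLE_LOG)` on the quoted lines yields one finding for jaav7491 that carries the failed admin login and the rejected RemoteAuthorizationManagerService call from the same second.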

Related

Unable to login to keycloak using master realm credentials

I am using the Keycloak operator to install Keycloak, and I have configured Keycloak to use an external database (RDS instance). ==> (externalDatabase: true)
The Keycloak instances are up and running without any issues.
When I try to log in to the Keycloak UI with master realm credentials, it tells me that the credentials are invalid, though the credentials are correct.
I am getting the credentials using the following command.
kubectl get secret credential-test -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
The following is the log from the instance.
07:40:48,172 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=566f4e3e-c0f1-4304-bca2-686321d88b87, ipAddress=10.242.3.61, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://test123.net/auth/admin/master/console/, code_id=5561bc9e-e2b9-41e3-836d-37add6e74c1c, username=admin, authSessionParentId=5561bc9e-e2b9-41e3-836d-37add6e74c1c, authSessionTabId=Oq-orhggRE4
Any advice or suggestion is highly appreciated.
I had this, or a similar issue, as well when setting up the operator.
It appears that the external database that supposedly stores the admin username and password isn't updated when a new secret is generated if, say, the CRD for the Keycloak instance is deleted along with the secret. The steps I went through to fix it were to:
Delete the CRD.
Delete the database.
Recreate the database.
Recreate the CRD.
That way, the database should have no reason to accept the new credentials.
There is probably a better solution, but I could not find it in the docs so far.

Keycloak - Issues syncing users with LDAP

I installed OpenLDAP on a server and after that added the user into LDAP; the screen below shows the added user through Apache Active Directory.
Now in Keycloak I added user federation as OpenLDAP, and it connects to LDAP without any issue, but when I try to sync the users I get the message
Success! Sync of users finished successfully. 0 imported users, 0 updated users
So no users are imported from LDAP to Keycloak; below is the related LDAP connection information in Keycloak.
Thanks to #EricLavault and one of my company colleagues, at last Keycloak was able to import the user successfully. Below are the changes I made to fix the issue.
Change the User Object Classes=*
Created a new entry ou=People, then created the user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this it started throwing the exception below
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null username! Check configuration of your LDAP mappings. Mapped username LDAP attribute: uid, user DN: cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP: {sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z], modifyTimestamp=[20191118180647Z]}
Which was fixed by using Username LDAP attribute = cn, as the LDAP username attribute in the OpenLDAP case is cn by default.
User entries are not stored correctly in your directory. In fact, you shouldn't use cn=root as a container, as it's supposed to represent the directory manager and should be used for binding and other operations, but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS), that is ou=people,dc=suredev20, i.e. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloak you need to set Users DN accordingly: ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving the subodh entry, but it is not recommended).
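An added example, not code from the thread or from Keycloak, that models the two failure modes discussed above: an entry outside the configured Users DN (or without a matching object class) is silently skipped, giving "0 imported users", and an entry whose mapped username attribute is absent fails with the "null username" error. Subtree search scope is assumed, and the sample entries are constructed from the DNs and attributes quoted in the thread (with an objectClass value the quoted log omitted).

```python
from dataclasses import dataclass


@dataclass
class LdapEntry:
    dn: str
    attrs: dict  # attribute name -> list of values, as returned by the directory


@dataclass
class FederationConfig:
    users_dn: str             # Keycloak "Users DN"
    username_attr: str        # Keycloak "Username LDAP attribute"
    user_object_classes: set  # Keycloak "User Object Classes"; empty set models "*"


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_scope(entry, cfg):
    """Entry must sit under Users DN (subtree scope assumed) and carry a configured object class."""
    dn, base = _norm(entry.dn), _norm(cfg.users_dn)
    if dn != base and not dn.endswith("," + base):
        return False
    if cfg.user_object_classes:
        have = {c.lower() for c in entry.attrs.get("objectClass", [])}
        if not have & {c.lower() for c in cfg.user_object_classes}:
            return False
    return True


def map_username(entry, cfg):
    """Mirror the ModelException quoted above: mapped attribute absent -> null username."""
    values = entry.attrs.get(cfg.username_attr) or []
    if not values:
        raise ValueError("User returned from LDAP has null username! Mapped username LDAP "
                         "attribute: %s, user DN: %s" % (cfg.username_attr, entry.dn))
    return values[0]


def sync_users(entries, cfg):
    """Return (imported usernames, error messages), as a sync run would report them."""
    imported, errors = [], []
    for e in entries:
        if not in_scope(e, cfg):
            continue  # not found by the search: counts as "0 imported users"
        try:
            imported.append(map_username(e, cfg))
        except ValueError as ex:
            errors.append(str(ex))
    return imported, errors


# Constructed sample entries built from the DNs and attributes quoted in the thread.
BEFORE_MOVE = LdapEntry("cn=subodh,ou=user,cn=root,dc=suredev",
                        {"cn": ["subodh"], "sn": ["joshi"], "objectClass": ["inetOrgPerson"]})
AFTER_MOVE = LdapEntry("cn=subodh123,ou=user,ou=People,dc=suredev20",
                       {"cn": ["subodh123"], "sn": ["joshi123"], "objectClass": ["inetOrgPerson"],
                        "createTimestamp": ["20191118180647Z"], "modifyTimestamp": ["20191118180647Z"]})
```

With `username_attr="uid"` the AFTER_MOVE entry produces the null-username error; with `"cn"` it imports as `subodh123`.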

LDAP User Access to WSO2 Governance Registry Store / Publisher

We managed to set up LDAP as a secondary user store in the WSO2 Governance Registry Management Console 5.3.0 (Carbon). We see that the users/roles were loaded correctly, and we can access the Management Console (Carbon) with those users.
However, despite the LDAP users having the "Internal/store" permission, they cannot access/sign in to WSO2 Governance Center - STORE. The error on the Sign In page is: "Insufficient priveleages to access the Store application."
Managed to solve the problem just by putting the domain name of the user store and a forward slash in front of the LDAP username: <domain_name>/<user_name>
When the username is specified without the domain name, the Store application gives a misleading error: "Insufficient priveleages to access the Store application." I think it should respond with a different error, for example: "The provided username and password combination is incorrect."

WSO2 - Identity Server - ReadWriteLDAPUserStoreManager

I have installed WSO2 Identity Server and configured the file user-mgt.xml (as ReadWriteLDAPUserStoreManager) in order to connect to my OpenLDAP server.
1.- If I create an "inetOrgPerson" in LDAP, I can see this user in the WSO2 admin console (users and roles).
2.- If I create a user with its password (no more data at the beginning) via the WSO2 admin console, I can see this user in my LDAP.
But here is my problem. If I go to the WSO2 admin console, search for a user, go to the "user profile" and update it, I get this error:
"Error while updating user profile of test2. Error is: unknown"
In the log I have this error.
{org.wso2.carbon.identity.user.profile.ui.client.UserProfileCient} - org.apache.axis2.AxisFault: unknown
Could anyone help me, please?
Thanks a lot in advance.
Best regards
Finally, I solved it.
My problem was that I had claims named one way in WSO2 and with another name in my LDAP (you can configure this on the administration console of WSO2: Claims, List, click on "http://wso2.org/claims").
Example attached (CN in my LDAP, mapped to fullname in WSO2).

Liferay export user into Ldap: Password policy

I have this problem:
I have enabled Liferay to import and export users from/to an OpenLDAP server.
When I create a user in Liferay I get this page:
So, I have created a new user and Liferay has assigned it a password (3zbPk6KA).
But if I try to log in with the new user (and the generated password) I get the incorrect credentials error message. In the LDAP server I can see the new account, but the corresponding password seems to be different from the one generated by Liferay.
In the Java console I read this warning:
14:20:15,882 WARN [http-bio-8080-exec-6][LDAPAuth:208] Passwords do not match for userDN cn=myUser,ou=users,dc=myProject,dc=com
Any suggestions?
Had this problem too. What's your value for the LDAP password policy, and what's your Liferay version?
I think you have 2 options:
Disable the LDAP password policy, and if your Liferay version has no bug in exporting new users' autogenerated passwords, your scenario is supposed to work. Otherwise, you'll have to create a patch/hook that sends that password to LDAP.
Enable the LDAP password policy, set up a fixed default LDAP password, and hook the login process so that you inform the newly registered user (screen message + validation email) of her initial password. Note that there's still a security issue here because of the fixed password, as someone could create accounts for other users if he knows their e-mails and tries to register before them.
You have to unmark "required" in controlpanel→portal→configuration→authentication→LDAP to di
I don't know why that specific scenario doesn't work. I have used Liferay 6.1 and know there are a number of bugs in the LDAP function of version 6.1. The problem that I faced was that checking "Use LDAP Password Policy" resulted in a user being created without a password.
However, if your password is being created in Liferay, you can turn off the export in the Liferay LDAP wizard and programmatically export users through a hook using a Java LDAP lookup. I had to do it and it fixed a number of similar issues for me.
The link is below:
http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/