I am currently trying to authenticate mobile application users using an LDAP loginModule with Worklight.
Instead of using the UID property as the username, I want to authenticate users by their email address (field "mail" in an LDAP user entry).
I read the IBM Worklight documentation and followed the tutorial, but I don't really understand how to do that with an LDAP login module.
I have tried this loginModule configuration:
<loginModule name="LDAPLoginModule">
    <className>com.worklight.core.auth.ext.LdapLoginModule</className>
    <parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
    <parameter name="ldapTimeoutMs" value="2000"/>
    <parameter name="ldapSecurityAuthentication" value="simple"/>
    <parameter name="validationType" value="searchPattern"/>
    <parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
    <parameter name="ldapSearchFilterPattern" value="(mail={username})"/>
    <parameter name="ldapSearchBase" value="ou=people,dc=mycompany,dc=com"/>
</loginModule>
But LDAP returns an error 409: invalid credentials.
Do you have any idea how to help me?
Thank you very much!
Please use this link to get to know the Worklight-related sample projects.
You can also find the LDAP example project there, under Authentication and security.
AFAIK:
Simple ldapSecurityAuthentication is used to send the password together with the fully qualified DN as clear text; it uses an LDAP Simple Bind request to connect to the LDAP server.
Strong ldapSecurityAuthentication is a much stronger authentication method that can require a signed certificate or another method of authenticating the user.
I am not sure about the None option for ldapSecurityAuthentication.
I got the above info from an LDAP admin. I am also new to LDAP.
Thank you for your answers, which helped me a lot to understand.
The application requirements changed at the beginning of the week, and I now need to authenticate users with the UID.
I have succeeded with this configuration:
<loginModule name="LDAPLoginModule">
    <className>com.worklight.core.auth.ext.LdapLoginModule</className>
    <parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
    <parameter name="ldapTimeoutMs" value="2000"/>
    <parameter name="ldapSecurityAuthentication" value="simple"/>
    <parameter name="validationType" value="searchPattern"/>
    <parameter name="ldapSecurityPrincipalPattern" value="uid={username},OU=people,DC=mycompany,DC=com"/>
    <parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
    <parameter name="ldapSearchBase" value="OU=people,DC=mycompany,DC=com"/>
</loginModule>
It works very well, so my problem is resolved.
However, to resolve this post, I am still trying to authenticate users with their e-mail address, but I don't know how to do this. Maybe the only solution is to use a custom authentication module with an LDAP Java library?
Thanks a lot.
We need to do an LDAP authentication for login. It works fine when checking against a single AD server.
<loginModules>
    <loginModule name="LDAPLoginModule">
        <className>com.worklight.core.auth.ext.LdapLoginModule</className>
        <parameter name="ldapProviderUrl" value="${ldap.security.dom1.url}"/>
        <parameter name="ldapTimeoutMs" value="2000"/>
        <parameter name="ldapSecurityAuthentication" value="simple"/>
        <parameter name="validationType" value="exists"/>
        <parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
    </loginModule>
</loginModules>
It works fine if I use a single URL in ldapProviderUrl. I wanted to add two LDAP URLs, one as primary and the other as secondary. I tried adding comma-separated URLs, so that if the primary fails, it checks the secondary URL. The URLs are configured in worklight.properties as below:
ldap.security.dom1.url = LDAP://10.40.88.10/DC=10.40.88.10
ldap.security.dom2.url = LDAP://10.30.88.10/DC=10.30.88.10
The code is as below:
<parameter name="ldapProviderUrl" value="${ldap.security.dom1.url},${ldap.security.dom2.url}"/>
But it throws the error below:
LdapLoginModule authentication failed. Reason 'javax.naming.InvalidNameException: Invalid name: DC=10.30.28.10,LDAP://10.40.88.10/DC=10.40.88.10
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)
at javax.naming.ldap.LdapName.parse(LdapName.java:789)
at javax.naming.ldap.LdapName.<init>(LdapName.java:125)
at com.sun.jndi.ldap.LdapNameParser.parse(LdapNameParser.java:39)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
Kindly advise.
According to the documentation found here, ldapProviderUrl is expected to be a single, RFC 2253-parsable URL or IP address. You're receiving this error because the module has no notion of a delimited "list" for this value.
I had a security test for login, which is as below:
<customSecurityTest name="SingleStepAuthAdapter-securityTest">
    <test isInternalUserID="true" realm="SingleStepAuthRealm"/>
</customSecurityTest>
<realm loginModule="AuthLoginModule" name="SingleStepAuthRealm">
    <className>com.worklight.integration.auth.AdapterAuthenticator</className>
    <parameter name="login-function" value="AuthenticationService.onAuthRequired"/>
    <parameter name="logout-function" value="AuthenticationService.onLogout"/>
</realm>
I have adapters that have to be called before login, and they work fine until I put this piece of code in my authenticationConfig.xml for push notification:
<mobileSecurityTest name="PushApplication-strong-mobile-securityTest">
    <testUser realm="SingleStepAuthRealm"/>
    <testDeviceId provisioningType="none"/>
</mobileSecurityTest>
The adapters that are called before login, like forgot password, are not working and not giving any error. Can anyone help me understand why this issue exists? Do I need to put wl_unprotected in these adapters? I have tried that too. Do I need to do anything else? I can give you more details if you need something else.
Please help.
Finally found the solution.
I was putting the security test on the whole Android app; when I removed it, it worked for me.
Instead of this:
<android version="1.0" securityTest="PushApplication-strong-mobile-securityTest">
using this worked:
<android version="1.0" >
What is ClassName used for in the following?
<realms>
    <realm name="CustomDeviceProvisioningRealm" loginModule="CustomDeviceProvisioningLoginModule">
        <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
        <parameter name="validate-csr-function" value="ProvisioningAdapter.validateCSR" />
    </realm>
</realms>
Can I put more than one className in the same realm?
How can I merge a realm used for authentication with the realm used for device provisioning?
For example: merging the one at the top with this one:
<realm loginModule="BankingLoginModule" name="MobileBankingRealm">
    <className>com.worklight.integration.auth.AdapterAuthenticator</className>
    <parameter name="login-function" value="AuthenticationAdapter.onAuthRequired" />
    <parameter name="logout-function" value="AuthenticationAdapter.onLogout" />
</realm>
and how will this reflect on the Mobile Security test?
The className element designates which Java class implements the authenticator and/or login module.
There cannot be more than 1 per realm/login module.
The mentioned class names in your question are the default ones provided by Worklight.
These are public classes that can be extended, which may be what you're looking for, instead of "merging".
You can also create your own that implement WorklightAuthenticator and WorklightLoginModule interfaces.
I am trying to modify the sample project LDAPLoginModuleProject by changing the LdapLoginModule to connect to my Active Directory, but I'm not able to get it right.
I have BPM 8.5 installed and use LDAP authentication against the same AD, so the configs in authenticationConfig.xml refer to the WAS security configs. But I'm not sure what needs to be set in ldapSecurityPrincipalPattern and ldapSearchFilterPattern. Regarding the placeholder {username}, where does it come from? Is it from login.html, or from my AD configuration?
WAS Global Security
Base Entry: OU=devUsers,DC=btpdev,DC=local
Primary host name: 192.168.1.112
Port: 389
Federated repository properties for login: uid
LDAP attribute for Kerberos principal name: userprincipalname
Federated repositories property names to LDAP attributes mapping
samAccountName -> uid
userprincipalname -> kerberosId
Below is my configuration.
<loginModule name="LDAPLoginModule">
    <className>com.worklight.core.auth.ext.LdapLoginModule</className>
    <parameter name="ldapProviderUrl" value="ldap://192.168.1.112:389"/>
    <parameter name="ldapTimeoutMs" value="2000"/>
    <parameter name="ldapSecurityAuthentication" value="simple"/>
    <parameter name="validationType" value="searchPattern"/>
    <parameter name="ldapSecurityPrincipalPattern" value="uid={username},OU=devUsers,DC=btpdev,DC=local"/>
    <parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
    <parameter name="ldapSearchBase" value="OU=devUsers,DC=btpdev,DC=local"/>
</loginModule>
See my answer for a similar question here: https://stackoverflow.com/a/23390696/440934
The placeholder {username} is replaced by the username entered by the user (via a Worklight Authenticator). The answer above describes what the ldapSecurityPrincipalPattern and ldapSearchFilterPattern are used for.
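Both configurations on this page that take {username} (the mail-based searchPattern one in the first question and the uid-based Active Directory one above) substitute the same user-typed value into two different syntaxes: ldapSecurityPrincipalPattern is a DN used for the simple bind, ldapSearchFilterPattern is an LDAP search filter. The constructed Python helpers below (added here; not Worklight's code, and whether Worklight's LdapLoginModule escapes the value itself is not stated on this page) show the RFC 4514 and RFC 4515 escaping a custom login module would need for each, plus a heuristic check that a bare e-mail address is not a bind DN.

```python
"""Render Worklight-style LDAP patterns containing the {username} placeholder.

Constructed illustration of what a custom login module must do when it
substitutes the user-supplied name into ldapSecurityPrincipalPattern
(a DN, RFC 4514 escaping) and ldapSearchFilterPattern (a search filter,
RFC 4515 escaping). The pattern strings are the ones from the questions above.
"""
import re

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Neutralise filter metacharacters in a user-supplied value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value so it can sit inside an RDN such as uid=<value>."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):            # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def render_search_filter(pattern: str, username: str) -> str:
    """ldapSearchFilterPattern with {username} replaced by the escaped value."""
    return pattern.replace("{username}", escape_filter_value(username))


def render_principal(pattern: str, username: str) -> str:
    """ldapSecurityPrincipalPattern with {username} replaced by the escaped value."""
    return pattern.replace("{username}", escape_dn_value(username))


_RDN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def looks_like_dn(principal: str) -> bool:
    """Heuristic: a simple bind principal is a DN (uid=bob,ou=people,...);
    a bare e-mail address such as bob@mycompany.com is not one."""
    return bool(_RDN_START.match(principal))
```

With the mail-based configuration the filter is rendered from the e-mail address, but the bind still needs the DN of the entry that search returns, which is the step a custom module would have to add.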
I am using IBM Worklight 6.1 and trying to check if the user is authenticated or not:
I have a Realm defined in server/conf/authenticationConfig.xml
<realm name="myRealm" loginModule="myLoginModule">
    <className>com.worklight.integration.auth.AdapterAuthenticator</className>
    <parameter name="login-function" value="authentication.onAuthRequired" />
    <parameter name="logout-function" value="authentication.onLogout" />
</realm>
and its login module
<loginModule name="myLoginModule">
    <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
and after logging in, or even before that, when I try to check whether the user is authenticated using
WL.Client.isUserAuthenticated("myRealm")
I get the following response:
Unknown realm [myRealm]. null returned for key: isUserAuthenticated
Does anyone have an idea about that?
Is there something wrong with my realm definition?
Is there a better way to check whether a user is authenticated?
Did you first call WL.Client.updateUserInfo()?
From the documentation:
updateUserInfo(options)
This method refreshes user data after an exception. Use this method when the application receives an exception after calling the invokeProcedure() method. The method refreshes the data for the following methods:
WL.Client.getUserName(realm)
WL.Client.getLoginName(realm)
WL.Client.isUserAuthenticated(realm)
After such an exception, you can verify the user authentication status by calling this function first, and then the isUserAuthenticated() method.
Parameters: options - Optional. A standard options object.