Hi Amila,

I am trying to authenticate users using an external Kerberos KDC.

Really what I am trying to do is similar to what is described here:
http://blog.facilelogin.com/2011/11/cross-domain-authentication-patterns.html

I want to have a user come along with their Kerberos ticket, and I then want
the identity server to give out a SAML token (hopefully with attributes from
the user's LDAP entry and group memberships) to be used for authentication to
another service.

I have started to play with the STS and set it up with Kerberos security
(option 16). I am just not sure how to test it to see that it is working the
way I would like. I am new to SAML and WS-Security, so I am still trying to
wrap my head around how everything fits together.

Thanks,

Bram

On 12-01-04 9:31 AM, Amila Jayasekara wrote:
> On Tue, Jan 3, 2012 at 11:24 PM, Bram Cymet <bcy...@cbnco.com> wrote:
>> Ok, I figured out my problem.
>>
>> I was missing the GroupNameListFilter property. Now I am able to log in.
>>
>> The next thing I would like to figure out is if I can use my existing
>> Kerberos KDC for authentication?
>
> Hi Bram,
>
> Can you elaborate your question a bit further?
> Are you trying to authenticate users in the WSO2 server using an external
> Kerberos KDC, or else are you trying to set up the KDC server which comes
> with the embedded LDAP for user authentication?
>
> Thanks
> AmilaJ
>
>>
>> Thanks,
>>
>> Bram
>>
>> On 12-01-03 11:28 AM, Bram Cymet wrote:
>>> Hi Hasini,
>>>
>>> Here is my user-mgt.xml file:
>>>
>>> <UserManager>
>>>   <Realm>
>>>     <Configuration>
>>>       <AdminRole>admin</AdminRole>
>>>       <AdminUser>
>>>         <UserName>bcymet</UserName>
>>>         <Password>XXXXXX</Password>
>>>       </AdminUser>
>>>       <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role see the registry root -->
>>>       <ReadOnly>true</ReadOnly>
>>>       <MaxUserNameListLength>500</MaxUserNameListLength>
>>>       <Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB</Property>
>>>       <Property name="userName">wso2carbon</Property>
>>>       <Property name="password">wso2carbon</Property>
>>>       <Property name="driverName">org.h2.Driver</Property>
>>>       <Property name="maxActive">50</Property>
>>>       <Property name="maxWait">60000</Property>
>>>       <Property name="minIdle">5</Property>
>>>     </Configuration>
>>>
>>>     <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
>>>       <Property name="ReadOnly">true</Property>
>>>       <Property name="MaxUserNameListLength">100</Property>
>>>       <Property name="ConnectionURL">ldap://localhost:389</Property>
>>>       <Property name="ConnectionName">cn=admin,dc=TESTLDAP,dc=CBN</Property>
>>>       <Property name="ConnectionPassword">******</Property>
>>>       <Property name="UserSearchBase">ou=people,dc=TESTLDAP,dc=CBN</Property>
>>>       <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
>>>       <Property name="UserNameAttribute">uid</Property>
>>>       <Property name="ReadLDAPGroups">false</Property>
>>>       <Property name="GroupSearchBase">ou=groups,dc=TESTLDAP,dc=CBN</Property>
>>>       <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
>>>       <Property name="GroupNameAttribute">cn</Property>
>>>       <Property name="MembershipAttribute">member</Property>
>>>     </UserStoreManager>
>>>
>>>     <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
>>>     </AuthorizationManager>
>>>   </Realm>
>>> </UserManager>
>>>
>>> I followed the directions for the read-only setup at first.
>>>
>>> I thought that the part in the file:
>>>
>>> <AdminRole>admin</AdminRole>
>>> <AdminUser>
>>>   <UserName>bcymet</UserName>
>>>   <Password>XXXXXX</Password>
>>> </AdminUser>
>>>
>>> would give my user the permissions that it needed.
>>>
>>> I guess I am missing something else.
>>>
>>>
>>> On 12-01-03 11:23 AM, Hasini Gunasinghe wrote:
>>>> Hi Bram,
>>>>
>>>> In order to log in, you need to have login permission as well (i.e. only
>>>> a matching user name and password is not sufficient).
>>>>
>>>> For the first login, you should log in as the admin user which you
>>>> specify in the user-mgt.xml. The admin user can then create users and
>>>> roles, assign users to roles, and assign permissions to those roles.
>>>>
>>>> So can you please make sure that you specify the admin user and admin
>>>> role in user-mgt.xml correctly, and also that the admin user belongs to
>>>> the admin role in the LDAP.
>>>> Also, please make sure that you provided the correct value for the group
>>>> search base property in user-mgt.xml.
>>>>
>>>> If you can attach the user-mgt.xml, we might be able to provide more
>>>> insight.
>>>>
>>>> Thanks,
>>>> Hasini.
>>>>
>>>> On Tue, Jan 3, 2012 at 8:45 PM, Bram Cymet <bcy...@cbnco.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am attempting to set up a WSO2 Identity Server using my existing
>>>>> OpenLDAP instance as the user store.
>>>>>
>>>>> I can see the server connecting to my LDAP instance when I attempt to
>>>>> log in, so I know the ConnectionURL, Name, and Password are correct. I
>>>>> can even see the server bind to my LDAP instance successfully. However,
>>>>> I cannot log into the identity web interface.
>>>>>
>>>>> In the logs all I get is:
>>>>>
>>>>> [2012-01-03 09:55:11,033] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'bcymet[0]' at [2012-01-03 09:55:11,0032] from IP address 172.20.22.157
>>>>>
>>>>> Any idea what might be going on, or how I can up the logging to get a
>>>>> more detailed message?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --
>>>>> Bram Cymet
>>>>> Software Developer
>>>>> Canadian Bank Note Co. Ltd.
>>>>> 613-608-9752
>>>>> _______________________________________________
>>>>> Carbon-dev mailing list
>>>>> Carbon-dev@wso2.org
>>>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
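As an added example (not from the thread or from WSO2), an offline pre-flight check that reads the LDAPUserStoreManager section of a user-mgt.xml, reports the GroupNameListFilter property Bram found missing, and builds the two ldapsearch filters that confirm what Hasini asked for: that the admin user exists under UserSearchBase and that the AdminRole group under GroupSearchBase lists that user's DN as a member. The REQUIRED list, the way the filters are composed and the sample DN are assumptions for illustration, not WSO2's own lookup logic.

```python
import xml.etree.ElementTree as ET

# Constructed config modelled on the one posted above (secrets redacted); it
# deliberately omits GroupNameListFilter, the property the thread found missing.
USER_MGT_XML = """<UserManager><Realm>
<Configuration><AdminRole>admin</AdminRole>
 <AdminUser><UserName>bcymet</UserName><Password>XXXXXX</Password></AdminUser>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
 <Property name="UserSearchBase">ou=people,dc=TESTLDAP,dc=CBN</Property>
 <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
 <Property name="UserNameAttribute">uid</Property>
 <Property name="GroupSearchBase">ou=groups,dc=TESTLDAP,dc=CBN</Property>
 <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
 <Property name="GroupNameAttribute">cn</Property>
 <Property name="MembershipAttribute">member</Property>
</UserStoreManager></Realm></UserManager>"""

# Properties this checker expects (assumption drawn from the thread's config
# plus the GroupNameListFilter fix, not an official WSO2 schema).
REQUIRED = ("UserSearchBase", "UserNameListFilter", "UserNameAttribute",
            "GroupSearchBase", "GroupSearchFilter", "GroupNameListFilter",
            "GroupNameAttribute", "MembershipAttribute")

def parse_user_mgt(xml_text):
    """Return (admin role, admin user name, {property name: value})."""
    root = ET.fromstring(xml_text)
    store = root.find("Realm/UserStoreManager")
    props = {p.get("name"): (p.text or "") for p in store.findall("Property")}
    return (root.findtext("Realm/Configuration/AdminRole"),
            root.findtext("Realm/Configuration/AdminUser/UserName"), props)

def missing_properties(props):
    return [name for name in REQUIRED if name not in props]

def ldap_escape(value):
    """RFC 4515 escaping so a name taken from config cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def admin_user_filter(admin_user, props):
    """Filter to confirm the admin user exists under UserSearchBase."""
    return "(&%s(%s=%s))" % (props["UserNameListFilter"],
                             props["UserNameAttribute"], ldap_escape(admin_user))

def admin_role_filter(admin_role, user_dn, props):
    """Filter to confirm the group named AdminRole lists the user's DN as a
    member; user_dn is the DN returned by the first search (constructed here)."""
    return "(&%s(%s=%s)(%s=%s))" % (props["GroupSearchFilter"],
                                    props["GroupNameAttribute"], ldap_escape(admin_role),
                                    props["MembershipAttribute"], ldap_escape(user_dn))
```

Run the two filters with ldapsearch against the UserSearchBase and GroupSearchBase respectively; an empty second result is the "admin user not in admin role" case Hasini describes.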