Just to add one more point: I don't need users to be able to log into the identity management console with their kerberos credentials. I am fine with just using regular LDAP auth for admin users on the console.
On 12-01-04 10:18 AM, Bram Cymet wrote:
> Hi Amila,
>
> I am trying to authenticate users using an external Kerberos KDC.
>
> Really what I am trying to do is similar to what is described here:
>
> http://blog.facilelogin.com/2011/11/cross-domain-authentication-patterns.html
>
> I want to have a user come along with their Kerberos ticket, and I then want the identity server to give out a SAML token (hopefully with attributes from the user's LDAP entry and group memberships) to be used for authentication to another service.
>
> I have started to play with the STS and set it up with Kerberos security (option 16). I am just not sure how to test it to see that it is working the way I would like.
>
> I am new to SAML and WS-Security, so I am still trying to wrap my head around how everything fits together.
>
> Thanks,
>
> Bram
>
> On 12-01-04 9:31 AM, Amila Jayasekara wrote:
>> On Tue, Jan 3, 2012 at 11:24 PM, Bram Cymet <[email protected]> wrote:
>>> Ok, I figured out my problem.
>>>
>>> I was missing the GroupNameListFilter property. Now I am able to log in.
>>>
>>> The next thing I would like to figure out is if I can use my existing Kerberos KDC for authentication?
>>
>> Hi Bram,
>>
>> Can you elaborate your question a bit further?
>> Are you trying to authenticate users in the WSO2 server using an external Kerberos KDC, or are you trying to set up the KDC server which comes with embedded LDAP for user authentication?
>>
>> Thanks
>> AmilaJ
>>
>>> Thanks,
>>>
>>> Bram
>>>
>>> On 12-01-03 11:28 AM, Bram Cymet wrote:
>>>> Hi Hasini,
>>>>
>>>> Here is my user-mgt.xml file:
>>>>
>>>> <UserManager>
>>>>   <Realm>
>>>>     <Configuration>
>>>>       <AdminRole>admin</AdminRole>
>>>>       <AdminUser>
>>>>         <UserName>bcymet</UserName>
>>>>         <Password>XXXXXX</Password>
>>>>       </AdminUser>
>>>>       <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role see the registry root -->
>>>>       <ReadOnly>true</ReadOnly>
>>>>       <MaxUserNameListLength>500</MaxUserNameListLength>
>>>>       <Property name="url">jdbc:h2:repository/database/WSO2CARBON_DB</Property>
>>>>       <Property name="userName">wso2carbon</Property>
>>>>       <Property name="password">wso2carbon</Property>
>>>>       <Property name="driverName">org.h2.Driver</Property>
>>>>       <Property name="maxActive">50</Property>
>>>>       <Property name="maxWait">60000</Property>
>>>>       <Property name="minIdle">5</Property>
>>>>     </Configuration>
>>>>
>>>>     <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
>>>>       <Property name="ReadOnly">true</Property>
>>>>       <Property name="MaxUserNameListLength">100</Property>
>>>>       <Property name="ConnectionURL">ldap://localhost:389</Property>
>>>>       <Property name="ConnectionName">cn=admin,dc=TESTLDAP,dc=CBN</Property>
>>>>       <Property name="ConnectionPassword">******</Property>
>>>>       <Property name="UserSearchBase">ou=people,dc=TESTLDAP,dc=CBN</Property>
>>>>       <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
>>>>       <Property name="UserNameAttribute">uid</Property>
>>>>       <Property name="ReadLDAPGroups">false</Property>
>>>>       <Property name="GroupSearchBase">ou=groups,dc=TESTLDAP,dc=CBN</Property>
>>>>       <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
>>>>       <Property name="GroupNameAttribute">cn</Property>
>>>>       <Property name="MembershipAttribute">member</Property>
>>>>     </UserStoreManager>
>>>>
>>>>     <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
>>>>     </AuthorizationManager>
>>>>   </Realm>
>>>> </UserManager>
>>>>
>>>> I followed the directions for the read-only setup at first.
>>>>
>>>> I thought that the part in the file:
>>>>
>>>> <AdminRole>admin</AdminRole>
>>>> <AdminUser>
>>>>   <UserName>bcymet</UserName>
>>>>   <Password>XXXXXX</Password>
>>>> </AdminUser>
>>>>
>>>> would give my user the permissions that it needed.
>>>>
>>>> I guess I am missing something else.
>>>>
>>>> On 12-01-03 11:23 AM, Hasini Gunasinghe wrote:
>>>>> Hi Bram,
>>>>>
>>>>> In order to log in, you need to have login permission as well (i.e. only a matching user name and password is not sufficient).
>>>>>
>>>>> For the first login, you should log in as the admin user which you specify in the user-mgt.xml. The admin user can then create users and roles, and assign users to roles and permissions to those roles.
>>>>>
>>>>> So can you please make sure that you specify the admin user and admin role in user-mgt.xml correctly, and also that the admin user belongs to the admin role in the LDAP.
>>>>> Also, please make sure that you provided the correct value for the group search base property in user-mgt.xml.
>>>>>
>>>>> If you can attach the user-mgt.xml, we might be able to provide more insight.
>>>>>
>>>>> Thanks,
>>>>> Hasini.
>>>>>
>>>>> On Tue, Jan 3, 2012 at 8:45 PM, Bram Cymet <[email protected]> wrote:
>>>>>
>>>>>     Hi,
>>>>>
>>>>>     I am attempting to set up a WSO2 identity server using my existing OpenLDAP instance as the user store.
>>>>>
>>>>>     I can see the server connecting to my LDAP instance when I attempt to log in, so I know the ConnectionURL, Name, and Password are correct. I can even see the server bind to my LDAP instance successfully. However, I cannot log into the identity web interface.
>>>>>
>>>>>     In the logs all I get is:
>>>>>
>>>>>     [2012-01-03 09:55:11,033] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'bcymet[0]' at [2012-01-03 09:55:11,0032] from IP address 172.20.22.157
>>>>>
>>>>>     Any idea what might be going on, or how I can up the logging to get a more detailed message?
>>>>>
>>>>>     Thanks,
>>>>>
>>>>>     --
>>>>>     Bram Cymet
>>>>>     Software Developer
>>>>>     Canadian Bank Note Co. Ltd.
>>>>>     613-608-9752
>>>>>     _______________________________________________
>>>>>     Carbon-dev mailing list
>>>>>     [email protected]
>>>>>     http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
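A small pre-flight lint for the user-mgt.xml quoted in this thread, added here as an example and not part of the thread or of WSO2 Carbon. It parses a constructed copy of Bram's configuration (secrets replaced), reports the GroupNameListFilter property he found missing together with the ReadLDAPGroups setting that Hasini's reply makes relevant, and builds the ldapsearch filters that confirm the admin user exists and belongs to the admin role in OpenLDAP. The required-property set, the filter shapes and the user DN layout are assumptions made for this check, not WSO2's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's user-mgt.xml with the connection secrets
# removed and GroupNameListFilter left out, as in the first failing attempt.
SAMPLE_USER_MGT = """<UserManager><Realm>
<Configuration><AdminRole>admin</AdminRole>
<AdminUser><UserName>bcymet</UserName><Password>PLACEHOLDER</Password></AdminUser>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
<Property name="UserSearchBase">ou=people,dc=TESTLDAP,dc=CBN</Property>
<Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=groups,dc=TESTLDAP,dc=CBN</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager></Realm></UserManager>"""

# Assumed minimum property set for user and group lookups (the thread shows
# login failing until GroupNameListFilter was added).
REQUIRED = ("UserSearchBase", "UserNameListFilter", "UserNameAttribute",
            "GroupSearchBase", "GroupSearchFilter", "GroupNameListFilter",
            "GroupNameAttribute", "MembershipAttribute")

def escape_filter(value):
    """RFC 4515 escaping so a name taken from config cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_user_mgt(xml_text):
    """Return (admin user, admin role, {property name: value})."""
    root = ET.fromstring(xml_text)
    usm = root.find("Realm/UserStoreManager")
    props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
    return (root.findtext("Realm/Configuration/AdminUser/UserName"),
            root.findtext("Realm/Configuration/AdminRole"), props)

def lint(xml_text):
    """Return findings; an empty list means nothing obvious is missing."""
    _, admin_role, props = parse_user_mgt(xml_text)
    findings = ["missing property " + n for n in REQUIRED if n not in props]
    if props.get("ReadLDAPGroups", "").lower() != "true":  # assumed: roles then not read from LDAP
        findings.append("ReadLDAPGroups is not true; check where role '%s' comes from" % admin_role)
    return findings

def implied_searches(xml_text):
    """Filters to confirm the admin user and its role; assumes RDN = UserNameAttribute."""
    user, role, p = parse_user_mgt(xml_text)
    user_dn = "%s=%s,%s" % (p["UserNameAttribute"], user, p["UserSearchBase"])
    user_filter = "(&%s(%s=%s))" % (p["UserNameListFilter"], p["UserNameAttribute"], escape_filter(user))
    group_filter = "(&%s(%s=%s)(%s=%s))" % (p["GroupSearchFilter"], p["GroupNameAttribute"], escape_filter(role), p["MembershipAttribute"], escape_filter(user_dn))
    return user_filter, group_filter
```

Run the two filters with ldapsearch against the UserSearchBase and GroupSearchBase respectively; an empty result for the second one is exactly the "admin user does not belong to the admin role" case Hasini describes.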
