I'm trying to get the LDAP plugin work. I only want a LDAP authentication against an Active Directory but it seems that I'm missing something.
Config
grails {
plugins {
springsecurity {
userLookup.userDomainClassName = 'de.ac.dmf.security.User'
userLookup.authorityJoinClassName = 'de.ac.dmf.security.UserRole'
authority.className = 'de.ac.dmf.security.Role'
ldap {
context.managerDn = 'CN=dmf Systemuser,CN=Users,DC=dmf,DC=local'
context.managerPassword = 'Password1'
context.server = 'ldap://192.168.100.133:389/'
authorities{
groupSearchBase ='OU=Groups'
groupSearchFilter = '(member={0})'
retrieveGroupRoles = false
retrieveDatabaseRoles = false
defaultRole = 'USER'
ignorePartialResultException = true
}
search{
base = 'CN=Users,DC=dmf,DC=local'
filter = '(sAMAccountName={0})'
searchSubtree = true
}
// mapper.userDetailsClass = 'user'
// auth.hideUserNotFoundExceptions = false
useRememberMe = false
}
}
}
}
On every login I just get this exception
2011-04-29 08:49:09,129 [http-8080-1] DEBUG springsecurity.RequestHolderAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=dmf,DC=local'; remaining name 'CN=Users,DC=dmf,DC=local'
It doesn't matter which user from my AD I'm trying to authenticate. Is my configuration wrong?
I'm using
Grails 1.3.7
spring-security-core 1.1.2
spring-security-ldap 1.04
are you sure about your base configuration? Looks like OU=Users could work instead of CN=Users. Easiest way to figure this out is to use a tool like ad explorer (http://technet.microsoft.com/de-de/sysinternals/bb963907), connect to your AD, browse to a user and take a look at the path to the user...
Try using:
filter = '(&(sAMAccountName={0})(objectclass=user))'
That works on our AD.
You are missing the provider name list.
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider']
Related
I need to check through LDAP if an ActiveDirectory user has the PASSWD_CANT_CHANGE flag set. I found the UserAccountControl attribute (https://learn.microsoft.com/it-it/windows/desktop/ADSchema/a-useraccountcontrol): it works for all other flags but it doesn't work for this flag. I only need to read it, not to write.
I'm using Java with UnboundID LDAP SDK (https://ldap.com/unboundid-ldap-sdk-for-java/).
Here is my JUnit test code.
public static enum UACFlags {
SCRIPT(0x0001),
ACCOUNTDISABLE(0x0002),
HOMEDIR_REQUIRED(0x0008),
LOCKOUT(0x0010),
PASSWD_NOTREQD(0x0020),
PASSWD_CANT_CHANGE(0x0040),
ENCRYPTED_TEXT_PWD_ALLOWED(0x0080),
TEMP_DUPLICATE_ACCOUNT(0x0100),
NORMAL_ACCOUNT(0x0200),
INTERDOMAIN_TRUST_ACCOUNT(0x0800),
WORKSTATION_TRUST_ACCOUNT(0x1000),
SERVER_TRUST_ACCOUNT(0x2000),
DONT_EXPIRE_PASSWORD(0x10000),
MNS_LOGON_ACCOUNT(0x20000),
SMARTCARD_REQUIRED(0x40000),
TRUSTED_FOR_DELEGATION(0x80000),
NOT_DELEGATED(0x100000),
USE_DES_KEY_ONLY(0x200000),
DONT_REQ_PREAUTH(0x400000),
PASSWORD_EXPIRED(0x800000),
TRUSTED_TO_AUTH_FOR_DELEGATION(0x1000000);
private int flag;
private UACFlags(int flag) {
this.flag = flag;
}
}
#Test
public void testLDAP() throws LDAPException {
LDAPConnection connection = //GET CONNECTION
String username = "....";
String search = "(sAMAccountName=" + username + ")";
SearchRequest request = new SearchRequest("DC=....,DC=....", SearchScope.SUB, search, SearchRequest.ALL_USER_ATTRIBUTES);
SearchResult result = connection.search(request);
SearchResultEntry entry = result.getSearchEntries().get(0);
Attribute a = entry.getAttribute("userAccountControl");
int val = a.getValueAsInteger();
System.out.println(Integer.toHexString(val));
EnumSet<UACFlags> flags = EnumSet.noneOf(UACFlags.class);
for (UACFlags f : UACFlags.values()) {
if ((val & f.flag) == f.flag) {
flags.add(f);
}
}
System.out.println("FLAGS: " + flags);
}
I set up the flag on AD Users and Computers and it works as expected. I only want to check the flag programmatically, using Java and LDAP. Other solutions than UserAccountControl attribute are ok!
Thanks!!
That is, unfortunately, expected.
Microsoft uses the ADS_USER_FLAG_ENUM enumeration in a couple places:
The userAccountControl attribute when using LDAP, and
The userFlags property when using the WinNT provider.
The ADS_UF_PASSWD_CANT_CHANGE flag can only be used when using the WinNT provider, which I'm not sure you can do from Java.
When you click that 'User cannot change password' checkbox in AD Users and Computers, it doesn't actually change the userAccountControl attribute. In reality, it adds two permissions on the account:
Deny Change Password to 'Everyone'
Deny Change Password to 'SELF'
There is a description of how to look for those permissions here, but the examples are in C++ and VBScript. I don't know how to view the permissions in Java. It seems difficult and I can't find any real examples.
UPDATE
Appears from AD 2008 on that this is not a "real" value; but rather an ACE within the ACL of the entry.
THIS NO LONGER WORKS
As far as I can tell.
Microsoft Active Directory has a neat Extensible matching value that should work called LDAP_MATCHING_RULE_BIT_AND
So a simple LDAP Query Filter like:
(userAccountControl:1.2.840.113556.1.4.803:=64)
Should do the trick.
Historically I've only ever used CQ 5.6, but am now working on a project using 5.3 and am failing to get a servlet registered and accessible. When I try to hit the servlet (with and without and extension) I get the following INFO line in the error log:
GET /bin/TestServlet.json HTTP/1.1] org.apache.sling.engine.impl.SlingMainServlet service: Resource /bin/TestServlet.json not found
I can build the bundle containing the servlet, deploy it using the maven-sling-plugin, and the bundle ends up in the console as 'active', but the servlet isn't available. I'm using the following in my class file to define the servlet:
#SlingServlet(paths = {"/bin/TestServlet"}, methods = {"GET"}, extensions = {"json"}, metatype = true)
#Properties({
#Property(name = "service.name", value = "com.something.servlets.TestServlet", propertyPrivate = true),
#Property(name = "service.description", value= "Test servlet I am trying to geet working", propertyPrivate = true),
#Property(name = "service.vendor", value = "something", propertyPrivate = true)
})
Please note that I have also tried that alternative using the #Component(.......) and #Service(value=Servlet.class) annotations
Looking to see if the problem is configuration based (thinking /bin was blocked) I went back to 5.6.1 to compare configuration and noticed that the config for Apache Sling Servlet/Script Resolver and Error Handler differs between 5.3 and 5.6.
In 5.6 you can configure the servletresolver.paths which (if I understand things correctly) opens up paths for execution, but this is not present in 5.3
So:
Does the configuration for servletresolver.paths exist in 5.3?
Can I even register a servlet like this in 5.3?
If the answer to 2 is 'no', can you point me at an example/tutorial on how to do this in 5.3 (Docs and tutorials are thin on the ground for this version)?
Thanks in advance
EDIT (resolution):
It seems to be down to versions in the POM (and possibly plugin config). May only have been one culprit, but I simply don't have time to try all permutations. If I get time to try I'll add an edit.
Successful versions:
maven-bundle-plugin - v2.4.0
maven-scr-plugin - v1.13.0
maven-sling-plugin - v2.1.0
in CQ5.3 you can use 'JCR resolver' to check servlet mapping.
Go To
http://localhost:4502/system/console/jcrresolver
And enter path to your servlet in 'Configuration Test'.
e.g.
http://localhost:4502/bin/TestServlet
resolve result should mapping to your servlet
for example
ServletResource, servlet=com.test.impl.HelloJSONServlet, path=/bin/TestServlet
Also there is code snippet which works in CQ5.3
#Component(immediate = true, metatype = false, label = "Hello JSON Servlet")
#Service(serviceFactory = false, value = javax.servlet.Servlet.class)
#Properties(value = {
#org.apache.felix.scr.annotations.Property(name = "sling.servlet.methods", value = { "GET" }),
#org.apache.felix.scr.annotations.Property(name = "sling.servlet.extensions", value = { "json" }),
#org.apache.felix.scr.annotations.Property(name = "sling.servlet.paths", value = {"/bin/TestServlet"})
})
public class HelloJSONServlet extends SlingAllMethodsServlet {
protected void doGet(SlingHttpServletRequest request,
SlingHttpServletResponse response) throws ServletException,
IOException {
String username = request.getParameter("username");
response.setContentType("application/json");
response.getWriter().write("{ \"hello\" : \""+username+"\" }");
}
}
I'm working in a project where we are using Apache Shiro for security.
Now, I'm not sure if the problem is in the Shrio configuration or if it is somewhere else.
What happens is, that when a User has entered the credentials and is authenticated with basic auth, the values for username and password are preserved until the browser has been shutdown. I've tried this in Firefox and Chrome and it is the same behaviour.
From what I understand this sounds like the Shiro "RememberMe" function, but I "think" I've shut this off.
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
logger.info("Remember Me active ? {}", upToken.isRememberMe());
Prints:
09:44:00,323 INFO [TestRealm] Remember Me active ? false
I've also tried using the Shiro logout configured in the shiro.ini file
[main]
...
logout.redirectUrl = /logout.jsp
...
[url]
/logout = logout
The logout.jsp looks as follows:
<%# page import="org.apache.shiro.SecurityUtils" %>
<% SecurityUtils.getSubject().logout();%>
You have succesfully logged out.
Non of this helps, the session is still active as long the browser has not been shutdown. When on the logout page, using Chrome-developer, I can see that the cookie is removed in the resources.
The shiro.ini complete file
[main]
authBasicRealm = se.test.TestRealm
securityManager.realms = $authBasicRealm
#builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $builtInCacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager.sessionIdCookieEnabled = false
# cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = test.session
cookie.path = /test
cookie.maxAge = 60
#cookie.secure = true
cookie.httpOnly = false
sessionManager.sessionIdCookie = $cookie
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager
logout.redirectUrl = /logout.jsp
[users]
# format: username = password, role1, role2, ..., roleN
admin = admin, 4
user = user, 2
[roles]
admin = *
user = *
#User Get Specified
1 = 1
#User Get All
2 = 1
#Create Put Update
3 = 2:*
#Admin
4 = admin:*
test = 2:*
[urls]
/logout = logout
/** = authcBasic
Best,
Henrik
There muust be some probelm in configuration you can try a demo app from https://github.com/dominicfarr/skybird-shiro and check if it works.
Using SocialAuth: v2.3 via Railo CFML Engine, I am getting the following exception thrown:
Railo 3.3.4.003 Error (org.brickred.socialauth.exception.SocialAuthException)
Message facebook is not a provider or valid OpenId URL
Cause org.brickred.socialauth.exception.SocialAuthException
Stacktrace The Error Occurred in
/Users/rountrjf/Sites/ccpd-dev/controllers/socialauth.cfc: line 31
29: manager.setSocialAuthConfig(config);
30: successUrl = "http://dev.ccpd.uc.edu/socialauth/success";
31: providerUrl = manager.getAuthenticationUrl("facebook", successUrl);
Here is a snippet of my CFC code:
public string function login() {
id = params.key;
configFile = expandPath("/SocialAuth/oauth_config.properties");
inputFile = createObject("java","java.io.File").init(configFile);
inputStream = createObject("java", "java.io.FileInputStream").init(inputFile);
SocialAuthConfig = createObject("java","org.brickred.socialauth.SocialAuthConfig").init();
config = SocialAuthConfig.getDefault();
config.load(configFile);
SocialAuthManager = createObject("java","org.brickred.socialauth.SocialAuthManager").init();
manager = SocialAuthManager;
manager.setSocialAuthConfig(config);
successUrl = "http://dev.ccpd.uc.edu/socialauth/success";
providerUrl = manager.getAuthenticationUrl("facebook", successUrl);
Why is it throwing this error? The "configFile" has a property for "facebook" and it configured as shown in step 3 of the "Getting Started" guide.
CONFIG FILE I'M USING
#google
www.google.com.consumer_key = opensource.brickred.com
www.google.com.consumer_secret = YC06FqhmCLWvtBg/O4W/aJfj
#you can set custom permission by using custom_permissions with provider prefix.
#www.google.com.custom_permissions = http://www.google.com/m8/feeds/,http://picasaweb.google.com/data/
#yahoo
api.login.yahoo.com.consumer_key = dj0yJmk9VTdaSUVTU3RrWlRzJmQ9WVdrOWNtSjZNMFpITm1VbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD1iMA--
api.login.yahoo.com.consumer_secret = 1db3d0b897dac60e151aa9e2499fcb2a6b474546
#twitter
twitter.com.consumer_key = E3hm7J9IQbWLijpiQG7W8Q
twitter.com.consumer_secret = SGKNuXyybt0iDdgsuzVbFHOaemV7V6pr0wKwbaT2MH0
#facebook
graph.facebook.com.consumer_key = 152190004803645
graph.facebook.com.consumer_secret = 64c94bd02180b0ade85889b44b2ba7c4
#you can set custom permission by using custom_permissions with provider prefix.
#graph.facebook.com.custom_permission = publish_stream,email,user_birthday,user_location,offline_access
#hotmail
consent.live.com.consumer_key = 000000004403D60E
consent.live.com.consumer_secret = cYqlii67pTvgPD4pdB7NUVC7L4MIHCcs
#AOL
api.screenname.aol.com.consumer_key = ab1QxoYXlT-x-ARL
api.screenname.aol.com.consumer_secret = 000
#LinkedIn
api.linkedin.com.consumer_key = 9-mmqg28fpMocVuAg87exH-RXKs70yms52GSFIqkZN25S3m96kdPGBbuSxdSBIyL
api.linkedin.com.consumer_secret = e6NBqhDYE1fX17RwYGW5vMp25Cvh7Sbw9t-zMYTIW_T5LytY5OwJ12snh_YftgE4
#MySpace
api.myspace.com.consumer_key = 29db395f5ee8426bb90b1db65c91c956
api.myspace.com.consumer_secret = 0fdccc829c474e42867e16b68cda37a4c4b7b08eda574fe6a959943e3e9be709
#FourSquare
foursquare.com.consumer_key = JQKEM1PHWFW4YF2YPEQBRRESXE3SBGNCYJWWDTZKF3IZNJ3V
foursquare.com.consumer_secret = 4IILLDFDVPP2LC554S4KXKETQNTDKPDSEVCKVHA2QEHKYBEQ
#Yammer
www.yammer.com.consumer_key=5zyIkp12TrkulSRbSegQ
www.yammer.com.consumer_secret=zUcCB9kqWhI1IiTAJbl9QdG2AWcUJMDWp3Qyv5VJJw
#Mendeley
api.mendeley.com.consumer_key=f31077a7576d5e02537e232eb649403c04fce1dd0
api.mendeley.com.consumer_secret=1810bc92d4625f673e4ff35cb248aab3
#Salesforce
login.salesforce.com.consumer_key = 3MVG9Y6d_Btp4xp4yFMR0tPSndkAVu4OBejuYcL2iGFC68tA49PknWKX20XdPl5s1iwWldyuAbSINWHbB2Jcu
login.salesforce.com.consumer_secret = 1993703471433041656
I would suggest using Constants.FACEBOOK which is actually "facebook" but in case it isn't it has a value that should work.
A possible reason that the error appears is that you are not using the correct input file.
Make sure that the configuration config is loaded correctly,
try to call config.getProviderConfig(Constants.FACEBOOK) and see if it returns null
Lastly you can try this. This is what I used and works.
SocialAuthConfig config = new SocialAuthConfig();
SocialAuthManager socialAuthManager = new SocialAuthManager();
config.load(inputStream);
socialAuthManager.setSocialAuthConfig(config);
I don't really know Railo CFML Engine and what it does so I can't help.
Maybe remove .getDefault() from config = SocialAuthConfig.getDefault();?
I hope someone here has experience with Sun OpenSSO (now ForgeRock OpenAM).
I'm trying to get all groups in ActiveDirectory using the OpenSSO Client SDK in Java / JBoss EAP 5.0.
I tried the following by combining various samples and code snippets I could find on the web, but this fails and eventually logs "Memberships for identities other than Users is not allowed." The basic approach was to use AMIdentityRepository -> getRealmIdentity() -> getMemberships(IdType.GROUP) :
SSOTokenManager manager = SSOTokenManager.getInstance();
String tokenString = URLDecoder.decode(tokenID, "ISO-8859-1");
SSOToken token = manager.createSSOToken(tokenString);
if (manager.isValidToken(token)) {
SSOToken adminToken = (SSOToken)AccessController.
doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository rep = new AMIdentityRepository(adminToken, "/");
AMIdentity identity = rep.getRealmIdentity();
Set groups = identity.getMemberships(IdType.GROUP);
}
Note I'm not trying to determine if a user is a member of a group or to retrieve a user's groups - I'm trying to get a list of ALL groups.
Any suggestions would be appreciated - thanks!
Instead of rep.getRealmIdentity() and then calling getMemberships(IdType.GROUP), use searchIdentities and getSearchResults like:
SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository ir = new AMIdentityRepository(token, "/");
IdSearchResults results = ir.searchIdentities(IdType.GROUP, "*", new IdSearchControl());
Set<AMIdentity> groups = results.getSearchResults();
for (AMIdentity group : groups) {
logger.debug("Group Name : " + group.getName());
}