From: Alvaro A. <alv...@tu...> - 2015-11-30 08:51:28

Hello,

I'm trying to get Unicore to use Unity to validate users using our LDAP server and could use a little help from someone with experience on this. Until now I have set up a Unity server and created a simple authenticator for LDAP (code below), as well as the corresponding translation profile (also below). The dry test of the TP seems to be working well. I also added the certificate of the Unity server to Unicore's assertion issuers and granted access to the LDAP users in the XUUDB. However, I'm still unable to login to Unicore using the rich client with the Unity option.

Any hints about what I'm missing or doing wrong?

Thanks!
Alvaro

------------------------------

*wsrflite.xml (both for registry & unicore/x)*

<property name="container.security.trustedAssertionIssuers.type" value="directory" />
<property name="container.security.trustedAssertionIssuers.directoryLocations.1" value="/home/somepath.../unity..pem" />

*uas.conf*

container.security.rest.authentication.order=FILE UNITY
container.security.rest.authentication.UNITY.class=eu.unicore.services.rest.security.UnitySAMLAuthenticator
container.security.rest.authentication.UNITY.address=https://unity.zih.tu-dresden.de:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.UNITY.validate=true

*Authenticator*

ldap.bindAs=system
ldap.systemDN=cn=blahblah,dc=zih,dc=tu-dresden,dc=de
ldap.systemPassword=secret
ldap.servers.1=ldap-server.zih.tu-dresden.de
ldap.ports.1=636
ldap.connectionMode=SSL
ldap.trustAllServerCertificates=true
ldap.userDNTemplate=uid={USERNAME},ou=users,dc=tu-dresden,dc=de
ldap.groupsBaseName=ou=groups,dc=tu-dresden,dc=de
ldap.groups.1.objectClass=posixGroup
ldap.groups.1.memberAttribute=memberUid
ldap.groups.1.nameAttribute=cn
ldap.groups.1.matchByMemberAttribute=cn
ldap.translationProfile=LDAP-Test

*Translation Profile (LDAP-Test)*

1: Condition: true
   Action: mapIdentity
   Action parameters:
     unityIdentityType = x500Name
     expression = id
     credential requirement = Password requirement
     effect = CREATE_OR_MATCH

2: Condition: true
   Action: mapIdentity
   Action parameters:
     unityIdentityType = userName
     expression = attr['uid']
     credential requirement = Password requirement
     effect = CREATE_OR_MATCH

3: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = cn
     group = /
     expression = attr['cn']
     visibility = full
     effect = CREATE_OR_UPDATE

4: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = urn:unicore:attrType:xlogin
     group = /
     expression = attr['uid']
     visibility = full
     effect = CREATE_OR_UPDATE

5: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = email
     group = /
     expression = attr['mail']
     visibility = full
     effect = CREATE_OR_UPDATE

--
Dipl.-Inf. Alvaro Aguilera
Wissenschaftlicher Mitarbeiter
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Verteiltes und Datenintensives Rechnen
Büro: Falkenbrunnen, Raum 256
Chemnitzer Straße 46b
01187 Dresden
Tel: +49 (351) 463 33491
Email: alv...@tu...
Web: http://www.tu-dresden.de/zih
OTR-Fingerprint: 9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1
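The following is an added worked example, not code from the post above or from the Unity or UNICORE projects. It re-implements, in a few lines of Python, what the translation profile in the post does to one LDAP entry, so that the mapping from LDAP attributes to Unity identities and attributes can be checked offline: rule 1 turns the bound DN (`id`) into the x500Name identity that UNICORE matches against the XUUDB, rules 2 to 5 copy `uid`, `cn` and `mail` into the userName identity and the `/`-group attributes. The LDAP entry is constructed for the example, the expression evaluator only understands the two forms used in the profile (`id` and `attr['name']`), and a missing attribute is reported as a skipped rule rather than aborting, which is an assumption of this toy rather than Unity's real behaviour.

```python
import re

# Constructed sample entry, shaped like what the authenticator in the post
# would fetch for uid=alice. The DN follows ldap.userDNTemplate; names are made up.
SAMPLE_ENTRY = {
    "id": "uid=alice,ou=users,dc=tu-dresden,dc=de",   # 'id' in the profile = the user's DN
    "attr": {"uid": "alice", "cn": "Alice Example", "mail": "alice@example.org"},
}

# The five rules of the LDAP-Test profile, transcribed as data.
RULES = [
    {"action": "mapIdentity", "unityIdentityType": "x500Name",
     "expression": "id", "effect": "CREATE_OR_MATCH"},
    {"action": "mapIdentity", "unityIdentityType": "userName",
     "expression": "attr['uid']", "effect": "CREATE_OR_MATCH"},
    {"action": "mapAttribute", "unityAttribute": "cn", "group": "/",
     "expression": "attr['cn']", "effect": "CREATE_OR_UPDATE"},
    {"action": "mapAttribute", "unityAttribute": "urn:unicore:attrType:xlogin",
     "group": "/", "expression": "attr['uid']", "effect": "CREATE_OR_UPDATE"},
    {"action": "mapAttribute", "unityAttribute": "email", "group": "/",
     "expression": "attr['mail']", "effect": "CREATE_OR_UPDATE"},
]

# Only the expression forms that appear in the profile are supported (assumption).
ATTR_REF = re.compile(r"^attr\['([^']+)'\]$")


def evaluate(expression, entry):
    """Evaluate 'id' or attr['name'] against an LDAP entry.
    Returns None when the referenced attribute is absent so the caller can report it."""
    if expression == "id":
        return entry["id"]
    m = ATTR_REF.match(expression)
    if m:
        return entry["attr"].get(m.group(1))
    raise ValueError(f"unsupported expression: {expression}")


def apply_profile(rules, entry):
    """Run every rule (all conditions in the profile are 'true') and collect
    identities, attributes and the 1-based numbers of rules whose input was missing."""
    identities, attributes, missing = {}, {}, []
    for n, rule in enumerate(rules, 1):
        value = evaluate(rule["expression"], entry)
        if value is None:
            missing.append(n)
            continue
        if rule["action"] == "mapIdentity":
            identities[rule["unityIdentityType"]] = value
        elif rule["action"] == "mapAttribute":
            attributes[(rule["group"], rule["unityAttribute"])] = value
    return identities, attributes, missing


def looks_like_dn(value):
    """Cheap sanity check that the x500Name identity is a comma-separated list of
    attr=value RDNs, i.e. something the XUUDB entry could be keyed on."""
    rdns = [r.strip() for r in value.split(",")]
    return bool(rdns) and all("=" in r and r.split("=", 1)[1] for r in rdns)


if __name__ == "__main__":
    ids, attrs, skipped = apply_profile(RULES, SAMPLE_ENTRY)
    print("identities:", ids)
    print("attributes:", attrs)
    print("skipped rules:", skipped)
    print("x500Name usable as DN:", looks_like_dn(ids.get("x500Name", "")))
```

The value printed for `x500Name` is the string UNICORE will compare against the XUUDB entry, so it is worth comparing character for character (ordering of RDNs, spaces after commas) with what was granted there; a mismatch at that point produces exactly the symptom described in the post, a successful Unity login that still cannot use UNICORE.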