From: Krzysztof B. <kb...@un...> - 2019-04-03 22:32:02
Dear Rolf,

On 29.03.2019 at 08:42, Rolf Haist wrote:
> Dear all,
>
> I am trying to update Unity 2.7.5 to 2.8.0 but I cannot get it working. Unity is used as attribute source for UNICORE (core server bundle 7.12.0), users should be authenticated via LDAP.
>
> In Unity 2.7.5 I changed the module unicoreWithPAM.module so that it uses the authenticator ldapPasswordWS:
>
> # Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
> unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
> unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
> unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
> unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
> unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPasswordWS
>
> # ldapPasswordWS:
> unityServer.core.authenticators.ldapPasswordWS.authenticatorName=ldapPasswordWS
> unityServer.core.authenticators.ldapPasswordWS.authenticatorType=ldap with cxf-httpbasic
> unityServer.core.authenticators.ldapPasswordWS.verificatorConfigurationFile=${CONF}/authenticators/ldap.properties
> unityServer.core.authenticators.ldapPasswordWS.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval-ldap.json
>
> This configuration is working and users can be authenticated via Unity in the Unicore Rich Client.
>
> I tried to do the same in Unity 2.8.0. Again, I changed the module unicoreWithPAM.module so that it uses ldapPassword as authenticator:
>
> # Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
> unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
> unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
> unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
> unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
> unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPassword
>
> # ldapPassword with new syntax:
> unityServer.core.authenticators.ldapPassword.authenticatorName=ldapPassword
> unityServer.core.authenticators.ldapPassword.authenticatorType=ldap
> unityServer.core.authenticators.ldapPassword.configurationFile=${CONF}/authenticators/ldap.properties
>
> This configuration is not working. If I try to login via Unity in the Unicore Rich Client I get the error message "Could not refresh resource properties of service Grid/Registry: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed."
>
> unity-server.log shows the following messages:
>
> 2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator ldapPassword
> 2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned notApplicable
> 2019-03-28T09:39:58,917 [qtp327575653-125] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow ldapPassword, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
> 2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
>
> The configuration of the authenticator ldapPassword should be correct. If I use it as authenticator for the UserHomeUI endpoint users can login via LDAP.
>
> Does anyone see the error?

Hmm - not really, looks good. Have you tried to turn on TRACE logging and evaluate logs captured when trying to log in using URC? If the ldap authenticator works for web login, most likely there is some problem related to the new feature of automatically selecting binding for authenticators - let me know, having the logs would help (you can send them with private message).

Best
KB
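The thread compares the 2.7.5 authenticator syntax (binding fixed in the config with "ldap with cxf-httpbasic") against the 2.8.0 syntax (binding chosen by the server), and the TRACE log shows the authenticator answering "notApplicable" for the SOAP endpoint. The script below is an added example, not Unity project code or anything posted in the thread: it reads property fragments of the shape quoted above, reports endpoints that reference an authenticator that is never defined, lists which authenticators use the legacy "type with binding" form versus the binding-less form, and pulls the "returned notApplicable" verdicts out of unity-server.log lines. The property-key layout is taken from the quoted config; treating ';' and ',' as separators in endpointAuthenticators is an assumption, and all configs and log lines are constructed samples.

```python
"""Added example (not Unity's code): check endpoint -> authenticator wiring in
Unity-style .properties fragments and spot 'notApplicable' verdicts in logs.
Key layout follows the config quoted in the thread; the ';'/',' separator
handling for endpointAuthenticators is an assumption."""
import re
from typing import Dict, List

ENDPOINT_KEY = re.compile(r"^unityServer\.core\.endpoints\.([^.]+)\.(.+)$")
AUTHN_KEY = re.compile(r"^unityServer\.core\.authenticators\.([^.]+)\.(.+)$")
NOT_APPLICABLE = re.compile(r"Authenticator (\S+) returned notApplicable")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties reader: key=value, '#' comments and blanks skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_authenticator_wiring(text: str) -> dict:
    """Report (a) authenticators referenced by an endpoint but never defined,
    (b) authenticators using the legacy 'type with binding' syntax, and
    (c) authenticators using the binding-less syntax (server picks the binding)."""
    endpoints: Dict[str, Dict[str, str]] = {}
    authenticators: Dict[str, Dict[str, str]] = {}
    for key, value in parse_properties(text).items():
        m = ENDPOINT_KEY.match(key)
        if m:
            endpoints.setdefault(m.group(1), {})[m.group(2)] = value
            continue
        m = AUTHN_KEY.match(key)
        if m:
            authenticators.setdefault(m.group(1), {})[m.group(2)] = value

    report = {"missing": [], "legacy_binding": {}, "bindingless": []}
    for name, props in authenticators.items():
        atype = props.get("authenticatorType", "")
        if " with " in atype:
            verificator, binding = atype.split(" with ", 1)
            report["legacy_binding"][name] = (verificator.strip(), binding.strip())
        else:
            report["bindingless"].append(name)
    for ep, props in endpoints.items():
        # Assumption: ';' separates alternative flows, ',' authenticators within a flow.
        refs = re.split(r"[;,]", props.get("endpointAuthenticators", ""))
        for ref in (r.strip() for r in refs):
            if ref and ref not in authenticators:
                report["missing"].append((ep, ref))
    return report


def not_applicable_authenticators(log_text: str) -> List[str]:
    """Names of authenticators that declined the request ('returned notApplicable')."""
    return NOT_APPLICABLE.findall(log_text)


# Constructed sample configs, shaped like the thread's 2.7.5 / 2.8.0 snippets.
CONF_2_7_5 = """
# endpoint used by UNICORE/X for its REST clients
unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPasswordWS
unityServer.core.authenticators.ldapPasswordWS.authenticatorName=ldapPasswordWS
unityServer.core.authenticators.ldapPasswordWS.authenticatorType=ldap with cxf-httpbasic
unityServer.core.authenticators.ldapPasswordWS.verificatorConfigurationFile=${CONF}/authenticators/ldap.properties
"""

CONF_2_8_0 = """
unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPassword
unityServer.core.authenticators.ldapPassword.authenticatorName=ldapPassword
unityServer.core.authenticators.ldapPassword.authenticatorType=ldap
unityServer.core.authenticators.ldapPassword.configurationFile=${CONF}/authenticators/ldap.properties
"""

# Constructed: the endpoint still points at the old authenticator name after a rename.
CONF_BROKEN = """
unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPasswordWS
unityServer.core.authenticators.ldapPassword.authenticatorType=ldap
"""

# Constructed log lines, shaped like the TRACE output quoted in the thread.
SAMPLE_LOG = """\
2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator ldapPassword
2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned notApplicable
2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
"""

if __name__ == "__main__":
    for label, conf in (("2.7.5", CONF_2_7_5), ("2.8.0", CONF_2_8_0), ("broken", CONF_BROKEN)):
        print(label, check_authenticator_wiring(conf))
    print("declined by:", not_applicable_authenticators(SAMPLE_LOG))
```

Run against a real unityServer.conf plus the included module files, the "missing" list catches the dangling-reference case, while the legacy/bindingless split tells you at a glance whether a given authenticator's binding is pinned in the config or left to the server to pick; a "notApplicable" entry from the log names the authenticator that declined the request, which is the one whose binding selection is worth examining first.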