From: Krzysztof B. <kb...@un...> - 2019-10-18 08:25:38
Dear Subscribers,

Finally Unity 3.0.0 is released. The main highlights of the Unity 3 were pre-announced with the RC so only a brief reminder:

* The biggest change in Unity 3 is a new administrative web UI: Admin Console (or Console for short). It completely replaces the legacy Admin UI.
* Audit log.
* Java 11 is finally supported. Java 8 can still be used.
* It is possible to outsource message templates management and message sending to an external service.

More detailed changelog and announcement is available at https://www.unity-idm.eu/downloads/

For those upgrading make sure to read the upgrade instructions, which are very easy but cover two important points: http://www.unity-idm.eu/documentation/unity-3.0.0/manual.html#ver-update

Huge thank you to the whole team for making this major step forward in Unity development possible!

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2019-10-07 12:35:15
Dear Subscribers,

I'm happy to invite you to testing of Unity 3.0.0 Release Candidate. In short time from now we are planning to release 3.0.0 final version. Therefore spending short time now on quick testing of upgrade will help us to deliver a better initial version.

The main highlights of the Unity 3 follows:

*Admin Console*

The biggest change in Unity 3 is a new administrative web UI: Admin Console (or Console for short). It completely replaces the legacy Admin UI.

The grand goal of adding Console was to expose all functionalities Unity has over web interface. Previously Unity admin was forced to follow a hybrid approach: directory was managed with web interface, but many other settings like authenticators were only reachable from config files. Now almost everything is exposed within the Console.

It is hard to enumerate all improvements, the best is to give it a try. The most notable items are:

* Complete management:
  o realms, authenticators, authentication flows
  o all endpoints (in console broken into two categories: /IdP//s/ and other /Services/)
  o trusted certificates
  o moved all features of Admin UI
  o many of existing views refreshed, and much more useful now
    + better use of screen size, no more vertically split panels (besides group browser)
    + sorting and filtering in all relevant places
    + small improvements in many places (e.g. on realms view you can check which endpoint is using it)
    + many improvements in directory browser: some things still to come, but its UX is greatly improved already now. For instance attribute values are instantly visible for each selected entity.
* Input and Output profiles are now 1-1 bound with their corresponding authenticator or endpoint (respectively). No more "global" view of profiles, e.g. editing of an input profile is now a part of authenticator editing.
* New main layout with left bar navigation
* Lightweight, faster loading compared to AdminUI

*New features*

* Audit log. Unity now stores audit log of most important operations that were performed on the directory. That's an initial version of this subsystem with certain gaps, but it is already now very functional and provides valuable insights into history of Unity deployment.
* Java 11 is finally supported. Java 8 can still be used. In close future we are going to deprecate Java 8. Java 12 & 13 should work too, but was not tested.
* It is possible to outsource message templates management and message sending to an external service. Admins can integrate Unity with dedicated mail systems or marketing/CMS software and manage all organization communication from one place.

RC1 can be downloaded from: https://sourceforge.net/projects/unity-idm/files/Unity%20server/3.0.0-rc1/

Documentation is available at: http://www.unity-idm.eu/documentation/unity-3.0.0-rc1/manual.html

For those upgrading make sure to read the upgrade instructions, which are short but cover two important points: http://www.unity-idm.eu/documentation/unity-3.0.0-rc1/manual.html#ver-update

Happy testing!
Krzysztof

From: Sander A. <sa....@fz...> - 2019-06-28 07:52:36
Hi Krzysztof,

thanks for your swift reply. For sure I did not set it. Sorry for bothering you with stupid user failures.

Best regards,
Sander

On Fri, 2019-06-28 at 09:20 +0200, Krzysztof Benedyczak wrote:
> Sander,
>
> On 27.06.2019 at 13:09, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > If a user selects a registration form, the user is not able to cancel
> > the registration form and go back to the previous page, e.g. home
> > endpoint. The user must close the tab and come back to unity in a new
> > one. Using the "go back" function does not work, because the URL did
> > not change. Is it possible to enable a cancel button within the
> > registration form to go back to the previous page. We are running unity
> > 2.8.2.
>
> Hmm, do you have cancel option enabled in your form configuration as
> below?
> If yes and it is still not visible, then please provide detailed
> description of your flow. I.e. how your user is accessing the form
> (from authN screen, from standalone URL, authN screen during external
> authN, etc - there are few other options too).
> Cheers,
> KB

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------

From: Krzysztof B. <kb...@un...> - 2019-06-28 07:20:28
Sander,

On 27.06.2019 at 13:09, Sander Apweiler wrote:
> Hi Krzysztof,
>
> If a user selects a registration form, the user is not able to cancel
> the registration form and go back to the previous page, e.g. home
> endpoint. The user must close the tab and come back to unity in a new
> one. Using the "go back" function does not work, because the URL did
> not change. Is it possible to enable a cancel button within the
> registration form to go back to the previous page. We are running unity
> 2.8.2.

Hmm, do you have cancel option enabled in your form configuration as below?

If yes and it is still not visible, then please provide detailed description of your flow. I.e. how your user is accessing the form (from authN screen, from standalone URL, authN screen during external authN, etc - there are few other options too).

Cheers,
KB

From: Sander A. <sa....@fz...> - 2019-06-27 11:09:37
Hi Krzysztof,

If a user selects a registration form, the user is not able to cancel the registration form and go back to the previous page, e.g. home endpoint. The user must close the tab and come back to unity in a new one. Using the "go back" function does not work, because the URL did not change. Is it possible to enable a cancel button within the registration form to go back to the previous page. We are running unity 2.8.2.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2019-05-30 21:12:17
Dear Subscribers,

Subsequent revision release in the 2.8 line is available. It brings couple of important improvements of existing features. The most notable ones are:

* Better support for running Unity behind a proxy server (e.g. cloud loadbalancer). Unity can now be started on plain HTTP, what is useful if HTTPS is provided by the proxy. More importantly Unity can be configured to rely on X-Forwarded-For header to establish client's IP. That's important for reliable brute force attack detection and logging.
* User can kill an in-progress external authentication (e.g. external OAuth started from Unity) from other browser tab, than the one that was used to initiate it.
* Registration is now properly handling case when is configured with only external sign-up. That is when there is no option to set up a local account.
* Unity now shows enquiries which have no user-editable controls on a form. Up to now in such situation user was shown an error. This can be used to present acknowledgment or simple agreement which is accepted merely by submitting a form - naturally care must be taken to provide proper information in enquiry title or infobox.

There were also few additional smaller bugfixes. See Downloads <http://www.unity-idm.eu/downloads/> for a detailed changelog.

Best regards,
Krzysztof

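How a server behind a proxy can derive the client address from X-Forwarded-For before counting failed logins, as an added example (not Unity's code or configuration). The proxy network 10.0.0.0/24, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the reverse proxies / load balancers in front of the server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Address a request is attributed to, given the TCP peer and the header."""
    # The header is honoured only when the connection comes from our proxy;
    # a client connecting directly controls the whole header value.
    if not xff or not is_trusted(peer):
        return peer
    candidate = peer
    # Each proxy appends the address it saw, so the right-hand entries were
    # written by our own infrastructure. Walk right to left and stop at the
    # first address that is not one of our proxies.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


def peer_only(peer, xff):
    """Header ignored: every proxied request appears to come from the proxy."""
    return peer


def leftmost(peer, xff):
    """Header trusted blindly: the first entry is whatever the client sent."""
    return xff.split(",")[0].strip() if xff else peer


def failures_by_source(requests, resolver):
    counts = Counter()
    for peer, xff, ok in requests:
        if not ok:
            counts[resolver(peer, xff)] += 1
    return counts


def over_limit(counts, limit=3):
    return sorted(addr for addr, n in counts.items() if n >= limit)


# Constructed sample: (TCP peer, X-Forwarded-For value, login succeeded?)
SAMPLE = [
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "198.51.100.1, 203.0.113.7", False),  # first entry client-supplied
    ("10.0.0.5", "198.51.100.2, 203.0.113.7", False),  # first entry client-supplied
    ("10.0.0.5", "192.0.2.44", False),
    ("10.0.0.5", "192.0.2.44", True),
    ("192.0.2.99", "10.0.0.5", False),  # direct connection, header not from our proxy
]

if __name__ == "__main__":
    for resolver in (peer_only, leftmost, client_ip):
        counts = failures_by_source(SAMPLE, resolver)
        print(resolver.__name__, dict(counts), "blocked:", over_limit(counts))
```

With the header ignored the proxy address itself crosses the limit, with the header trusted blindly no address does, and with the trusted-proxy walk the three failures are attributed to the one client that caused them.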
From: Krzysztof B. <kb...@un...> - 2019-05-28 17:11:24
Hi Sander,

On 27.05.2019 at 14:58, Sander Apweiler wrote:
> Hi Krzysztof,
>
> within unity 2.4.2 we found some issues for users having the inspector
> role.
>
> 1. A user has inspector role in root group. Within the root group
> another entity is disabled. Instead of getting the user list, the
> inspector sees this error: "Problem retrieving group members:
> pl.edu.icm.unity.exceptions.IllegalIdentityValueException: The entity
> is disabled"

Yeah, that's a bug and it is still here with recent version, but shows up differently. My take for this would be to deprecate the Inspector role, or better said - merge it with Privileged Inspector, which works correctly. Do you have anything against? The difference is that Privileged Inspector can read just everything. It is also suggested workaround.

> 2. A user is regular user in root group and inspector in one subgroup
> (/a). The attribute CN got the attribute metadata "Value of this
> attribute in the root group is used as an entity's displayed name."
> This attribute is copied by attribute statements within the subgroup.
> The inspector only sees the list of entities without the name. If the
> inspector selects one of the entities, the inspector got the lists of
> available attributes. After selecting one of the attributes, the
> inspector can read the attributes.

Hmm, what is the problem here? Sounds all right: can read attributes in a group where it is an inspector, but not from root group where it is not an inspector.

> 3. A user is regular user in root group, inspector in first level
> subgroup (/a) and contents manager within second level subgroup (/a/b).
> The user tries to copy another user from /a into /a/b. The user got the
> following error: "Access denied. The operation getGroups requires
> 'read' capability". If the user get inspector role in root group too,
> it works.

Unfortunately this is also by design. In general roles in subgroups are of very limited usefulness: in order to perform many of the operations on subgroup level one needs some permissions on the global level. Our approach to this is basically UpMan. It implements access to a subgroup with precisely controlled global impact (which always happen as side effect of authorized operation on a subgroup).

If more flexibility on subgroup limited management is required we need to put more feature in UpMan, instead trying to figure out some generic authZ abstractions which are too hard to develop and understand. We tried hard with it for many years and always failed. And in UpMan it's both well controlled and easy.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2019-05-27 12:58:50
Hi Krzysztof,

within unity 2.4.2 we found some issues for users having the inspector role.

1. A user has inspector role in root group. Within the root group another entity is disabled. Instead of getting the user list, the inspector sees this error: "Problem retrieving group members: pl.edu.icm.unity.exceptions.IllegalIdentityValueException: The entity is disabled"

2. A user is regular user in root group and inspector in one subgroup (/a). The attribute CN got the attribute metadata "Value of this attribute in the root group is used as an entity's displayed name." This attribute is copied by attribute statements within the subgroup. The inspector only sees the list of entities without the name. If the inspector selects one of the entities, the inspector got the lists of available attributes. After selecting one of the attributes, the inspector can read the attributes.

3. A user is regular user in root group, inspector in first level subgroup (/a) and contents manager within second level subgroup (/a/b). The user tries to copy another user from /a into /a/b. The user got the following error: "Access denied. The operation getGroups requires 'read' capability". If the user get inspector role in root group too, it works.

I guess this setup is used quite seldom and the issues might be available in the current release too.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2019-05-09 20:45:54
Hi Sander,

On 08.05.2019 at 15:35, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we are testing the upman feature. One issue we found is that the user
> who received an invitation, although the user is already member of the
> project/group, sees an error if the user follows the link. The error
> is:
>
> The selected enquiry is not applicable to your account or was already
> filled
>
> From our point of view it would be better if the project/groupmanager
> who creates the invitation receives a message that the user is already
> member and no invitation is sent.

I was trying to reproduce this and no luck. I've invited a user who is in a project to it again. The user gets notification, and can fill it. No error, everything was accepted correctly (also checked internally).

I agree that it would be better to detect such situation when invited user is already a member and then show a modal with warning. I'll open a FR for this, though I don't think it is critical(?).

But regarding your error I'd need more details. What is the user and details of the form configured for the project (joining enquiry).

Best
KB

From: Krzysztof B. <kb...@un...> - 2019-05-08 14:27:19
Hi Sander,

On 08.05.2019 at 15:35, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we are testing the upman feature. One issue we found is that the user
> who received an invitation, although the user is already member of the
> project/group, sees an error if the user follows the link. The error
> is:
>
> The selected enquiry is not applicable to your account or was already
> filled

I'll have to look into it...

> From our point of view it would be better if the project/groupmanager
> who creates the invitation receives a message that the user is already
> member and no invitation is sent.
>
> The second issue we found is in combination with eduGain as external
> authorisation. If we enable it, all IdPs are listed in one single
> column. Is it possible to create different columns and a grid like in
> the endpoints for user registration? Is it possible to remove the local
> account creation (username+password) from it. We want to support only
> the homeorganisation identities.

Currently our registration layout allows for a single column only. However answer for all other questions is positive:
-) you can remove local authN on registration form
-) you can specify that you want to use a grid, and which authentication options/authenticators should be shown in it.

All of this is controlled on registration form of your delegated group.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2019-05-08 13:37:09
Hi Krzysztof,

we are testing the upman feature. One issue we found is that the user who received an invitation, although the user is already member of the project/group, sees an error if the user follows the link. The error is:

The selected enquiry is not applicable to your account or was already filled

From our point of view it would be better if the project/groupmanager who creates the invitation receives a message that the user is already member and no invitation is sent.

The second issue we found is in combination with eduGain as external authorisation. If we enable it, all IdPs are listed in one single column. Is it possible to create different columns and a grid like in the endpoints for user registration? Is it possible to remove the local account creation (username+password) from it. We want to support only the homeorganisation identities.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------

From: Krzysztof B. <kb...@un...> - 2019-04-11 23:10:37
Dear Subscribers,

While we are busy working on huge features of the next big release, the current 2.8 release train got an update addressing couple of issues found in 2.8.0.

The most important one is related to LDAP authenticator which in 2.8.0 in some (actually random) cases was not functioning properly. Another significant problem was found in HTTPS server setup: CORS support in 2.8.0 (and possibly also some 2.7.x releases) was never enabled due to incompatible changes in upstream library.

Both issues and few other were fixed in 2.8.1. More details can be found in Downloads <http://www.unity-idm.eu/downloads/>.

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2019-04-03 22:32:02
Dear Rolf,

On 29.03.2019 at 08:42, Rolf Haist wrote:
> Dear all,
>
> I am trying to update Unity 2.7.5 to 2.8.0 but I cannot get it
> working. Unity is used as attribute source for UNICORE (core server
> bundle 7.12.0), users should be authenticated via LDAP.
>
> In Unity 2.7.5 I changed the module unicoreWithPAM.module so that it
> uses the authenticator ldapPasswordWS:
>
> # Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
> unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
> unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
> unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
> unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
> unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPasswordWS
>
> # ldapPasswordWS:
> unityServer.core.authenticators.ldapPasswordWS.authenticatorName=ldapPasswordWS
> unityServer.core.authenticators.ldapPasswordWS.authenticatorType=ldap with cxf-httpbasic
> unityServer.core.authenticators.ldapPasswordWS.verificatorConfigurationFile=${CONF}/authenticators/ldap.properties
> unityServer.core.authenticators.ldapPasswordWS.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval-ldap.json
>
> This configuration is working and users can be authenticated via Unity
> in the Unicore Rich Client.
>
> I tried to do the same in Unity 2.8.0. Again, I changed the module
> unicoreWithPAM.module so that it uses ldapPassword as authenticator:
>
> # Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
> unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
> unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
> unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
> unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
> unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPassword
>
> # ldapPassword with new syntax:
> unityServer.core.authenticators.ldapPassword.authenticatorName=ldapPassword
> unityServer.core.authenticators.ldapPassword.authenticatorType=ldap
> unityServer.core.authenticators.ldapPassword.configurationFile=${CONF}/authenticators/ldap.properties
>
> This configuration is not working. If I try to login via Unity in the
> Unicore Rich Client I get the error message "Could not refresh
> resource properties of service Grid/Registry:
> org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential
> or external authentication failed."
>
> unity-server.log shows the following messages:
>
> 2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator ldapPassword
> 2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned notApplicable
> 2019-03-28T09:39:58,917 [qtp327575653-125] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow ldapPassword, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
> 2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
>
> The configuration of the authenticator ldapPassword should be correct.
> If I use it as authenticator for the UserHomeUI endpoint users can
> login via LDAP.
>
> Does anyone see the error?

Hmm - not really, looks good. Have you tried to turn on TRACE logging and evaluate logs captured when trying to log in using URC?

If ldap authenticator works for web login most likely there is some problem related to the new feature of automatically selecting binding for authenticators - let me know, having the logs would help (you can send them with private message).

Best
KB

From: Rolf H. <rol...@un...> - 2019-03-29 07:42:26
Dear all,

I am trying to update Unity 2.7.5 to 2.8.0 but I cannot get it working. Unity is used as attribute source for UNICORE (core server bundle 7.12.0), users should be authenticated via LDAP.

In Unity 2.7.5 I changed the module unicoreWithPAM.module so that it uses the authenticator ldapPasswordWS:

# Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPasswordWS

# ldapPasswordWS:
unityServer.core.authenticators.ldapPasswordWS.authenticatorName=ldapPasswordWS
unityServer.core.authenticators.ldapPasswordWS.authenticatorType=ldap with cxf-httpbasic
unityServer.core.authenticators.ldapPasswordWS.verificatorConfigurationFile=${CONF}/authenticators/ldap.properties
unityServer.core.authenticators.ldapPasswordWS.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval-ldap.json

This configuration is working and users can be authenticated via Unity in the Unicore Rich Client.

I tried to do the same in Unity 2.8.0. Again, I changed the module unicoreWithPAM.module so that it uses ldapPassword as authenticator:

# Used by UNICORE/X when authenticating its REST clients and by UCC/URC to provide certificate-less access
unityServer.core.endpoints.unicoreSOAPPass.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.unicoreSOAPPass.endpointConfigurationFile=${CONF}/modules/unicore/saml-unicoreidp.properties
unityServer.core.endpoints.unicoreSOAPPass.contextPath=/unicore-soapidp
unityServer.core.endpoints.unicoreSOAPPass.endpointRealm=defaultRealm
unityServer.core.endpoints.unicoreSOAPPass.endpointName=UNITY UNICORE SOAP SAML service for REST queries
unityServer.core.endpoints.unicoreSOAPPass.endpointAuthenticators=ldapPassword

# ldapPassword with new syntax:
unityServer.core.authenticators.ldapPassword.authenticatorName=ldapPassword
unityServer.core.authenticators.ldapPassword.authenticatorType=ldap
unityServer.core.authenticators.ldapPassword.configurationFile=${CONF}/authenticators/ldap.properties

This configuration is not working. If I try to login via Unity in the Unicore Rich Client I get the error message "Could not refresh resource properties of service Grid/Registry: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed."

unity-server.log shows the following messages:

2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator ldapPassword
2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned notApplicable
2019-03-28T09:39:58,917 [qtp327575653-125] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow ldapPassword, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client

The configuration of the authenticator ldapPassword should be correct. If I use it as authenticator for the UserHomeUI endpoint users can login via LDAP.

Does anyone see the error?

Best regards
Rolf

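Triage of the unity-server.log excerpt above, as an added example (not Unity code): it parses the posted records and separates failed attempts in which every authenticator returned notApplicable from failures with another result, so the two can be counted apart in monitoring. Reading notApplicable as "the authenticator found no credential it could handle in the request" is an assumption, as are the function names and the two constructed records with the result value `deny`.

```python
import re
from collections import defaultdict

# timestamp [thread] LEVEL logger: message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+"
    r"(?P<logger>[\w.]+): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"Authenticator (?P<name>\S+) returned (?P<result>\w+)")
FAILED_MSG = "Authentication failed for client"

# First five records: the lines posted in the message, one record per line.
# Last two records: constructed for contrast; "deny" is an assumed result value.
SAMPLE_LOG = """\
2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator ldapPassword
2019-03-28T09:39:58,917 [qtp327575653-125] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned notApplicable
2019-03-28T09:39:58,917 [qtp327575653-125] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow ldapPassword, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2019-03-28T09:39:58,917 [qtp327575653-125] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2019-03-28T09:41:02,101 [qtp327575653-131] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator ldapPassword returned deny
2019-03-28T09:41:02,102 [qtp327575653-131] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
"""


def parse(log_text):
    """Turn log text into a list of record dicts, skipping unparsable lines."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines such as stack traces
        rec = m.groupdict()
        # The excerpt shows the final INFO record twice; drop exact repeats
        # so one failed request is not counted as two.
        if records and records[-1] == rec:
            continue
        records.append(rec)
    return records


def classify(results):
    """Label one failed attempt from its (authenticator, result) pairs."""
    if not results:
        return "unknown"
    if all(result == "notApplicable" for _, result in results):
        # Assumed meaning: no usable credential reached any authenticator,
        # which points at client or endpoint configuration, not at guessing.
        return "no-applicable-credential"
    return "credential-rejected"


def attempts(records):
    """Group authenticator results per worker thread until the failure record."""
    pending = defaultdict(list)
    finished = []
    for rec in records:
        m = RESULT_RE.search(rec["msg"])
        if m:
            pending[rec["thread"]].append((m["name"], m["result"]))
        elif rec["msg"].startswith(FAILED_MSG):
            results = pending.pop(rec["thread"], [])
            finished.append({
                "ts": rec["ts"],
                "thread": rec["thread"],
                "results": results,
                "kind": classify(results),
            })
    return finished


if __name__ == "__main__":
    for attempt in attempts(parse(SAMPLE_LOG)):
        print(attempt["ts"], attempt["thread"], attempt["kind"], attempt["results"])
```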
From: Sander A. <sa....@fz...> - 2019-02-21 06:13:38
Hi Krzysztof,

we are using unity 2.4.2. If it is working in latest version it's ok. We plan to update in March or April. I want to make you aware of this issue if this is also in latest release.

Best regards,
Sander

On Wed, 2019-02-20 at 19:13 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.02.2019 at 07:20, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > Yes it is accepted automatically. Sorry I forgot to enter the form
> > details yesterday.
> >
> > Form type: user is requested, optional
> > Enquiry target group: oauth_missing_information (I copied all oauth
> > clients with missing information in this group)
> > Collected attributes:
> > - Attribute: cert_contact
> > - Attributes group: /oauth-clients
> > - Attribute: cert_site_contact
> > - Attributes group: /oauth-clients
> > - Attribute: oauth_service_sedcription
> > - Attributes group: /oauth-clients
> > - Attribute: oauth_service_dps_url
> > - Attributes group: /oauth-clients
> > Automatically assigned settings:
> > - Condition: true
> > - Action: AutoProcess
> > - action: accept
> >
> > All four attributes are strings.
>
> I've recreated this setup (so enquiry in one group, sets attributes in
> another, auto accept etc) and works fine for me. What version of Unity
> do you use?
>
> Best
> KB

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2019-02-20 18:14:09
Hi Sander,

On 20.02.2019 at 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> Yes it is accepted automatically. Sorry I forgot to enter the form
> details yesterday.
>
> Form type: user is requested, optional
> Enquiry target group: oauth_missing_information (I copied all oauth
> clients with missing information in this group)
> Collected attributes:
> - Attribute: cert_contact
> - Attributes group: /oauth-clients
> - Attribute: cert_site_contact
> - Attributes group: /oauth-clients
> - Attribute: oauth_service_sedcription
> - Attributes group: /oauth-clients
> - Attribute: oauth_service_dps_url
> - Attributes group: /oauth-clients
> Automatically assigned settings:
> - Condition: true
> - Action: AutoProcess
> - action: accept
>
> All four attributes are strings.

I've recreated this setup (so enquiry in one group, sets attributes in another, auto accept etc) and works fine for me. What version of Unity do you use?

Best
KB

From: Sander A. <sa....@fz...> - 2019-02-20 06:20:45
|
Good morning Krzysztof,

Yes, it is accepted automatically. Sorry, I forgot to enter the form details yesterday.

Form type: user is requested, optional
Enquiry target group: oauth_missing_information (I copied all oauth clients with missing information in this group)
Collected attributes:
- Attribute: cert_contact
- Attributes group: /oauth-clients
- Attribute: cert_site_contact
- Attributes group: /oauth-clients
- Attribute: oauth_service_sedcription
- Attributes group: /oauth-clients
- Attribute: oauth_service_dps_url
- Attributes group: /oauth-clients
Automatically assigned settings:
- Condition: true
- Action: AutoProcess
- action: accept

All four attributes are strings.

On Tue, 2019-02-19 at 19:13 +0100, Krzysztof Benedyczak wrote:
> Sander,
>
> On 19.02.2019 at 18:55, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > I encountered an issue in enquiry forms. We want to request
> > additional information from our OAuth clients. For this reason we
> > created an enquiry form and want to store the information in
> > /oauth-clients group. The form is shown to the "users" and they
> > submit it but they are not stored, neither in root group nor in
> > oauth-clients group.
> >
> > Within log files I see the submitted form and no errors.
>
> OK, but after submission are those enquiries accepted (either manually
> or automatically)? If so - can you share the form configuration?
>
> Best
> K

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2019-02-19 18:13:42
|
Sander,

On 19.02.2019 at 18:55, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I encountered an issue in enquiry forms. We want to request additional
> information from our OAuth clients. For this reason we created an
> enquiry form and want to store the information in /oauth-clients group.
> The form is shown to the "users" and they submit it but they are not
> stored, neither in root group nor in oauth-clients group.
>
> Within log files I see the submitted form and no errors.

OK, but after submission are those enquiries accepted (either manually or automatically)? If so - can you share the form configuration?

Best
K
|
From: Sander A. <sa....@fz...> - 2019-02-19 17:56:08
|
Hi Krzysztof,

I encountered an issue in enquiry forms. We want to request additional information from our OAuth clients. For this reason we created an enquiry form and want to store the information in /oauth-clients group. The form is shown to the "users" and they submit it but they are not stored, neither in root group nor in oauth-clients group.

Within log files I see the submitted form and no errors.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2019-02-13 16:42:57
|
Dear Subscribers,

On behalf of the Unity Team, I'm happy to announce that release 2.8.0 is out.

/When installing this release as an update a migration will be performed and some configuration changes ARE necessary (but will simplify your existing configs). Make sure to make a backup and read the update instructions in the documentation./

The most important highlights are:

Binding agnostic authenticators

With the Unity 2.8.0 release the authenticators setup was simplified. Authenticators are not binding-specific anymore, the concepts of credential verificator and retrieval are used only under the hood, and so administrators need not even know them. This change requires a significant amount of changes in configuration. While this may sound disturbing, the good aspect is that those changes will simplify your configuration, in some cases significantly. The upgrade documentation contains detailed instructions with examples.

UpMan

By far the biggest addition to Unity in this release is a new endpoint: Unity Project Management, UpMan. This endpoint addresses a frequently asked problem of delegation of particular Unity group management to a group-administrator, who otherwise has no full Unity admin rights. UpMan, besides providing a complex workaround around authorization issues, also exposes a user friendly UI, simple and task-focussed. The project manager is not bothered with Unity specific terms and difficult pipelines; instead simple tasks are just simple. Currently the v1 of UpMan is naturally limited — we would love to hear your thoughts!

Form enhancements

* Sticky enquiry: a new type of enquiry is introduced, which is intended for repeatable user updates. Sticky forms can be filled multiple times, and are not “pushed” to the users at login. Instead the user may fill it by entering the form’s link on their own, or one of the following two features can be used:
  * Sticky enquiries can be included on HomeUI
  * Invitations to enquiries are now possible
* Grid widget & search for remote registration is available
* It is possible to filter allowed groups when creating an invitation to a form.
* Flexible control of users for whom enquiry is applicable was added.

Public and native OAuth clients

Support for public and native OAuth clients, including PKCE, is added. RFC 7636 is supported now, along with the key guidelines for authenticating native clients from RFC 8252.

Other notable changes

* Support of PNG and GIF images in attributes, thanks to Remek, our new contributor
* Historical passwords (used for checking recent passwords) are removed when password hashing policy is changed.
* After modification of local credential config, authenticators using it are automatically refreshed.
* Larger default and in general configurable limit of maximum attribute size.

Big thanks to all who helped with this release. As always, a more detailed changelog is available on the Downloads page: http://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
|
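The PKCE support (RFC 7636) named in the announcement above rests on two server-side checks, shown here as an added illustration that is not Unity's code. The function names, the return strings and the policy that public clients must use S256 are assumptions of this sketch; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: verifier is 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Test vector from RFC 7636 Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(code_verifier):
    """BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(is_public_client, code_challenge, method):
    """Authorization endpoint: decide whether a code may be issued.

    Assumed policy: public/native clients hold no secret, so they must
    send a challenge and must use S256.
    """
    if code_challenge is None:
        return "invalid_request" if is_public_client else "ok"
    if method not in (None, "plain", "S256"):
        return "invalid_request"
    if is_public_client and method != "S256":
        return "invalid_request"
    return "ok"


def verify_token_request(stored_challenge, stored_method, code_verifier):
    """Token endpoint: bind the code to the party that started the flow."""
    if stored_challenge is None:
        # No challenge was registered with this code: a verifier sent
        # anyway is rejected (PKCE downgrade check).
        return code_verifier is None
    if code_verifier is None or not VERIFIER_RE.fullmatch(code_verifier):
        return False
    # An omitted method means "plain" (RFC 7636 section 4.3).
    expected = s256_challenge(code_verifier) if stored_method == "S256" else code_verifier
    # Constant-time comparison, so timing does not reveal a partial match.
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())
```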
From: Roman K. <rkr...@gm...> - 2019-01-23 20:24:06
|
Hi Sander,

Thank you for your patience. I have opened a ticket against the problem you've reported - UY-846. Meanwhile, in order to format the message properly, as a workaround I can propose to use html break line tag <br> in the places where the lines are too wide.

Please let me know if that works for you.

Thank you,
Roman

On Tue, Jan 22, 2019 at 8:10 PM Roman Krysinski <rkr...@gm...> wrote:
> Hi Sander,
>
> Sorry to be long in reply, let me verify this first and I'll get back to
> you on the possible options on how to fix this.
>
> Thank you,
> Roman
>
> On Wed, Jan 16, 2019 at 7:43 AM Sander Apweiler <sa....@fz...>
> wrote:
>
>> Hi Krzysztof, all,
>>
>> within unity 2.7.3 I found an issue in registration forms. I added a
>> longer text in form information (visual settings) which is displayed to
>> the users. I formatted the text with html paragraphs. The text is not
>> adjusted to the window size and runs out of the browser window. See
>> attached screenshot. Support of full html is activated. Do you have any
>> idea about the issue?
>>
>> Best regards,
>> Sander

--
Roman

Nothing is impossible; impossible itself says "I m possible"...
|
From: Roman K. <rkr...@gm...> - 2019-01-22 19:10:25
|
Hi Sander,

Sorry to be long in reply, let me verify this first and I'll get back to you on the possible options on how to fix this.

Thank you,
Roman

On Wed, Jan 16, 2019 at 7:43 AM Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof, all,
>
> within unity 2.7.3 I found an issue in registration forms. I added a
> longer text in form information (visual settings) which is displayed to
> the users. I formatted the text with html paragraphs. The text is not
> adjusted to the window size and runs out of the browser window. See
> attached screenshot. Support of full html is activated. Do you have any
> idea about the issue?
>
> Best regards,
> Sander

--
Roman

Nothing is impossible; impossible itself says "I m possible"...
|
From: Sander A. <sa....@fz...> - 2019-01-16 06:43:52
|
Hi Krzysztof, all,

within unity 2.7.3 I found an issue in registration forms. I added a longer text in form information (visual settings) which is displayed to the users. I formatted the text with html paragraphs. The text is not adjusted to the window size and runs out of the browser window. See attached screenshot. Support of full html is activated. Do you have any idea about the issue?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Roman K. <ro...@un...> - 2019-01-08 18:26:46
|
Dear Subscribers,

The next release 2.7.5 was published with two bugfixes:

- Performance of authentication of users who are members of many groups (hundreds and more) was significantly improved.
- MVEL ‘validCode’ variable was not available in registration automation rules context.

Best regards,
Roman
|
From: Krzysztof B. <kb...@un...> - 2018-12-20 21:56:55
|
Dear Subscribers,

The next release *2.7.4* was published with a couple of bugfixes. The most important bugfix is related to some registration requests (rather rare, but not fully exotic) created in pre-2.7 versions which were not displaying correctly.

Besides that there is a series of improvements related to OAuth support:

* When no scopes are provided when refreshing a token then all original scopes are assumed now (previously: no scopes).
* Optional expires_in field is added to all issued access tokens.
* Setting of infinite lifetime of refresh tokens in configuration was resulting in a one year lifetime. Now it is really infinite.

Additionally there is a small improvement related to the consent screen: it is not shown at all when auto accept or deny was selected by the user. This was affecting only users who also enable the active value selection feature.

Best regards,
Krzysztof
|
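The three OAuth changes listed above, modelled as an added sketch that is not Unity's implementation: a refresh without `scope` inherits the original grant, `expires_in` is always returned, and an unlimited refresh-token lifetime is stored as "no expiry" instead of a capped value. The `Grant` class, `new_grant()`, `refresh()` and the 3600-second access-token lifetime are assumptions; rejecting scopes outside the original grant follows RFC 6749 section 6 and is not stated in the announcement.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

ACCESS_TOKEN_TTL = 3600  # seconds; assumed value for this sketch


@dataclass
class Grant:
    """Server-side state kept for one issued refresh token."""
    scopes: frozenset
    refresh_expires_at: Optional[float]  # None means the token never expires


def new_grant(scopes, refresh_ttl: Optional[int], now: float) -> Grant:
    # An unlimited lifetime is kept as None, not converted into a large
    # number that silently becomes a hard limit (one year in the old behaviour).
    expires = None if refresh_ttl is None else now + refresh_ttl
    return Grant(frozenset(scopes), expires)


def refresh(grant: Grant, requested_scope: Optional[str], now: float) -> dict:
    """Handle grant_type=refresh_token and return the token response body."""
    if grant.refresh_expires_at is not None and now >= grant.refresh_expires_at:
        return {"error": "invalid_grant"}
    if requested_scope is None or not requested_scope.strip():
        # No scope parameter: assume everything originally granted.
        scopes = grant.scopes
    else:
        scopes = frozenset(requested_scope.split())
        # A refresh may narrow the grant but never widen it (RFC 6749 section 6).
        if not scopes <= grant.scopes:
            return {"error": "invalid_scope"}
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_TTL,
        "scope": " ".join(sorted(scopes)),
    }
```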