From: Krzysztof B. <kb...@un...> - 2016-10-21 09:17:11
Hi Sander,

On 20.10.2016 at 12:44, Sander Apweiler wrote:
> Hi,
>
> I want to change the value type of email attribute from string into
> verifiableEmail. When I submit the changes I got an error that at least
> one attribute is in conflict with it. The stack trace from log file is
> attached. Has anyone a hint for me?

Unfortunately this direction is not easy. verifiableEmail holds complex information as attribute values. Usually you see only the sole email value, but it is also stored whether it was confirmed, when, and how many confirmation requests were sent. Therefore simple upcasting of String to vEmail won't work.

One approach would be to create a new verifiableEmail-type attribute and use the REST API to transform. It should also be possible to create a JSON dump, tweak it and reimport, but this is a really fragile operation, requiring good testing on a test instance...

If you don't mind waiting you can open a ticket for this - we can implement better special handling for attribute type changes: if the current approach of a basic type cast does not work, we can try to perform an export to text representation and parse it. Of course such a fallback can lose some information but should work in the typical cases.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2016-10-20 10:44:50
Hi,

I want to change the value type of email attribute from string into verifiableEmail. When I submit the changes I got an error that at least one attribute is in conflict with it. The stack trace from log file is attached. Has anyone a hint for me?

Best regards,
Sander

------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the local court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2016-09-16 11:32:44
Hi Shiraz,

On 16.09.2016 at 12:14, Shiraz Memon wrote:
> Hi,
>
> I am running v1.9.3. Whenever I (re)start the server, following error
> appears in the startup log file. However I am able to access the Web UI.
> org.apache.ibatis.exceptions.PersistenceException:
> ### Error querying database. Cause: org.h2.jdbc.JdbcSQLException: Table
> "EVENTS_QUEUE" not found; SQL statement:

Yes, you can safely ignore it. The local database (which is causing this error) is not effectively used and was already removed for the 2.0 version.

To fix the error: likely the *local* H2 database (as configured in unityServer.conf, pay attention not to mix it with your primary contents database) schema is corrupted. You can remove it; it should be recreated after the next restart.

HTH,
Krzysztof
From: Shiraz M. <a....@fz...> - 2016-09-16 10:15:27
Hi,

I am running v1.9.3. Whenever I (re)start the server, following error appears in the startup log file. However I am able to access the Web UI.

Sep 16, 2016 12:01:20 PM CEST: Starting UNITY Web Server
Sep 16, 2016 12:02:01 PM CEST: UNITY Server Started
Exception in thread "Thread-3" org.apache.ibatis.exceptions.PersistenceException:
### Error querying database. Cause: org.h2.jdbc.JdbcSQLException: Table "EVENTS_QUEUE" not found; SQL statement:
SELECT * FROM EVENTS_QUEUE WHERE NEXT_PROCESSING < ? [42102-191]
### The error may exist in pl/edu/icm/unity/db/mapper-local/Events.xml
### The error may involve pl.edu.icm.unity.db.mapper.local.EventsMapper.selectEventsForProcessing
### The error occurred while executing a query
### SQL: SELECT * FROM EVENTS_QUEUE WHERE NEXT_PROCESSING < ?
### Cause: org.h2.jdbc.JdbcSQLException: Table "EVENTS_QUEUE" not found; SQL statement:
SELECT * FROM EVENTS_QUEUE WHERE NEXT_PROCESSING < ? [42102-191]
    at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30)
    at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:122)
    at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:113)
    at org.apache.ibatis.binding.MapperMethod.executeForMany(MapperMethod.java:122)
    at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:64)
    at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:53)
    at com.sun.proxy.$Proxy97.selectEventsForProcessing(Unknown Source)
    at pl.edu.icm.unity.db.DBEvents.getEventsForProcessing(DBEvents.java:96)
    at pl.edu.icm.unity.engine.events.EventsProcessingThread.run(EventsProcessingThread.java:48)
Caused by: org.h2.jdbc.JdbcSQLException: Table "EVENTS_QUEUE" not found; SQL statement:
SELECT * FROM EVENTS_QUEUE WHERE NEXT_PROCESSING < ? [42102-191]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
    at org.h2.message.DbException.get(DbException.java:179)
    at org.h2.message.DbException.get(DbException.java:155)
    at org.h2.command.Parser.readTableOrView(Parser.java:5349)
    at org.h2.command.Parser.readTableFilter(Parser.java:1245)
    at org.h2.command.Parser.parseSelectSimpleFromPart(Parser.java:1884)
    at org.h2.command.Parser.parseSelectSimple(Parser.java:2032)
    at org.h2.command.Parser.parseSelectSub(Parser.java:1878)
    at org.h2.command.Parser.parseSelectUnion(Parser.java:1699)
    at org.h2.command.Parser.parseSelect(Parser.java:1687)
    at org.h2.command.Parser.parsePrepared(Parser.java:443)
    at org.h2.command.Parser.parse(Parser.java:315)
    at org.h2.command.Parser.parse(Parser.java:287)
    at org.h2.command.Parser.prepareCommand(Parser.java:252)
    at org.h2.engine.Session.prepareLocal(Session.java:560)
    at org.h2.engine.Session.prepareCommand(Session.java:501)
    at org.h2.jdbc.JdbcConnection.prepareCommand(JdbcConnection.java:1188)
    at org.h2.jdbc.JdbcPreparedStatement.<init>(JdbcPreparedStatement.java:73)
    at org.h2.jdbc.JdbcConnection.prepareStatement(JdbcConnection.java:276)
    at sun.reflect.GeneratedMethodAccessor22.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.ibatis.datasource.pooled.PooledConnection.invoke(PooledConnection.java:245)
    at com.sun.proxy.$Proxy28.prepareStatement(Unknown Source)
    at org.apache.ibatis.executor.statement.PreparedStatementHandler.instantiateStatement(PreparedStatementHandler.java:79)
    at org.apache.ibatis.executor.statement.BaseStatementHandler.prepare(BaseStatementHandler.java:88)
    at org.apache.ibatis.executor.statement.RoutingStatementHandler.prepare(RoutingStatementHandler.java:58)
    at org.apache.ibatis.executor.SimpleExecutor.prepareStatement(SimpleExecutor.java:76)
    at org.apache.ibatis.executor.SimpleExecutor.doQuery(SimpleExecutor.java:61)
    at org.apache.ibatis.executor.BaseExecutor.queryFromDatabase(BaseExecutor.java:303)
    at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:154)
    at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:102)
    at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:82)
    at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:120

Should I ignore this error?

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Krzysztof B. <kb...@un...> - 2016-09-15 20:17:49
Dear Subscribers,

Subsequent Unity release - 1.9.4 - is available for download. In the first place it fixes a couple of bugs which were discovered recently. Additionally new configuration options are introduced, which should increase system flexibility. Probably the most important one (and requested for a long time) is the possibility to accept signed SAML authentication responses which contain unsigned assertions. This is a SAML SSO protocol violation, however often used in the wild.

Download links and a detailed list of changes are available at: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Björn H. <b.h...@fz...> - 2016-09-14 10:25:55
Hi Krzysztof,

On 14.09.2016 at 12:16, Krzysztof Benedyczak wrote:
> So there is a bug. It can be triggered only if when creating a statement
> in a group, in which you rely on attributes assigned by another
> statement in extra group.

Glad I could help and you were able to understand the problem despite my incomplete dump.

Cheers,
Björn

--
Dipl.-Inform. Björn Hagemeier
Federated Systems and Data
Juelich Supercomputing Centre
Institute for Advanced Simulation

Phone: +49 2461 61 1584
Fax  : +49 2461 61 6656
Email: b.h...@fz...
Skype: bhagemeier
WWW  : http://www.fz-juelich.de/jsc

JSC is the coordinator of the John von Neumann Institute for Computing
and member of the Gauss Centre for Supercomputing
From: Krzysztof B. <kb...@un...> - 2016-09-14 10:20:44
Hi,

On 13.09.2016 at 14:32, Björn Hagemeier wrote:
> Hi Krzysztof,
>
> based on the examples in the documentation, I found a much simpler way
> of defining attributes for my particular use case. My condition within
> the parent group attribute statements is now the group membership.
>
> groups contains '/parent/servers'
> groups contains '/parent/users'
>
> However, I do think that Unity should be able to work with arbitrary
> values from sub-groups. I may not have quite grasped the difference
> between eattr and eattrs, however using either one does not make a
> difference for me.

Yes, the above is another workaround as it doesn't rely on subgroup attributes at all. BTW this version is also more effective.

Regarding eattr and eattrs: eattr provides you direct access to the first value of an attribute. eattrs provides you access to all values in an array. So always:

eattr['foo'] == eattrs['foo'][0]

In other words eattr is just a convenience thingy for a common case of single valued attributes.

>
> Is it possible that urn:unicore:attrType:role is treated specially.
> Using a similar statement for urn:unicore:attrType:xlogin only uses the
> value on the particular entity.
>
> Are enumerations somehow special when it comes to dynamic attributes?

No, not really - why it worked for xlogin is that, I guess, you were not assigning it with a statement.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2016-09-14 10:16:26
Hi Björn,

On 13.09.2016 at 11:31, Björn Hagemeier wrote:
>> If yes - what misbehavior do you get?
> The attribute in question is set to the same value for ALL entities in
> the parent group.
>>
>> And please provide details of the attribute statement that you use to
>> copy the attribute in question.
> In order to copy the attribute from sub-group servers
>
> Extra group with attributes: /unicorex/servers
> Condition: eattrs contains 'urn:unicore:attrType:role'
> Dynamic attribute name: urn:unicore:attrType:role
> Dynamic attribute values expression: eattrs['urn:unicore:attrType:role']
> Dynamic attribute visibility: unlimited
> Conflict resolution: skip
>
> And for sub-group users:
>
> Extra group with attributes: /unicorex/users
> Condition: eattrs contains 'urn:unicore:attrType:role'
> Dynamic attribute name: urn:unicore:attrType:role
> Dynamic attribute values expression: eattrs['urn:unicore:attrType:role']
> Dynamic attribute visibility: unlimited
> Conflict resolution: skip
>
> The list entry (toString()-rendering?) of this statement does not mention the
> extra group, such that they look alike at first sight. But this is
> probably just a UI issue.

It is intended: the extra group is skipped so the statement's string representation is more compact.

> With conflict resolution 'skip', the first statement in the list wins,
> with conflict resolution 'overwrite previous', then last one wins. This
> is expected behaviour, but values are applied to all entities in the
> parent group. I've attached what I think is a minimal example of this
> problem. It's a database dump from a fresh Unity installation with all
> example data removed. Maybe it helps in debugging the problem.

The dump was not consistent with the above description and the description was not enough to reproduce. Fortunately putting them together helped.

So there is a bug. It can be triggered only if when creating a statement in a group, in which you rely on attributes assigned by another statement in extra group. This is what you used (not written above but this is the only statement that was present in the dump).

More precisely: Unity, when evaluating a statement of a subgroup, doesn't ensure properly that the entity for which attributes are collected is actually a member of this subgroup. It simply assumes that the entity is a member. This is always correct for parent-extra-groups, but naturally not for sub-extra-groups.

I'll fix this of course (#577), there are workarounds for this for now. Having the above statements, change the statement in the subgroups (/unicorex/servers and /unicorex/users), so that their condition is not simply 'true', but explicitly requires membership in the current group. I.e.

group contains '/unicorex/servers'

and analogously for /unicorex/users.

Thanks for reporting this!
Krzysztof
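
The membership bug described in the message above (#577), as an added illustration that is not part of the thread and is not Unity's code: a simplified Python model of attribute statement evaluation that reproduces the reported behaviour, the workaround condition, and the membership check. The entity names (alice, srv1), all class and function names, and the reading of `groups` as the list of groups the entity belongs to are assumptions.

```python
"""Simplified model of dynamic attribute statements (not Unity's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

ROLE = "urn:unicore:attrType:role"
PARENT, SERVERS, USERS = "/unicorex", "/unicorex/servers", "/unicorex/users"


@dataclass
class Statement:
    condition: Callable[[dict], bool]       # evaluated against the context
    attr_name: str                          # dynamic attribute name
    values: Callable[[dict], List[str]]     # dynamic attribute values expression
    extra_group: Optional[str] = None       # "extra group with attributes"
    conflict: str = "skip"                  # "skip" or "overwrite"


@dataclass
class Directory:
    members: Dict[str, Set[str]]            # group path -> entity ids
    statements: Dict[str, List[Statement]]  # group path -> ordered statements

    def context(self, entity: str, eattrs: Dict[str, List[str]]) -> dict:
        return {
            # Assumption: 'groups' lists every group the entity belongs to.
            "groups": sorted(g for g, m in self.members.items() if entity in m),
            "eattrs": eattrs,
            # eattr is the first value of each attribute: eattr[x] == eattrs[x][0]
            "eattr": {name: vals[0] for name, vals in eattrs.items() if vals},
        }

    def evaluate(self, entity: str, group: str,
                 check_membership: bool) -> Dict[str, List[str]]:
        """Attributes the statements of `group` produce for `entity`."""
        # Modelled fix: a non-member gets nothing from the group's statements.
        # With check_membership=False membership is assumed, as in the report.
        if check_membership and entity not in self.members.get(group, set()):
            return {}
        result: Dict[str, List[str]] = {}
        for st in self.statements.get(group, []):
            eattrs: Dict[str, List[str]] = {}
            if st.extra_group is not None:
                eattrs = self.evaluate(entity, st.extra_group, check_membership)
            ctx = self.context(entity, eattrs)
            if not st.condition(ctx):
                continue
            if st.attr_name in result and st.conflict == "skip":
                continue  # first statement in the list wins
            result[st.attr_name] = list(st.values(ctx))
        return result


def build(workaround: bool) -> Directory:
    """Constructed sample: two mutually exclusive sub-groups under /unicorex."""
    def assign(group: str, role: str) -> Statement:
        if workaround:  # condition explicitly requires membership in the group
            return Statement(lambda ctx: group in ctx["groups"], ROLE,
                             lambda ctx: [role])
        return Statement(lambda ctx: True, ROLE, lambda ctx: [role])

    def copy_from(extra: str) -> Statement:
        return Statement(lambda ctx: ROLE in ctx["eattrs"], ROLE,
                         lambda ctx: ctx["eattrs"][ROLE], extra_group=extra)

    return Directory(
        members={PARENT: {"alice", "srv1"}, SERVERS: {"srv1"}, USERS: {"alice"}},
        statements={
            SERVERS: [assign(SERVERS, "server")],
            USERS: [assign(USERS, "user")],
            PARENT: [copy_from(SERVERS), copy_from(USERS)],
        },
    )


def roles(directory: Directory, check_membership: bool) -> Dict[str, List[str]]:
    """Effective role of every member of the parent group."""
    return {e: directory.evaluate(e, PARENT, check_membership).get(ROLE, [])
            for e in sorted(directory.members[PARENT])}


if __name__ == "__main__":
    print("reported behaviour:", roles(build(workaround=False), check_membership=False))
    print("with workaround:   ", roles(build(workaround=True), check_membership=False))
    print("with the check:    ", roles(build(workaround=False), check_membership=True))
```

In the first case the user entity receives the server role in the parent group, which is why a role attribute derived this way should be reviewed per entity before it is used for authorization.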
From: Björn H. <b.h...@fz...> - 2016-09-13 12:33:20
Hi Krzysztof,

based on the examples in the documentation, I found a much simpler way of defining attributes for my particular use case. My condition within the parent group attribute statements is now the group membership.

groups contains '/parent/servers'
groups contains '/parent/users'

However, I do think that Unity should be able to work with arbitrary values from sub-groups. I may not have quite grasped the difference between eattr and eattrs, however using either one does not make a difference for me.

Is it possible that urn:unicore:attrType:role is treated specially? Using a similar statement for urn:unicore:attrType:xlogin only uses the value on the particular entity.

Are enumerations somehow special when it comes to dynamic attributes?

Cheers,
Björn
From: Björn H. <b.h...@fz...> - 2016-09-13 09:34:21
Hi Krzysztof,

one quick remark. The dump I just sent you may not have contained the second rule to copy attributes from the server group. I did this for testing purposes, but it shows the problem as well, as the user role gets assigned to all entities in the parent group.

I had done the change for testing purposes, but it didn't lead to any resolution on my side.

Cheers,
Björn
From: Björn H. <b.h...@fz...> - 2016-09-13 09:31:25
Hi Krzysztof,

On 13.09.2016 at 10:04, Krzysztof Benedyczak wrote:
> Hi Björn,
>
> On 13.09.2016 at 09:46, Björn Hagemeier wrote:
>> Hi there,
>>
>> I ran into a problem using attributes statements in Unity 1.9.3. I would
>> like to use an attribute statement to copy an attribute from sub-groups.
>> Entity membership within sub-groups is mutually exclusive, the attribute
>> in question gets assigned automatically based on group membership. When
>> using two attribute statements to copy the attribute from the respective
>> sub-groups, the attribute value is updated on all entities within the
>> parent group.
>>
>> parent: dynamic attribute value from sub-groups assigned to all entities
>> |- servers: all entities assigned role server
>> |- users: all entities assigned role user
>>
>> The dynamic attribute values are taken from one group or the other,
>> depending on the order of the statements and the conflict resolution.
>> Only 'overwrite previous' and 'skip' really work here, but again, due to
>> the entities and hence the attributes being mutually exclusive within
>> the sub-groups, there should not be any conflict (to the best of my
>> knowledge).
>>
>> Am I doing anything wrong or is the value selection and assignment not
>> sufficiently restrictive?
>
> Well, I'm not sure if I can extract the problem that you get from your
> description. I understand that you have entities which are either in
> parent/servers or parent/users (never both), and want to copy the same
> attribute from a subgroup to have it also in the parent group. Is this
> correct?

Absolutely

> If yes - what misbehavior do you get?

The attribute in question is set to the same value for ALL entities in the parent group.

>
> And please provide details of the attribute statement that you use to
> copy the attribute in question.

In order to copy the attribute from sub-group servers

Extra group with attributes: /unicorex/servers
Condition: eattrs contains 'urn:unicore:attrType:role'
Dynamic attribute name: urn:unicore:attrType:role
Dynamic attribute values expression: eattrs['urn:unicore:attrType:role']
Dynamic attribute visibility: unlimited
Conflict resolution: skip

And for sub-group users:

Extra group with attributes: /unicorex/users
Condition: eattrs contains 'urn:unicore:attrType:role'
Dynamic attribute name: urn:unicore:attrType:role
Dynamic attribute values expression: eattrs['urn:unicore:attrType:role']
Dynamic attribute visibility: unlimited
Conflict resolution: skip

The list entry (toString()-rendering?) of this statement does not mention the extra group, such that they look alike at first sight. But this is probably just a UI issue.

With conflict resolution 'skip', the first statement in the list wins, with conflict resolution 'overwrite previous', then last one wins. This is expected behaviour, but values are applied to all entities in the parent group. I've attached what I think is a minimal example of this problem. It's a database dump from a fresh Unity installation with all example data removed. Maybe it helps in debugging the problem.

Best regards and thanks for your great support,
Björn

>
> Cheers,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2016-09-13 08:04:58
|
Hi Björn,

On 13.09.2016 at 09:46, Björn Hagemeier wrote:
> Hi there,
>
> I ran into a problem using attributes statements in Unity 1.9.3. I would
> like to use an attribute statement to copy an attribute from sub-groups.
> Entity membership within sub-groups is mutually exclusive, the attribute
> in question gets assigned automatically based on group membership. When
> using two attribute statements to copy the attribute from the respective
> sub-groups, the attribute value is updated on all entities within the
> parent group.
>
> parent: dynamic attribute value from sub-groups assigned to all entities
> |- servers: all entities assigned role server
> |- users: all entities assigned role user
>
> The dynamic attribute values are taken from one group or the other,
> depending on the order of the statements and the conflict resolution.
> Only 'overwrite previous' and 'skip' really work here, but again, due to
> the entities and hence the attributes being mutually exclusive within
> the sub-groups, there should not be any conflict (to the best of my
> knowledge).
>
> Am I doing anything wrong or is the value selection and assignment not
> sufficiently restrictive?

Well, I'm not sure if I can extract the problem that you get from your description. I understand that you have entities which are either in parent/servers or parent/users (never both), and want to copy the same attribute from a subgroup to have it also in the parent group. Is this correct?

If yes - what misbehavior do you get? And please provide details of the attribute statement that you use to copy the attribute in question.

Cheers,
Krzysztof
|
From: Björn H. <b.h...@fz...> - 2016-09-13 07:46:33
|
Hi there,

I ran into a problem using attributes statements in Unity 1.9.3. I would like to use an attribute statement to copy an attribute from sub-groups. Entity membership within sub-groups is mutually exclusive, the attribute in question gets assigned automatically based on group membership. When using two attribute statements to copy the attribute from the respective sub-groups, the attribute value is updated on all entities within the parent group.

parent: dynamic attribute value from sub-groups assigned to all entities
|- servers: all entities assigned role server
|- users: all entities assigned role user

The dynamic attribute values are taken from one group or the other, depending on the order of the statements and the conflict resolution. Only 'overwrite previous' and 'skip' really work here, but again, due to the entities and hence the attributes being mutually exclusive within the sub-groups, there should not be any conflict (to the best of my knowledge).

Am I doing anything wrong or is the value selection and assignment not sufficiently restrictive?

Cheers, and thanks in advance,
Björn

--
Dipl.-Inform. Björn Hagemeier
Federated Systems and Data
Juelich Supercomputing Centre
Institute for Advanced Simulation

Phone: +49 2461 61 1584
Fax  : +49 2461 61 6656
Email: b.h...@fz...
Skype: bhagemeier
WWW  : http://www.fz-juelich.de/jsc

JSC is the coordinator of the
John von Neumann Institute for Computing
and member of the
Gauss Centre for Supercomputing
|
From: Krzysztof B. <kb...@un...> - 2016-08-11 07:29:54
|
Hi Sander,

On 10.08.2016 at 09:41, Sander Apweiler wrote:
> Hi,
>
> we integrate eduGain IdPs with metadataSource. In last two weeks we got
> two requests from our users about changes in displayed list. I didn't
> find settings for both requests in unity manual. Below are both
> requests we got.
>
> 1) A user mentioned that the order of listed IdPs is not intuitive for
> non computer scientists. It seems that IdPs are listed in ASCII order
> because "ARIA" is listed before "Aalto university". Is it possible to
> change the order in an alphabetical one?

I've looked into it - should be trivial, no problem.

> 2) The displayed IdP name is the English name out of metadata which is
> fine so far. The search seems to include only the English name out
> of metadata too. A user said that he was not able to find the
> university of Zurich because he searched for "Zürich" and "UZH", the
> official acronym for university of Zurich. The user requested to
> include the language of the different countries at least in search,
> like German for Germany or Polish for Poland. Is it possible to enable
> the different languages in searchbar?

This is slightly more work, as currently one main name is used for search, and this will require to change the internal API a bit to also provide authN option aliases from authenticator to the login screen, but doesn't seem very hard.

I'll open tickets for both, seems that together with a few other requests the next update will be mostly focusing on SAML functionality.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2016-08-10 07:42:00
|
Hi,

we integrate eduGain IdPs with metadataSource. In last two weeks we got two requests from our users about changes in displayed list. I didn't find settings for both requests in unity manual. Below are both requests we got.

1) A user mentioned that the order of listed IdPs is not intuitive for non computer scientists. It seems that IdPs are listed in ASCII order because "ARIA" is listed before "Aalto university". Is it possible to change the order in an alphabetical one?

2) The displayed IdP name is the English name out of metadata which is fine so far. The search seems to include only the English name out of metadata too. A user said that he was not able to find the university of Zurich because he searched for "Zürich" and "UZH", the official acronym for university of Zurich. The user requested to include the language of the different countries at least in search, like German for Germany or Polish for Poland. Is it possible to enable the different languages in searchbar?

Best regards,
Sander
|
From: Krzysztof B. <kb...@un...> - 2016-07-17 19:37:30
|
Dear All,

While our work focuses on the big 2.0 release, a small update to the current 1.9 release series was just published.

Version 1.9.3 in the first place fixes a couple of bugs, such as loading of large SAML federations metadata, and many UI issues. What is more, two notable features are added: full support for the ORCID identity provider (now including complete support for free members) as well as integration of a new version of the certificate handling library, supporting a multiple-pem-file truststore.

Details are available at http://unity-idm.eu/site/downloads

Best regards,
Krzysztof
|
From: Krzysztof B. <go...@ic...> - 2016-05-09 14:04:01
|
Dear All,

A subsequent revision release is available at: http://www.unity-idm.eu/site/downloads

It brings a few improvements and bugfixes. The most important one is related to LDAP integration. In the first place, LDAP authentication should be much faster, which is important in case of large LDAP directories. What is more, it is possible to enable a new LDAP import option. This feature allows for more complete integration of an LDAP database:

-) user entries may be simply imported using the Unity REST interface (by triggering import)
-) 3rd party queries over SAML (SOAP binding) trigger LDAP import if needed, so also those users who never used Unity can be queried.

Best regards,
Krzysztof
|
From: Krzysztof B. <go...@ic...> - 2016-04-15 10:17:27
|
Dear Subscribers,

Unity revision release 1.9.1 was just uploaded. It fixes a few minor bugs and adds two small features.

There is, however, one important fix included. In the 1.9.0 version the registration form editor crashes upon editing existing forms which were created in an earlier Unity version and use the form automation feature. After the update this problem is solved.

Details as usual at: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
|
From: Krzysztof B. <go...@ic...> - 2016-04-06 16:26:17
|
Dear Subscribers,

Finally, after 4 months of development, the 9th feature-release of Unity is ready. This is probably the largest (in terms of new features) release so far.

Important note on OpenJDK: with the introduction of the latest Jetty HTTP server (used internally by Unity) it was observed that the Firefox browser has trouble connecting to Unity *launched on some of the OpenJDK distributions* (e.g. Fedora). This is due to disabled EC TLS ciphers in the affected OpenJDK. In case of trouble please use Oracle Java RE.

The highlights of the release are:

* Enquiry forms - this completely new feature allows for asking existing users about additional information: updated terms of use, additional attribute, different credential or... anything else. It is very similar to (and as powerful as) the registration forms intended for prospective users. Users are notified about an enquiry via email and can fill it by visiting a link or after logging into Unity.
* Form layouts - it is possible now to control the order of elements in a registration (and enquiry) form as well as define separators and custom captions.
* Invitations - another new big and very useful feature: it is possible to invite users to fill a registration form. Registration forms can be also marked as by invitation only. An invitation can include pre-set settings for the user, which are used to partially prefill the registration form.
* Bulk processing of entities - allows for performing batch operations on entities fulfilling a given criteria. So far only two operations are provided (change status and removal) but more can be easily added in future. It is also possible to schedule bulk processing actions to have an automated maintenance of users.
* REST enhancements - The REST API is subsequently improved with each release. This time changes are huge: there is support for managing registration forms, invitations, endpoints and groups. It is possible to enable CORS support. Finally the unity-types module was improved so it can be used as a simple library for Java based REST client applications: most of REST-manageable Unity artifacts can be created via code using this library.
* Customized i18n - Unity distribution contains now a complete of Unity internal messages. And it is possible to improve translations or change the defaults.

As usual see http://www.unity-idm.eu/site/downloads for more details.

Best regards,
Krzysztof
|
From: Krzysztof B. <go...@ic...> - 2016-02-17 11:14:43
|
Dear Willem,

On 17.02.2016 at 10:55, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have recently encountered issue with users accessing unity from a
> safari browser, after enabling authentication with client certificates.
>
> Apparently iCloud installs a certificate in the OSX keychain. If a user
> then tries to access unity with client certificate authentication
> enabled, safari pops up a dialog where the user can select a certificate
> or choose cancel to authenticate without using a certificate.
> This is confusing for most users, especially because authentication
> fails if they don't click cancel.
>
> Is there a way to enable certificate based authentication on a dedicated
> endpoint, different from /home/home as a workaround for this issue? Or
> do you have another suggestion?

This is a difficult issue.

Your solution is impossible in general. TLS authN happens on (obviously) TLS level, i.e. lower level than HTTP. So when this happens it is not known what will be an HTTP path of an endpoint the browser *will* try to access. Therefore the answer is no: acceptance of client's certificate based authentication can be turned on/off only per network socket (with unityServer.core.httpServer.wantClientAuthn, see docs) == Unity instance.

Next, TLS offers a feature to help clients decide whether client certificate based authN is possible. Namely on TLS handshake, client gets a list of DNs of server-accepted CAs. Unity supports this feature, here is part of TLS handshake with EUDAT instance retrieved by s_client:

[...]
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=FI/ST=Uusimaa/L=Espoo/O=CSC - Tieteen tietotekniikan keskus Oy/CN=b2access.eudat.eu
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
[...]

A smart browser should take this into account and not bug the user if there is no certificate installed which is issued by an accepted CA. To my knowledge Firefox honors this. From what you wrote Safari doesn't.

All in all you can:
-) try to search for some hints on Safari itself knowing the above.
-) disable wantClientAuthn per Unity server
-) setup two Unity instances on different ports (sharing the same DB) to solve the issue fully - like using a sledgehammer to crack a nut...

Best regards,
Krzysztof
|
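The client-side filtering described in the reply above, as an added example (not part of the original message, and not Unity or browser code): it parses the "Acceptable client certificate CA names" section of `openssl s_client` output and decides which installed client certificates are worth offering. The keychain entries, the helper names and the simplified DN comparison are assumptions made for the illustration; only the slash-separated DN layout shown in the message is handled.

```python
import re

HEADER = "Acceptable client certificate CA names"
NONE_SENT = "No client certificate CA names sent"

# The six CA names are the ones quoted in the message above; the lines
# around them are constructed to resemble `openssl s_client` output.
S_CLIENT_EXCERPT = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=FI/ST=Uusimaa/L=Espoo/O=CSC - Tieteen tietotekniikan keskus Oy/CN=b2access.eudat.eu
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
"""

# Constructed keychain. Each entry lists the issuer DNs along its chain,
# leaf issuer first. All names are made up except the DFN root, which is
# copied (in different letter case) from the list above.
DEVICE_CERT = {
    "label": "device certificate added by a sync client",
    "chain_issuers": ["/C=US/O=Example Vendor/CN=Example Device CA"],
}
GRID_CERT = {
    "label": "grid user certificate",
    "chain_issuers": [
        "/C=DE/O=Example University/CN=Example Grid CA",
        "/c=de/o=DFN-Verein/ou=DFN-PKI/cn=dfn-verein pca grid - g01",
    ],
}


def parse_acceptable_cas(text):
    """Return the CA DNs the server advertised.

    [] means s_client reported that no names were sent; None means the
    section is missing from the captured text altogether.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == NONE_SENT:
            return []
        if line.strip() == HEADER:
            names = []
            for entry in lines[i + 1:]:
                if not entry.startswith("/"):
                    break  # first non-DN line ends the section
                names.append(entry.strip())
            return names
    return None


def normalize_dn(dn):
    """Turn '/C=DE/O=Foo' into a tuple of (TYPE, value) pairs.

    Simplified comparison: attribute types upper-cased, values case-folded
    with whitespace collapsed. Real X.509 name matching has more rules.
    """
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    rdns = []
    for part in parts:
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.upper(), " ".join(value.split()).casefold()))
    return tuple(rdns)


def selectable_certificates(installed, acceptable):
    """Certificates whose chain contains one of the advertised CAs."""
    if not acceptable:
        # No list to filter on: every installed certificate is a candidate.
        return list(installed)
    wanted = {normalize_dn(dn) for dn in acceptable}
    return [
        cert for cert in installed
        if any(normalize_dn(dn) in wanted for dn in cert["chain_issuers"])
    ]


def should_prompt(installed, acceptable):
    """True when a certificate chooser dialog would have anything to show."""
    return bool(selectable_certificates(installed, acceptable))


if __name__ == "__main__":
    cas = parse_acceptable_cas(S_CLIENT_EXCERPT)
    for keychain in ([DEVICE_CERT], [DEVICE_CERT, GRID_CERT]):
        offered = [c["label"] for c in selectable_certificates(keychain, cas)]
        print(len(keychain), "installed ->", offered or "no prompt")
```

A keychain that holds only the constructed device certificate yields no candidates against this CA list, which is the case where a client that honours the list stays silent.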
From: Willem E. <wi...@cl...> - 2016-02-17 10:13:21
|
Dear Krzysztof,

we have recently encountered an issue with users accessing unity from a safari browser, after enabling authentication with client certificates.

Apparently iCloud installs a certificate in the OSX keychain. If a user then tries to access unity with client certificate authentication enabled, safari pops up a dialog where the user can select a certificate or choose cancel to authenticate without using a certificate. This is confusing for most users, especially because authentication fails if they don't click cancel.

Is there a way to enable certificate based authentication on a dedicated endpoint, different from /home/home as a workaround for this issue? Or do you have another suggestion?

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
|
From: Krzysztof B. <go...@ic...> - 2015-12-31 14:56:37
|
Dear All,

First of all I would like to wish you all the best for 2016. May the force be with you!

As a present for 2016 a new version 1.8.0 of Unity was published. It ships several notable new features, making Unity more universal and flexible.

The highlights of this release:

- Registration forms have a completely redesigned automation feature, based on translation profile (similar to the input and output profiles used for authentication and IdPs). With the new model it is possible to perform a great amount of advanced request processing: all elements can be filtered, new elements can be added, it can be precisely controlled when to perform redirects, finally requests can be not only automatically accepted but also dropped or denied.
- Group attribute statements were fully redesigned into a much more flexible model. In effect it is possible not only to copy attributes between groups but also to modify them on the fly or to use non-attribute data (as identities) as values.
- It is possible now to embed any of Unity web interfaces within a customized HTML, so it is possible to insert a custom header or footer.

There are also other, smaller features included, such as OAuth client credentials grant support, better DoS protection mechanisms, async loading of identities table (crucial with high number of entities).

Make sure to read the upgrade instructions before upgrading!

Big thanks to everybody involved in this release!

The full list of changes with additional details is available as always at http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
|
From: Krzysztof B. <go...@ic...> - 2015-11-30 13:02:29
|
Hi Alvaro,

On 30.11.2015 at 13:23, Alvaro Aguilera wrote:
> Hi Krzysztof,
>
> thank you for the hint. I changed the authenticator type and it goes a
> step further but still get an authentication error:
>
>

Please enable TRACE (this is the highest) logging level on:

unity.server.rest

Or even better: on the whole unity.server and check the details. If you will be still unsure please provide your current authenticator and endpoint configs.

Best,
Krzysztof
|
From: Alvaro A. <alv...@tu...> - 2015-11-30 12:24:05
|
Hi Krzysztof,

thank you for the hint. I changed the authenticator type and it goes a step further but still get an authentication error:

************************** UNITY Server Started **************************
2015-11-30 13:20:12,965 [main] INFO org.eclipse.jetty.server.Server - jetty-8.1.18.v20150929
2015-11-30 13:20:13,094 [main] INFO org.eclipse.jetty.server.AbstractConnector - Started NIO...@un...:2443
2015-11-30 13:20:13,095 [main] INFO unity.server.config.JettyServerBase - Jetty HTTP server was started
2015-11-30 13:20:26,330 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - Established connection to LDAP server
2015-11-30 13:20:26,353 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - Established user's DN is: uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de
2015-11-30 13:20:26,388 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - LDAP bind as user uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de was successful
2015-11-30 13:20:26,695 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationProfile [TrProfile LDAP-Test] - Input received from IdP ldap:
Identities:
 - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de (x500Name)
Attributes:
 - uid: [projektnutzer01]
 - homeDirectory: [/home/projektnutzer01]
 - ou: [Zentr.f.Inform.dienste u.Hochleistrechn., Fak. Mathematik und Naturwissenschaften]
 - uidNumber: [20000037]
 - givenName: [Projekt01]
 - objectClass: [inetOrgPerson, organizationalPerson, person, top, posixAccount]
 - sn: [Nutzer]
 - cn: [projektnutzer01]
 - gidNumber: [40000007]
2015-11-30 13:20:26,697 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 1] - Condition OK
2015-11-30 13:20:26,729 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapIdentityAction [TrProfile LDAP-Test] [r: 1] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped identity: [x500Name] uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de
2015-11-30 13:20:26,730 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 2] - Condition OK
2015-11-30 13:20:26,730 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapIdentityAction [TrProfile LDAP-Test] [r: 2] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped identity: [userName] projektnutzer01
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 3] - Condition OK
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 3] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped attribute: cn: [projektnutzer01]
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 4] - Condition OK
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 4] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped attribute: urn:unicore:attrType:xlogin: [projektnutzer01]
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 5] - Condition OK
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 5] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Attribute value evaluated to null, skipping
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 6] - Condition OK
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapGroupAction [TrProfile LDAP-Test] [r: 6] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped group: /portal
2015-11-30 13:20:26,783 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationEngine - No identity needs to be added
2015-11-30 13:20:26,803 [qtp1704979234-39] INFO unity.server.externaltranslation.InputTranslationEngine - Adding to group /portal
2015-11-30 13:20:26,811 [qtp1704979234-39] INFO unity.server.rest.AuthenticationInterceptor - Authentication failed for client
2015-11-30 13:20:26,814 [qtp1704979234-39] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://ws.samlidp.unicore.unity.icm.edu.pl/}SAMLETDAuthnImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:114)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496)
    at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
    at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:317)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:370)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
    at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:236)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Thread.java:745)
Caused by: pl.edu.icm.unity.server.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:105)
    ... 40 more

any idea?
Thanks again,
Alvaro

On 11/30/2015 10:28 AM, Krzysztof Benedyczak wrote:
> Hi,
>
> On 30.11.2015 at 10:22, Alvaro Aguilera wrote:
>> Hi Bern,
>>
>> when I add the authenticator to the endpoint like this:
>>
>> ...
>> unityServer.core.authenticators.6.authenticatorName=ldapZIH
>> unityServer.core.authenticators.6.authenticatorType=ldap with
>> web-password
>> unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
>>
>> unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
>>
>> ...
>> unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
>> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
>>
>> unityServer.core.endpoints.4.contextPath=/unicore-soapidp
>> unityServer.core.endpoints.4.endpointRealm=defaultRealm
>> unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML
>> service
>> unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
>>
>> I get the following error:
>>
>> ------------------
>> 2015-11-30 10:12:07,007 [main] FATAL unity.server.EngineInitialization -
>> Can't load endpoints which are configured
>> java.lang.NullPointerException
>
> Your authenticator is configured for the web endpoints
>
> unityServer.core.authenticators.6.authenticatorType=ldap with
> web-password
>
> that is it can retrieve password via web widget and is useful for
> instance for authN from UNICORE portal. You need to have "ldap with
> cxf-httpbasic" in order to get password from web service client
> (unicore/X)
>
> I'll have to check this NPE - looks like a regression, the logged
> error should be informative.
>
> Best,
> Krzysztof
>

--
Dipl.-Inf. Alvaro Aguilera
Research Associate

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Distributed and Data Intensive Computing

Office: Falkenbrunnen, Room 256
Chemnitzer Straße 46b
01187 Dresden

Tel: +49 (351) 463 33491
Email: alv...@tu...
Web: http://www.tu-dresden.de/zih
OTR-Fingerprint: 9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1
|
From: Krzysztof B. <go...@ic...> - 2015-11-30 09:28:53
|
Hi,

On 30.11.2015 at 10:22, Alvaro Aguilera wrote:
> Hi Bern,
>
> when I add the authenticator to the endpoint like this:
>
> ...
> unityServer.core.authenticators.6.authenticatorName=ldapZIH
> unityServer.core.authenticators.6.authenticatorType=ldap with web-password
> unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
>
> unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
>
> ...
> unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
>
> unityServer.core.endpoints.4.contextPath=/unicore-soapidp
> unityServer.core.endpoints.4.endpointRealm=defaultRealm
> unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
> unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
>
>
> I get the following error:
>
> ------------------
> 2015-11-30 10:12:07,007 [main] FATAL unity.server.EngineInitialization -
> Can't load endpoints which are configured
> java.lang.NullPointerException

Your authenticator is configured for the web endpoints

unityServer.core.authenticators.6.authenticatorType=ldap with web-password

that is, it can retrieve password via web widget and is useful for instance for authN from UNICORE portal. You need to have "ldap with cxf-httpbasic" in order to get password from web service client (unicore/X)

I'll have to check this NPE - looks like a regression, the logged error should be informative.

Best,
Krzysztof
|
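A pre-start check for the mismatch explained in the reply above, as an added example (not part of the original messages and not Unity code): it reads the posted property keys and reports web-service endpoints that reference an authenticator whose retrieval is a web one. Assumptions: the `web-` prefix rule is generalised from the single `web-password` / `cxf-httpbasic` pair named in the thread, authenticator names in `endpointAuthenticators` are split on `;` and `,`, and the function names and finding codes are hypothetical.

```python
import re

# Endpoint types that get credentials from a web-service client. Only the
# type named in the thread is listed; extend it for a real deployment.
WS_ENDPOINT_TYPES = {"SAMLUnicoreSoapIdP"}

KEY = re.compile(
    r"^unityServer\.core\.(authenticators|endpoints)\.([^.]+)\.(\w+)$")

# Excerpt as posted in the thread (the "..." elisions dropped). pwdWS and
# certWS are referenced, but their definitions were not part of the excerpt.
POSTED = """\
unityServer.core.authenticators.6.authenticatorName=ldapZIH
unityServer.core.authenticators.6.authenticatorType=ldap with web-password
unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
"""

# Same excerpt with the authenticator type recommended in the reply.
CORRECTED = POSTED.replace("ldap with web-password", "ldap with cxf-httpbasic")


def parse_properties(text):
    """Group authenticator and endpoint properties by their index."""
    authenticators, endpoints = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY.match(key)
        if not match:
            continue
        kind, index, field = match.groups()
        target = authenticators if kind == "authenticators" else endpoints
        target.setdefault(index, {})[field] = value
    return authenticators, endpoints


def retrieval_of(authenticator_type):
    """'ldap with web-password' -> 'web-password'; None if malformed."""
    _, sep, retrieval = authenticator_type.partition(" with ")
    return retrieval.strip() if sep and retrieval.strip() else None


def check_endpoints(text):
    """Return (endpoint name, authenticator name, finding) tuples."""
    authenticators, endpoints = parse_properties(text)
    types_by_name = {
        a["authenticatorName"]: a.get("authenticatorType", "")
        for a in authenticators.values() if "authenticatorName" in a
    }
    findings = []
    for index in sorted(endpoints):
        endpoint = endpoints[index]
        if endpoint.get("endpointType") not in WS_ENDPOINT_TYPES:
            continue
        label = endpoint.get("endpointName", index)
        listed = re.split(r"[;,]", endpoint.get("endpointAuthenticators", ""))
        for name in (n.strip() for n in listed if n.strip()):
            if name not in types_by_name:
                findings.append((label, name, "undefined"))
                continue
            retrieval = retrieval_of(types_by_name[name])
            if retrieval is None:
                findings.append((label, name, "malformed-type"))
            elif retrieval.startswith("web-"):
                findings.append((label, name, "web-retrieval"))
    return findings


if __name__ == "__main__":
    for title, config in (("posted", POSTED), ("corrected", CORRECTED)):
        print(title)
        for finding in check_endpoints(config):
            print("  ", finding)
```

Run against the full server configuration rather than an excerpt, the `undefined` findings disappear for authenticators that are defined elsewhere in the file.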