From: Krzysztof B. <kb...@un...> - 2016-08-11 07:29:54
Hi Sander,

On 10.08.2016 at 09:41, Sander Apweiler wrote:
> Hi,
>
> we integrate eduGain IdPs with metadataSource. In the last two weeks we got
> two requests from our users about changes in the displayed list. I didn't
> find settings for both requests in the Unity manual. Below are both
> requests we got.
>
> 1) A user mentioned that the order of listed IdPs is not intuitive for
> non-computer scientists. It seems that IdPs are listed in ASCII order
> because "ARIA" is listed before "Aalto university". Is it possible to
> change the order to an alphabetical one?

I've looked into it - should be trivial, no problem.

> 2) The displayed IdP name is the English name out of the metadata, which is
> fine so far. The search seems to include only the English name out
> of the metadata too. A user said that he was not able to find the
> University of Zurich because he searched for "Zürich" and "UZH", the
> official acronym for the University of Zurich. The user requested to
> include the languages of the different countries at least in search,
> like German for Germany or Polish for Poland. Is it possible to enable
> the different languages in the search bar?

This is slightly more work, as currently one main name is used for search, and this will require changing the internal API a bit to also provide authN option aliases from the authenticator to the login screen, but it doesn't seem very hard.

I'll open tickets for both; it seems that together with a few other requests the next update will mostly focus on SAML functionality.

Best,
Krzysztof
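The two behaviours Sander asks for, sorting and multilingual search, as an added stand-alone example that is not Unity's code and not part of the thread. It reads per-language mdui:DisplayName entries (and mdui:Keywords, where federations usually publish acronyms such as UZH, which goes a little beyond what the thread discusses) from a constructed SAML metadata snippet, sorts with a case- and diacritic-insensitive key instead of raw code-point order, and searches every language plus keywords. The entity IDs and the Finnish and German names are assumptions made for the example.

```python
import unicodedata
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed metadata for the three IdPs mentioned in the thread. Entity IDs
# and the non-English names/keywords are assumptions made for this example.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.aria.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">ARIA</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.aalto.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Aalto University</mdui:DisplayName>
        <mdui:DisplayName xml:lang="fi">Aalto-yliopisto</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uzh.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">University of Zurich</mdui:DisplayName>
        <mdui:DisplayName xml:lang="de">Universität Zürich</mdui:DisplayName>
        <mdui:Keywords xml:lang="en">UZH Zurich</mdui:Keywords>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_idps(xml_text):
    """Collect per-language display names and keywords of every IdP in a feed."""
    root = ET.fromstring(xml_text)
    idps = []
    for ed in root.iterfind("md:EntityDescriptor", NS):
        sso = ed.find("md:IDPSSODescriptor", NS)
        if sso is None:
            continue  # SP-only entities are not login options
        names, keywords = {}, []
        for dn in sso.iterfind(".//mdui:DisplayName", NS):
            names[dn.get(XML_LANG, "en")] = (dn.text or "").strip()
        for kw in sso.iterfind(".//mdui:Keywords", NS):
            # MDUI keywords are whitespace separated; '+' joins words of one phrase
            keywords += [w.replace("+", " ") for w in (kw.text or "").split()]
        idps.append({"entity_id": ed.get("entityID"), "names": names, "keywords": keywords})
    return idps


def fold(text):
    """Case-fold and strip diacritics: 'Zürich' -> 'zurich', so accented and
    ASCII spellings sort together and match each other in search."""
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def display_name(idp, lang="en"):
    """Preferred-language name, falling back to any name, then the entityID."""
    names = idp["names"]
    return names.get(lang) or next(iter(names.values()), idp["entity_id"])


def sort_ascii(idps):
    """Raw code-point order: 'ARIA' lands before 'Aalto University'."""
    return sorted(idps, key=display_name)


def sort_natural(idps):
    """The order a non-technical user expects: alphabetical, case-insensitive."""
    return sorted(idps, key=lambda idp: fold(display_name(idp)))


def search(idps, query):
    """Substring match against every language's name and all keywords."""
    needle = fold(query)
    return [idp for idp in idps
            if any(needle in fold(term)
                   for term in list(idp["names"].values()) + idp["keywords"])]


if __name__ == "__main__":
    idps = load_idps(SAMPLE_METADATA)
    print("ASCII order:  ", [display_name(i) for i in sort_ascii(idps)])
    print("natural order:", [display_name(i) for i in sort_natural(idps)])
    for q in ("Zürich", "UZH"):
        print(f"search {q!r}:", [display_name(i) for i in search(idps, q)])
```

The fold() key is what separates the two orderings; a production login screen would normally use a locale collator (e.g. ICU) for the sort, but the casefold-plus-NFKD key already removes the "ARIA before Aalto" surprise and makes "Zürich" and "Zurich" equivalent in search.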
From: Sander A. <sa....@fz...> - 2016-08-10 07:42:00
Hi,

we integrate eduGain IdPs with metadataSource. In the last two weeks we got two requests from our users about changes in the displayed list. I didn't find settings for both requests in the Unity manual. Below are both requests we got.

1) A user mentioned that the order of listed IdPs is not intuitive for non-computer scientists. It seems that IdPs are listed in ASCII order because "ARIA" is listed before "Aalto university". Is it possible to change the order to an alphabetical one?

2) The displayed IdP name is the English name out of the metadata, which is fine so far. The search seems to include only the English name out of the metadata too. A user said that he was not able to find the University of Zurich because he searched for "Zürich" and "UZH", the official acronym for the University of Zurich. The user requested to include the languages of the different countries at least in search, like German for Germany or Polish for Poland. Is it possible to enable the different languages in the search bar?

Best regards,
Sander

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chairman of the supervisory board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (chairman), Karsten Beneke (deputy chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2016-07-17 19:37:30
Dear All,

While our work focuses on the big 2.0 release, a small update to the current 1.9 release series was just published. Version 1.9.3 first of all fixes a couple of bugs, such as the loading of large SAML federation metadata, and many UI issues. What is more, two notable features are added: full support for the ORCID identity provider (now including complete support for free members) as well as integration of a new version of the certificate handling library, supporting a multiple-PEM-file truststore.

Details are available at http://unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2016-05-09 14:04:01
Dear All,

A subsequent revision release is available at: http://www.unity-idm.eu/site/downloads

It brings a few improvements and bugfixes. The most important one is related to LDAP integration. First of all, LDAP authentication should be much faster, which is important in the case of large LDAP directories. What is more, it is possible to enable a new LDAP import option. This feature allows for a more complete integration of the LDAP database:

-) user entries may be simply imported using the Unity REST interface (by triggering an import)
-) 3rd party queries over SAML (SOAP binding) trigger an LDAP import if needed, so also those users who never used Unity can be queried.

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2016-04-15 10:17:27
Dear Subscribers,

Unity revision release 1.9.1 was just uploaded. It fixes a few minor bugs and adds two small features. There is, however, one important fix included. In version 1.9.0 the registration form editor crashes upon editing existing forms which were created in an earlier Unity version and use the form automation feature. After the update this problem is solved.

Details as usual at: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2016-04-06 16:26:17
Dear Subscribers,

Finally, after 4 months of development, the 9th feature release of Unity is ready. This is probably the largest (in terms of new features) release so far.

Important note on OpenJDK: with the introduction of the latest Jetty HTTP server (used internally by Unity) it was observed that the Firefox browser has trouble connecting to Unity *launched on some of the OpenJDK distributions* (e.g. Fedora). This is due to disabled EC TLS ciphers in the affected OpenJDK. In case of trouble please use the Oracle Java RE.

The highlights of the release are:

* Enquiry forms - this completely new feature allows for asking existing users for additional information: updated terms of use, an additional attribute, a different credential or... anything else. It is very similar to (and as powerful as) the registration forms intended for prospective users. Users are notified about an enquiry via email and can fill it in by visiting a link or after logging into Unity.

* Form layouts - it is now possible to control the order of elements in a registration (and enquiry) form as well as to define separators and custom captions.

* Invitations - another big and very useful new feature: it is possible to invite users to fill in a registration form. Registration forms can also be marked as by-invitation-only. An invitation can include pre-set settings for the user, which are used to partially prefill the registration form.

* Bulk processing of entities - allows for performing batch operations on entities fulfilling given criteria. So far only two operations are provided (change status and removal) but more can be easily added in future. It is also possible to schedule bulk processing actions to have automated maintenance of users.

* REST enhancements - the REST API is subsequently improved with each release. This time the changes are huge: there is support for managing registration forms, invitations, endpoints and groups. It is possible to enable CORS support. Finally the unity-types module was improved so it can be used as a simple library for Java-based REST client applications: most of the REST-manageable Unity artifacts can be created via code using this library.

* Customized i18n - the Unity distribution now contains a complete set of Unity's internal messages, and it is possible to improve translations or change the defaults.

As usual see http://www.unity-idm.eu/site/downloads for more details.

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2016-02-17 11:14:43
Dear Willem,

On 17.02.2016 at 10:55, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have recently encountered an issue with users accessing Unity from a
> Safari browser, after enabling authentication with client certificates.
>
> Apparently iCloud installs a certificate in the OSX keychain. If a user
> then tries to access Unity with client certificate authentication
> enabled, Safari pops up a dialog where the user can select a certificate
> or choose cancel to authenticate without using a certificate.
> This is confusing for most users, especially because authentication
> fails if they don't click cancel.
>
> Is there a way to enable certificate based authentication on a dedicated
> endpoint, different from /home/home, as a workaround for this issue? Or
> do you have another suggestion?

This is a difficult issue. Your solution is impossible in general. TLS authN happens (obviously) at the TLS level, i.e. a lower level than HTTP. So when this happens it is not known what the HTTP path of the endpoint the browser *will* try to access is going to be. Therefore the answer is no: acceptance of client certificate based authentication can be turned on/off only per network socket (with unityServer.core.httpServer.wantClientAuthn, see docs) == Unity instance.

Next, TLS offers a feature to help clients decide whether client certificate based authN is possible. Namely, on the TLS handshake the client gets a list of DNs of server-accepted CAs. Unity supports this feature; here is part of a TLS handshake with the EUDAT instance retrieved by s_client:

[...]
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=FI/ST=Uusimaa/L=Espoo/O=CSC - Tieteen tietotekniikan keskus Oy/CN=b2access.eudat.eu
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
[...]

A smart browser should take this into account and not bug the user if there is no certificate installed which is issued by an accepted CA. To my knowledge Firefox honors this. From what you wrote Safari doesn't.

All in all you can:
-) try to search for some hints on Safari itself, knowing the above.
-) disable wantClientAuthn per Unity server
-) set up two Unity instances on different ports (sharing the same DB) to solve the issue fully - like using a sledgehammer to crack a nut...

Best regards,
Krzysztof
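A check for the CA-list behaviour Krzysztof describes, as an added example that is not from the thread and not Unity code: it runs openssl s_client against a host, extracts the "Acceptable client certificate CA names" section, and tells whether a given client certificate issuer DN is on that list, i.e. whether a browser that honours the list would prompt for that certificate at all. The embedded s_client output is constructed from the DNs quoted above; host and port are whatever Unity socket you want to test, and the openssl CLI is assumed to be on PATH.

```python
import subprocess

# Constructed s_client output using DNs from the handshake quoted above;
# the surrounding lines are shortened and the byte counts are made up.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
SSL handshake has read 5120 bytes and written 433 bytes
"""

SECTION_HEADER = "Acceptable client certificate CA names"
# Lines that begin the next section, in old and new openssl output formats.
SECTION_END_PREFIXES = ("---", "Client Certificate Types", "Requested Signature Algorithms")


def parse_acceptable_cas(s_client_output):
    """Return the CA DNs the server advertised in its CertificateRequest.

    An empty result means openssl printed 'No client certificate CA names
    sent', which it does both when no CertificateRequest was sent at all and
    when the server sent an empty list; use 's_client -msg' to tell those apart.
    """
    names, in_list = [], False
    for line in s_client_output.splitlines():
        if line.startswith(SECTION_HEADER):
            in_list = True
            continue
        if in_list and line.startswith(SECTION_END_PREFIXES):
            break
        if in_list and line.strip():
            names.append(line.strip())
    return names


def dn_components(dn):
    """Normalize a DN printed as '/C=DE/O=X/CN=Y' (openssl < 1.1.1) or as
    'C = DE, O = X, CN = Y' (openssl >= 1.1.1) into ((attr, value), ...).
    Display-string heuristic: values containing '/' or ', ' are not handled."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    return tuple((k.strip(), v.strip())
                 for k, v in (p.split("=", 1) for p in parts if "=" in p))


def issuer_accepted(issuer_dn, acceptable_cas):
    """Would a browser that honours the CA list offer a cert with this issuer?"""
    wanted = dn_components(issuer_dn)
    return any(dn_components(ca) == wanted for ca in acceptable_cas)


def acceptable_client_cas(host, port=443, timeout=15):
    """Complete a handshake with host:port (e.g. the Unity HTTPS socket) and
    return the advertised CA list. Requires the openssl CLI on PATH."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    return parse_acceptable_cas(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    cas = parse_acceptable_cas(SAMPLE_S_CLIENT_OUTPUT)
    for ca in cas:
        print("accepted CA:", ca)
    issuer = "C = DE, ST = NRW, L = Juelich, O = FZJ, OU = JSC, CN = EUDAT CA"
    print("would prompt for EUDAT CA cert:", issuer_accepted(issuer, cas))
```

Run acceptable_client_cas("your-unity-host", 2443) against a server with wantClientAuthn enabled and an empty result is the thing to investigate: either the socket is not requesting certificates, or the truststore behind it is empty, and in both cases a browser has nothing to match installed certificates against.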
From: Willem E. <wi...@cl...> - 2016-02-17 10:13:21
Dear Krzysztof,

we have recently encountered an issue with users accessing Unity from a Safari browser, after enabling authentication with client certificates.

Apparently iCloud installs a certificate in the OSX keychain. If a user then tries to access Unity with client certificate authentication enabled, Safari pops up a dialog where the user can select a certificate or choose cancel to authenticate without using a certificate. This is confusing for most users, especially because authentication fails if they don't click cancel.

Is there a way to enable certificate based authentication on a dedicated endpoint, different from /home/home, as a workaround for this issue? Or do you have another suggestion?

Best,
Willem

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <go...@ic...> - 2015-12-31 14:56:37
Dear All,

First of all I would like to wish you all the best for 2016. May the force be with you!

As a present for 2016 a new version 1.8.0 of Unity was published. It ships several notable new features, making Unity more universal and flexible. The highlights of this release:

- Registration forms have a completely redesigned automation feature, based on a translation profile (similar to the input and output profiles used for authentication and IdPs). With the new model it is possible to perform a great amount of advanced request processing: all elements can be filtered, new elements can be added, it can be precisely controlled when to perform redirects, and finally requests can be not only automatically accepted but also dropped or denied.

- Group attribute statements were fully redesigned into a much more flexible model. In effect it is possible not only to copy attributes between groups but also to modify them on the fly or to use non-attribute data (such as identities) as values.

- It is now possible to embed any of the Unity web interfaces within customized HTML, so it is possible to insert a custom header or footer.

There are also other, smaller features included, such as OAuth client credentials grant support, better DoS protection mechanisms and async loading of the identities table (crucial with a high number of entities).

Make sure to read the upgrade instructions before upgrading!

Big thanks to everybody involved in this release! The full list of changes with additional details is available as always at http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2015-11-30 13:02:29
Hi Alvaro,

On 30.11.2015 at 13:23, Alvaro Aguilera wrote:
> Hi Krzysztof,
>
> thank you for the hint. I changed the authenticator type and it goes a
> step further but I still get an authentication error:
>

Please enable the TRACE (this is the highest) logging level on: unity.server.rest. Or even better: on the whole unity.server, and check the details. If you are still unsure please provide your current authenticator and endpoint configs.

Best,
Krzysztof
From: Alvaro A. <alv...@tu...> - 2015-11-30 12:24:05
Hi Krzysztof,

thank you for the hint. I changed the authenticator type and it goes a step further but I still get an authentication error:

**************************
UNITY Server Started
**************************
2015-11-30 13:20:12,965 [main] INFO org.eclipse.jetty.server.Server - jetty-8.1.18.v20150929
2015-11-30 13:20:13,094 [main] INFO org.eclipse.jetty.server.AbstractConnector - Started NIO...@un...:2443
2015-11-30 13:20:13,095 [main] INFO unity.server.config.JettyServerBase - Jetty HTTP server was started
2015-11-30 13:20:26,330 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - Established connection to LDAP server
2015-11-30 13:20:26,353 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - Established user's DN is: uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de
2015-11-30 13:20:26,388 [qtp1704979234-39] DEBUG unity.server.ldap.LdapClient - LDAP bind as user uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de was successful
2015-11-30 13:20:26,695 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationProfile [TrProfile LDAP-Test] - Input received from IdP ldap:
Identities:
 - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de (x500Name)
Attributes:
 - uid: [projektnutzer01]
 - homeDirectory: [/home/projektnutzer01]
 - ou: [Zentr.f.Inform.dienste u.Hochleistrechn., Fak. Mathematik und Naturwissenschaften]
 - uidNumber: [20000037]
 - givenName: [Projekt01]
 - objectClass: [inetOrgPerson, organizationalPerson, person, top, posixAccount]
 - sn: [Nutzer]
 - cn: [projektnutzer01]
 - gidNumber: [40000007]
2015-11-30 13:20:26,697 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 1] - Condition OK
2015-11-30 13:20:26,729 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapIdentityAction [TrProfile LDAP-Test] [r: 1] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped identity: [x500Name] uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de
2015-11-30 13:20:26,730 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 2] - Condition OK
2015-11-30 13:20:26,730 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapIdentityAction [TrProfile LDAP-Test] [r: 2] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped identity: [userName] projektnutzer01
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 3] - Condition OK
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 3] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped attribute: cn: [projektnutzer01]
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 4] - Condition OK
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 4] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped attribute: urn:unicore:attrType:xlogin: [projektnutzer01]
2015-11-30 13:20:26,731 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 5] - Condition OK
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapAttributeAction [TrProfile LDAP-Test] [r: 5] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Attribute value evaluated to null, skipping
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationRule [TrProfile LDAP-Test] [r: 6] - Condition OK
2015-11-30 13:20:26,732 [qtp1704979234-39] DEBUG unity.server.externaltranslation.MapGroupAction [TrProfile LDAP-Test] [r: 6] [ldap - uid=projektnutzer01,ou=users,dc=tu-dresden,dc=de] - Mapped group: /portal
2015-11-30 13:20:26,783 [qtp1704979234-39] DEBUG unity.server.externaltranslation.InputTranslationEngine - No identity needs to be added
2015-11-30 13:20:26,803 [qtp1704979234-39] INFO unity.server.externaltranslation.InputTranslationEngine - Adding to group /portal
2015-11-30 13:20:26,811 [qtp1704979234-39] INFO unity.server.rest.AuthenticationInterceptor - Authentication failed for client
2015-11-30 13:20:26,814 [qtp1704979234-39] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://ws.samlidp.unicore.unity.icm.edu.pl/}SAMLETDAuthnImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
        at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:114)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496)
        at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
        at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:317)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:236)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:745)
Caused by: pl.edu.icm.unity.server.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
        at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:105)
        ... 40 more

any idea?

Thanks again,
Alvaro

On 11/30/2015 10:28 AM, Krzysztof Benedyczak wrote:
> Hi,
>
> On 30.11.2015 at 10:22, Alvaro Aguilera wrote:
>> Hi Bernd,
>>
>> when I add the authenticator to the endpoint like this:
>>
>> ...
>> unityServer.core.authenticators.6.authenticatorName=ldapZIH
>> unityServer.core.authenticators.6.authenticatorType=ldap with web-password
>> unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
>> unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
>> ...
>> unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
>> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
>> unityServer.core.endpoints.4.contextPath=/unicore-soapidp
>> unityServer.core.endpoints.4.endpointRealm=defaultRealm
>> unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
>> unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
>>
>> I get the following error:
>>
>> ------------------
>> 2015-11-30 10:12:07,007 [main] FATAL unity.server.EngineInitialization - Can't load endpoints which are configured
>> java.lang.NullPointerException
>
> Your authenticator is configured for the web endpoints
>
> unityServer.core.authenticators.6.authenticatorType=ldap with web-password
>
> that is, it can retrieve the password via a web widget and is useful for
> instance for authN from the UNICORE portal. You need to have "ldap with
> cxf-httpbasic" in order to get the password from a web service client
> (unicore/X).
>
> I'll have to check this NPE - looks like a regression, the logged
> error should be informative.
>
> Best,
> Krzysztof
>

-- 
Dipl.-Inf. Alvaro Aguilera
Research Associate
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Verteiltes und Datenintensives Rechnen
Office: Falkenbrunnen, Room 256
Chemnitzer Straße 46b
01187 Dresden
Tel: +49 (351) 463 33491
Email: alv...@tu...
Web: http://www.tu-dresden.de/zih
OTR-Fingerprint: 9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1
From: Krzysztof B. <go...@ic...> - 2015-11-30 09:28:53
Hi,

On 30.11.2015 at 10:22, Alvaro Aguilera wrote:
> Hi Bernd,
>
> when I add the authenticator to the endpoint like this:
>
> ...
> unityServer.core.authenticators.6.authenticatorName=ldapZIH
> unityServer.core.authenticators.6.authenticatorType=ldap with web-password
> unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
> unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
> ...
> unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
> unityServer.core.endpoints.4.contextPath=/unicore-soapidp
> unityServer.core.endpoints.4.endpointRealm=defaultRealm
> unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
> unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
>
> I get the following error:
>
> ------------------
> 2015-11-30 10:12:07,007 [main] FATAL unity.server.EngineInitialization - Can't load endpoints which are configured
> java.lang.NullPointerException

Your authenticator is configured for the web endpoints:

unityServer.core.authenticators.6.authenticatorType=ldap with web-password

that is, it can retrieve the password via a web widget and is useful for instance for authN from the UNICORE portal. You need to have "ldap with cxf-httpbasic" in order to get the password from a web service client (unicore/X).

I'll have to check this NPE - looks like a regression, the logged error should be informative.

Best,
Krzysztof
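A pre-flight check for the mismatch Krzysztof points out, as an added example that is not part of Unity and not from the thread: it parses the numbered unityServer.core.authenticators.N.* and endpoints.N.* properties and flags any endpoint whose authenticator list references an unknown name or an authenticator whose credential retrieval does not fit the endpoint's binding, so the problem is reported by name instead of surfacing as the NullPointerException above. The rule "endpoint types ending in SoapIdP need a cxf-* retrieval, everything else a web-* one" and the pwdWS/certWS definitions in the sample are assumptions distilled from the thread; only the ldapZIH authenticator and endpoint 4 are quoted verbatim.

```python
import re
from collections import defaultdict

# Constructed from the configuration quoted in the thread. The pwdWS and
# certWS definitions are assumed; ldapZIH and endpoint 4 are verbatim.
SAMPLE_CONFIG = """
unityServer.core.authenticators.1.authenticatorName=pwdWS
unityServer.core.authenticators.1.authenticatorType=password with cxf-httpbasic
unityServer.core.authenticators.2.authenticatorName=certWS
unityServer.core.authenticators.2.authenticatorType=certificate with cxf-certificate
unityServer.core.authenticators.6.authenticatorName=ldapZIH
unityServer.core.authenticators.6.authenticatorType=ldap with web-password
unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH
"""

PROP_RE = re.compile(r"^unityServer\.core\.(authenticators|endpoints)\.(\w+)\.(\w+)=(.*)$")


def endpoint_binding(endpoint_type):
    """Assumed rule distilled from the thread: SOAP (web service) endpoints need
    a 'cxf-*' credential retrieval, browser endpoints need a 'web-*' one."""
    return "cxf" if endpoint_type.endswith("SoapIdP") else "web"


def parse_config(text):
    """Group the numbered authenticators.N.* and endpoints.N.* properties."""
    groups = {"authenticators": defaultdict(dict), "endpoints": defaultdict(dict)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PROP_RE.match(line)
        if match:
            section, index, key, value = match.groups()
            groups[section][index][key] = value.strip()
    return groups


def split_authenticator_type(type_value):
    """'ldap with web-password' -> ('ldap', 'web-password')."""
    verificator, _, retrieval = type_value.partition(" with ")
    return verificator.strip(), retrieval.strip()


def check_config(text):
    """Return human-readable findings; an empty list means no mismatch found."""
    cfg = parse_config(text)
    by_name = {a["authenticatorName"]: a
               for a in cfg["authenticators"].values() if "authenticatorName" in a}
    findings = []
    for index, endpoint in sorted(cfg["endpoints"].items()):
        ep_type = endpoint.get("endpointType", "")
        wanted = endpoint_binding(ep_type)
        # ';' separates alternative authenticator sets and ',' joins factors
        # within one set (assumed syntax); both are treated as separators here.
        for name in re.split(r"[;,]", endpoint.get("endpointAuthenticators", "")):
            name = name.strip()
            if not name:
                continue
            auth = by_name.get(name)
            if auth is None:
                findings.append(f"endpoint {index} ({ep_type}): unknown authenticator '{name}'")
                continue
            _, retrieval = split_authenticator_type(auth.get("authenticatorType", ""))
            if not retrieval.startswith(wanted + "-"):
                findings.append(
                    f"endpoint {index} ({ep_type}): authenticator '{name}' retrieves "
                    f"credentials via '{retrieval}', but this endpoint needs '{wanted}-*'")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no mismatches found"]:
        print(finding)
```

Run it over the real unityServer.conf before restarting the server; with the quoted configuration it reports ldapZIH on endpoint 4, and after changing the type to "ldap with cxf-httpbasic" it reports nothing.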
From: Alvaro A. <alv...@tu...> - 2015-11-30 09:22:58
Hi Bernd,

when I add the authenticator to the endpoint like this:

...
unityServer.core.authenticators.6.authenticatorName=ldapZIH
unityServer.core.authenticators.6.authenticatorType=ldap with web-password
unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/ldap-zih.properties
unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
...
unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;certWS;ldapZIH

I get the following error:

------------------
2015-11-30 10:12:07,007 [main] FATAL unity.server.EngineInitialization - Can't load endpoints which are configured
java.lang.NullPointerException
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:128)
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deploy(EndpointManagementImpl.java:97)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.loadEndpointsFromConfiguration(EngineInitialization.java:768)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeEndpoints(EngineInitialization.java:721)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeDatabaseContents(EngineInitialization.java:351)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.start(EngineInitialization.java:209)
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:173)
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:112)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:770)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:483)
        at pl.edu.icm.unity.server.UnityApplication.run(UnityApplication.java:49)
        at pl.edu.icm.unity.server.UnityApplication.main(UnityApplication.java:58)
2015-11-30 10:12:07,010 [main] WARN org.springframework.context.support.ClassPathXmlApplicationContext - Exception encountered during context initialization - cancelling refresh attempt
org.springframework.context.ApplicationContextException: Failed to start bean 'pl.edu.icm.unity.engine.internal.EngineInitialization#0'; nested exception is pl.edu.icm.unity.exceptions.InternalException: Can't load endpoints which are configured
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:176)
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:112)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:770)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:483)
        at pl.edu.icm.unity.server.UnityApplication.run(UnityApplication.java:49)
        at pl.edu.icm.unity.server.UnityApplication.main(UnityApplication.java:58)
Caused by: pl.edu.icm.unity.exceptions.InternalException: Can't load endpoints which are configured
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeEndpoints(EngineInitialization.java:725)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeDatabaseContents(EngineInitialization.java:351)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.start(EngineInitialization.java:209)
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:173)
        ... 8 more
Caused by: java.lang.NullPointerException
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:128)
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deploy(EndpointManagementImpl.java:97)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.loadEndpointsFromConfiguration(EngineInitialization.java:768)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeEndpoints(EngineInitialization.java:721)
        ... 11 more
-----------------

do you know what's wrong with that? I can add the authenticator to the SAMLUnicoreWebIdP endpoint without problem, but that's not what I need.

Thanks
Alvaro

On 11/30/2015 09:59 AM, Bernd Schuller wrote:
> hi,
>
> did you add the LDAP authenticator to the unicore-soapidp endpoint?
>
> If yes, try debug logging on Unity and/or UNICORE/X to find out more...
>
>
> Best regards,
> Bernd.
>
> On 30.11.2015 09:51, Alvaro Aguilera wrote:
>> Hello,
>>
>> I'm trying to get Unicore to use Unity to validate users using our LDAP
>> server and could use a little help from someone with experience on this.
>> Until now I have set up a Unity server and created a simple
>> authenticator for LDAP (code below), as well as the corresponding
>> translation profile (also below).
>> The dry test of the TP seems to be working well.
>>
>> I also added the certificate of the Unity server to Unicore's assertion
>> issuers and granted access to the LDAP users in the XUUDB.
>>
>> However, I'm still unable to log in to Unicore using the rich client with
>> the Unity option.
>>
>> Any hints about what I'm missing or doing wrong?
>>
>> Thanks!
>> Alvaro
>>
>>
>> ------------------------------
>>
>> *wsrflite.xml (both for registry & unicore/x)*
>>
>> <property name="container.security.trustedAssertionIssuers.type" value="directory" />
>> <property name="container.security.trustedAssertionIssuers.directoryLocations.1" value="/home/somepath.../unity..pem" />
>>
>> *uas.conf*
>>
>> container.security.rest.authentication.order=FILE UNITY
>> container.security.rest.authentication.UNITY.class=eu.unicore.services.rest.security.UnitySAMLAuthenticator
>> container.security.rest.authentication.UNITY.address=https://unity.zih.tu-dresden.de:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService
>> container.security.rest.authentication.UNITY.validate=true
>>
>> *Authenticator*
> [...]
>>
>> *Translation Profile (LDAP-Test)*
>>
> [...]
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Bernd S. <b.s...@fz...> - 2015-11-30 08:59:18
hi,

did you add the LDAP authenticator to the unicore-soapidp endpoint?

If yes, try debug logging on Unity and/or UNICORE/X to find out more...

Best regards,
Bernd.

On 30.11.2015 09:51, Alvaro Aguilera wrote:
> Hello,
>
> I'm trying to get Unicore to use Unity to validate users using our LDAP
> server and could use a little help from someone with experience on this.
> Until now I have set up a Unity server and created a simple
> authenticator for LDAP (code below), as well as the corresponding
> translation profile (also below).
> The dry test of the TP seems to be working well.
>
> I also added the certificate of the Unity server to Unicore's assertion
> issuers and granted access to the LDAP users in the XUUDB.
>
> However, I'm still unable to log in to Unicore using the rich client with
> the Unity option.
>
> Any hints about what I'm missing or doing wrong?
>
> Thanks!
> Alvaro
>
> ------------------------------
>
> *wsrflite.xml (both for registry & unicore/x)*
>
> <property name="container.security.trustedAssertionIssuers.type" value="directory" />
> <property name="container.security.trustedAssertionIssuers.directoryLocations.1" value="/home/somepath.../unity..pem" />
>
> *uas.conf*
>
> container.security.rest.authentication.order=FILE UNITY
> container.security.rest.authentication.UNITY.class=eu.unicore.services.rest.security.UnitySAMLAuthenticator
> container.security.rest.authentication.UNITY.address=https://unity.zih.tu-dresden.de:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService
> container.security.rest.authentication.UNITY.validate=true
>
> *Authenticator*
[...]
>
> *Translation Profile (LDAP-Test)*
[...]
From: Alvaro A. <alv...@tu...> - 2015-11-30 08:51:28
Hello,

I'm trying to get Unicore to use Unity to validate users using our LDAP server and could use a little help from someone with experience on this. Until now I have set up a Unity server and created a simple authenticator for LDAP (code below), as well as the corresponding translation profile (also below). The dry test of the TP seems to be working well.

I also added the certificate of the Unity server to Unicore's assertion issuers and granted access to the LDAP users in the XUUDB.

However, I'm still unable to log in to Unicore using the rich client with the Unity option.

Any hints about what I'm missing or doing wrong?

Thanks!
Alvaro

------------------------------

*wsrflite.xml (both for registry & unicore/x)*

<property name="container.security.trustedAssertionIssuers.type" value="directory" />
<property name="container.security.trustedAssertionIssuers.directoryLocations.1" value="/home/somepath.../unity..pem" />

*uas.conf*

container.security.rest.authentication.order=FILE UNITY
container.security.rest.authentication.UNITY.class=eu.unicore.services.rest.security.UnitySAMLAuthenticator
container.security.rest.authentication.UNITY.address=https://unity.zih.tu-dresden.de:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.UNITY.validate=true

*Authenticator*

ldap.bindAs=system
ldap.systemDN=cn=blahblah,dc=zih,dc=tu-dresden,dc=de
ldap.systemPassword=secret
ldap.servers.1=ldap-server.zih.tu-dresden.de
ldap.ports.1=636
ldap.connectionMode=SSL
ldap.trustAllServerCertificates=true
ldap.userDNTemplate=uid={USERNAME},ou=users,dc=tu-dresden,dc=de
ldap.groupsBaseName=ou=groups,dc=tu-dresden,dc=de
ldap.groups.1.objectClass=posixGroup
ldap.groups.1.memberAttribute=memberUid
ldap.groups.1.nameAttribute=cn
ldap.groups.1.matchByMemberAttribute=cn
ldap.translationProfile=LDAP-Test

*Translation Profile (LDAP-Test)*

1: Condition: true
   Action: mapIdentity
   Action parameters:
     unityIdentityType = x500Name
     expression = id
     credential requirement = Password requirement
     effect = CREATE_OR_MATCH

2: Condition: true
   Action: mapIdentity
   Action parameters:
     unityIdentityType = userName
     expression = attr['uid']
     credential requirement = Password requirement
     effect = CREATE_OR_MATCH

3: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = cn
     group = /
     expression = attr['cn']
     visibility = full
     effect = CREATE_OR_UPDATE

4: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = urn:unicore:attrType:xlogin
     group = /
     expression = attr['uid']
     visibility = full
     effect = CREATE_OR_UPDATE

5: Condition: true
   Action: mapAttribute
   Action parameters:
     unityAttribute = email
     group = /
     expression = attr['mail']
     visibility = full
     effect = CREATE_OR_UPDATE

--
Dipl.-Inf. Alvaro Aguilera
Research Associate
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Verteiltes und Datenintensives Rechnen
Office: Falkenbrunnen, Room 256
Chemnitzer Straße 46b
01187 Dresden
Tel: +49 (351) 463 33491
Email: alv...@tu...
Web: http://www.tu-dresden.de/zih
OTR-Fingerprint: 9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1
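The authenticator posted above talks to LDAP over SSL on port 636 but sets ldap.trustAllServerCertificates=true, which disables validation of the LDAP server's certificate: the bind password and every user password are then protected only against passive eavesdropping, not against a host impersonating the directory. The following is an added example (not Alvaro's configuration and not Unity's own code) that parses Unity-style properties and flags such transport weaknesses. The weak sample repeats the posted TLS-relevant lines; the hardened sample assumes Unity accepts a PEM truststore under an ldap.truststore. prefix, which is an assumption to confirm against the Unity manual for the release in use.

```python
"""Transport-security checks for a Unity LDAP authenticator configuration.

Added example, not Unity's own code and not part of the mailing list post.
It parses the Java-style properties Unity uses for its LDAP authenticator
and flags settings that weaken the LDAP connection. The hardened sample
assumes a PEM truststore can be configured under the ``ldap.truststore.``
prefix (an assumption; check the Unity manual for the release you run).
"""
from typing import Dict, List

# Constructed sample: TLS-relevant lines of the authenticator posted above.
WEAK_CONFIG = """\
ldap.bindAs=system
ldap.systemDN=cn=blahblah,dc=zih,dc=tu-dresden,dc=de
ldap.systemPassword=secret
ldap.servers.1=ldap-server.zih.tu-dresden.de
ldap.ports.1=636
ldap.connectionMode=SSL
ldap.trustAllServerCertificates=true
"""

# Constructed sample: the same authenticator with server certificate
# validation restored (truststore key names and path are assumptions).
HARDENED_CONFIG = """\
ldap.bindAs=system
ldap.systemDN=cn=blahblah,dc=zih,dc=tu-dresden,dc=de
ldap.systemPassword=secret
ldap.servers.1=ldap-server.zih.tu-dresden.de
ldap.ports.1=636
ldap.connectionMode=SSL
ldap.trustAllServerCertificates=false
ldap.truststore.type=directory
ldap.truststore.directoryLocations.1=/etc/unity-idm/pki/ldap-ca.pem
"""

# Short finding codes and what each one means for the deployment.
MESSAGES = {
    "plaintext": "connectionMode is plain: bind and user passwords cross the network unencrypted",
    "trust-all": "trustAllServerCertificates=true: any host presenting any certificate is accepted",
    "no-truststore": "TLS enabled but no ldap.truststore.* keys: confirm which CA validates the server",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value (or key:value) properties; blank lines and comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first separator only: DN values contain '=' themselves.
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def ldap_tls_findings(props: Dict[str, str]) -> List[str]:
    """Return finding codes (keys of MESSAGES) for the LDAP transport settings."""
    findings: List[str] = []
    mode = props.get("ldap.connectionMode", "plain").lower()
    trust_all = props.get("ldap.trustAllServerCertificates", "false").lower() == "true"
    has_truststore = any(k.startswith("ldap.truststore.") for k in props)
    if mode == "plain":
        findings.append("plaintext")
    if trust_all:
        findings.append("trust-all")
    if mode != "plain" and not trust_all and not has_truststore:
        findings.append("no-truststore")
    return findings


def report(text: str) -> List[str]:
    """Human-readable findings for one authenticator configuration."""
    return [MESSAGES[code] for code in ldap_tls_findings(parse_properties(text))]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", report(cfg) or ["no findings"])
```

The parser splits each line on its first separator only, because values such as ldap.systemDN contain further '=' characters; the weak sample yields the single trust-all finding and the hardened sample yields none.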
From: Krzysztof B. <go...@ic...> - 2015-11-27 12:16:39
Dear All,

A new revision release 1.7.2 is available, fixing several problems, generally minor, however significant in some deployments. The most important changes include:

-) strict and complete email address validation
-) clearing of IdP SAML/OAuth context when using a registration form on the endpoint, with custom redirects
-) not duplicating SAML session participants used for SLO

The full list of changes with additional details is available as always at http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2015-11-13 16:37:54
Dear All,

the 1.7.1 release was published, fixing several bugs found in 1.7.0. The most significant bug was related to PostgreSQL transaction handling, which was randomly failing under higher load.

The full list of changes with additional details is available as always at http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Bernd S. <b.s...@fz...> - 2015-11-09 12:48:16
hi Alvaro,

the error means that the code was compiled for Java 1.8. To run it, you need to use Java 1.8 as well.

Best regards,
Bernd.

On 09.11.2015 13:23, Alvaro Aguilera wrote:
> Hello,
>
> I just installed Unity 1.7.0 and get the following error when starting
>
> Exception in thread "main" java.lang.UnsupportedClassVersionError: pl/edu/icm/unity/server/UnityApplication : Unsupported major.minor version 52.0
>     at java.lang.ClassLoader.defineClass1(Native Method)
>     at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
>     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
>     at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
>     at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>     at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)
>
> does anyone know where the problem lies?
>
> Thanks
> Alvaro
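Bernd's diagnosis can be checked directly on the jar contents before touching the runtime: the "major.minor version 52.0" in the error is read by the JVM from the first eight bytes of the class file, and a JVM refuses any class whose major version is newer than its own. The following is an added example (not Unity's, UNICORE's or Bernd's code) that decodes that header and maps the major version to the Java release that produces it; the sample header bytes are constructed, and the script file name in the usage comment is hypothetical.

```python
"""Read the target Java release from a .class file header.

Added example, not code from Unity, UNICORE or the thread above. The
"Unsupported major.minor version 52.0" error is decided from the first
eight bytes of a class file: magic 0xCAFEBABE, then a 16-bit minor and a
16-bit major version, all big-endian. A JVM refuses any class whose major
version is newer than its own, which is why a Java 8 build (major 52)
cannot start on a Java 7 runtime (major 51).
"""
import struct
import sys
from typing import Tuple

# Constructed sample: the header of a class compiled with javac 8
# (minor 0, major 52). A real class file continues with the constant pool.
SAMPLE_JAVA8_HEADER = bytes.fromhex("cafebabe00000034")


def class_file_version(data: bytes) -> Tuple[int, int]:
    """Return (major, minor) from a class file, rejecting anything without the magic."""
    if len(data) < 8:
        raise ValueError("not a class file: fewer than 8 bytes")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file: bad magic 0x%08x" % magic)
    return major, minor


def java_release(major: int) -> str:
    """Map a class file major version to the Java release that produces it."""
    if major < 45:
        raise ValueError("unknown class file major version %d" % major)
    if major <= 48:             # 45..48 were Java 1.1..1.4
        return "1.%d" % (major - 44)
    return str(major - 44)      # 49 -> 5, 51 -> 7, 52 -> 8, 55 -> 11, ...


def runtime_can_load(class_major: int, runtime_major: int) -> bool:
    """A JVM loads class files up to and including its own major version."""
    return class_major <= runtime_major


def diagnose(data: bytes, runtime_major: int) -> str:
    """Explain whether a runtime of the given major version can load this class."""
    major, _minor = class_file_version(data)
    needed, have = java_release(major), java_release(runtime_major)
    if runtime_can_load(major, runtime_major):
        return "ok: class targets Java %s, runtime is Java %s" % (needed, have)
    return ("UnsupportedClassVersionError expected: class targets Java %s "
            "but runtime is Java %s" % (needed, have))


if __name__ == "__main__":
    # Usage (hypothetical file name): python classver.py SomeClass.class [runtime_major]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            header = fh.read(8)
        runtime = int(sys.argv[2]) if len(sys.argv) > 2 else 52
    else:
        # Without arguments, reproduce the thread's situation: Java 8 class on Java 7.
        header, runtime = SAMPLE_JAVA8_HEADER, 51
    print(diagnose(header, runtime))
```

Running it on a class extracted from the Unity distribution jar with the runtime's own major version as the second argument tells you before startup whether the JVM will accept it.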
From: Alvaro A. <alv...@tu...> - 2015-11-09 12:42:00
Hello,

I just installed Unity 1.7.0 and get the following error when starting

Exception in thread "main" java.lang.UnsupportedClassVersionError: pl/edu/icm/unity/server/UnityApplication : Unsupported major.minor version 52.0
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

does anyone know where the problem lies?

Thanks
Alvaro

--
Dipl.-Inf. Alvaro Aguilera
Research Associate
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Verteiltes und Datenintensives Rechnen
Office: Falkenbrunnen, Room 256
Chemnitzer Straße 46b
01187 Dresden
Tel: +49 (351) 463 33491
Email: alv...@tu...
Web: http://www.tu-dresden.de/zih
OTR-Fingerprint: 9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1
From: Sander A. <sa....@fz...> - 2015-10-15 08:00:00
Hi,

sorry for the long period of silence. I think I have solved this issue. The user and identifier were deleted but not the entities. I deleted them now.

Best regards,
Sander

On Di, 2015-09-22 at 12:51 +0200, Krzysztof Benedyczak wrote:
> Hi,
>
> On 16.09.2015 at 14:56, Sander Apweiler wrote:
> > Hi all,
> >
> > I have a problem with the mailing behavior of Unity. Unity tries to
> > send an email to a test user with a non-existing email address. The user
> > is already deleted but Unity still tries to send a confirmation mail to
> > this user. How can I stop this?
>
> Are you sure it is Unity? Unity will send (if configured so) a
> confirmation email to check if the email is valid. It is also in the
> case of not existing user: during registration. The confirmation is sent
> exactly once in any case.
>
> Maybe your SMTP is resending an email (originating from Unity) due to
> any of SMTP-justified cases? If you are positive that it is Unity
> submitting repeatedly emails to SMTP server, can you please more
> precisely describe the steps to reproduce?
>
> Best,
> Krzysztof
From: Krzysztof B. <go...@ic...> - 2015-10-09 16:22:01
Dear All,

The release 1.7.0 of Unity server is ready for download.

Note: since this version Java 8 is required to run Unity.

The 1.7.0 release in the first place fixes numerous bugs that were found in 1.6.x releases. The most important new features are:

- Support for PostgreSQL database backend.
- It is possible now to access (public) registration forms with well known URLs. You need a special endpoint for this feature (enabled in 1.7.0 by default). The public link of a form is visible in its settings in AdminUI.
- It is possible to redirect the user's browser after registration and after confirming an email. This mechanism was partially available before (only for registration) but was reworked so redirection has rich information about the operation state passed with parameters.
- A new input translation action - remove stale data - is available. It allows for removing stale data from Unity, so the Unity database can be kept in sync with the remote IdP.

Big thanks to everybody involved in this release!

The full list of changes with additional details is available as always at http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2015-09-22 10:51:13
Hi,

On 16.09.2015 at 14:56, Sander Apweiler wrote:
> Hi all,
>
> I have a problem with the mailing behavior of Unity. Unity tries to
> send an email to a test user with a non-existing email address. The user
> is already deleted but Unity still tries to send a confirmation mail to
> this user. How can I stop this?

Are you sure it is Unity? Unity will send (if configured so) a confirmation email to check if the email is valid. It is also in the case of not existing user: during registration. The confirmation is sent exactly once in any case.

Maybe your SMTP is resending an email (originating from Unity) due to any of SMTP-justified cases? If you are positive that it is Unity submitting repeatedly emails to SMTP server, can you please more precisely describe the steps to reproduce?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2015-09-16 12:56:57
Hi all,

I have a problem with the mailing behavior of Unity. Unity tries to send an email to a test user with a non-existing email address. The user is already deleted but Unity still tries to send a confirmation mail to this user. How can I stop this?

Best regards,
Sander Apweiler
From: Krzysztof B. <go...@ic...> - 2015-09-11 10:35:30
Dear Gerben,

On 11.09.2015 at 11:45, Gerben Venekamp wrote:
> Dear Krzysztof,
>
> Thanks for the reply. I did not explain myself well enough…
>
> What I failed to make clear was that the services are of a distributed
> nature. In other words, the service is run across multiple sites. In
> this kind of setup, LDAP is already being deployed. When a user has
> access to a distributed service, it must be able to authenticate for
> that service at all the different sites the service is hosted. Sites
> usually have LDAP already running and adding to their existing LDAP
> infrastructure is relatively easy. What happens is that there is a
> master LDAP directory, which gets copied (replicated) to all involved
> sites. This enables that a user is allowed to access a service on any of
> the involved sites. It also ensures that all local sites do not have to
> add a user to their local LDAP. It relieves local sites from doing all
> the same thing and relieves the user in getting access to all sites
> where the service is deployed.
>
> The above described setup obviously requires a registration process.
> Currently users are added to the master LDAP directories in different
> ways, but none of them are federated. The idea is to make this
> registration process federated. In other words we are looking into
> putting Unity on top of the existing LDAP infrastructure in order to
> make the LDAP infrastructure federated. There is also a benefit in it.
> In case Unity is unavailable for authentication, we could fall back to
> the credentials in the LDAP directory and the service keeps running for
> those users. Also, tooling already makes use of LDAP and thus those are
> able to benefit from federated authentication.
>
> The setup that I am thinking of is depicted in the attached image. In
> this picture, a user accesses either the service on site A or B. The
> LDAP could be used to authenticate the users (it will have short lived
> credentials), or Unity is used for federated authentication. Unity adds
> or updates the validated user to/in the LDAP directory.
>
> Hopefully I have explained myself better this time. :-) What are your
> thoughts on this?

OK, now I got it (I think).

Sorry to say, but this is impossible (in general, not as Unity can't do something). Simply put you can't provision federated users to a local DB (as LDAP) as you never get the user's credential during federated login.

[and one remark mostly about wording: if you want to really "federate" your LDAPs you need an additional IdP software (Unity/Shib IdP/...) per each LDAP instance.]

You can have your local users in LDAP and federated users (in their IdPs which you can't control). If the federation gateway (as Unity) is down you can still use local LDAP if it is up, but not federated logins - those can not be magically "cached" locally.

You can in general ask about a local credential during registration of a first-time federation user. However this won't be federated access anymore and in general makes little sense.

For your setup you can go two ways:

1) setup single Unity to be a federation bridge plus expose LDAP login. Setup services to use Unity if available and local LDAP if not (what would be a degraded mode). Easy on Unity side, but can be a lot of work on (all) services side.

2) setup Unity as above but two instances using shared DB (and same configs) plus HA switching, e.g. IP in DNS is changed when primary is down. Then you can easily configure services to use Unity. But a lot of work on Unity & its RDBMS side.

Best,
Krzysztof
From: Gerben V. <ger...@su...> - 2015-09-11 09:45:37
Dear Krzysztof,

Thanks for the reply. I did not explain myself well enough…

What I failed to make clear was that the services are of a distributed nature. In other words, the service is run across multiple sites. In this kind of setup, LDAP is already being deployed. When a user has access to a distributed service, it must be able to authenticate for that service at all the different sites the service is hosted. Sites usually have LDAP already running and adding to their existing LDAP infrastructure is relatively easy. What happens is that there is a master LDAP directory, which gets copied (replicated) to all involved sites. This enables that a user is allowed to access a service on any of the involved sites. It also ensures that all local sites do not have to add a user to their local LDAP. It relieves local sites from doing all the same thing and relieves the user in getting access to all sites where the service is deployed.

The above described setup obviously requires a registration process. Currently users are added to the master LDAP directories in different ways, but none of them are federated. The idea is to make this registration process federated. In other words we are looking into putting Unity on top of the existing LDAP infrastructure in order to make the LDAP infrastructure federated. There is also a benefit in it. In case Unity is unavailable for authentication, we could fall back to the credentials in the LDAP directory and the service keeps running for those users. Also, tooling already makes use of LDAP and thus those are able to benefit from federated authentication.

The setup that I am thinking of is depicted in the attached image. In this picture, a user accesses either the service on site A or B. The LDAP could be used to authenticate the users (it will have short lived credentials), or Unity is used for federated authentication. Unity adds or updates the validated user to/in the LDAP directory.

Hopefully I have explained myself better this time. :-) What are your thoughts on this?

Cheers,
Gerben

> On 08 Sep 2015, at 23:19, Krzysztof Benedyczak <go...@ic...> wrote:
>
> Dear Gerben,
>
> On 08.09.2015 at 09:47, Gerben Venekamp wrote:
>> Dear all,
>>
>> Unity has its own user database and I am wondering if it is possible to
>> use LDAP instead. The second use case described in the Unity
>> documentation (1.1 Use cases) seems to hint at this. However, the
>> remainder of the document does not seem to further detail it. Of course
>> the documentation describes how Unity can be configured to use LDAP for
>> remote authentication. What I would like to know: is Unity able to use
>> LDAP for its user database (instead of using either the H2 or MySql
>> databases)?
>>
>
> No, it is not (and won't be) possible. You can only rely on LDAP as an external IdP service.
>
>> The idea behind this is that Unity can act as a master and replicate the
>> LDAP database to its slaves. This could be valuable when Unity for
>> authentication is temporarily not reachable, but services can still
>> validate already known users. It would ensure that people can continue
>> using a service in case Unity is not able to provide authentication.
>
> Well, I don't understand this idea.
>
> When you write "Unity can act as a master" do you mean that "LDAP instance used by Unity can act as (LDAP) master"? If so: how would this help you? I don't know what you use Unity for, but I assume it adds some value to your setup. And then if Unity is down you won't be able to operate. If you have a mixed setup and some services use LDAP directly, and some (e.g. web) via Unity with its added features, then you can replicate LDAPs and also set up two Unity instances, each configured to use a different LDAP - so you have real HA.
>
> Or do you have another setup in mind? My interpretations are not really aligned with what you wrote...
>
> Best regards,
> Krzysztof