Why is authentication module always picking embedded datastore and not the other ?


Olivier Rivat
Hi,


I have the following

1. installed opendj locally on port 1389 (with 50 default users)
---> This has generated 50 new users below dc=example,dc=com.

For example, there is user.0
dn uid=user.0,ou=people,dc=example,dc=com


2. I have a default openam installation using the embedded opends
datastore (port 50389)
I am able to connect to openam.example.com:8080/openam using amAdmin,
and also the user demo


3. I have done following
3.1 created a new realm example-realm1 (parent realm /)
3.2 created an opendj-example datastore with
    ldap server settings :    openam.example.com:1389
    Bind DN: cn=Directory Manager
    LDAP Organization DN: dc=example,dc=com
    Persistent search control Base DN: dc=example,dc=com

3.3 Clicking the subjects TAB I can see all the 50 opendj user visible
within openam console

4. Now I will try to authenticate within openam using one of these users
(for example user.9 from opendj), and it is failing as follows:

4.1 authentication.csv
---> it is indicating that authentication is failing
"moduleId"":""DataStore"",""info"":{""failureReason"":""LOGIN_FAILED""

~/openam/openam/log$ grep user.9 *
authentication.csv:"c477dccf-04de-4c8a-8511-76758ba08267-3002","2016-04-07T15:57:16.876Z","AM-LOGIN-MODULE-COMPLETED","c477dccf-04de-4c8a-8511-76758ba08267-3000",,"[""2e6c740dc5fb913f01""]","FAILED","[""user.9""]",,"[{""moduleId"":""DataStore"",""info"":{""authControlFlag"":""REQUIRED"",""moduleClass"":""DataStore"",""ipAddress"":""127.0.0.1"",""authLevel"":""0""}}]","Authentication","/"
authentication.csv:"c477dccf-04de-4c8a-8511-76758ba08267-3004","2016-04-07T15:57:16.877Z","AM-LOGIN-COMPLETED","c477dccf-04de-4c8a-8511-76758ba08267-3000",,"[""2e6c740dc5fb913f01""]","FAILED","[""user.9""]",,"[{""moduleId"":""DataStore"",""info"":{""failureReason"":""LOGIN_FAILED"",""ipAddress"":""127.0.0.1"",""authLevel"":""0""}}]","Authentication","/"


4.2 In fact, authentication is failing as authentication is redirected to
the embedded ldap module.
Within the embedded ldap module (531389), it is trying to instantiate
uid=user.9ou=people,dc=openam,dc=forgerock,dc=org

and this entry does not exist, which is normal(!).

access:[07/Apr/2016:17:57:16 +0200] SEARCH REQ conn=15 op=2580
msgID=2581 base="ou=people,dc=openam,dc=forgerock,dc=org" scope=sub
filter="(&(|(uid=user.9))(&(uid=*)(objectclass=inetorgperson)))"

4.3) why is the embedded datastore called instead of the other

So my question is why the authentication is redirected to the embedded ldap
module and not the other data store (i.e. opendj.example.com:1389 with
dc=example,dc=com)
What shall be done to fix this?




5) additional information grabbed during the investigation



./ssoadm list-auth-instances -u amadmin -f /tmp/pwd.txt -e /example-realm1

Authentication Instances:
DataStore, [type=DataStore]
OATH, [type=OATH]
HOTP, [type=HOTP]
Federation, [type=Federation]
SAE, [type=SAE]
LDAP, [type=LDAP]
openam1@biviers:~/openam-tools/admin/openam/bin$ ./ssoadm
get-auth-instance -u amadmin -f /tmp/pwd.txt -e /example-realm1 -m LDAP

Authentication Instance profile:
iplanet-am-auth-ldap-auth-level=0
iplanet-am-auth-ldap-bind-passwd=********
iplanet-am-auth-ldap-return-user-dn=true
iplanet-am-ldap-user-creation-attr-list=
iplanet-am-auth-ldap-bind-dn=cn=Directory Manager
iplanet-am-auth-ldap-user-search-attributes=uid
openam-auth-ldap-heartbeat-timeunit=SECONDS
iplanet-am-auth-ldap-user-naming-attribute=uid
openam-auth-ldap-heartbeat-interval=10
iplanet-am-auth-ldap-base-dn=dc=example,dc=com
iplanet-am-auth-ldap-ssl-trust-all=false
iplanet-am-auth-ldap-invalid-chars=*|(|)|&|!
openam-auth-ldap-operation-timeout=0
iplanet-am-auth-ldap-search-filter=
iplanet-am-auth-ldap-search-scope=SUBTREE
iplanet-am-auth-ldap-behera-password-policy-enabled=true
iplanet-am-auth-ldap-min-password-length=8
iplanet-am-auth-ldap-server=openam.example.com:1389
openam-auth-ldap-connection-mode=LDAP
iplanet-am-auth-ldap-server2=

openam1@biviers:~/openam-tools/admin/openam/bin$ ./ssoadm
get-auth-instance -u amadmin -f /tmp/pwd.txt -e /example-realm1 -m DataStore

Authentication Instance profile:
sunAMAuthDataStoreAuthLevel=0
iplanet-am-auth-ldap-invalid-chars=*|(|)|&|!





Regards,

Olivier



_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Why is authentication module always picking embedded datastore and not the other ?

Bernhard Thalmayr
The log file suggests that the root realm '/' is used instead of the
sub-realm '/example-realm1'


....
}}]","Authentication","/"
...

-Bernhard

On 07/04/16 at 18:16, Olivier Rivat wrote:



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

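To make Bernhard's diagnosis mechanical, here is an added example (not code from the thread, from OpenAM or from OpenDJ) that parses the two authentication.csv records and the OpenDJ access-log line Olivier posted and reports why the login was served by the root realm's store. The CSV column offsets are an assumption derived from the shape of those two records, since the grep output carries no header row; the `diagnose` function, `expected_realm` and `expected_suffix` are names chosen for this example.

```python
import csv
import json
import re

# The two authentication.csv records from the post (grep's "authentication.csv:"
# filename prefix removed). OpenAM stores JSON-valued fields with doubled quotes,
# which the csv module unescapes for us.
AUDIT_LINES = [
    '"c477dccf-04de-4c8a-8511-76758ba08267-3002","2016-04-07T15:57:16.876Z","AM-LOGIN-MODULE-COMPLETED","c477dccf-04de-4c8a-8511-76758ba08267-3000",,"[""2e6c740dc5fb913f01""]","FAILED","[""user.9""]",,"[{""moduleId"":""DataStore"",""info"":{""authControlFlag"":""REQUIRED"",""moduleClass"":""DataStore"",""ipAddress"":""127.0.0.1"",""authLevel"":""0""}}]","Authentication","/"',
    '"c477dccf-04de-4c8a-8511-76758ba08267-3004","2016-04-07T15:57:16.877Z","AM-LOGIN-COMPLETED","c477dccf-04de-4c8a-8511-76758ba08267-3000",,"[""2e6c740dc5fb913f01""]","FAILED","[""user.9""]",,"[{""moduleId"":""DataStore"",""info"":{""failureReason"":""LOGIN_FAILED"",""ipAddress"":""127.0.0.1"",""authLevel"":""0""}}]","Authentication","/"',
]

# The embedded OpenDJ access-log line from the post, re-joined onto one line.
ACCESS_LINE = ('[07/Apr/2016:17:57:16 +0200] SEARCH REQ conn=15 op=2580 msgID=2581 '
               'base="ou=people,dc=openam,dc=forgerock,dc=org" scope=sub '
               'filter="(&(|(uid=user.9))(&(uid=*)(objectclass=inetorgperson)))"')

# Assumption: column positions inferred from the two records above (no header
# row in the grep output): event name, result, principal, JSON entries, realm.
COL_EVENT, COL_RESULT, COL_PRINCIPAL, COL_ENTRIES, COL_REALM = 2, 6, 7, 9, 11


def parse_audit_line(line):
    """Turn one authentication.csv record into a dict of the fields that matter here."""
    fields = next(csv.reader([line]))
    entries = json.loads(fields[COL_ENTRIES]) if fields[COL_ENTRIES] else []
    first = entries[0] if entries else {}
    return {
        "event": fields[COL_EVENT],
        "result": fields[COL_RESULT],
        "principal": json.loads(fields[COL_PRINCIPAL]) if fields[COL_PRINCIPAL] else [],
        "module": first.get("moduleId"),
        "failure_reason": first.get("info", {}).get("failureReason"),
        "realm": fields[COL_REALM],
    }


def search_base(access_line):
    """Extract the base DN of a SEARCH REQ line from an OpenDJ access log."""
    m = re.search(r'base="([^"]*)"', access_line)
    return m.group(1) if m else None


def dn_under(dn, suffix):
    """True if dn equals suffix or lies below it (case-insensitive, no whitespace normalisation)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def diagnose(audit_lines, access_line, expected_realm, expected_suffix):
    """Return findings explaining why a login was handled by an unexpected data store.

    One finding per audit record whose realm is not expected_realm, plus one if the
    directory search base is outside the suffix of the store configured for that realm.
    """
    findings = []
    for rec in (parse_audit_line(l) for l in audit_lines):
        if rec["realm"] != expected_realm:
            findings.append(
                f"{rec['event']}: principal {rec['principal']} was processed in realm "
                f"{rec['realm']!r} by module {rec['module']!r}, not in {expected_realm!r}"
            )
    base = search_base(access_line)
    if base is not None and not dn_under(base, expected_suffix):
        findings.append(
            f"directory search base {base!r} is outside the configured store suffix "
            f"{expected_suffix!r}: the lookup went to the root realm's data store"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(AUDIT_LINES, ACCESS_LINE, "/example-realm1", "dc=example,dc=com"):
        print("-", finding)
```

Run against the posted data with `/example-realm1` and `dc=example,dc=com` as the expected realm and suffix, it yields three findings: both audit records carry realm `/`, and the search base `ou=people,dc=openam,dc=forgerock,dc=org` belongs to the embedded store rather than to the `opendj-example` store. The same check with `/` and `dc=openam,dc=forgerock,dc=org` returns nothing, which is the point: the DataStore module did exactly what the root realm's configuration told it to, so the fix is to direct the login at the sub-realm rather than to change the module. In OpenAM the realm is selected on the login request itself (for example with the `realm` query parameter on the login URL); that is standard OpenAM behaviour, not something the thread spells out.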