How to connect shibboleth idp to mysql instead of LDAP server? - shibboleth

I'm trying to install Shibboleth IdP and SP on a Windows machine. My aim is to use MySQL instead of LDAP. I couldn't find any relevant source. Please help!

If you are asking how to configure Shibboleth IdP to provide attributes derived from a MySQL source, you would use the <DataConnector> element. The following example connects to the database shibboleth at mysqldb.example.com and defines the attribute sn:
<!-- In the file attribute-resolver.xml (version 3.3 of Shibboleth IdP) -->
<AttributeDefinition
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    xsi:type="Simple" id="sn" sourceAttributeID="sn">
    <Dependency ref="mysqlconnector" />
    <AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:2.5.4.4" friendlyName="sn" />
</AttributeDefinition>

<DataConnector id="mysqlconnector" xsi:type="RelationalDatabase">
    <ApplicationManagedConnection
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcURL="jdbc:mysql://mysqldb.example.com/shibboleth"
        jdbcUserName="username"
        jdbcPassword="password" />
    <QueryTemplate>
        <![CDATA[
            SELECT sn
            FROM users
            WHERE userid='$resolutionContext.principal'
        ]]>
    </QueryTemplate>
</DataConnector>
Note that the above works with Shibboleth IdP version 3.3; for more information, see the Shibboleth RelationalDatabaseConnector documentation.

Related

Disable batch security in WebSphere Liberty

We use a WebSphere Liberty server behind a reverse proxy. We enabled the appSecurity-2.0 feature to add a custom TAI which validates HTTP requests between the proxy and Liberty. To use the batch framework that comes with WebSphere Liberty, we enabled the feature batchManagement-1.0 and added the required role configuration as described here: https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_batch_securing.html.
It is possible to submit a batch through the REST API if the tag authorization-roles is added to the server.xml and the role batchAdmin is assigned to a user from the basic registry. However, if we add the authorization-roles tag, Liberty restricts the HTTP requests from the proxy (frontend users) to the deployed web app and reports that the user does not have the required permission to access the resources.
Is it possible to disable the batch security in WebSphere Liberty independent of the appSecurity feature?
You could grant everyone batchAdmin role access simply by:
<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
</authorization-roles>
OR:
<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
        <special-subject type="EVERYONE" />
    </security-role>
</authorization-roles>
However, there is not a way to disable batch security with security enabled.

Configuring SAML with LDAP in spring

Is there a way to configure LDAP as the IdP provider for SSO?
I used the Spring SAML demo project (which shows SSO Circle as the IdP provider) and was able to configure two apps (SPs) with SSO.
Now, I want to use LDAP for populating user data (for authentication and authorization). Is there a good demo or tutorial to learn from and follow?
Thanks in advance
I can't say I use SAML (so can't speak to that), but I use the following for configuring my LDAP (AD) in Spring.
<security:ldap-server
    url="${ldap.url}"
    manager-dn="${ldap.manager.user}"
    manager-password="${ldap.manager.password}"
/>
<security:authentication-manager>
    <security:ldap-authentication-provider
        user-search-base="${ldap.search.user.base}"
        user-search-filter="${ldap.search.user.filter}"
        group-search-base="${ldap.search.group.base}"
        group-search-filter="${ldap.search.group.filter}"
        group-role-attribute="${ldap.search.group.attribute}"
    />
</security:authentication-manager>

How to implement teradata dbprovider in spring.net?

I have a .NET application that currently uses the Spring dbprovider to connect to an Oracle database.
The database is now being migrated from Oracle to Teradata. I am new to Spring, and Teradata does not seem to be in the default list of dbproviders present in Spring.
Is there any way to add the Teradata configuration in Spring? If so, please provide me the step by step method.
Currently this is the connection string being used in Spring .Net:
<db:provider id="dbProvider" provider="OracleClient-2.0" connectionString="Data Source=${db.server};User Id=${db.user};Password=${db.password};" />
I believe it is the data access object for 10g.
Could you please let me know how to create a DSN for Teradata in Spring .NET? Currently I have a DataAccess.xml page with the configuration:
<db:provider id="dbProvider" provider="Teradata" connectionString="Data Source=${db.server};User Id=${db.user};Password=${db.password};" />
<object id="adoTemplate" type="Spring.Data.Generic.AdoTemplate, Spring.Data">
    <property name="DbProvider" ref="dbProvider" />
</object>
You will likely need to install the Teradata ODBC driver, create a DSN, and use the Spring.Net ODBC 1.1 or ODBC 2.0 DBProvider.
EDIT:
The web server will need the DSN created. Whether you use a single 'service' account for the application or individual user accounts (whose credentials you will need to provide in your Spring.Net connection) is a decision for you and/or your company to arrive at.

Changing JSESSION ID with Tomcat 7

According to the Tomcat docs, Tomcat 7 is not vulnerable to the session fixation attack. But my Tomcat 7.0.25 as well as 7.0.27 is vulnerable to this attack. The JSESSIONID cookie value is not changed on successful login.
I added the following Valves to my conf/context.xml. But this didn't work. Please help me.
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.DigestAuthenticator" changeSessionIdOnAuthentication="true" />
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" changeSessionIdOnAuthentication="true" />
I have also come to know that the JSESSIONID cookie value only changes on authentication. What does authentication mean? Is it switching the application from HTTP to HTTPS?
Is there anything already built which can change the JSESSIONID value on login? Right now I am changing this via code.
Thanks in advance. Please let me know if you need more info.
Regards,
Prashant Gupta
Are you sure your application uses server security?
These configurations only affect this behaviour if you're using it.
If your authentication uses, for example, custom or Spring Security authentication, they will not apply and you will have to do this yourself.
For example, in Spring Security there are parameters for that.
Regards
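For an application that does its own login handling, as the answer above describes, the following is an added example (not code from the question or the answer; the servlet class and the credentialsValid stand-in are assumed) of doing by hand what Tomcat's changeSessionIdOnAuthentication does for container-managed authentication: once the credentials are verified, the pre-login session is invalidated and a fresh one is created, so the JSESSIONID the browser held before login can no longer be used as an authenticated session.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet for an application that does its own
// authentication, so Tomcat's changeSessionIdOnAuthentication never runs.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session id only after the credentials check succeeded.
        HttpSession session = migrateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Invalidate the pre-login session and start a fresh one: the browser gets a
    // new Set-Cookie: JSESSIONID and the old id is no longer known to the server.
    // Attributes are copied across (Spring Security calls this "migrateSession").
    static HttpSession migrateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Stand-in for the application's real credential check (assumed).
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && user.length() > 0;
    }
}
```

On Servlet 3.1 containers (Tomcat 8 and later) HttpServletRequest.changeSessionId() replaces the id in one call; with Spring Security the equivalent is the session-fixation-protection attribute of <session-management>.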

Configuring Spring Security Ldap 3.0 to work with Active Directory LDS

I am hoping that someone will help me out with a really frustrating problem I have.
Currently I am trying to get a Spring Security 3.0 web app to authenticate with an AD LDS instance, but I keep getting this error: 'Bad Credentials'. Unfortunately I don't have anything more to go on at the moment.
Below is a copy of the Security configuration being used:
<authentication-manager alias="ldapAuthenicationManager">
    <ldap-authentication-provider user-dn-pattern="CN={0},OU=Users,O=JLP,C=UK">
    </ldap-authentication-provider>
</authentication-manager>
<ldap-server url="ldap://server-ip/o=JLP,c=UK" manager-dn="CN=Manager,O=JLP,C=UK" manager-password="manager" />
I suspect the problem is caused by the <ldap-server> tag and that the manager-dn is not configured correctly. The DN of the Manager is copied directly from AD LDS - have I not provided enough information? Or does the password need to be encrypted/hashed?
Has anyone done anything like this with LDS - how did you work around this problem?
Apologies that this is so vague, but this is as much information as I have to go on. Does anyone have any suggestions of things to look at or for solutions?
All help is gratefully received!
Cheers
Mo
I am not sure if things would be significantly different for LDS, but can you try upgrading to Spring Security 3.1, as it has a specialized authenticator for AD?
It does not need a manager account, as it tries to bind using the username/password being authenticated. Also the configuration is minimal (no DN, search pattern, etc. to be provided):
<security:authentication-manager>
    <security:authentication-provider ref="activeDirectoryAuthenticationProvider"/>
</security:authentication-manager>
<bean id="activeDirectoryAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="${activedirectory.domain}" />
    <constructor-arg value="${activedirectory.server}" />
    <property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
where domain = example.com (from your example, jlp.uk) and server = ldap://ip
I remember that I came across the same issue, and the solution was to set the value of manager-dn to manageruser#yourdomain, e.g.:
<ldap-server url="ldap://server-ip/o=JLP,c=UK" manager-dn="morrislgn#example.com" manager-password="manager" />
Thanks for your answers they were very helpful.
Also found that the user account you are using for the manager-dn needs to be added to the reader role within LDS to allow it to search.
If you add the user role to the Administrators group you can connect but not search.
Cheers for your help
Slight necromancy here, but for those who stumble across this via Google: the most helpful tool I found for configuring my LDAP connection was the Apache Directory Studio LDAP browser. It was via this tool that I was able to get verbose enough error messages to discover what was wrong with my LDAP configuration, and how to correct it.
