I've been trying to configure Sonar with Active Directory for a while with no luck so I was really excited to see the new LDAP 1.5 plug-in. Unfortunately it's still not working for me but it's so close! The lookup is successful but then something fails:
DEBUG web[w.s.NegotiateSecurityFilter] logged in user: CORP\My.UserName (S-1-5-21-1305660829-1405082133-723345943-15257)
DEBUG web[w.s.NegotiateSecurityFilter] roles: CORP\My.UserName, CORP\Domain Users, Everyone, BUILTIN\Administrators, BUILTIN\Users, NT AUTHORITY\NETWORK, NT AUTHORITY\Authenticated Users, NT AUTHORITY\This Organization, [etc.]
INFO web[w.s.NegotiateSecurityFilter] successfully logged in user: CORP\My.UserName
DEBUG web[o.s.p.l.w.s.s.SsoAuthenticationFilter] Validating authenticated user
DEBUG web[http] GET /sessions/new?return_to=%2F | time=1527ms
ERROR web[rails] Error from external users provider: exception Java::Com4j::ComException: 80040e37 (Unknown error) : A referral was returned from the server.
DEBUG web[http] GET /ldap/validate | time=1738ms
This was with the Negotiate protocol but I got the same error using the default NTLM protocol as well. Running Sonar 5.2.
The 1.5.1 update fixed this issue for me.
https://jira.sonarsource.com/browse/LDAP-49
Related
After reading the following article:
http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx
I tried to implement an OpenID Connect/Oauth code flow per the documentation at:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-appmodel-v2-overview/
I'm using mod_auth_openidc as my Relying Party (that I have working with both Google and my own OpenID Provider.
I've registered my app at https://apps.dev.microsoft.com, and gone through all the steps. I get the login screen at microsoft, then the permissions screen and when it redirects back to my site and hits mod_auth_openidc, I get an error that says:
Error:
The OpenID Connect Provider returned an error: Error in handling response type.
In my Apache Error logs I get:
oidc_proto_validate_code_response: requested flow is "code" but no "access_token" parameter found in the code response, referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&scope=openid&client_id=xxx&state=yyy&redirect_uri=https%3A%2F%2Fdst-dev.mydomain.com%2Foauth2callback&nonce=zzz
and
oidc_proto_resolve_code_and_validate_response: code response validation failed,
What I'm trying to figure out is where the problem lies. Is there an issue with what Microsoft is sending mod_auth_openidc, or is there a bug or configuration issue on the mod_auth_openidc side?
The example at MS webpages uses a different response mode and response type in the authentication request:
&response_mode=form_post&response_type=code+id_token
both are supported by mod_auth_openidc so you could apply something similar by including:
OIDCResponseType id_token
OIDCResponseMode form_post
in the Apache configuration or using the associated primitives in the .conf file for Microsoft when using multiple providers.
I am trying to use ADALJS(https://github.com/AzureAD/azure-activedirectory-library-for-js) to access Azure Active Directory. I am successfully able to perform the login however when I try to make a webapi call I get the following error
Error description:AADSTS65001: No permission to access user information is configured for 'clientid' application, or it is expired or revoked.
You can follow this sample to verify your application configuration : https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet
You may be missing to enable Oauth2 implicit flow in the manifest.
idp-process.log
ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
shibd.log
ERROR OpenSAML.SOAPClient [109]: SOAP client detected a SAML error: (urn:oasis:names:tc:SAML:2.0:status:Responder) (Message did not meet security requirements)
ERROR Shibboleth.AttributeResolver.Query [109]: attribute authority returned a SAML error
The Shibboleth Authentication process is working properly. The Active Directory server (LDAP) is configured properly to work over SSL, which was verified using LDP.exe. I also coded a simple Java program to try to connect to the Active Directory server over SSL protocol. I was able to connect to the server using port 636, passed user credentials including password, and the server responded properly.
Certificates are already trusted by corresponding JVM cacerts.
Setup instructions are already followed as documented from https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector
However, there is still an error during Attribute query from the Active Directory server. Below are snippet of the configurations.
Any idea as to why there is an error on the Attribute Query?
Thanks.
attribute-resolver.xml
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldaps://WIN-1GB01UK5SL6.VECISADTEST.com"
baseDN="CN=Users,DC=vecisadtest,DC=com"
principal="Administrator#vecisadtest.com"
principalCredential="XXX"
useStartTLS="false"
>
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>
<StartTLSTrustCredential xsi:type="sec:X509Filesystem"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="UA_AD_CA_Certificate">
<sec:Certificate>C:\Progs\ShibbolethIdP\certs\VECISADTEST.pem</sec:Certificate>
</StartTLSTrustCredential>
<StartTLSAuthenticationCredential xsi:type="sec:X509Filesystem"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="IdPtoLDAPCredential">
<sec:PrivateKey>C:\Progs\ShibbolethIdP\credentials\idp.key</sec:PrivateKey>
<sec:Certificate>C:\Progs\ShibbolethIdP\credentials\idp.crt</sec:Certificate>
</StartTLSAuthenticationCredential>
</resolver:DataConnector>
login.config
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="WIN-1GB01UK5SL6.VECISADTEST.com"
port="636"
base="CN=Users,DC=vecisadtest,DC=com"
tls="false"
serviceCredential="XXX"
userRoleAttribute="sAMAccountName"
serviceUser="Administrator#vecisadtest.com"
ssl="true"
subtreeSearch = "true"
userField="sAMAccountName";
idp-metadata.xml
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.janet.org:8444/idp/profile/SAML1/SOAP/AttributeQuery"/><AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.janet.org:8444/idp/profile/SAML2/SOAP/AttributeQuery"/>
Thanks.
The issue was resolved by updating the config file shibboleth2.xml on the Service Provider. The signing attribute must be set to true.
[Shibboleth Service Provider install location] \etc\shibboleth\shibboleth2.xml
SPConfig > ApplicationDefaults#signing
Default installation of Shibboleth Service Provider 2.5.2, signing attribute is false.
I am having some issues with launching my first app from Google App Engine Launcher. I have already signed up for an account at the App Engine site. After I click on the deploy button, I get the deploy application to Google popup where I enter in the info I gave at sign up. I then get this error:
Starting update of app: isabelleengineapp, version: 1
12:49 PM Getting current resource limits.
Password for swissian#gmail.com: Use an application-specific password instead of your regular account password.
See http://www.google.com/support/accounts/bin/answer.py?answer=185833
However, now the recommended way to log in is using OAuth2. See
https://developers.google.com/appengine/docs/python/tools/uploadinganapp#oauth
2013-01-29 12:49:22,607 ERROR appcfg.py:2203 An error occurred processing file '': HTTP Error 401: Unauthorized. Aborting.
Error 401: --- begin server output ---
Must authenticate first.
--- end server output ---
2013-01-29 12:49:22 (Process exited with code 1)
Now, I think that this may because I have 2 step verification set up for my Google account but I have no idea what to do other than trying using an application specific password when getting the deploying popup, but that did not work. Any ideas?!
You can try passing the --oauth2 option to appcfg.py.
This is an alternative way of authenticating that avoids having to deal with passwords.
More details here: https://developers.google.com/appengine/docs/python/tools/uploadinganapp#Python_Password-less_login_with_OAuth2
I can't run facebook connect on localhost.
I am using app-engine on pydev.
I configured the site in facebook to : http://localhost:8080
but it returns an error :
API Error Code: 100
API Error Description: Invalid parameter
Error Message: next is not owned by the application.
Is there a way to work with facebook on localhost?
Thanks,
Gavriel
Set both your Site URL and Post-Authorize Redirect URL to http://localhost:8080/
Also, if you're using Internet Explorer, see here:
Facebook Connect / Graph - problems in Internet Explorer with fb:login dialog (not closing)
I found that using http://127.0.0.1:8080 in the browser instead of http://localhost:8080/ fixed a problem I was having in IE.
For future reference, the issue arises because of IE security settings. I fixed it by setting the local intranet zone (i.e. localhost) enhanced security checkbox, same as internet zone.