I'm using WSO2-IS version 5.8.0. I have successfully established ReadOnly connection with my Active Directory LDAP Server, but faced another problem:
I have configured LDAP for users like in example below:
Connection URL: ldaps://your.domain.com:686
Connection Name: CN=John Dee,OU=Users,DC=your,DC=domain,DC=com
Connection Password: mygoodpassword
User Search Base: OU=Users
Username Attribute: sAMAccountName
User Search Filter: (&(objectClass=user)(sAMAccountName=?))
User List Filter: (objectClass=person)
Everything works fine, users were added and I was able to login to my services using SSO.
The problem has appeared when I have tried to add Roles(Groups from AD):
Below are the parameters which I used for adding AD groups:
Group Search Base: OU=Groups
Group Name Attribute: sAMAccountName
Group Search Filter: (&(objectClass=group)(sAMAccountName=?))
Group List Filter: (objectClass=group)
Membership attribute: member
Afterwards I clicked on the "Update" button, and the User Store disappeared, but the .xml file on the server still exists.
I tried to configure ReadOnly LDAP using the .xml on the server, but after any edits in the User Store from the UI, the same issue appears.
I found a solution for the problem. For an unknown reason, when I initially set all parameters in the UI, there was a problem in the XML file:
/usr/lib64/wso2/wso2is/5.8.0/repository/deployment/server/userstores/Example.xml:
Initial value:
<Property name="GroupNameSearchFilter">(&(objectClass=group)(sAMAccountName=?))</Property>
After my changes:
<Property name="GroupNameSearchFilter">(&(objectClass=group)(sAMAccountName=?))</Property>
I have restarted the wso2 service and now everything works fine.
However, it seems the problem is in the UI field verification; I don't know why the wso2 UI didn't validate the fields in User Stores.
I've checked the docs, but so far haven't found how to change the default admin password in ActiveMQ Artemis 2.27.1 created when using the artemis create command.
Here are the contents of the etc/login.config:
activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
        debug=false
        reload=true
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
These are the contents of artemis-users.properties:
admin = ENC(1024:EE12ADBFA02C8DB4AF73E22F44C9BD2C12861A2CD01186CA07A874FAA824A757:BA04C1C3F55B0F68EFB2804BB001EAC2C5105EC1662DCBF96E158F9DA3E0C1BB9D8ECA2FF77BBD391938BCB1E69D865322981AB134BF81B1378AFBBE9C040350)
#admin = ENC(1024:389da8e6db1d6dc50b300ec99ea5604a)
I tried masking the password as described here (this is the commented admin), but got invalid credentials when I tried to login after restarting the server.
I generated it like this:
./artemis mask <plaintextPassword>
By default credentials are stored in the etc/artemis-users.properties. Each line represents a user and its password in the format:
<user> = <password>
Passwords are hashed by default and stored using the ENC() syntax, but you can use plain text password if you want. Also, by default any changes to artemis-users.properties and artemis-roles.properties are reloaded automatically (since reload=true in login.config) so there's no need to restart the broker.
More details are available in the documentation for the PropertiesLoginModule.
If you want to update the file manually with a hashed password you need to use the following command in the bin directory:
$ ./artemis mask --hash <password>
This is documented in the "Masking Passwords" chapter.
Additionally, if you have at least one valid, working user account with the manage permission or if you have anonymous login enabled then you can use the user commands to list, add, remove, and reset users. As before, more details can be found in the documentation.
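The difference the answer draws between a masked value (`artemis mask`) and a hashed one (`artemis mask --hash`) is visible in the two `admin` entries quoted in the question: the hashed form is `ENC(<iterations>:<salt>:<hash>)`, the masked form is a single `ENC(<hex>)` value. The following audit script is an added example, not part of Artemis or of the answer; it parses an `artemis-users.properties` file and reports which users are stored as hashed, masked or plaintext, so a plain `mask` output or a cleartext password does not go unnoticed. The sample file contents are constructed (the hex values are shortened stand-ins, not real credentials).

```python
import re

# Constructed sample of etc/artemis-users.properties, modelled on the two entry
# styles quoted in the question (hex shortened; nothing here is a real secret).
SAMPLE_USERS_PROPERTIES = """\
# Users and their credentials
admin = ENC(1024:EE12ADBFA02C8DB4:BA04C1C3F55B0F68)
# value written by `artemis mask` WITHOUT --hash: reversible masking, not a hash
service = ENC(389da8e6db1d6dc50b300ec99ea5604a)
legacy = plaintextSecret
"""

# ENC(<iterations>:<salt>:<hash>): salted hash written by `artemis mask --hash`
HASHED_RE = re.compile(r"^ENC\((\d+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\)$")
# ENC(<hex>): masked value written by `artemis mask` (decodable, not a hash)
MASKED_RE = re.compile(r"^ENC\(([0-9A-Fa-f]+)\)$")


def classify_credential(value):
    """Return 'hashed', 'masked' or 'plaintext' for one stored credential."""
    if HASHED_RE.match(value):
        return "hashed"
    if MASKED_RE.match(value):
        return "masked"
    return "plaintext"


def parse_users_properties(text):
    """Parse '<user> = <password>' lines, skipping blank lines and comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, _, value = line.partition("=")
        users[name.strip()] = value.strip()
    return users


def audit_users_properties(text):
    """Map each user to how its credential is stored, e.g. {'admin': 'hashed'}.

    Anything other than 'hashed' deserves attention: the question reports that a
    value from `artemis mask` without --hash was rejected at login, and a
    plaintext entry is readable by anyone who can read the file.
    """
    return {user: classify_credential(value)
            for user, value in parse_users_properties(text).items()}


if __name__ == "__main__":
    for user, kind in audit_users_properties(SAMPLE_USERS_PROPERTIES).items():
        print(f"{user:10s} {kind}")
```

Because `reload=true` in `login.config` picks up edits to the properties file without a restart, running this kind of check on the live file is a cheap way to confirm that every entry is in the `--hash` form after a manual edit.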
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example, I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior, and is it introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (that is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified from the authenticated user, and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
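The answer's point is that getUserProfile wants the tenant-free username, while the tenant comes from the account that authenticated to the admin service. The helper below is an added example, not WSO2 code: it splits the authorizedUser value returned by OAuth2TokenValidationService into username and tenant domain, and refuses to build a request when the token's tenant does not match the tenant of the admin session. It assumes the `#` shown on this page is the username/tenant separator, and the list of configured tenant domains (KNOWN_TENANTS) is constructed. Splitting at the last separator only when the suffix is a configured tenant is what keeps e-mail usernames such as admin#admin.com intact.

```python
# Added example (not WSO2 code). Assumptions: '#' is the username/tenant
# separator as written on this page, and KNOWN_TENANTS is a constructed list
# of the tenant domains configured on the server.
SUPER_TENANT = "carbon.super"
KNOWN_TENANTS = {SUPER_TENANT, "test.net", "test2.net"}


def split_tenant_qualified_user(authorized_user, known_tenants=KNOWN_TENANTS):
    """Return (tenant-free username, tenant domain) for an authorizedUser value.

    E-mail usernames contain the separator themselves, so the split is done at
    the LAST separator, and only when the suffix is a configured tenant domain;
    otherwise the whole string is the username and the tenant is the super tenant.
    """
    username, sep, suffix = authorized_user.rpartition("#")
    if sep and username and suffix in known_tenants:
        return username, suffix
    return authorized_user, SUPER_TENANT


def profile_request(authorized_user, session_tenant, profile_name="default"):
    """Build the getUserProfile parameters from a validated token's authorizedUser.

    session_tenant is the tenant domain of the account that authenticated to the
    admin service; the answer above says the service takes the tenant from that
    session, so a token user from another tenant must not be looked up through it.
    """
    username, tenant = split_tenant_qualified_user(authorized_user)
    if tenant != session_tenant:
        raise PermissionError(
            f"token user belongs to tenant {tenant!r}, admin session is {session_tenant!r}")
    return {"username": username, "profileName": profile_name}


if __name__ == "__main__":
    print(profile_request("admin#admin.com#carbon.super", "carbon.super"))
    print(profile_request("admin#admin.com#test.net", "test.net"))
```

The tenant check matters in the multi-tenant case from the question: admin#admin.com#test.net and admin#admin.com#test2.net become the same tenant-free username, so the only thing that distinguishes them is the tenant of the session used to call the service.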
I am currently running a local Sitecore at version 7.2 rev 140526 and Web Forms for Marketers at 2.4 rev 150619. I am currently experiencing an SMTP failure to authenticate error when using the WFFM SendEmailMessage default save action.
After some investigation, I discovered that this is because WFFM's internal EmailAttributes class that stores the SMTP config (that comes from either the web.config or the Parameters field on the SaveAction itself, as per their documentation) was using an old SMTP password that was changed over a year ago.
That is to say, the values retrieved by the following two lines of code were different despite the fact that the mail server password in the web.config and Parameters fields specify the same value:
var configPassword = Sitecore.Configuration.Settings.GetSetting("MailServerPassword");
// EmailAttributes.Password
var basePassword = Password;
This old password that is returned when accessing the EmailAttributes.Password field is not present in the web.config in either the solution or the Sitecore/Website directory, nor is it present in my local showconfig. Furthermore, the old password is not present in the Parameters field of the default WFFM SendEmailMessage save action, and the following Sitecore query executed against the Core, Master and Web databases yields no results:
fast://*[#Parameters = '%fooBar%']
It is also worth noting that if the value contained in the configPassword variable (which is the correct password) is used to overwrite the value contained in the EmailAttribute's Password field (e.g. Password = configPassword) mail is sent successfully and there is no authentication error with the SMTP server.
We have a custom SendEmail save action that inherits from Sitecore.Form.Submit.SendMessage, overrides the Execute method, manipulates the fields collection and calls base.Execute() and emails are sent successfully.
Also, in WFFM v 2.3.0 rev 130118 there is no SMTP failure to authenticate exception thrown when using the default SendEmailMessage save action provided by WFFM when using the same SMTP configuration in the web.config file and config injected into the Parameters field of the SendEmailMessage save action.
I am at a loss for how/why the EmailAttributes.Password field would be getting a value that is not present in config, not coming from the Parameters field on the SaveAction in Sitecore, and isn't configured manually in the SMTP Email IIS module.
Any insight would be much appreciated!
The issue is most likely due to the way that the WFFM parameters are stored. Unfortunately the save action is not stored as a reference to the original when you add an action to a form. What actually happens is the parameters are copied from the parameters field of the Save Action to the Save Actions field on the form when it is added. Since it is a copy and not a reference, changing the parameters on the original save action does not change any existing forms using that save action.
You can verify this by going to the form in Content Editor, go to the View ribbon and ensure Standard Fields and Raw Values are both checked. Then check the Save Actions field under the Submit section. You should find the password within the XML in the <parameters> node.
There are 2 options to fix this:
1. Delete the send email save action from your form and add it in again
2. Edit the XML from the Save Actions field to remove the Password
I'm trying to log in a new user, but I have some problems.
I've created an admin role, admin user, RoleMapping and the Principal. Then I've created the client services using the command below:
lb-ng ../server/server.js js/lb-services.js
When I try to login using the command
User.login({"email":"email","password":"password"})
I receive:
POST http://localhost:3000/users/login?include=user 404 (Not Found)
What is the query string parameter ?include=user?
I've tried to login with PostMan and everything works correctly.
What am I doing wrong?
Thanks in advance.
Good afternoon, it seems to be a somewhat old post, but I had this same problem and found a solution for it.
If we check the file generated by lb-ng for the login function, it states:
 * Login a user with username/email and password.
 *
 * #param {Object=} parameters Request parameters.
 *
 *  - `include` – {string=} - Related objects to include in the response. See the description of return value for more details.
 *   Default value: `user`.
And if we check the return value's description:
 * The response body contains properties of the AccessToken created on login.
 * Depending on the value of `include` parameter, the body may contain additional properties:
 *
 *   - `user` - `{User}` - Data of the currently logged in user. (`include=user`)
So include=user seems to add to the response a property containing the logged-in user's data, called "user" in this case, but you can change the property's name to whatever you want.
In my case the solution was following Robin's answer and changing the default server. It seems that the lb-ng solution creates code that looks for API calls on the server where the client is running. If you use another server you must change app.config this way, as stated in the loopback docs:
angular.module('my-app-module')
  .config(function(LoopBackResourceProvider) {
    // Use a custom auth header instead of the default 'Authorization'
    LoopBackResourceProvider.setAuthHeader('X-Access-Token');
    // Change the URL where to access the LoopBack REST API server
    LoopBackResourceProvider.setUrlBase('http://api.example.com/');
  });
Leave the header line if you want that change, but it's mandatory to use the second line, changing 'http://api.example.com' to the server you use to serve the REST API.
(Hope it helps to anyone with this problem).
There is a table in our WSO2 DB (SQL Server) called [IDN_OPENID_USER_RPS] and it has a column - LAST_VISIT. I have searched to find a configuration setting that will turn this feature on, but no success. It is used for OpenId. Any help or ideas would be appreciated.
When users login to OpenID relying party applications where the OpenID authentication is provided by the Identity Server, the login details are stored in this table. USER_NAME column contains the username of the logged in user. RP_URL contains the URL of the relying party where it should be redirected upon successful login. TRUSTED_ALWAYS column contains the value of TRUE or FALSE which indicates whether the user has given the “Approve Always” or “Approve” options of the application for authentication. LAST_VISIT column contains the date of the last login of the user. VISIT_COUNT is the number of successful login attempts for the user.
Configuration of OpenID can be found here https://docs.wso2.com/display/IS500/Managing+OpenID+Connect
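Since the answer only describes what each column of IDN_OPENID_USER_RPS records, the following is an added example (not Identity Server code) showing the two things an operator usually wants from that table: how a row evolves on each successful OpenID login (LAST_VISIT refreshed, VISIT_COUNT incremented), and a review query that lists relying parties a user approved with "Approve Always" but has not visited for a long time, since standing consent to an unused RP is worth revoking. Column names are the ones given in the answer; the SQLite types, the sample rows and the upsert logic are constructed assumptions and not the product's SQL Server schema.

```python
import sqlite3
from datetime import datetime, timedelta

# Column names come from the answer above; types, sample rows and the upsert
# logic are constructed for this example (SQLite in memory, not SQL Server).
SCHEMA = """
CREATE TABLE IDN_OPENID_USER_RPS (
    USER_NAME      TEXT    NOT NULL,
    RP_URL         TEXT    NOT NULL,
    TRUSTED_ALWAYS TEXT    NOT NULL,   -- 'TRUE' (Approve Always) or 'FALSE' (Approve)
    LAST_VISIT     TEXT    NOT NULL,   -- ISO-8601 timestamp of the last login
    VISIT_COUNT    INTEGER NOT NULL,   -- number of successful logins
    PRIMARY KEY (USER_NAME, RP_URL)
)
"""

# Fixed "current time" so the sample data and the checks are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)


def open_sample_db(now=SAMPLE_NOW):
    """Create an in-memory table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("alice", "https://rp-one.example/return", "TRUE",
         (now - timedelta(days=200)).isoformat(), 12),
        ("alice", "https://rp-two.example/return", "FALSE",
         (now - timedelta(days=3)).isoformat(), 1),
        ("bob", "https://rp-one.example/return", "TRUE",
         (now - timedelta(days=10)).isoformat(), 40),
    ]
    conn.executemany("INSERT INTO IDN_OPENID_USER_RPS VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def record_visit(conn, user, rp_url, trusted_always, now):
    """Update the row for a successful login the way the answer describes:
    refresh LAST_VISIT and bump VISIT_COUNT; insert the row on first visit."""
    flag = "TRUE" if trusted_always else "FALSE"
    updated = conn.execute(
        """
        UPDATE IDN_OPENID_USER_RPS
        SET LAST_VISIT = ?, VISIT_COUNT = VISIT_COUNT + 1, TRUSTED_ALWAYS = ?
        WHERE USER_NAME = ? AND RP_URL = ?
        """,
        (now.isoformat(), flag, user, rp_url),
    ).rowcount
    if updated == 0:
        conn.execute(
            "INSERT INTO IDN_OPENID_USER_RPS VALUES (?, ?, ?, ?, ?)",
            (user, rp_url, flag, now.isoformat(), 1),
        )
    conn.commit()


def visit_count(conn, user, rp_url):
    """Return VISIT_COUNT for one user/RP pair (None if no row exists)."""
    row = conn.execute(
        "SELECT VISIT_COUNT FROM IDN_OPENID_USER_RPS WHERE USER_NAME = ? AND RP_URL = ?",
        (user, rp_url),
    ).fetchone()
    return None if row is None else row[0]


def stale_always_approved(conn, now, max_age_days=90):
    """List (USER_NAME, RP_URL, LAST_VISIT) for relying parties the user approved
    'always' but has not logged in to within max_age_days: candidates for review."""
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    return conn.execute(
        """
        SELECT USER_NAME, RP_URL, LAST_VISIT
        FROM IDN_OPENID_USER_RPS
        WHERE TRUSTED_ALWAYS = 'TRUE' AND LAST_VISIT < ?
        ORDER BY LAST_VISIT
        """,
        (cutoff,),
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for user, rp, last in stale_always_approved(db, SAMPLE_NOW):
        print(f"{user}: 'Approve Always' for {rp}, last visit {last}")
```

The timestamp comparison works because every LAST_VISIT value is written in the same ISO-8601 format, so string order matches chronological order; on the real SQL Server table LAST_VISIT is a date/time column and the same WHERE clause can compare against a date directly.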