I am trying to configure an LDAP server in the WSO2 API Manager so that I can log in with my LDAP username.
I made the configurations as per the available docs and I do not get any issues during server startup, but when I try to log in with the username, it fails to log me in and gives the error below in the console:
WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'sm38553[-1234]' at [2016-03-31 15:51:42,564+0530] from IP address 10.42.47.196
[2016-03-31 15:51:42,566] WARN - AuthenticationHandler Illegal access attempt at [2016-03-31 15:51:42,0566] from IP address 10.42.47.196 while trying to authenticate access to service LoggedUserInfoAdmin
[2016-03-31 15:51:42,567] ERROR - AUDIT_LOG Illegal access attempt at [2016-03-31 15:51:42,0566] from IP address 10.42.47.196 while trying to authenticate access to service LoggedUserInfoAdmin
If you want to use a different username for the super admin, you have to change it in the user-mgt.xml file:
<Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>abimaran</UserName>
        <Password>abimaran</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
    <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
WSO2 Identity Server version: 5.11.0
After changing the admin password, I am getting the error below during username recovery.
Error!
Callback URL validation failed. org.wso2.carbon.identity.mgt.endpoint.util.client.IdentityRecoveryException: Error while instantiating IdentityProviderMgtServiceStub
Error logged in Wso2 identity server wso2carbon.log:
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService
Can someone please advise.
I changed admin password from WSO2 console, and login is working fine with updated password.
However during username recovery, it throws illegal access attempt in logs.
What am I missing here?
I already updated the new password in cipher-text.properties and user-mgt.xml file too.
You can override the config in the RecoveryEndpointConfig.properties file, which is located in
<IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes
Change the
identity.server.service.access.password=admin
to the one that you updated in the admin console.
I'm using WSO2 with the Airavata science gateway software, and unfortunately some of the instructions for getting started are a little opaque. Two things I'm trying to accomplish:
1) set the "starting" admin username and password. As I understand it, these are set in WSO2 itself / its built in "H2" database, not whatever user/password store it's connected to such as LDAP. I can't find where to set that. I thought it was in user-mgt.xml, but the credentials you set there in the tags appear not to do anything.
2) Airavata uses an API key and secret key to connect to WSO2 IS. I can't find anywhere in the WSO2 setup where this is created.
Help?
1) If you want to set an existing admin user belonging to an external user store such as LDAP, you can use the following section in user-mgt.xml:
<Realm>
    <Configuration>
        <AddAdmin>false</AddAdmin>
        <AdminRole>admin</AdminRole>
        <AdminUser>
            <UserName>{Add_Your_Admin_User_Here}</UserName>
            <Password>admin</Password>
        </AdminUser>
        ....
    </Configuration>
Change "AddAdmin" to false if you do not want to create a new admin user. You can keep the password as it is or leave it blank, since it doesn't get used in this mode.
If you want to create a new one, keep the AddAdmin value as true and configure your user store in ReadWrite mode.
2) You should be able to find it under the Inbound Authentication section of the Service Provider:
Service Providers --> [your service provider] --> Inbound Authentication Configuration --> OAuth/OpenID Connect Configuration
I am attempting to setup both the Password Change and Password Reset features.
When I attempt to change my test account's password I see this message:
{org.wso2.carbon.identity.password.mgt.ChangePasswordServlet} - Change Password Failed
org.wso2.carbon.user.mgt.common.UserAdminException: Can not access the directory service for user : <my test account>
I am using Active Directory, I am using an LDAPS connection, the connecting user does have permission to change the password.
I can login to federated services using the test account.
Thanks,
...pat
This is Ellucian's distribution 2.0.2 of WSO2 Identity Server 5.1.0.
If the AD is the PRIMARY userstore, then in the user-mgt.xml file you need to add the credentials of an administrative-level user account of AD:
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
If the AD is a secondary userstore, then in the particular userstore's configuration, you need to do the same as mentioned above.
It turns out that I needed to alter my Referral setting from 'ignore' to 'follow'. Once I made that change both Password Change and Password Reset features started to work.
...pat
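The answers above touch the same file from three sides: the AddAdmin/AdminUser block, the LDAP ConnectionName/ConnectionPassword properties, and the Referral setting that turned out to matter for Password Reset. The following is an added example (not from any poster or from WSO2) that audits a user-mgt.xml for those points; the sample document is constructed from the fragments quoted in the thread, and the severities and the DEFAULT_CREDS set are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the user-mgt.xml fragments quoted in the thread
# (AddAdmin/AdminUser block and LDAP ConnectionName/ConnectionPassword properties);
# the Referral property is the one the Password Reset post ended up changing.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://localhost:10389</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="Referral">ignore</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

DEFAULT_CREDS = {"admin", "wso2carbon"}  # assumed list of stock values from WSO2 sample configs

def audit_user_mgt(xml_text):
    """Return (severity, message) findings for a user-mgt.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    conf = root.find("Realm/Configuration")
    if conf is not None:
        add_admin = (conf.findtext("AddAdmin") or "").strip().lower() == "true"
        pwd = (conf.findtext("AdminUser/Password") or "").strip()
        if add_admin and pwd in DEFAULT_CREDS:
            findings.append(("HIGH", "AddAdmin=true with a stock admin password: "
                                     "it will be written to the primary store at first start"))
    for usm in root.iter("UserStoreManager"):
        props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
        if props.get("ConnectionPassword") in DEFAULT_CREDS:
            findings.append(("HIGH", "ConnectionPassword is a stock value"))
        if props.get("ConnectionURL", "").startswith("ldap://"):
            findings.append(("MEDIUM", "ConnectionURL is plain ldap://; the bind "
                                       "password crosses the network unencrypted"))
        if props.get("Referral", "").lower() == "ignore":
            findings.append(("INFO", "Referral=ignore; AD password change/reset "
                                     "may fail until it is set to follow"))
    return findings
```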
I have two instances of WSO2 on two different machines, with the same policy published to both instances. Both WSO2 instances have admin/admin.
I use SOAPUI (running on 192.168.0.9) to try to test against the EntitlementService webservice and:
If I use SOAPUI to test against the EntitlementService webservice on the same machine that SOAPUI is running on (192.168.0.9), using either localhost or IP address, I get a XACML response with a Permit. However,
If I used SOAPUI to test against the EntitlementService webservice on the other machine (192.168.0.210), I get a XACML response with a Deny, and an "Illegal access attempt" error in the 192.168.0.210 WSO2 log:
Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address 192.168.0.9 while trying to authenticate access to service EntitlementService
In both cases above, I have BASIC authentication and the 'admin' username and password setup in SOAPUI.
If I run Tryit on the 192.168.0.210 WSO2 admin to test against the 192.168.0.210 WSO2, I get a Permit, i.e., this shows that the policy on the 192.168.0.210 should return a Permit.
Finally, I'm pretty sure that this is something with WSO2, and not with SOAPUI, as I also tested from the 192.168.0.9 machine using Firefox and a plugin called RESTclient, to test doing the POST of the XACML request in the content body.
Is there something in WSO2 Identity Server that would cause it to return a Deny if the requests are coming from a different machine?
Thanks,
Jim
P.S. I'm seeing the following in the WSO2 wso2carbon.log file:
TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected. {org.wso2.carbon.core.services.authentication.AbstractAuthenticator}
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:171)
{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Is there some way to turn off the remote address validation?
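Three posts in this thread quote the same Carbon messages ("Failed Administrator login attempt", "Illegal access attempt ... service X", "Invalid remote address passed"). As an added example, not code from any poster or from WSO2, the parser below turns such wso2carbon.log lines into structured events and groups them per source IP, which is what you would feed into an alert on repeated failures against the admin services. The log sample is constructed from the lines quoted above; the event names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the wso2carbon.log lines quoted in this thread
# (addresses and timestamps are the ones the posters showed; the INFO line is filler).
SAMPLE_LOG = """\
[2016-03-31 15:51:42,564] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'sm38553[-1234]' at [2016-03-31 15:51:42,564+0530] from IP address 10.42.47.196
[2016-03-31 15:51:42,566] WARN - AuthenticationHandler Illegal access attempt at [2016-03-31 15:51:42,0566] from IP address 10.42.47.196 while trying to authenticate access to service LoggedUserInfoAdmin
[2014-05-12 15:26:47,563] WARN - AuthenticationHandler Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address 192.168.0.9 while trying to authenticate access to service EntitlementService
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
[2016-03-31 15:52:01,100] INFO - Unrelated line that must be ignored
"""

# Patterns for the three Carbon authentication messages seen in the thread.
ILLEGAL = re.compile(r"Illegal access attempt at \[(?P<ts>[^\]]+)\] from IP address "
                     r"(?P<ip>\S+) while trying to authenticate access to service (?P<svc>\S+)")
FAILED = re.compile(r"Failed Administrator login attempt '(?P<user>[^']+)' at "
                    r"\[(?P<ts>[^\]]+)\] from IP address (?P<ip>\S+)")
BADADDR = re.compile(r"Invalid remote address passed - (?P<ip>\S+)")

def parse_auth_events(log_text):
    """Turn raw log lines into structured auth events; non-matching lines are dropped."""
    events = []
    for line in log_text.splitlines():
        for kind, pat in (("illegal_access", ILLEGAL), ("failed_login", FAILED),
                          ("invalid_remote_address", BADADDR)):
            m = pat.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def summarize_by_ip(events):
    """Per source IP: event count plus the services and usernames involved."""
    out = defaultdict(lambda: {"count": 0, "services": set(), "users": set()})
    for e in events:
        entry = out[e["ip"]]
        entry["count"] += 1
        if "svc" in e:
            entry["services"].add(e["svc"])
        if "user" in e:
            entry["users"].add(e["user"])
    return dict(out)
```

The "invalid_remote_address" events carry the address the validator rejected rather than a client IP, so they are worth keeping in a separate bucket when tuning thresholds.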
I am unable to implement Multifactor Authentication .
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with gtalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
    <XMPPSettings>
        <XMPPConfig>
            <XMPPProvider>gtalk</XMPPProvider>
            <XMPPServer>talk.google.com</XMPPServer>
            <XMPPPort>5222</XMPPPort>
            <XMPPExt>gmail.com</XMPPExt>
            <XMPPUserName>multifactor1#gmail.com</XMPPUserName>
            <XMPPPassword>wso2carbon</XMPPPassword>
        </XMPPConfig>
    </XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via relyingparty URL with openid,
received communication over gtalk requesting pin.
I entered the pin and got logged in.
It would have been nice if WSO2 had mentioned in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.