WSO2 Identity Server: Storing user password as PlainText - wso2

I am creating a user using UserInformationRecoveryServiceStub, but the Identity store saves the user password as plain text, even though user-mgt.xml has SHA.

I think this must be due to a configuration issue defined here. Could you please try to change the configuration as follows, i.e. with a capital P, and restart the server? Then try to create a new user and see.
<Property name="PasswordHashMethod">SHA</Property>
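The answer above turns on the exact spelling of the property name, and a mis-cased name is easy to miss by eye. The following script is an added example (not WSO2 code) that parses a user-mgt.xml style document and reports, per UserStoreManager, whether PasswordHashMethod is missing, mis-cased, or set to PLAIN_TEXT. The XML it checks is a constructed sample that places the mis-cased property beside the correct one.

```python
"""Audit user-store blocks in a WSO2 user-mgt.xml for password-hashing problems.

Added example, not WSO2 code. The property must be spelled exactly
"PasswordHashMethod"; a variant such as "passwordHashMethod" is not the
property the server reads, and the question above shows the result being
plain-text storage. The XML below is a constructed sample.
"""
import xml.etree.ElementTree as ET

# Constructed sample: mis-cased property, correct property, and an explicit PLAIN_TEXT.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="StoreSaltedPassword">true</Property>
    </UserStoreManager>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="PasswordHashMethod">SHA-256</Property>
      <Property name="StoreSaltedPassword">true</Property>
    </UserStoreManager>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

EXPECTED = "PasswordHashMethod"
WEAK_VALUES = {"PLAIN_TEXT", ""}


def audit_user_store(store):
    """Return a list of findings for one <UserStoreManager> element."""
    findings = []
    props = {p.get("name"): (p.text or "").strip() for p in store.findall("Property")}
    if EXPECTED in props:
        if props[EXPECTED].upper() in WEAK_VALUES:
            findings.append(f"{EXPECTED} is '{props[EXPECTED]}': passwords stored unhashed")
    else:
        # A case-variant of the name is the mistake the answer above points at.
        variants = [n for n in props if n and n.lower() == EXPECTED.lower()]
        if variants:
            findings.append(
                f"property '{variants[0]}' is mis-cased (expected '{EXPECTED}') and will be ignored"
            )
        else:
            findings.append(f"{EXPECTED} not set explicitly; store uses its built-in default")
    return findings


def audit_user_mgt(xml_text):
    """Map each UserStoreManager (class name plus position) to its findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for i, store in enumerate(root.iter("UserStoreManager")):
        report[f"{store.get('class')}#{i}"] = audit_user_store(store)
    return report


if __name__ == "__main__":
    for store, findings in audit_user_mgt(SAMPLE_USER_MGT).items():
        print(store, "->", findings or ["ok"])
```

Run it against a real user-mgt.xml by reading the file into `audit_user_mgt`; any store whose findings list is non-empty needs attention before users are created through it.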

Related

How to encrypt Embedded Ldap Password?

I can't encrypt the Embedded LDAP password in the repository/conf/identity/embedded-ldap.xml file on Identity Server 5.6.0.
I encrypted a password in embedded-ldap.xml file.
In the "cipher-tool.properties" file I have the string:
EmbeddedLdap.Property.ConnectionPassword=repository/conf/identity/embedded-ldap.xml//EmbeddedLDAPConfig/EmbeddedLDAP/Property[#name='connectionPassword'],false.
In cipher-text.properties I have the encrypted password for it.
But when I launch Identity Server I get the error:
LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=system.
How to encrypt Embedded Ldap Password?
There is also a "PartitionAdmin" password in the embedded-ldap.xml file. I encrypted it, and IS starts normally with this encrypted password.
I tested the scenario and found that it does not retrieve the value from the cipher-text.properties file for the "connectionPassword" property in <IS_HOME>/repository/conf/identity/embedded-ldap.xml by following secretAlias="EmbeddedLdap.Property.ConnectionPassword".
Instead, it uses the value defined inline within the embedded-ldap.xml file, because server startup does not fail if we add the correct password in embedded-ldap.xml as follows. (PS: "test123" is the password I've defined as "ConnectionPassword" for the UserStoreManager in user-mgt.xml.)
<EmbeddedLDAP>
<Property name="connectionPassword" svns:secretAlias="EmbeddedLdap.Property.ConnectionPassword">test123</Property>
</EmbeddedLDAP>
So this seems to be a bug/limitation in the WSO2 Identity Server, and you can report it by opening an issue in the GitHub repository.
However, please note that the embedded LDAP is provided only for evaluation purposes. Please use an external user store (LDAP or JDBC) in production environments.
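The finding above (the alias is declared correctly, yet the inline value is what the server actually uses) is the kind of thing worth checking mechanically before trusting that a secret has left a config file. The script below is an added example, not WSO2 or Cipher Tool code: it reads a cipher-tool.properties line of the form used in the question (alias=path//xpath,false, where '#' stands in for '@'), resolves the XPath against the target XML, and reports whether the element carries the matching svns:secretAlias, whether cipher-text.properties holds a value for the alias, and whether a non-placeholder value is still sitting inline. It assumes the secure-vault namespace URI http://org.wso2.securevault/configuration and the convention that "password" is the inline placeholder; all file contents are constructed samples, including the DefaultPartition block.

```python
"""Cross-check Cipher Tool aliases against the XML they are meant to protect.

Added example, not WSO2 code. Assumptions: the svns namespace URI below, and
the convention that the literal "password" is the inline placeholder once a
value has been moved to cipher-text.properties. All sample file contents are
constructed.
"""
import xml.etree.ElementTree as ET

SVNS_ALIAS = "{http://org.wso2.securevault/configuration}secretAlias"  # assumed namespace

# Constructed cipher-tool.properties: one alias fully wired, one only half done.
CIPHER_TOOL = """EmbeddedLdap.Property.ConnectionPassword=repository/conf/identity/embedded-ldap.xml//EmbeddedLDAPConfig/EmbeddedLDAP/Property[#name='connectionPassword'],false
EmbeddedLdap.Property.PartitionAdminPassword=repository/conf/identity/embedded-ldap.xml//EmbeddedLDAPConfig/DefaultPartition/Property[#name='partitionAdminPassword'],false
"""

# Constructed cipher-text.properties: the value is a placeholder, not real ciphertext.
CIPHER_TEXT = """EmbeddedLdap.Property.ConnectionPassword=Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
"""

# Constructed embedded-ldap.xml, mirroring the snippet in the answer above.
EMBEDDED_LDAP_XML = """<EmbeddedLDAPConfig xmlns:svns="http://org.wso2.securevault/configuration">
  <EmbeddedLDAP>
    <Property name="connectionPassword" svns:secretAlias="EmbeddedLdap.Property.ConnectionPassword">test123</Property>
  </EmbeddedLDAP>
  <DefaultPartition>
    <Property name="partitionAdminPassword">password</Property>
  </DefaultPartition>
</EmbeddedLDAPConfig>"""


def parse_properties(text):
    """Minimal key=value parser for the two .properties files."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def split_alias_target(value):
    """'path//xpath,false' -> (path, xpath) with Cipher Tool's '#' restored to '@'."""
    target = value.rsplit(",", 1)[0]
    path, _, xpath = target.partition("//")
    return path, "//" + xpath.replace("#", "@")


def resolve(root, xpath):
    """Evaluate an absolute //Root/a/b[@x='y'] path with ElementTree's find()."""
    segments = xpath.lstrip("/").split("/")
    if segments and segments[0] == root.tag:
        segments = segments[1:]
    return root.find("./" + "/".join(segments))


def audit_aliases(cipher_tool_text, cipher_text_text, xml_by_path):
    """Return {alias: [findings]} for every alias listed in cipher-tool.properties."""
    secrets = parse_properties(cipher_text_text)
    report = {}
    for alias, value in parse_properties(cipher_tool_text).items():
        path, xpath = split_alias_target(value)
        findings = []
        if alias not in secrets:
            findings.append("no encrypted value in cipher-text.properties")
        root = xml_by_path.get(path)
        elem = resolve(root, xpath) if root is not None else None
        if elem is None:
            findings.append(f"xpath {xpath} matches nothing in {path}")
        else:
            if elem.get(SVNS_ALIAS) != alias:
                findings.append(f'element lacks svns:secretAlias="{alias}"')
            inline = (elem.text or "").strip()
            if inline and inline.lower() != "password":
                # Exactly the situation in the answer: a real value is still inline.
                findings.append(f"plaintext value still inline: {inline!r}")
        report[alias] = findings
    return report


def audit_embedded_ldap():
    xml_by_path = {"repository/conf/identity/embedded-ldap.xml": ET.fromstring(EMBEDDED_LDAP_XML)}
    return audit_aliases(CIPHER_TOOL, CIPHER_TEXT, xml_by_path)


if __name__ == "__main__":
    for alias, findings in audit_embedded_ldap().items():
        print(alias, "->", findings or ["ok"])
```

To use it on a deployment, read the real cipher-tool.properties and cipher-text.properties and map each path named in the alias lines to its parsed XML; an alias that resolves cleanly but still shows "plaintext value still inline" is the case the answer describes, where the file would need the clear-text password for startup to succeed.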

WSO2 Identity Server password change failing with "Can not access the directory service for user"

I am attempting to set up both the Password Change and Password Reset features.
When I attempt to change my test account's password I see this message:
{org.wso2.carbon.identity.password.mgt.ChangePasswordServlet} - Change Password Failed
org.wso2.carbon.user.mgt.common.UserAdminException: Can not access the directory service for user : <my test account>
I am using Active Directory over an LDAPS connection, and the connecting user does have permission to change the password.
I can login to federated services using the test account.
Thanks,
...pat
This is Ellucian's distribution 2.0.2 of WSO2 Identity Server 5.1.0.
If the AD is the PRIMARY user store, then in the user-mgt.xml file you need to add the credentials of an administrative-level user account of the AD.
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
If the AD is a secondary user store, then you need to do the same in that particular user store's configuration.
It turns out that I needed to alter my Referral setting from 'ignore' to 'follow'. Once I made that change, both the Password Change and Password Reset features started to work.
...pat

WSO2 - admin password with encryption

Currently, if we want to reset the admin password of WSO2 (not through the UI), we edit the password in the repository/conf/user-mgt.xml file. We would like to use an encrypted password instead of clear text. Is there any way I can supply my own encryption logic to WSO2 so that it uses it while decrypting the password on authentication? Thanks in advance.
You can encrypt passwords in configuration files using the Cipher Tool shipped with all WSO2 products. Please refer to [1] for more detail.
[1] https://docs.wso2.com/display/Carbon420/Securing+Passwords+in+Configuration+Files

WSO2 Identity Server 5.0.0 fails to return user claims in SAMLResponse for user from secondary user store

I have this problem when using SAML SSO authentication. I have successfully set up the WSO2IS 5.0.0 Identity Server, and I also succeeded in setting up (at least I hope so) a secondary user store. I used the JDBCUserStoreManager implementation. I have set this store as DOMAIN. This user store works nicely, at least I think it does, because it is storing user attributes into its tables (USER_ATTRIBUTES) and those attributes are read by the WSO2IS administration ...
https://localhost:9443/carbon/userprofile/edit.jsp?username=DOMAIN/demo_jbu&profile=default&fromUserMgt=true
Users are identified as DOMAIN\username, so when I want to log in a user from this DOMAIN, the request goes to my AUTHENTICATOR implementation so I can manage authentication for users from this domain.
What is strange is that if I use the WSO2IS administration pages, I can set and read users' attributes well. And if I use SAML SSO authentication (I have already set up the service provider & claim mappings) for users from the PRIMARY domain, everything goes fine and the calling SP gets all attributes, mapped in the WSO2IS administration here:
https://localhost:9443/carbon/application/configure-service-provider.jsp
If I use SAML SSO authentication but want to log in a user from my DOMAIN, the SP doesn't get anything.
I can override this behavior in DefaultResponseBuilder; I can put anything I want into the SAMLResponse, but I don't feel this approach is OK. Can anyone tell me where to look for an error? What may be wrong? Where should I start looking for problems? I have already tried to debug it, and it seems it (SAML SSO/AUTHENTICATOR) doesn't find any claim for the DOMAIN user.
Thank you in advance.
Josef
I think this is a bug in Identity Server 5.0.0. When you are using SAML2 SSO, a user can log in to Identity Server both with the username including the domain name and without the domain name. Basically,
bob and foo.com/bob must both work and return the bob user's attributes from the foo.com user store. However, there is an issue with IS 5.0.0: if a secondary user store user logs in without the domain name, Identity Server does not return the user attributes. But please try to log in with foo.com/bob; then it would return the user's attributes.
You can find the public JIRA. It contains a source diff. It must be a simple fix, and you can even compile the source and add the fix into the Identity Server.

How to get UDDIPublisher permission for a user in wso2 to run JAXR sample

I am trying to run the JAXR sample in Governance Registry in WSO2, which deals with UDDI support. It says that before running I should add a user with UDDIPublisher permission to the scoutv3.properties file. I don't know which username and password I need to add to this file in order to run the sample. Please help.
The role the user belongs to should have the UDDIPublisher permission to publish a service to the UDDI registry. Therefore you should add a valid username and password in the scoutv3.properties file (instead of root/root).
To try out this sample you can use admin/admin for the user ID and password (admin has all the permissions).