
IRC log for #openam, 2014-02-14


All times shown according to UTC.

Time Nick Message
00:35 aldaris joined #openam
07:34 tsmalmbe joined #openam
07:52 fatbloke joined #openam
08:29 rghose joined #openam
08:30 rghose hello all, I added my Active Directory server for authentication in the advanced settings screen but cannot get authenticated with OpenAM.
08:30 rghose can someone help me with this please?
08:34 aldaris joined #openam
08:53 rghose I followed this: https://wikis.forgerock.org/confluence/display/openam/Add+Active+Directory+as+an+External+Directory but the subjects tab is empty, any help?
08:54 aldaris well probably you misconfigured something then
08:54 rghose where do I check for what is going wrong?
08:54 rghose the logs are not much of help.
08:54 aldaris IdRepo debug log would be a good start
09:00 rghose when I go to Configuration -> Authentication -> Active Directory, I find some settings are wrong. Where is this used?
09:00 aldaris don't bother about those
09:01 aldaris the Subjects tab uses the Data Store settings
09:11 rghose This is what I do: in Login ID, I gave the full DN of the admin user of the AD (in the Other User Data Store section), think that could be the problem?
09:11 rghose also the host name is just an IP address.
09:11 aldaris have you checked the debug logs yet?
09:25 asyd /s 25
09:25 asyd oops
09:35 aldaris1 joined #openam
11:03 rghose I could not find any IdRepo log in the log folder. Which logs should I check?
11:03 aldaris1 check the debug folder then
11:03 rghose I get this: ERROR: An error occurred while executing persistent search
11:04 rghose IdRepo file
11:04 rghose CoreSystem: ERROR: ConfigMonitoring.configureMonitoring: getMonServiceAttrs returns -1, monitoring disabled
11:04 aldaris psearch is not closely related, but if there are connection problems then yeah that could tell why
11:05 rghose also this: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed
11:05 aldaris read the IdRepo log a few more times there should be a more useful message there..
11:06 rghose org.forgerock.opendj.ldap.EntryNotFoundException: No Such Entry: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=<admin>,DC=<xxx>,DC=<yyy>,DC=com
11:06 rghose Btw, the username is in a different case than what I normally use
11:07 aldaris should be case insensitive..
11:07 rghose ERROR: Unexpected error occurred during search
11:07 aldaris find the last error message..
11:07 rghose was the connection refused?
11:07 rghose from the Active Directory server?
11:08 rghose or some wrong parameters sent by OpenAM's LDAP plugin?
11:09 rghose how do I know which IP is the connection being made to?
11:09 aldaris you configured the data store didn't you
11:09 aldaris then that's the IP it will try to connect to
11:09 rghose yes I did
11:09 aldaris have you checked with telnet if it is accessible?
11:10 rghose let me check
11:11 rghose would I get the current setting under "Data Stores -> Active Directory" ?
11:12 rghose btw, the uid should be sAMAccountName, I did not configure that.
11:12 rghose there was no option regarding that as well
11:13 aldaris the default settings also configure a uid=samaccountname attribute mapping
11:13 rghose yes telnet from that host works to the ad server
11:13 aldaris I wonder if you could just tail the IdRepo debug log and simply hit save on the data store configuration screen
11:14 aldaris that should initiate a new psearch, hence you should see the actual problem…
11:14 rghose ok I will do that. I opened the Subjects tab earlier btw
11:15 rghose nothing, when I hit save, do I have to change something for that new thing to happen?
11:15 rghose Also "Load schema when saved" is unchecked
11:16 aldaris nope, just pressing save should be sufficient
11:16 rghose nothing appears
11:16 rghose I disabled log buffering also
11:17 aldaris that is audit logging, argh
11:17 aldaris have you modified debug logging level?
11:17 rghose no, it is the same. I just did that to see the am*.(access|error) logs
11:18 aldaris have a read: https://wikis.forgerock.org/confluence/display/openam/Collect+debug+log+files+from+OpenAM
11:20 rghose Debug Level is "Error"
11:21 rghose Make it message?
11:21 aldaris yeah, let's try that
11:21 rghose I do get this: ERROR: An error occurred while executing persistent search org.forgerock.opendj.ldap.TimeoutResultException: Client-Side Timeout
11:22 rghose so this is from the heartbeat I guess?
11:22 aldaris right, that's a bug
11:23 rghose IdCachedServicesImpl.dirtyCache(): Cache dirtied because of Event Notification. Parameters - eventType: 4, cosType: false, aciChange: false, fullDN: id=<username>,ou=realm,dc=openam,dc=forgerock,dc=org; rfcDN =id=<username>,ou=realm,dc=openam,dc=forgerock,dc=org; cachedID=id=<username>,ou=realm,dc=openam,dc=forgerock,dc=org
11:23 rghose what is that ? ^
11:23 rghose The usernames are valid AD usernames
11:23 aldaris don't worry about those
11:23 rghose looks like it is creating a copy of the AD server?
11:25 rghose I still get this: at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:178)
11:25 rghose when I visit the subjects tab
11:25 aldaris that is part of the stacktrace and not the actual error message you know
11:27 rghose yes, just saying
11:28 rghose search invoked with type: IdType: user pattern: * avPairs: null maxTime: 5 maxResults: 100 returnAttrs: null returnAllAttrs: false filterOp: 0 recursive: false
11:29 rghose ERROR: Unexpected error occurred during search
11:29 rghose org.forgerock.opendj.ldap.EntryNotFoundException: No Such Entry: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match
11:29 rghose yes same
11:30 rghose sending out a mail to the list with this error
11:31 aldaris you clearly misconfigured something
11:31 aldaris this message means that the connection details are at least correct
11:31 rghose but?
11:32 aldaris but the suffix or the people container settings are incorrect.
11:32 rghose this is the bind_dn/password I use! With this root suffix as well!
11:33 rghose I am not sure about the other settings
11:33 rghose sAMAccount type is another setting I use
11:33 aldaris so check the people container settings
11:34 rghose how do I know the exact error message that the Active Directory server gives here?
11:34 rghose maybe due to the number of results in each search?
11:34 aldaris No Such Entry: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match
11:34 aldaris this is the AD error message
11:34 rghose ok, thanks
11:40 MegaMatt joined #openam
11:49 rghose let me send full error log. Maybe that could help.
11:58 rghose In the LDAP page, LDAP User Object Class is given, what is that? And how is it used in the search?
12:01 rghose Attribute Name for Group Membership is empty. Is that normal?
12:01 aldaris I think you should read some about LDAP and Active Directory first
12:02 aldaris or try the OpenAM admin guide that details all the different settings
12:02 rghose ok
12:08 rghose btw, ldapsearch works fine: ldapsearch -x -h ipaddr -p port -b 'ou=xxx,dc=yyy,dc=zzz,dc=com' -D 'cn=admin,ou=xxx,dc=yyy,dc=zzz,dc=com' -w password -z 1000
12:19 rghose @aldaris: I just learned we have a max limit to number of results returned
12:25 rghose1 joined #openam
12:35 fatbloke joined #openam
12:38 rghose1 btw, can someone tell me what LDAP plugin search scope is?
12:59 aldaris joined #openam
13:15 rghose1 LDAP People Container Value = users changed to Users, still the same error.
13:15 aldaris case insensitive…
13:16 rghose1 LDAP Users Search Attribute is cn and filter is (objectclass=person)
13:16 rghose1 Using the same filter works
13:16 rghose1 with ldapsearch
13:17 aldaris if you are not using ssl you may as well just capture the network traffic to see what the actual search ends up to be
13:17 rghose1 ok
13:21 rghose1 so is LDAP a plain-text-like protocol? Since I am getting garbled bytes when I do a tcpdump on the OpenAM server
13:22 aldaris use wireshark
13:22 rghose1 also, does Attribute Name of User Status have to be sAMAccount?
13:23 aldaris user status is not samaccount
13:23 aldaris should be more like useraccountcontrol or whatsitsname
13:26 rghose1 we don't have cn=Users
13:32 rghose1 should I keep the ldapPeopleContainer value?
13:32 rghose1 found the userstatus attribute, it seems to be right
13:43 rghose joined #openam
13:58 fatbloke joined #openam
14:15 dean Hey guys, I want to set up a web server for static files which will only return requests which include a valid OpenAM auth token. What's the best way to do this?
14:24 rghose hey @aldaris, it works now, thanks for your help.
14:24 rghose :)
14:27 rghose btw, I am also trying to get an OpenID consumer to work with OpenAM
14:27 asyd dean: install an agent on the web server?
14:28 rghose the consumer can connect to the server but gets access_denied
14:28 rghose I get a json response that contains this: state": "af0ifjsldkj"
14:28 dean Excellent that's the search term I needed. Cheers asyd.
14:29 rghose I am using this: https://svn.forgerock.org/openam/trunk/community/extensions/openid/
14:32 aldaris that's an openid provider
14:57 dean Is there a good analysis of the pros and cons of using a web policy agent somewhere? Just wondering why you don't see them more often and why applications tend to implement their own authentication processes.
15:02 MegaMatt You'd never even notice if you were using a web agent....
15:03 MegaMatt I think lots of people use the WPA
15:03 aldaris joined #openam
15:08 dean True it might be they're used a lot and I'm not aware of it. My background is web development though and I can't say I've come across one before. I've heard the idea discussed but never seen it implemented.
15:09 dean Was wondering if this was just because I've not been exposed to a lot of sites that are using them or if because there is some downside to using them so a lot of places dont?
15:11 MegaMatt Well, I think the web agent for openam uses proprietary sso... but in general there are plenty of places that use similar methodology
15:14 MegaMatt Lots of places use SAML for authentication, for example.. but then authorization..........
15:15 asyd as far as I understand SAML is for authentication, but can also transmit authorization information, like XACML profiles etc
15:16 asyd so SAML is not for authorization :)
15:16 aldaris that's what Matt said :)
15:17 asyd oh sorry
15:17 MegaMatt Sorry, yeah, I sort of implied more than directly said
16:13 aldaris joined #openam
16:17 aldaris joined #openam
16:25 fatbloke joined #openam
17:15 kim_ joined #openam
17:36 aldaris joined #openam
22:56 MegaMatt joined #openam
23:08 MegaMatt joined #openam
