
IRC log for #openam, 2016-12-01


All times shown according to UTC.

Time Nick Message
00:34 aldaris joined #openam
02:48 ilbot3 joined #openam
02:48 Topic for #openam is now Chat about the OpenAM project - https://backstage.forgerock.com/#/downloads - OpenAM 13.5.0 is out! OpenAM 12.0.3 is out! Channel logs at: http://irclog.perlgeek.de/openam/today
08:18 aldaris joined #openam
08:50 abyss aldaris: is it possible to restore only part of an opendj backup when I used bin/backup to make it? For example, I can restore the whole backup with: opendj/backup-2016-10-10/userRoot --backupID 20161010083323Z, but I'd like to restore only one ou, not all.
08:50 aldaris hi abyss
08:51 abyss hi :)
08:51 aldaris apologies, but I haven't done that myself, not sure I'm the best person to give advice on this
08:51 aldaris I can ask around ;)
08:52 abyss Thank you :)
08:54 abyss It's my bad - sorry, I thought you knew everything - you've helped me so many times :)
08:55 abyss aldaris: do you know what happened? I restored opendj from another instance and everything worked (I mean openam). Then I restarted tomcat (openam) and got the following error: com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available
08:55 abyss ;)
08:56 abyss I don't know what happened, but now I'd like to set up a new opendj, configure openam again and restore only ou=People from the other opendj instance ;)
08:57 aldaris restore the full backup on a dummy DJ instance then export-ldif?
08:59 abyss ok, I thought about it, but that's another tool to understand ;)
09:00 abyss I was hoping it was possible with the backup/restore tool from opendj :)
09:00 aldaris the "configuration store is not available" message can mean a few things, but most likely the directory server was not available when you started up OpenAM, or there were problems with the credentials, or maybe the base DN is missing
09:00 abyss thank you.
09:00 aldaris it may as well be possible, just don't know :)
09:00 abyss aldaris: I suppose there were problems with the credentials because I restored a backup from another opendj instance
09:00 abyss but why was it working the whole time? ;)
09:01 abyss until I restarted ;)
09:01 aldaris I find it unlikely though, backup saves a full backend, I don't believe you can selectively restore suffixes from that
09:02 abyss ok, thank you, luckily export-ldif is not so hard (I'm reading the man page ;))
10:04 abyss aldaris: could you give me a little help with export-ldif? Again?;)
10:04 aldaris like?
10:04 abyss I did: export-ldif --includeBranch ou=People,dc=ydp,dc=eu --backendID userRoot --ldifFile /ydp/backups/people.ldif
10:04 abyss everything is fine, I can see people in the file
10:06 abyss so... I did: import-ldif --includeBranch ou=People,dc=ydp,dc=eu --backendID userRoot -l /ydp/backups/people.ldif on the second instance and what I see is an empty dc=ydp,dc=eu (nothing at all)
10:06 abyss there should be the openam configuration and the people tree
10:06 abyss I must be doing something wrong, but what ;)
10:08 abyss of course before the import I can see the ou with the openam configuration etc.
10:11 aldaris have you tried using the --append switch?
10:13 abyss An error occurred while parsing the command-line arguments:  Argument --append is not allowed for use with this program
10:13 abyss ;)
10:13 aldaris with import-ldif I mean
10:19 abyss yes
10:19 abyss there's no such option, there's only overwrite ;)
10:21 aldaris well it does have such a setting on my version, and it's not a new one
10:22 aldaris http://pastebin.com/mnA25N6h
10:22 abyss I'm using import-ldif from opendj 3.0
10:23 abyss http://pastebin.com/Nd015pp3
10:23 abyss ;)
10:25 aldaris hmm, my DJ instances are 2.6.3
10:27 aldaris I'll ask around, give me a sec :)
10:27 aldaris I'd probably work this around by using ldapdelete with subtree control then using ldapmodify -a with the ldif
10:30 aldaris well that's what I got: https://backstage.forgerock.com/docs/opendj/3/release-notes#changed-functionality
10:32 abyss_ joined #openam
10:34 abyss_ aldaris: sorry, I lost connection, did you write something before that? ;)
10:44 KermitTheFragger joined #openam
10:59 aldaris joined #openam
11:01 aldaris @abyss check the logs ;)
11:10 abyss I used option: --rejectFile /ydp/backups/rejectfile
11:10 abyss # The parent entry 'ou=people,dc=ydp,dc=eu' does not exist
11:11 abyss whyyyyyy?????!!!!
11:11 abyss there is ou=people
11:11 aldaris http://irclog.perlgeek.de/openam/today
11:11 aldaris import-ldif on 3.0.0 always overrides as far as I can tell
11:11 abyss oh, thats logs;)
11:12 aldaris my suggestion is still ldapdelete with subtree and ldapmodify -a
11:13 abyss aldaris: ok, thank you very much. I have to switch to a different task (my boss insists :/). But I'll be back to this ;)
11:38 sam___ joined #openam
11:40 MegaMatt joined #openam
11:41 sam___ hi
11:41 aldaris hi
11:41 sam___ Good UGT !!
11:42 sam___ does anyone have knowledge of SAML SSO?
11:42 aldaris one could say I do
11:43 sam___ @aldaris, thanks for your reply..
11:43 sam___ I'm a newbie to SAML
11:43 sam___ can you help me with my queries?
11:44 aldaris yes, bear in mind my response may as well be "read the spec" :)
11:46 sam___ sorry, I'm not clear ..
11:46 sam___ on what you're trying to say??
11:46 aldaris don't worry, I'll try my best to answer with patience :)
11:47 sam___ thanks a lot for that :)
11:48 sam___ just for info, is openam related to SAML?
11:49 aldaris I'm gonna go on a lunch break in 12 mins tho :)
11:49 aldaris OpenAM implements the SAML spec, yes
11:50 sam___ thank God, i finally reached the correct channel..
11:51 sam___ my query: is including a response signature in the auth response controlled by the IDP's or the SP's metadata?
11:52 aldaris so you want to send back a SAML response, and you are wondering what controls the signature of the <Response> element?
11:52 aldaris is OpenAM the IdP in this case?
11:53 sam___ ya, exactly the same. My IDP is ADFS
11:53 aldaris then this will most likely be a matter of ADFS configuration
11:54 sam___ so the SP cannot get the signature unless the IDP is configured, right?
11:56 aldaris it really depends on how ADFS does any of this
11:56 sam___ aldaris, you there?
11:57 aldaris https://social.msdn.microsoft.com/Forums/vstudio/en-US/18187bdd-6536-49c5-a220-12de0fefbb4b/signed-saml-assertions-with-adfs?forum=Geneva talks about some powershell commands for example
11:58 sam___ ya, I already saw that..
11:59 sam___ now I'm using spring saml
11:59 sam___ as SP
11:59 aldaris so how are your questions openam related?
11:59 sam___ it has a property to verify the signature in the assertion
12:00 aldaris gotta go now, sorry, bbl
12:00 sam___ when will you be back?
12:01 sam___ so I will be waiting for you..
12:02 sam___ anybody there to help me?
12:06 sam___ anyone please?
12:14 sam___ aldaris, when will you be back?
13:09 abyss sam___: be patient, aldaris has great knowledge about openam and related things, but sometimes he has to rest and eat :D And sometimes do his job :D He will be back, don't worry.
13:11 sam___ abyss, thanks for that
13:11 sam___ seems the channel has few users??
13:13 sam___ abyss, do you have any idea about SAML?
13:21 abyss sam___: sorry, I'm only here because I'm using aldaris's knowledge, because I inherited openam and opendj from a former company ;)
13:22 abyss but if you have trouble with backing up opendj/openam, restoring, configuring replication for opendj etc., don't hesitate - ask :)
13:24 sam___ sorry abyss, I'm not using either..
13:43 aldaris joined #openam
13:50 abyss aldaris: so you suggest that I should import this file not with ldif import but with ldapmodify -a? Nice improvement btw :/
13:51 abyss but it is impossible to do from that ldif file, yes?
13:52 abyss I don't get how to move only ou=people to another instance ;)
13:52 aldaris hey abyss
13:52 aldaris so where are we?
13:52 aldaris sam___ got more questions?
13:52 MegaMatt Why would it be impossible to do from an ldif file?
13:53 MegaMatt ldapmodify can read ldif files
13:54 abyss yes?
13:54 MegaMatt Yes.
13:54 abyss ok I tried but I get: additional info: Entry ou=people,dc=ydp,dc=eu cannot be added because it includes attribute createTimestamp which is defined as NO-USER-MODIFICATION in the server schema ;)
13:54 sam___ aldaris, welcome back
13:54 abyss ok I'm going to google;p
13:54 sam___ I have one query
13:55 sam___ I'm using spring saml as SP
13:55 sam___ it has a property to verify the signature in the assertion
13:56 sam___ I want to verify the signature in the response if the response is signed
13:57 sam___ do you have any idea about spring saml?
13:57 sam___ aldaris??
13:57 MegaMatt Last I looked, this is #OpenAM …
13:59 aldaris hmm abyss, that's a good point
14:00 aldaris sam___ I haven't used it personally I'm afraid
14:01 abyss aldaris: ;) Thank you.
14:02 sam___ aldaris, np. I need some info regarding metadata
14:02 aldaris I'm gonna try to set up a test environment and see if this can be achieved in a pleasant way
14:03 aldaris ^cc abyss
14:04 sam___ suppose the IDP sends a signed auth response, will its metadata contain an indication of that?
14:04 sam___ aldaris..
14:05 sam___ like that of md:SPSSODescriptor AuthnRequestsSigned="true" in the SP metadata
14:05 aldaris https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
14:05 aldaris according to the metadata XSD: no
14:06 sam___ i.e., like AuthnRequestsSigned="true", is there anything in the IDP metadata for response signed
14:06 aldaris you can ask for AuthnRequests and Assertions to be signed, can't see anything for responses
14:08 sam___ so how does the SP know whether that IDP sends the response signed?
14:09 aldaris out of band config
14:10 sam___ my requirement is to verify the signature in the response if the response is signed
14:10 sam___ at SP side
14:10 sam___ for auth response
14:10 aldaris then read spring saml docs
14:11 sam___ ya, gone through that but no use
14:12 sam___ usually the check for the signature is decided on the basis of metadata info, right?
14:12 aldaris and out of band config
14:13 sam___ out of band config?
14:14 sam___ I'm not clear on that??
14:15 sam___ you mean we can't configure that?
14:15 aldaris config that was agreed upon between the IdP and the SP
14:15 aldaris but outside the SAML metadata
14:16 sam___ ok....
14:17 sam___ I was searching for this in the metadata doc of the SAML spec for a long time..
14:18 sam___ so it's because of a lack of info in the XSD, right?
14:19 aldaris the metadata XSD does not list such settings, as such those things can't be included in SAML metadata
14:19 sam___ i.e., in document http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
14:20 sam___ for your info I don't have much knowledge of XSD..
14:21 sam___ anyway thanks a lot for your patience and support, aldaris :)
14:21 aldaris just search for "Signed" in the XSD
14:21 aldaris you'll find the supported attributes
14:23 sam___ ya, I got that
14:24 sam___ thanks aldaris, I'm leaving. bye :)
14:25 aldaris bye
14:26 abyss aldaris: ok, during that time I will try to import by ldapmodify, thank you.
15:30 abyss aldaris: here my encounter finishes ;) Pre-encoded passwords are not allowed for the password attribute userPassword
15:44 abyss aldaris: I've done it :D
15:44 abyss I had to modify: set-password-policy-prop
15:58 aldaris joined #openam
20:51 aldaris joined #openam
22:48 MegaMatt joined #openam
