ganesh
Posted: Tue Sep 11, 2012 1:56 pm    Post subject: LDAP authentication for webservice.
Master
Joined: 18 Jul 2010 Posts: 294
Hi,
I have a message flow with the following nodes as shown below.
SOAPINPUT--->Compute---->SOAPREPLY.
I am trying to validate the incoming SOAP request by looking up the username and password on an LDAP server. For this I created a security profile for the broker, ran mqsisetdbparms to set the LDAP server name, user name and password, added the security profile to the BAR file (policy set, policy set bindings and security profile for the SOAPInput node) and deployed it.
When I send a request using SoapUI I get the exception shown below:
Code:
<soapenv:Fault xmlns:axis2ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>axis2ns3:FailedAuthentication</faultcode>
<faultstring>CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: WebSphere Message Broker BIP2702</faultstring>
<detail>
<Exception>org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: WebSphere Message Broker BIP2702
The user trace shows this:
Code:
10088 ImbJSecurityProviderJNIManager::getJavaExceptionTextAndLogStack 'Stack trace for the exception was:' , 'Frame : 0 com.ibm.broker.plugin.MbConfigurationException: [BIPmsgs:2721]BIP2721E: Failed to bind to the LDAP server 'ldaps://xxx.uuuu.com:636' with user name 'yy1234'. Possible explanation: javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
Ensure that the server address is correct.
Use mqsisetdbparms to check that the user name and password are valid.
Broker version is 7.0.0.4, OS Windows XP SP2. Has anyone faced this issue before: "LDAP: error code 34 - Invalid DN Syntax"?
Thanks

marko.pitkanen
Posted: Tue Sep 11, 2012 8:57 pm
Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
Hi ganesh,
I'm not an expert at this subject but
Quote:
If you include special characters like comma (,), equals (=), plus (+), less than (<), greater than (>), number sign (#), semicolon (;), backslash (\), and quotation marks ("") in the user role name or security role name, the following error occurs:
COPCOM132E An error occurred during the LDAP operation:
cn=#dffded: [LDAP: error code 34 - Invalid DN syntax].
Cause
The Distinguished Name (DN) syntax supported by the directory server does not support special characters. This is a known problem with the IBM Tivoli Directory Server and is described in detail in the Tivoli Directory Server Administration Guide that is available at http://publib.boulder.ibm.com/tividd/td/IBMDirectoryServer5.2.html.
Solution
Escape these special characters or other characters in an attribute value in a distinguished name string by preceding it with a backslash (\).
--
Marko
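The escaping rule in the quote above, worked through as an added example that is not from the thread, from IBM or from the broker: escape_dn_value() applies the RFC 4514 backslash escaping, parse_dn() splits a DN string back into (type, value) pairs while honouring those escapes, and it raises ValueError for the syntax problems an LDAP server reports as resultCode 34 (invalidDNSyntax). Two things worth noticing when you feed it the names from this thread: the optional spaces after the commas in "ou=Employees, ou=People, o =yyyy" are tolerated, as RFC 4514 section 3 allows, but a bare login name such as yy1234 has no "=" at all and is rejected, because the name in an LDAP simple bind is a DN, not a login name (OpenLDAP and Tivoli Directory Server answer code 34 to that; Active Directory is the notable exception in also accepting user@domain). Only the Python standard library is used; no real server is contacted.

```python
"""RFC 4514 distinguished-name helpers (added example, not broker code)."""
import re

_SPECIAL = set(',+"\\<>;')                       # RFC 4514 section 2.4
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def escape_dn_value(value):
    """Escape one attribute value so it can be placed after 'type=' in a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")      # leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")      # a leading '#' would mean hex-encoded BER
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(raw):
    """Reverse escape_dn_value(); '\\xx' hex pairs are decoded as UTF-8 bytes."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(int(pair, 16)); i += 3
            else:
                buf += raw[i + 1].encode(); i += 2
            continue
        buf += raw[i].encode(); i += 1
    return buf.decode()


def _split_unescaped(s, seps):
    """Split s on any character in seps, skipping backslash-escaped characters."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] in seps:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts


def _strip_unescaped_spaces(s):
    """Drop the optional whitespace around a value; an escaped trailing '\\ ' stays."""
    s = s.lstrip(" ")
    while s.endswith(" "):
        backslashes = len(s) - 1 - len(s[:-1].rstrip("\\"))
        if backslashes % 2:        # odd run of backslashes: the space is escaped
            break
        s = s[:-1]
    return s


def parse_dn(dn):
    """Return [(attribute type, value), ...] for dn, leftmost RDN first.
    Raises ValueError naming the first syntax error found."""
    if dn == "":
        return []                   # the empty DN (root DSE) is legal
    pairs = []
    for rdn in _split_unescaped(dn, ",;"):      # ';' is a legacy separator
        for ava in _split_unescaped(rdn, "+"):  # '+' joins multi-valued RDNs
            name_value = _split_unescaped(ava, "=")
            if len(name_value) < 2:
                raise ValueError("no '=' in RDN %r" % ava)
            atype = name_value[0].strip()
            value = "=".join(name_value[1:])    # an unescaped '=' may appear in a value
            if not _ATTR_TYPE.match(atype):
                raise ValueError("bad attribute type %r in RDN %r" % (atype, ava))
            value = _strip_unescaped_spaces(value)
            if value.startswith("#"):
                if not re.fullmatch(r"#(?:[0-9A-Fa-f]{2})+", value):
                    raise ValueError("value %r starts with '#' but is not a hex string" % value)
                pairs.append((atype, value))    # keep the BER hex form verbatim
            else:
                pairs.append((atype, unescape_dn_value(value)))
    return pairs


def build_dn(pairs):
    """Assemble a DN string from (type, value) pairs, escaping each value."""
    return ",".join("%s=%s" % (t, escape_dn_value(v)) for t, v in pairs)
```

Use build_dn() rather than string concatenation wherever a DN is assembled from data a user typed, such as a cn taken from a wsse:Username; an unescaped comma or plus sign in that value does not just fail with code 34, it changes which entry the server looks at.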

ganesh
Posted: Wed Sep 12, 2012 5:05 am
Master
Joined: 18 Jul 2010 Posts: 294

Vitor
Posted: Wed Sep 12, 2012 5:42 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ganesh wrote:
However the password in the SOAP message (wsse:Password) has a special character $ and I tried to escape that but still the same result.
You need to be careful. If you have special characters in the mqsisetdbparms (i.e. there's a $ in the -p parameter), that will be parsed by the command shell before it's parsed by the command.
If only for experimentation purposes, repeat the mqsisetdbparms but omit the -p parameter. The command will then prompt you to enter the password. Use your password with the $ and then retry the web service.
_________________
Honesty is the best policy.
Insanity is the best defence.

marko.pitkanen
Posted: Wed Sep 12, 2012 6:05 am
Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
Hi ganesh,
Can you show here all the configurations you did / used? Perhaps someone can then point you to the pain point.
One quote more ;-)
Quote:
Error: Error in bind from LDAP source: [LDAP: error code 34 - invalid DN] javax.naming.InvalidNameException
Cause: This is caused by a bad prefix specified in the Settings tab, on most LDAP/AD systems. This could mean you did not specify a prefix at all, which means the LDAP/AD server did not receive a full DN from CPS or that you did not specify a correct prefix, such as CN instead of UID, which results in the LDAP/AD server not receiving a correct DN from CPS. Can also be caused by a missing comma at the beginning of the suffix or an extra comma at the end of the suffix. This error could also mean the authentication type is incorrect.
--
Marko

marko.pitkanen
Posted: Wed Sep 12, 2012 6:37 am
Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
Or, because this concerns confidential data, raise a PMR and you get official help to solve this.
--
Marko

ganesh
Posted: Wed Sep 12, 2012 7:11 am
Master
Joined: 18 Jul 2010 Posts: 294
SecurityProfile_4
Authentication - LDAP
Authentication Config - ldap://xxx.yyyy.com:636/ou=Employees, ou=People, o=yyyy?cn?base
Mapping - None
Authorization - LDAP
Authorization Config - ldap://xxx.yyyy.com:636/
Propagation - FALSE
Password value - PLAIN
LDAP Host - ldap://xxx.yyyy.com:636
LDAP baseDN - ou=Employees, ou=People, o =yyyy
LDAP uid attr - cn
LDAP Search scope - base
mqsisetdbparms MB7BROKER ldap::xxx.yyyy.com -u xx12345

ganesh
Posted: Wed Sep 12, 2012 8:57 am
Master
Joined: 18 Jul 2010 Posts: 294
Vitor wrote:
ganesh wrote:
However the password in the SOAP message (wsse:Password) has a special character $ and I tried to escape that but still the same result.
You need to be careful. If you have special characters in the mqsisetdbparms (i.e. there's a $ in the -p parameter), that will be parsed by the command shell before it's parsed by the command.
If only for experimentation purposes, repeat the mqsisetdbparms but omit the -p parameter. The command will then prompt you to enter the password. Use your password with the $ and then retry the web service.
Thanks Vitor, I tried that too and it is still erroring out. I will try to create a profile for a different broker and start from scratch and test it.

Vitor
Posted: Fri Sep 14, 2012 8:30 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ganesh wrote:
Thanks Vitor, I tried that too and it is still erroring out. I will try to create a profile for a different broker and start from scratch and test it.
Did this assist & did you apply the functionality of FP4 or just the maintenance?
_________________
Honesty is the best policy.
Insanity is the best defence.

ganesh
Posted: Fri Sep 14, 2012 1:34 pm
Master
Joined: 18 Jul 2010 Posts: 294
Vitor wrote:
ganesh wrote:
Thanks Vitor, I tried that too and it is still erroring out. I will try to create a profile for a different broker and start from scratch and test it.
Did this assist & did you apply the functionality of FP4 or just the maintenance?
I have got rid of the BIP2702 error but now I am getting a BIP2703 error after applying the fixpack on the broker.
Code:
<faultcode>axis2ns2:FailedAuthentication</faultcode>
<faultstring>CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: WebSphere Message Broker BIP2703</faultstring>
Code:
UserTrace BIP3484E: ''CWWSS5514E: An exception while processing WS-Security message.''
An embedded component has written the diagnostic message included here.
Refer to the appropriate message in the embedded component's documentation.
2012-09-14 17:12:12.864266 8332 com.ibm.ws.wssecurity.util.LoggerTraceImpl.log 'SoapMbLogHandler:SEVERE' , 'CWWSS5514E: An exception while processing WS-Security message.'
2012-09-14 17:12:12.864373 8332 com.ibm.ws.wssecurity.util.LoggerTraceImpl.log 'SoapMbLogHandler:FINER' , 'Fault Code = {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}FailedAuthentication'
2012-09-14 17:12:12.864450 8332 } Axis2Invoker.processInboundRequest
2012-09-14 17:12:12.864482 8332 Axis2Invoker.invokeAxis2 'Axis Fault Exception: org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: WebSphere Message Broker BIP2703'
I am not sure whether the broker is still able to connect to the LDAP server itself.
Is there a way to check whether the broker is able to connect to the LDAP server?

smdavies99
Posted: Fri Sep 14, 2012 9:51 pm
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
ganesh wrote:
Is there a way to check whether the broker is able to connect to the LDAP server?
Yes, use a tool such as Wireshark. Be careful though: some network admins and security guys go into a rampant hissy fit about such tools being used on their precious networks. It can expose all sorts of bad configuration, especially with regard to Cisco devices. Plus, if you deep dive into some packets I am sure you will find all sorts of passwords being sent over the network in clear. Also, using a tool like this in certain parts of the world is illegal unless it is on a totally disconnected network. By disconnected, physically separate from any other network.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

mqjeff
Posted: Sun Sep 16, 2012 9:16 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
ganesh wrote:
Is there a way to check whether the broker is able to connect to the LDAP server?
Aside from using a network sniffer tool, like Wireshark, you can run a broker service trace and see if you can find relevant information in there. I'm sure it's there, but I'm also reasonably sure it may not be straightforward to identify.
But if you can't find any useful info in the service trace, it's good practice for capturing the information you need to send in to a PMR.

ganesh
Posted: Mon Sep 17, 2012 5:38 am
Master
Joined: 18 Jul 2010 Posts: 294
Quote:
you can run a broker service trace and see if you can find relevant information in there. I'm sure it's there, but I'm also reasonably sure it may not be straightforward to identify.
Yes Jeff, I have captured that and the trace says the error is due to an identity authentication failure.
Quote:
2012-09-16 21:39:27.884387 6316 MbLDAPSecurityProvider.authenticate file:F:\build\S700_P\src\DataFlowEngine\NativeTrace\ImbNativeTrace.cpp line:159 message:2702.BIPmsgs 'xxxx.yyyyy.com:636; socket closed Exception text is: xxxx.yyyyy.com:636; socket closed' , 'Username and password', 'cn=abc-serviceid,ou=TrustedApplications, ou=FrameworkSystems, o=efg', '', 'ldap://xxxx.yyyyy.com:636'
2012-09-16 21:39:27.884387 6316 UserTrace BIP2702W: The identity token type ''Username and password'', issued by '''', failed authentication with security provider ''ldap://xxxx.yyyyy.com:636''. (For a 'username' token type, the token is: ''cn=abc-serviceid,ou=TrustedApplications, ou=FrameworkSystems, o=efg''.)
The security provider specified failed to authenticate the provided identity token.
Ensure that the provided identity token is valid and that the specified security provider is configured to authenticate the specified identity token. If the security provider is shown as 'Cached', the authentication result is now being returned from the broker security cache. You can use the 'mqsireloadsecurity' command to clear the broker security cache. Check your security provider logs for information about why the identity token could not be authenticated.

mqjeff
Posted: Mon Sep 17, 2012 7:03 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
So that says that the ID you are presenting to the LDAP server to authenticate the broker to authenticate users is not valid.

ganesh
Posted: Mon Sep 17, 2012 7:07 am
Master
Joined: 18 Jul 2010 Posts: 294
mqjeff wrote:
So that says that the ID you are presenting to the LDAP server to authenticate the broker to authenticate users is not valid.
You are right, but the ID exists on the LDAP server and I am using the same ID and password for the input message and in the mqsisetdbparms command for the LDAP user name and password.
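The question raised earlier in the thread (is there a way to check whether the broker can reach the LDAP server?) and the point the thread ends on (the same ID and password are rejected when the broker presents them) both call for a way to try the bind outside the broker. As an added example that is not from the thread, from IBM or from the broker, here is a small Python probe that performs one LDAPv3 simple bind by hand: it BER-encodes a BindRequest (RFC 4511), sends it over TLS (ldaps) or plain TCP, and decodes the BindResponse, so you see the server's own resultCode and diagnosticMessage rather than the broker's BIP2702/BIP2703 wrapper (34 is invalidDNSyntax, 49 is invalidCredentials). Run it from the broker host with exactly the DN and password you gave mqsisetdbparms. The host, port, DN and password on the command line are yours; nothing in the block is taken from the thread's real environment. A peer that closes the socket without sending any BindResponse is reported as a ConnectionError rather than as a result code, because that is what a plaintext LDAP connection to a TLS-only listener produces, and it is not an authentication failure. The profile shown earlier combines an ldap:// URL with port 636, the conventional ldaps port; whichever is right for your server, trying the probe both with and without TLS tells you which one actually gets an answer. Without arguments it only exercises the encoder and decoder on a constructed code 34 response, offline.

```python
"""Minimal LDAPv3 simple-bind probe (added example, not broker code)."""
import socket
import ssl
import sys

RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    size = 1 if value == 0 else (value.bit_length() + 8) // 8
    return _tlv(tag, value.to_bytes(size, "big", signed=True))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, op))


def bind_response(msg_id, result_code, matched_dn="", diagnostic=""):
    """Encode a BindResponse [APPLICATION 1]; used to build the offline sample."""
    op = (_ber_int(result_code, tag=0x0A) + _tlv(0x04, matched_dn.encode())
          + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x61, op))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_response(buf):
    """Decode an LDAPMessage carrying a BindResponse into a dict."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("expected BindResponse, got protocolOp tag 0x%02x" % op_tag)
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "result_code": rc, "result_name": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched.decode(errors="replace"),
            "diagnostic": diag.decode(errors="replace")}


def try_bind(host, port, dn, password, use_tls=True, cafile=None, timeout=5.0):
    """One simple bind against host:port; returns the parsed BindResponse."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:                            # ldaps: TLS from the first byte (no StartTLS here)
        ctx = ssl.create_default_context(cafile=cafile)   # certificate is verified
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)
    if not data:
        # The peer closed the socket without answering: a plaintext LDAP
        # connection to a TLS-only port looks exactly like this.
        raise ConnectionError("%s:%d closed the socket without a BindResponse" % (host, port))
    return parse_bind_response(data)


if __name__ == "__main__":
    if len(sys.argv) >= 5:                  # probe.py HOST PORT BIND-DN PASSWORD [notls]
        host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
        print(try_bind(host, port, dn, pw, use_tls="notls" not in sys.argv[5:]))
    else:                                   # offline: constructed resultCode 34 response
        print(parse_bind_response(bind_response(1, 34, "", "invalid DN")))
```

The password travels in clear inside the BindRequest, which is why the TLS path is the default and why the ldap:// form should only be tried against a test listener; a capture of the plain form with Wireshark, as suggested above, would show the password verbatim. The probe does not implement StartTLS, so a server that only offers TLS on port 389 via StartTLS needs a different tool such as ldapsearch -ZZ.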