MQSeries.net Forum - WebSphere Message Broker (ACE) Support
Problem in configuring LDAP Authorization
ksrocks9
Posted: Thu Aug 20, 2015 9:50 am    Post subject: Problem in configuring LDAP Authorization

Apprentice

Joined: 11 Mar 2015
Posts: 35

I want to set LDAP Authorization for my flow. I gave these values to configure Security Profile in MQ.

Field Name : Value
Authentication : None
Authorization : LDAP
LDAP server : My host name
Identity mapping : No
Identity propagation : False
Reject Empty Password : False
LDAP baseDn : OU=users,DC=corp,DC=mycorpname,DC=com
LDAP Group BaseDN : CN=myGroupName,OU=All Groups,DC=corp,DC=Mycorpname,DC=com
Ldap UID Attr : Accname
Ldap Group Member : member

I am a member of that group, but I am unable to access the flow. I am configuring the Security Profile in the SOAP Input node's bar file level properties. I configured the policy set to WSS10Default and the policy set bindings to WSS10Default.
I am using this WS-Security header. I am sending the SOAP request with a WS-Security header and an empty password.

<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:actor="" SOAP-ENV:mustUnderstand="0">
<wsse:UsernameToken>
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"></wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>

This is the error for the request without a password:

BIP3113E: Exception detected in message flow testflow.SOAP Input (broker IB9NODE)
BIP2703W: The identity token type ''username'', issued by ''SOAP_WS_SECURITY'', was not authorized by security provider ''LDAP'' to access message flow ''testflow''. (For a 'username' token type, the token is: ''USERNAME''.)
<soapenv:Detail>
<Text>BIP2703W: The identity token type ''username'', issued by ''SOAP_WS_SECURITY'', was not authorized by security provider ''LDAP'' to access message flow ''testflow''. (For a 'username' token type, the token is: ''USERNAME''.)
If access is expected, ensure that the specified security provider has been configured to allow access to the specified message flow. If the security provider is shown as 'Cached', the authorization result is now being returned from the broker security cache. You can use the 'mqsireloadsecurity' command to clear the broker security cache. Check your security provider logs for information about why the identity token could not be authorized. : F:\build\slot1\S900_P\src\SecurityProviders\Ldap\ImbLdapSecurityProvider.cpp: 162: ImbLdapSecurityProvider::authorize: MessageFlow: e2754248-4f01-0000-0080-f5ffac27c799</Text>
</soapenv:Detail>

This is the error for the SOAP request with a password:

<soapenv:Value> axis2ns1:FailedAuthentication
<soapenv:Detail>
<Exception>org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: IBM Integration Bus BIP2703
………………………………………………


Please help me to solve this problem.


Thanks in advance,
KS
Vitor
Posted: Thu Aug 20, 2015 9:58 am    Post subject: Re: Problem in configuring LDAP Authorization

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ksrocks9 wrote:
Please help me to solve this problem.


What does the LDAP server have to say about why it rejected the user id / password combination?
_________________
Honesty is the best policy.
Insanity is the best defence.
ksrocks9
Posted: Thu Aug 20, 2015 12:07 pm

Apprentice

Joined: 11 Mar 2015
Posts: 35

I am getting different exceptions for the two requests. In the security profile I set Reject Empty Password to NULL. My question is why it is not allowing me to access the flow. Do I need to configure anything else along with the security profile?
Vitor
Posted: Thu Aug 20, 2015 12:33 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ksrocks9 wrote:
I set Reject Empty Password to NULL.


ksrocks9 wrote:
Reject Empty Password : False


That's not NULL, that's false (the default), which I suspect is what you get if you supply NULL to a field that can only take true or false.

ksrocks9 wrote:
My Question is why it is not allowing me to access the flow.


According to this:

Quote:
In the Reject Empty Password field, specify whether you want the security manager to reject a username that has an empty password token, without passing it to LDAP. The default is False, which means that a username is passed to LDAP even if it has an empty password token


So your setting says "even though there's no password, pass it to LDAP anyway". LDAP has refused to authorize the user id (because it expects a password) and you get the exception back in broker. Functioning as designed.

As to why you're getting the exception when you do pass a (presumably correct) password, I repeat my question about what the LDAP server has to say on why it rejected the attempt.

ksrocks9 wrote:
Do I need to configure anything else along with the security profile?


Not on the evidence you've provided.
_________________
Honesty is the best policy.
Insanity is the best defence.
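To make the point about Reject Empty Password concrete, here is an added example (my own code, not IBM's and not from the thread) of the gate that such a switch implements in front of the directory: it pulls the wsse:UsernameToken out of a SOAP 1.2 envelope and decides whether the token is forwarded to the LDAP provider or rejected before any bind is attempted. The three sample envelopes are constructed to mirror the header shapes posted in this thread (an empty wsse:Password element, no wsse:Password element at all, and a filled one); the function names are my own.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def _envelope(token_body: str) -> str:
    """Constructed SOAP 1.2 envelope mirroring the header shape posted in the thread."""
    return (
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
        f'xmlns:wsse="{WSSE}"><soap:Header>'
        '<wsse:Security soap:mustUnderstand="0"><wsse:UsernameToken>'
        f"{token_body}</wsse:UsernameToken></wsse:Security>"
        "</soap:Header><soap:Body/></soap:Envelope>"
    )


# Three constructed requests: empty wsse:Password element, no wsse:Password element, filled one
EMPTY_PASSWORD_ENVELOPE = _envelope(
    "<wsse:Username>username</wsse:Username>"
    f'<wsse:Password Type="{PASSWORD_TEXT}"></wsse:Password>')
NO_PASSWORD_ENVELOPE = _envelope("<wsse:Username>username</wsse:Username>")
WITH_PASSWORD_ENVELOPE = _envelope(
    "<wsse:Username>username</wsse:Username>"
    f'<wsse:Password Type="{PASSWORD_TEXT}">s3cret-constructed</wsse:Password>')


def extract_username_token(envelope_xml: str) -> dict:
    """Return the first wsse:UsernameToken in the header as a dict.
    A missing wsse:Password and an empty one both yield password == ''."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    user = token.find(f"{{{WSSE}}}Username")
    pwd = token.find(f"{{{WSSE}}}Password")
    return {
        "username": (user.text or "").strip() if user is not None else "",
        "has_password_element": pwd is not None,
        "password": (pwd.text or "") if pwd is not None else "",
        "password_type": pwd.get("Type", PASSWORD_TEXT) if pwd is not None else None,
    }


def gate_before_ldap(envelope_xml: str, reject_empty_password: bool) -> tuple[str, dict | None]:
    """Decide whether the token goes on to the directory.
    Returns ('reject', None) or ('forward', token)."""
    tok = extract_username_token(envelope_xml)
    if not tok["username"]:
        return ("reject", None)            # nothing to look up
    if tok["password_type"] not in (None, PASSWORD_TEXT):
        return ("reject", None)            # PasswordDigest cannot be verified by an LDAP bind
    if reject_empty_password and not tok["password"]:
        return ("reject", None)            # stopped here, LDAP never sees it
    # With the switch off (the default described above) an empty password is
    # forwarded, and it is the directory's refusal that comes back as BIP2703W.
    return ("forward", tok)


if __name__ == "__main__":
    for name, env in [("empty password", EMPTY_PASSWORD_ENVELOPE),
                      ("no password element", NO_PASSWORD_ENVELOPE),
                      ("with password", WITH_PASSWORD_ENVELOPE)]:
        for flag in (False, True):
            print(f"{name:20s} reject_empty_password={flag}: {gate_before_ldap(env, flag)[0]}")
```

Both "empty" shapes are treated the same by the gate, so the difference between the two requests posted above only matters to whatever the directory does with them.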
ksrocks9
Posted: Thu Aug 20, 2015 1:33 pm

Apprentice

Joined: 11 Mar 2015
Posts: 35

I set Reject Empty Password to FALSE. Sorry, you are correct. I am sending the request with the correct user name and password. It's not allowing me access. I am getting "Failed Authentication".
These are my complete exception details:
<soapenv:Text xml:lang="en-US">CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: IBM Integration Bus BIP2703</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail>
<Exception>org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: IBM Integration Bus BIP2703
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:131)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:236)
at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:372)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:199)
at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:3624)
at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2(Axis2Invoker.java:3166)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:669)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:615)
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: IBM Integration Bus BIP2703
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:138)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.getSoapSecurityException(CommonTokenConsumer.java:592)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:487)
at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2563)
at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2382)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:815)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
... 11 more
Caused by: IBM Integration Bus BIP2703
at com.ibm.broker.wssecurity.ImbUNTAuthenticatorLoginModule.login(ImbUNTAuthenticatorLoginModule.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:94)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:619)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:781)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
at java.security.AccessController.doPrivileged(AccessController.java:366)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:609)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:462)
... 15 more
Caused by: BIP2703W: com.ibm.broker.axis2.MbSoapException: Error Making Security JNI Call: MbLDAPSecurityProvider_authorize
at com.ibm.broker.axis2.SecurityManagerInteraction.validateUsernameAndPassword(Native Method)
at com.ibm.broker.axis2.SecurityManagerInteraction.validateUserAndStoreInTLS(SecurityManagerInteraction.java:132)
at com.ibm.broker.wssecurity.ImbUNTAuthenticatorLoginModule.login(ImbUNTAuthenticatorLoginModule.java:55)
... 27 more</Exception>
</soapenv:Detail>

Thanks,
KS
mqjeff
Posted: Fri Aug 21, 2015 4:29 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Again.

You *need* to talk to the LDAP admins to find out what it says about why you are failing authentication with valid credentials.
_________________
chmod -R ugo-wx /
Vitor
Posted: Fri Aug 21, 2015 4:52 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
You *need* to talk to the LDAP admins to find out what it says about why you are failing authentication with valid credentials.




Just because it's reported as an exception in the broker log doesn't mean the problem is within broker.
_________________
Honesty is the best policy.
Insanity is the best defence.
ksrocks9
Posted: Mon Aug 24, 2015 1:03 pm

Apprentice

Joined: 11 Mar 2015
Posts: 35

Thanks Vitor and Jeff. I think there is no problem from the LDAP server; it's working in MB7 with the same security profile.
Steps I followed in Message Broker 7 for LDAP authorization:
Creating Security Profile
mqsicreateconfigurableservice IIB9Node -c SecurityProfiles -o Test -n authorization,authorizationConfig,propagation,passwordValue -v "LDAP, \"ldap://ldap.corp.mycorp.com:389/CN=myGroupname,OU=All Groups,DC=corp,DC=MycropName,DC=com?member?sub?x-userBaseDN=OU=usersOU=Splusers%2cDC=corp%2cDC=Mycorpname%2cDC=com,x-uid_attr=attrname\",FALSE,PLAIN"

Configuring HTTP Port & Listeners

mqsichangeproperties IIB9Node -b httplistener -o HTTPListener -n startListener -v false

mqsichangeproperties IIB9Node -e Test -o ExecutionGroup -n httpNodesUseEmbeddedListener -v true

mqsichangeproperties IIB9Node -e Test -o HTTPConnector -n explicitlySetPortNumber -v 7890

I configured the Security Profile at bar file level:
SOAP Input Node -> Properties -> Configure :
Policy Set: WSS10Default
Policy Set Bindings: WSS10Default
Security Profile :Test


I followed the same procedure in Message Broker 7 and LDAP authorization is working successfully. I tried to implement the LDAP authorization in IIB and I am getting an error.

Soap Request:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:get="http://www.mycorp.com/xyzzzzz">
<soap:Header>
<wsse:Security soapenv:actor="" mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="unt_907818524">username</wsse:Username>

</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
…………………..
…………………..
</soap:Body>
</soap:Envelope>

SOAP Response:

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<soapenv:Fault>
<soapenv:Code>
<soapenv:Value>soapenv:Receiver</soapenv:Value>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en">BIP3113E: Exception detected in message flow Authorization_Test.Authorization_Test.SOAP Input (broker IIB9Node)</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail>
<Text>BIP2703W: The identity token type ''username'', issued by ''SOAP_WS_SECURITY'', was not authorized by security provider ''LDAP'' to access message flow ''Authorization_Test.Authorization_Test''. (For a 'username' token type, the token is: ''username''.)
If access is expected, ensure that the specified security provider has been configured to allow access to the specified message flow. If the security provider is shown as 'Cached', the authorization result is now being returned from the broker security cache. You can use the 'mqsireloadsecurity' command to clear the broker security cache. Check your security provider logs for information about why the identity token could not be authorized. : F:\build\slot1\S900_P\src\SecurityProviders\Ldap\ImbLdapSecurityProvider.cpp: 162: ImbLdapSecurityProvider::authorize: MessageFlow: f8eda960-4f01-0000-0080-cf7b4c5d1cde</Text>
</soapenv:Detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>


In Message Broker 7, without running the three HTTP port configuration commands, I got the same error. After executing those commands it was resolved.

In IIB I am getting the error even after following the same procedure. Do I need to configure anything else along with this in IIB for authorization?

Please help me. Thanks in advance.
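As an added example (my own code, not IBM's and not from the thread), here is a checker for the LDAP authorization URL that goes into the authorizationConfig value of the SecurityProfiles configurable service. It follows the shape of the mqsicreateconfigurableservice command posted above: ldap://host:port/groupDN?memberAttr?scope?x-userBaseDN=...,x-uid_attr=..., where the '?'-separated fields are the RFC 4516 URL structure and commas inside the x-userBaseDN value are percent-encoded as %2c because unencoded commas separate one extension from the next. The meaning of the two x- extensions is assumed from that command; the good and the unencoded-comma sample URLs are constructed; the third sample is the URL from the post above, which the checker flags because the decoded x-userBaseDN contains an RDN value with an embedded '='. Whether that was the cause of the failure is not something the thread settles.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

VALID_SCOPES = {"base", "one", "sub"}

# Constructed samples, plus the URL from the command posted in this thread
GOOD_URL = ("ldap://ldap.example.test:389/CN=flow-users,OU=Groups,DC=example,DC=test"
            "?member?sub?x-userBaseDN=OU=Users%2cDC=example%2cDC=test,x-uid_attr=sAMAccountName")
UNENCODED_COMMA_URL = ("ldap://ldap.example.test/CN=flow-users,OU=Groups,DC=example,DC=test"
                       "?member?sub?x-userBaseDN=OU=Users,DC=example,DC=test")
THREAD_URL = ("ldap://ldap.corp.mycorp.com:389/CN=myGroupname,OU=All Groups,DC=corp,DC=MycropName,DC=com"
              "?member?sub?x-userBaseDN=OU=usersOU=Splusers%2cDC=corp%2cDC=Mycorpname%2cDC=com,x-uid_attr=attrname")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs. Only unescaped commas
    separate RDNs; a backslash escapes the following character (RFC 4514)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_problems(label: str, dn: str) -> list[str]:
    """An unparsable DN, or an RDN value with an embedded '=' (which usually
    means the %2c between two RDNs was left out), is reported."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [f"{label}: {exc}"]
    return [f"{label}: RDN value {v!r} contains '=', a %2c separator between two RDNs may be missing"
            for _, v in pairs if "=" in v]


@dataclass
class LdapAuthzUrl:
    host: str
    port: int
    group_dn: str
    member_attr: str
    scope: str
    extensions: dict[str, str]
    problems: list[str] = field(default_factory=list)


def check_ldap_authz_url(url: str) -> LdapAuthzUrl:
    """Parse ldap://host:port/groupDN?memberAttr?scope?ext,ext and list anything
    that would stop the profile from locating the group or the user base."""
    parts = urlsplit(url)
    problems: list[str] = []
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("no LDAP host in URL")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    group_dn = unquote(parts.path.lstrip("/"))
    # RFC 4516 puts '?'-separated fields after the DN; this profile uses attr?scope?extensions
    fields = (parts.query.split("?") if parts.query else []) + ["", "", ""]
    member_attr, scope, ext_raw = fields[0], fields[1], fields[2]
    if not group_dn:
        problems.append("group base DN missing")
    else:
        problems += dn_problems("group DN", group_dn)
    if not member_attr:
        problems.append("group membership attribute (e.g. member) missing")
    if scope not in VALID_SCOPES:
        problems.append(f"scope must be one of base/one/sub, got {scope!r}")
    extensions: dict[str, str] = {}
    for item in (ext_raw.split(",") if ext_raw else []):
        key, sep, value = item.partition("=")
        if not sep or not key.startswith("x-"):
            problems.append(f"unexpected extension {item!r}: unencoded ',' inside a DN extension? encode DN commas as %2c")
            continue
        extensions[key] = unquote(value)   # the decoded DN is what the provider would search under
    if "x-userBaseDN" in extensions:
        problems += dn_problems("x-userBaseDN", extensions["x-userBaseDN"])
    return LdapAuthzUrl(parts.hostname or "", port, group_dn, member_attr, scope, extensions, problems)


if __name__ == "__main__":
    for name, url in [("good", GOOD_URL), ("unencoded commas", UNENCODED_COMMA_URL), ("thread", THREAD_URL)]:
        result = check_ldap_authz_url(url)
        print(f"{name}: host={result.host}:{result.port} problems={result.problems or 'none'}")
```

Running the checker over a profile's URL before creating the configurable service catches the encoding mistakes that otherwise surface only as a generic BIP2703W after the directory search fails.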
smdavies99
Posted: Mon Aug 24, 2015 11:03 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Please don't double post!
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Vitor
Posted: Tue Aug 25, 2015 4:22 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

smdavies99 wrote:
Please don't double post!


The duplicate is locked.
_________________
Honesty is the best policy.
Insanity is the best defence.
ksrocks9
Posted: Tue Aug 25, 2015 7:38 am

Apprentice

Joined: 11 Mar 2015
Posts: 35

Sorry Vitor, I won't post like this. I don't know about the duplicates. I am using IIB 9.0.0.3. Is there any way to solve this problem?
Vitor
Posted: Tue Aug 25, 2015 8:04 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ksrocks9 wrote:
Sorry Vitor, I won't post like this. I don't know about the duplicates.


The etiquette of this forum frowns on duplicates.

ksrocks9 wrote:
I am using IIB 9.0.0.3


So you said.

ksrocks9 wrote:
Is there any way to solve this problem?


Find out why the LDAP server is refusing you, as described above. Once you've determined that, you'll determine what other steps are needed (if any) in IIB.
_________________
Honesty is the best policy.
Insanity is the best defence.
ksrocks9
Posted: Thu Aug 27, 2015 12:51 pm

Apprentice

Joined: 11 Mar 2015
Posts: 35

I found this error in the user trace:

Failed to search LDAP for user ''ldap://ldap.corp.name.com:389'' with user name ''anonymous'' for binding. The following explanation was returned: 'javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db10000]'

An attempt was made to get the full Distinguished Name of ''ldap://ldap.corp.name.com:389'', using a bind with user name ''anonymous''.
Ensure that the user name supplied has permission to look up the given user. If necessary use mqsisetdbparms to specify a different user name and password to bind to the server.

I am unable to bind with LDAP. Why is it sending as anonymous?
mqjeff
Posted: Thu Aug 27, 2015 12:58 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Because you forgot to mqsisetdbparms?
_________________
chmod -R ugo-wx /
ksrocks9
Posted: Thu Aug 27, 2015 1:16 pm

Apprentice

Joined: 11 Mar 2015
Posts: 35

My broker is already associated with the username (ABC.DEV) and password. Do I need to run the mqsisetdbparms command again?

I am confused; I don't know whether the broker sends the broker-associated name for binding with LDAP or an anonymous name, or whether the broker-associated username doesn't have permission to bind with LDAP. Does the broker send the anonymous name or the associated name?


In MB7 I am able to bind with LDAP with the same security profile.
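The user-trace message quoted a few posts up carries three separately decodable facts: the identity the broker bound with, the LDAP result code, and the Active Directory error code that follows it. As an added example (my own code, not IBM's and not from the thread), this parser pulls those out of a trace line of that shape and maps them: LDAP result code 1 is operationsError (RFC 4511), and the 000004DC that Active Directory appends is Win32 error 1244, ERROR_NOT_AUTHENTICATED, the directory refusing an unauthenticated (anonymous) search. The first sample line is the one from the post above; the second is constructed to show a result-code-49 bind failure with an AD 'data' sub-code. The ldap::<server> resource name in the hint is the mqsisetdbparms convention as I know it, not something stated in the thread.

```python
from __future__ import annotations
import re

# LDAP result codes (RFC 4511) that most often appear in bind/search failures
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 32: "noSuchObject", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}
# Error codes Active Directory appends after the LDAP result code (hex in the message)
WINDOWS_ERRORS = {
    0x4DC: "ERROR_NOT_AUTHENTICATED",   # 1244: a bind is required before this operation
    0x52E: "ERROR_LOGON_FAILURE",       # 1326: bad user name or password
    0x80090308: "SEC_E_INVALID_TOKEN",  # usual companion of result code 49 on AD
}
# 'data' sub-codes AD returns together with result code 49
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

TRACE_RE = re.compile(
    r"Failed to search LDAP for user ''(?P<server>[^']+)'' "
    r"with user name ''(?P<bind_user>[^']+)'' for binding\..*?"
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]+): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v",
    re.DOTALL,
)

# The trace line posted in this thread
THREAD_TRACE = (
    "Failed to search LDAP for user ''ldap://ldap.corp.name.com:389'' with user name ''anonymous'' "
    "for binding. The following explanation was returned: 'javax.naming.NamingException: "
    "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this "
    "operation a successful bind must be completed on the connection., data 0, v1db10000]'"
)
# Constructed: a named bind account whose password AD rejected
CONSTRUCTED_TRACE = (
    "Failed to search LDAP for user ''ldap://ldap.example.test:389'' with user name "
    "''CN=svc-broker,OU=Service,DC=example,DC=test'' for binding. The following explanation was "
    "returned: 'javax.naming.NamingException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]'"
)


def parse_bind_failure(text: str) -> dict | None:
    """Extract server, bind identity and the three error codes from a trace line;
    None if the line is not an LDAP bind/search failure of this shape."""
    m = TRACE_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"])
    d["result"] = LDAP_RESULT_CODES.get(d["code"], "unknown")
    d["win32_name"] = WINDOWS_ERRORS.get(int(d["win32"], 16), "unknown")
    d["subcode_meaning"] = AD_BIND_SUBCODES.get(d["data"].lower()) if d["code"] == 49 else None
    return d


def triage(text: str) -> str:
    """One-line reading of the failure for whoever owns the broker."""
    d = parse_bind_failure(text)
    if d is None:
        return "not an LDAP bind/search failure line"
    if d["bind_user"].lower() == "anonymous":
        return (f"broker bound anonymously to {d['server']} and the directory refused the search "
                f"({d['result']}/{d['win32_name']}); give the broker a bind identity for that server "
                f"with mqsisetdbparms (resource name ldap::<server>, assumed convention)")
    if d["code"] == 49:
        return (f"bind as {d['bind_user']} rejected: {d['subcode_meaning'] or 'invalid credentials'} "
                f"(AD data {d['data']})")
    return f"bind as {d['bind_user']} failed with {d['result']} ({d['win32_name']}): {d['comment']}"


if __name__ == "__main__":
    for line in (THREAD_TRACE, CONSTRUCTED_TRACE, "BIP2703W: something else entirely"):
        print(triage(line))
```

The split between "the broker never authenticated to the directory" (code 1 with 0x4DC, bind user anonymous) and "the broker authenticated with the wrong secret" (code 49 with a data sub-code) is exactly the distinction the replies above ask the poster to get from the LDAP side, and it is readable from the trace without the LDAP admins.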