Authorization Error -- Contact your Security Administrator - peoplesoft

The PeopleSoft database, application server, and web server are up and running.
I am unable to log in to PIA as VP1 because of "Authorization Error -- Contact your Security Administrator".
Below are the Application Server Logs:
PSAPPSRV.10180 (26) [2020-02-04T01:49:30.513 GetCertificate] z9skwzRuICAUWA 3282132548821545985 - (3) Returning context. ID=VP1, Lang=ENG, UStreamId=014930507_10180.26, Token=PSFT_EP/2020-02-03-17.49.30.000001/VP1/ENG/nE8KiNyFebhVeORMN7uI+lf5Xwo=
PSMONITORSRV.15420 [2020-02-04T02:21:55.691] - - - (2) (PerfMon Agent) Registered successfully
PSAPPSRV.10180 (29) [2020-02-04T02:58:16.275 GetCertificate] wLjLvrMO3yG3uQ 2085807486657797121 - (3) Returning context. ID=VP1, Lang=ENG, UStreamId=025816275_10180.29, Token=PSFT_EP/2020-02-03-18.58.16.000000/VP1/ENG/uXTGd2i5x206untuoiqPMRHPfgQ=

You usually get that error message when the user does not have any roles. Ensure that VP1 has roles assigned to it.
If you have database access, the following SQL may help:
-- Check if they have roles
select * from PSROLEUSER where ROLEUSER = 'VP1';
-- Check to see what permission lists the roles assigned to the user grant them.
select * from PSOPRCLS where OPRID = 'VP1';
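As an added check (this is not code from the post above, nor PeopleSoft's own tooling), the following script runs the same kind of role and permission-list lookup against a throwaway in-memory copy of the PeopleTools security tables. It assumes the standard table names PSOPRDEFN (OPRID, ACCTLOCK), PSROLEUSER (ROLEUSER, ROLENAME) and PSROLECLASS (ROLENAME, CLASSID); the sample rows are constructed for the demo so that VP1 reproduces the "no roles" situation, PS is a healthy user, and HOLD is locked.

```python
"""Added example: explain a PeopleSoft sign-on refusal from the security tables.

Assumed schema (standard PeopleTools names, trimmed to the columns used here):
  PSOPRDEFN  (OPRID, ACCTLOCK)     -- user profile; ACCTLOCK=1 means locked
  PSROLEUSER (ROLEUSER, ROLENAME)  -- role membership
  PSROLECLASS(ROLENAME, CLASSID)   -- permission lists granted by a role
"""
import sqlite3

SCHEMA = """
CREATE TABLE PSOPRDEFN  (OPRID TEXT PRIMARY KEY, ACCTLOCK INTEGER NOT NULL DEFAULT 0);
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT, PRIMARY KEY (ROLEUSER, ROLENAME));
CREATE TABLE PSROLECLASS(ROLENAME TEXT, CLASSID TEXT, PRIMARY KEY (ROLENAME, CLASSID));
"""

# Constructed sample data: VP1 exists but has no roles (the symptom in the post);
# PS has one role that grants one permission list; HOLD is locked out.
SAMPLE = [
    ("INSERT INTO PSOPRDEFN VALUES (?, ?)", [("VP1", 0), ("PS", 0), ("HOLD", 1)]),
    ("INSERT INTO PSROLEUSER VALUES (?, ?)", [("PS", "PeopleSoft User"), ("HOLD", "PeopleSoft User")]),
    ("INSERT INTO PSROLECLASS VALUES (?, ?)", [("PeopleSoft User", "PTPT1000")]),
]

# Roles and the permission lists they grant, resolved in one pass.
# The OPRID is a bound parameter, never concatenated into the SQL text.
ROLE_QUERY = """
SELECT ru.ROLENAME, rc.CLASSID
  FROM PSROLEUSER ru
  LEFT JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
 WHERE ru.ROLEUSER = ?
 ORDER BY ru.ROLENAME, rc.CLASSID
"""


def open_demo_db():
    """Build the in-memory demo database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def diagnose(conn, oprid):
    """Return a report explaining why sign-on for oprid may be refused."""
    row = conn.execute("SELECT ACCTLOCK FROM PSOPRDEFN WHERE OPRID = ?", (oprid,)).fetchone()
    if row is None:
        return {"exists": False, "locked": None, "roles": [], "classes": [],
                "verdict": "no such user profile"}
    locked = bool(row[0])
    roles, classes = set(), set()
    for rolename, classid in conn.execute(ROLE_QUERY, (oprid,)):
        roles.add(rolename)
        if classid is not None:
            classes.add(classid)
    if locked:
        verdict = "account locked (PSOPRDEFN.ACCTLOCK=1)"
    elif not roles:
        verdict = "no roles assigned: expect 'Authorization Error -- Contact your Security Administrator'"
    elif not classes:
        verdict = "roles assigned but none of them grants a permission list"
    else:
        verdict = "ok"
    return {"exists": True, "locked": locked, "roles": sorted(roles),
            "classes": sorted(classes), "verdict": verdict}


if __name__ == "__main__":
    db = open_demo_db()
    for user in ("VP1", "PS", "HOLD", "NOBODY"):
        print(user, diagnose(db, user))
```

ROLE_QUERY runs unchanged against the real database (replace the `?` placeholder with your SQL client's bind syntax); the locked-account branch is included because a locked profile produces a sign-on failure that is easy to confuse with the missing-roles one.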

How to resolve LDAP: error code 19 - pwdFailureTime: no user modification allowed for OPEN LDAP

While unlocking an account I am getting this error message:
LDAP: error code 19 - pwdFailureTime: no user modification allowed
I tried giving different values for the attribute 'pwdAccountLockedTime' on the LDAP-managed system from Apache Directory Studio, but I am getting the same error message.
Error Code 19: constraintViolation
"Indicates that the client supplied an attribute value that does not conform to the constraints placed upon it by the data model." See the OpenLDAP documentation.
You are not allowed to change pwdFailureTime. It is defined in the password policy.
Unlock User:
Modify userPassword with admin privileges. Depending on your policy settings (passwordMustChange, etc.) the user should change their initial password to a final (not initial) password. Then nsAccountLock will be "automatically" cleared.

Add Roles fetched from SQL Server as Claims to AD FS Relying Party Trust

I'm authenticating users of an asp.net mvc web site by using ADFS Server 2016 passive redirection, and I cannot get claims from a SQL attribute store. I'm interested in discovering what I am doing wrong or missing.
Side note: I'm using the System.Identity libraries from Framework 4.5 (I'm not referencing the Microsoft.Identity libraries created for older framework versions; most ADFS code samples that I stumble across use these old libraries).
The basics are working well. All of this is in one domain. I have my asp.net web.config set up to redirect users to my ADFS server for authentication. The ADFS server successfully authenticates and redirects users back to my asp.net web site. On the ADFS I have one Claim Issuance Policy rule where I simply pass back all claims from the Active Directory.
On the web site I am able to iterate through the user's Claims collection and display them. Here is the code from the *.cshtml page where I iterate through the claims; it works fine:
@using System.Security.Claims;
@{
    var currentPrincipalIdentity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity;
}
@foreach (Claim claim in currentPrincipalIdentity.Claims)
{
    <br/>@claim.Type : @claim.Value
}
In addition to these claims from Active Directory, I want to fetch a bunch of roles from a SQL Server database and add them to the Claims collection as roles. I'm fetching the roles from a legacy asp.net Membership database. As step 1 I just want to hard-code the username in the SQL statement (eventually I will need to figure out how to pass the username as a parameter to the SQL statement, but that will be step 2).
First, I gave the identity that the ADFS server runs under read/write/execute permissions on my SQL Server (when I take these permissions away I get a permissions error, which gives me confidence that my SQL statement is executing).
In my AD FS I added a SQL Server Attribute Store by right-clicking the "Attribute Stores" node, selecting an Attribute store type of "SQL", naming it "SQLServer", and adding a connection string like so:
Server=SqlDev01; Database=MyLegacyMembershipDatabase; Integrated Security=SSPI;
I then select the "Relying Party Trusts" folder, select the trust I am interested in, and select "Edit Claim Issuance Policies." I have one rule there that works; it simply passes back all Active Directory claims. I can see all of these claims on my web page (upn, name, windowsaccountname, all of my group sids, and etc):
c:[]
=> issue(claim = c);
I'm trying to add a 2nd custom rule to read a legacy membership database. In my ADFS I click "Add Rule", "Send Claims Using a Custom Rule", and add this as the rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => add(store = "SQLServer",
        types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
        query = "select r.RoleName AS Role from dbo.aspnet_Roles r INNER JOIN dbo.aspnet_UsersInRoles uir ON r.RoleId = uir.RoleId INNER JOIN dbo.aspnet_Users u ON uir.UserId = u.UserId WHERE u.UserName = '[hard-coded value here]' OR u.UserName={0}",
        param = c.Value);
It saves fine, but when I re-run the page nothing changes; I still get the original collection of Active Directory claims, but not the data from SQL Server.
I am confident the SQL Server statement is executing, because if I remove permissions for the identity that ADFS runs under from the SQL Server I get an error, and if I deliberately garble the SQL syntax I get an error. If I reverse these deliberate mistakes then the page functions properly again. But I never see the Roles that I want to see in the Claims collection.
From my understanding of custom rules, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" is passed as a parameter into the query, that is why I have the OR statement above; my ultimate goal is to pass the user's UPN as a parameter into the SQL query.
Am I missing something or doing something wrong? Bonus question--assuming I get this working, can you tell me how to pass the user's UPN as a parameter into the SQL query?
Try an "issue" rule rather than an "add".
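The fix the answer suggests, applied with the ADFS PowerShell module instead of the MMC, as an added example (not code from the question or the answer). It reuses the "SQLServer" store name and connection string from the question; "MyWebSite" is a hypothetical relying party display name.

```powershell
# Added example: replace the relying party's issuance rules with a pass-through
# rule plus an issue(...) rule that reads roles from the legacy membership tables.
# Assumed names: attribute store "SQLServer" and the connection string from the
# question; "MyWebSite" is a hypothetical relying party display name.
Import-Module ADFS

# 1. Register the SQL attribute store (skip if it already exists in the MMC).
Add-AdfsAttributeStore -Name "SQLServer" -StoreType "SQL" `
    -Configuration "Server=SqlDev01; Database=MyLegacyMembershipDatabase; Integrated Security=SSPI;"

# 2. Full rule set. Set-AdfsRelyingPartyTrust replaces the whole set, so the
#    existing pass-through rule is repeated here.
#    issue(...) writes the SQL rows straight into the outgoing token; add(...)
#    only puts them in the pipeline's working set for later rules to read, which
#    is why the question's rule executed without error yet changed nothing.
#    {0} is bound to param = c.Value: the UPN travels as a query parameter and is
#    never pasted into the SQL text.
$rules = @'
@RuleName = "Pass through all AD claims"
c:[]
 => issue(claim = c);

@RuleName = "Roles from legacy membership database"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "SQLServer",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT r.RoleName FROM dbo.aspnet_Roles r INNER JOIN dbo.aspnet_UsersInRoles uir ON r.RoleId = uir.RoleId INNER JOIN dbo.aspnet_Users u ON uir.UserId = u.UserId WHERE u.UserName = {0}",
          param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "MyWebSite" -IssuanceTransformRules $rules

# 3. Read the stored rules back to confirm the change took.
(Get-AdfsRelyingPartyTrust -TargetName "MyWebSite").IssuanceTransformRules
```

The query must return exactly one column per entry in types. If aspnet_Users.UserName holds the pre-Windows-2000 account name rather than the UPN, bind the windowsaccountname claim instead of upn, otherwise the lookup matches nothing and no role claims are issued.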

kapua , Kura client is not authorized to write to: topic://VirtualTopic.hahaha.kapua

When Kura published to localhost:1883 on Kapua, I got the following errors:
WARN o.e.k.b.c.p.KapuaSecurityBrokerFilter - User 1:kapua-broker (kapua-broker - tcp://10.0.2.2:56178 - conn id 1840321435420579455) is not authorized to write to: topic://VirtualTopic.hahaha.kapua-broker.DHT11Sensor.DHT11Data
13:26:43.493 [ActiveMQ NIO Worker 5] WARN o.a.a.b.TransportConnection.Service - Security Error occurred on connection to: tcp://10.0.2.2:56178, User 1:kapua-broker (kapua-broker - tcp://10.0.2.2:56178 - conn id 1840321435420579455) is not authorized to write to: topic://VirtualTopic.hahaha.kapua-broker.DHT11Sensor.DHT11Data
13:26:43.493 [ActiveMQ NIO Worker 5] WARN o.a.a.t.mqtt.MQTTProtocolConverter - Failed to send MQTT Publish:
13:26:48.495 [ActiveMQ NIO Worker 6] WARN o.e.k.b.c.p.KapuaSecurityBrokerFilter - User 1:kapua-broker (kapua-broker - tcp://10.0.2.2:56178 - conn id 1840321435420579455) is not authorized to write
As I know, Kapua has ACL access rules that define who can publish / subscribe / admin on different topics/channels on the broker.
If you connected to Kapua with a user that has broker privileges, then you could write only to topic:
topic://VirtualTopic.{account-name}.{client-id}
Now in your case that would mean that you have account hahaha and a client with id kapua-broker. Is that the case? If not, set the topic accordingly.
For example to something like this:
topic://VirtualTopic.kapua-sys.client-1.DHT11Sensor.DHT11Data
and when you connect with the kapua-broker user specify client-1 as client id. The kapua-broker user is under the kapua-sys account (that is a bit confusing as kapua-sys is also a user).
Does this help you?
I cannot comment on @uros-mesaric's question. Its answer is correct.
Below there is just a clarification.
In Kapua you are allowed to publish/subscribe according to your user permissions.
If your user has only the broker:connect permission you can publish/subscribe only on topic:
{account-name}/{connectionClientId}/{semanticTopic}
In your specific case you should publish/subscribe on topic:
kapua-sys/1840321435420579455/DHT11Sensor/DHT11Data
kapua-sys is the account name to which the user kapua-broker belongs,
while 1840321435420579455 is the clientId used to create the connection.
Please note that the username used to connect and the account name are two different things in Kapua. An account has multiple users.
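The topic rule both answers above describe, as an added example (this is not Kapua project code and not from the thread). It models only what the answers state: a user holding just broker:connect may publish or subscribe under {account}/{clientId}/..., plus the rewriting ActiveMQ's MQTT transport applies to topic names, which is what turns a publish on hahaha/kapua-broker/... into the topic://VirtualTopic.hahaha.kapua-broker... destination seen in the broker log. Kapua's wider permission model is deliberately not modelled; the sample log line is copied from the question, unwrapped.

```python
"""Added example: Kapua connect-only topic scoping and ActiveMQ MQTT name mapping.

Only the rule stated in the thread is implemented: a user with just
broker:connect is confined to {account}/{clientId}/<semantic topic>.
"""
from dataclasses import dataclass

ACTIVEMQ_PREFIX = "topic://VirtualTopic."

# Copied from the question's broker log (one line, un-wrapped).
SAMPLE_LOG = (
    "13:26:43.493 [ActiveMQ NIO Worker 5] WARN o.a.a.b.TransportConnection.Service - "
    "Security Error occurred on connection to: tcp://10.0.2.2:56178, User 1:kapua-broker "
    "(kapua-broker - tcp://10.0.2.2:56178 - conn id 1840321435420579455) is not authorized "
    "to write to: topic://VirtualTopic.hahaha.kapua-broker.DHT11Sensor.DHT11Data"
)


@dataclass(frozen=True)
class Connection:
    account: str    # Kapua account the user belongs to (kapua-sys for kapua-broker)
    username: str   # MQTT username; not the same thing as the account
    client_id: str  # MQTT client id chosen by the device


def mqtt_to_activemq(topic: str) -> str:
    """ActiveMQ's MQTT transport maps '/'->'.', '+'->'*', '#'->'>', and Kapua
    fronts the result with the VirtualTopic prefix that appears in the log."""
    return ACTIVEMQ_PREFIX + topic.replace("/", ".").replace("+", "*").replace("#", ">")


def activemq_to_mqtt(destination: str) -> str:
    """Inverse mapping, for reading destinations back out of broker log lines."""
    if not destination.startswith(ACTIVEMQ_PREFIX):
        raise ValueError(f"not a Kapua virtual topic: {destination}")
    body = destination[len(ACTIVEMQ_PREFIX):]
    return body.replace(".", "/").replace("*", "+").replace(">", "#")


def is_authorized(conn: Connection, topic: str) -> bool:
    """True when a connect-only user may publish/subscribe on topic."""
    scope = f"{conn.account}/{conn.client_id}/"
    if not topic or topic.startswith("$") or "//" in topic:
        return False  # reserved or malformed topic
    if not topic.startswith(scope):
        return False  # wrong account or client id, or a wildcard trying to widen the scope
    return len(topic) > len(scope)  # a semantic topic must follow the scope


def explain_denial(log_line: str):
    """Split a 'not authorized to write to: <dest>' log line into its parts."""
    marker = "not authorized to write to: "
    if marker not in log_line:
        return None
    destination = log_line.split(marker, 1)[1].split()[0]
    parts = activemq_to_mqtt(destination).split("/")
    return {
        "destination": destination,
        "account": parts[0],
        "client_id": parts[1] if len(parts) > 1 else "",
        "semantic_topic": "/".join(parts[2:]),
    }


if __name__ == "__main__":
    broker_user = Connection(account="kapua-sys", username="kapua-broker", client_id="client-1")
    for t in ("hahaha/kapua-broker/DHT11Sensor/DHT11Data",
              "kapua-sys/client-1/DHT11Sensor/DHT11Data",
              "kapua-sys/+/DHT11Sensor/DHT11Data"):
        print(f"{t:45} -> {mqtt_to_activemq(t)} allowed={is_authorized(broker_user, t)}")
    print(explain_denial(SAMPLE_LOG))
```

Running explain_denial on the log line from the question yields account "hahaha" and client id "kapua-broker", which is exactly the mismatch the first answer points out: the device was publishing under an account it does not belong to, with the username in the client-id position.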

OpenAM J2EE agent installation bringing down tomcat

OpenAM version 12, agent versions 3.5 and 3.3, Tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE agent. Let me paste the steps after asking the question (see at the end),
but I am getting the error as asked below:
Not able to configure J2ee agent on adding my customized data store for users
I have tried version 3.5, installed and uninstalled multiple times, and tried the previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP, so I have used an LDAP realm and subjects are showing up OK. Also I am observing that the policy tab has changed quite a bit from how it is described in the blogs.
Now with this roadblock I am not sure how to proceed, as the error is not giving me any clue what to do. I even added a file named AMConfig.properties to the classpath with the username and password of the agent, and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned, but that did not help either.
The issue is that Tomcat now is not starting and gives the error that AMConfig.properties properties are needed.
I know the OpenAM realm setup is good as I am able to log in via this realm to another application (Liferay), where I just have to give the URL to use the OpenAM integration. After uninstallation of the agent, Tomcat starts without any error and I am able to log in to the application.
-------------------Step copied from 1st link(modified)--------------------------
1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add subjects - already part of the LDAP realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM
For Share you need to have the following section uncommented in your share-config-custom.xml (the element names were lost from the post and are restored here from the stock Alfresco Share remote-endpoint configuration; the values are the post's own):
<config evaluator="string-compare" condition="Remote">
  <remote>
    <keystore>
      <path>alfresco/web-extension/alfresco-system.p12</path>
      <type>pkcs12</type>
      <password>alfresco-system</password>
    </keystore>
    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
    </connector>
    <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      <userHeader>SsoUserHeader</userHeader>
    </connector>
    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoHeader</connector-id>
      <endpoint-url>http://alfreso.domain.com:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>
Notice I am not using the SSL cert, and in my alfrescoHeader connector I have used SsoUserHeader (as set up in OpenAM), and the endpoint uses the alfrescoHeader connector.
Now you need to add the OpenAM filter to the Share web.xml file.
Add the following filter just before the Share SSO authentication support filter:
<filter>
  <filter-name>Agent</filter-name>
  <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
Add the following filter mapping to the filter-mapping section (the url-pattern element did not survive in the post; /* is the agent's usual mapping and is assumed here):
<filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
----- End ----------
The error message is a bit misleading: "Cannot obtain application SSO token" in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file; those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as that user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value of the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having a bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: the agent's JVM does not trust the certificate of OpenAM's container (only a problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or simply not trusted by the JVM)

Cannot create new connection or login to added user?

I am using Oracle SQL Developer to connect to Oracle Express 11g and create a new user. I keep getting the same error when I try to create a new connection (and test it) or when I try to log in with a newly created username and password (made by right-clicking the "Other Users" table in the default connection "xe").
The error:
Failure - Test Failed: ORA-01017: invalid username/password; logon denied
How can I fix this issue?
It seems you're using a user without enough privileges; try with the "system" user.
That should solve your problem.
Verify the privileges of the user you created.
