WSO2 User Management API Sample and Active Directory - wso2-api-manager
I have the sample code working perfectly if I use the default user store.
Using AD as the user store, I can add users with the WSO2 Management Console, but some API calls fail.
The API does create the role, and it looks like it partially creates the user, but then it craps out.
Here is the relevant part of the server log:
[2015-08-27 20:36:44,306] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - wso2_admin user has permitted role : admin
[2015-08-27 20:36:44,307] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'WSO2_Admin@carbon.super [-1234]' logged in at [2015-08-27 20:36:44,307+0000]
[2015-08-27 20:36:44,458] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : wso2_admin resource /permission/admin/configure/security action : ui.execute
[2015-08-27 20:36:44,459] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin/configure/security Action: ui.execute
[2015-08-27 20:36:44,459] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: admin
[2015-08-27 20:36:44,459] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin/configure/security action : ui.execute
[2015-08-27 20:36:44,459] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : admin
[2015-08-27 20:36:44,459] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - wso2_admin user has permitted role : admin
[2015-08-27 20:36:44,460] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: localhost
[2015-08-27 20:36:44,460] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=localhost))
[2015-08-27 20:36:44,680] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:44,686] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: localhost exist: false
[2015-08-27 20:36:44,753] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: localhost
[2015-08-27 20:36:44,754] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=localhost))
[2015-08-27 20:36:44,982] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:44,983] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: localhost exist: false
[2015-08-27 20:36:45,326] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user WSO2_Testuser_7
[2015-08-27 20:36:45,552] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(cn=WSO2_Testuser_7)) in SearchBase:
[2015-08-27 20:36:45,553] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for WSO2_Testuser_7 is null
[2015-08-27 20:36:45,554] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: WSO2_Testuser_7 exist: false
[2015-08-27 20:36:45,623] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user WSO2_Testuser_7
[2015-08-27 20:36:45,832] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(cn=WSO2_Testuser_7)) in SearchBase:
[2015-08-27 20:36:45,833] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for WSO2_Testuser_7 is null
[2015-08-27 20:36:45,834] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: WSO2_Testuser_7 exist: false
[2015-08-27 20:36:45,834] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: localhost
[2015-08-27 20:36:45,834] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=localhost))
[2015-08-27 20:36:46,035] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:46,037] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: localhost exist: true
[2015-08-27 20:36:46,037] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: loginOnly
[2015-08-27 20:36:46,037] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=loginOnly))
[2015-08-27 20:36:46,254] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:46,256] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: loginOnly exist: true
[2015-08-27 20:36:46,257] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user WSO2_Testuser_7
[2015-08-27 20:36:46,484] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(cn=WSO2_Testuser_7)) in SearchBase:
[2015-08-27 20:36:46,486] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for WSO2_Testuser_7 is null
[2015-08-27 20:36:46,486] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: WSO2_Testuser_7 exist: false
[2015-08-27 20:36:46,699] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - AttributeName: sn AttributeValue: Powell
[2015-08-27 20:36:46,699] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - AttributeName: mail AttributeValue: andy.powell@outlook.com
[2015-08-27 20:36:46,699] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - AttributeName: givenName AttributeValue: Andrew
[2015-08-27 20:36:46,955] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(cn=WSO2_Testuser_7)) in SearchBase:
[2015-08-27 20:36:46,957] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for WSO2_Testuser_7 is CN=WSO2_Testuser_7,OU=IAM,DC=local
[2015-08-27 20:36:47,176] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: localhost
[2015-08-27 20:36:47,176] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=localhost))
[2015-08-27 20:36:47,376] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:47,378] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: localhost exist: true
[2015-08-27 20:36:47,379] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - Modifying role: CN=localhost with type: 1 user: CN=WSO2_Testuser_7,OU=IAM,DC=local in search base: OU=IAM,DC=local
[2015-08-27 20:36:47,642] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - User: CN=WSO2_Testuser_7,OU=IAM,DC=local was successfully modified in LDAP group: CN=localhost
[2015-08-27 20:36:47,643] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: loginOnly
[2015-08-27 20:36:47,643] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=loginOnly))
[2015-08-27 20:36:47,925] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in OU=IAM,DC=local
[2015-08-27 20:36:47,927] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: loginOnly exist: true
[2015-08-27 20:36:47,929] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - Modifying role: CN=loginOnly with type: 1 user: CN=WSO2_Testuser_7,OU=IAM,DC=local in search base: OU=IAM,DC=local
[2015-08-27 20:36:48,145] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - User: CN=WSO2_Testuser_7,OU=IAM,DC=local was successfully modified in LDAP group: CN=loginOnly
NOTE: WSO2_Testuser_7 was not actually created in AD.
Here is the Eclipse Console message:
org.wso2.carbon.user.core.UserStoreException: Error while enabling the user account. Please check password policy at DC
at org.wso2.carbon.um.ws.api.WSUserStoreManager.handleException(WSUserStoreManager.java:485)
at org.wso2.carbon.um.ws.api.WSUserStoreManager.addUser(WSUserStoreManager.java:139)
at org.wso2.identity.um.sample.IdentityServerClient.main(IdentityServerClient.java:99)
Caused by: org.apache.axis2.AxisFault: Error while enabling the user account. Please check password policy at DC
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
at org.apache.axis2.description.RobustOutOnlyAxisOperation$RobustOutOnlyOperationClient.handleResponse(RobustOutOnlyAxisOperation.java:91)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.um.ws.api.stub.RemoteUserStoreManagerServiceStub.addUser(RemoteUserStoreManagerServiceStub.java:2276)
at org.wso2.carbon.um.ws.api.WSUserStoreManager.addUser(WSUserStoreManager.java:136)
... 1 more
Maybe try checking over the user-mgt.xml password parameter regex.
https://docs.wso2.com/display/IS500/Configuring+an+Active+Directory+User+Store
As a thought (may not be wrong), I would have thought these log messages should be coming from the org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager class, not org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager. Your user-mgt.xml is set up to use that class, yes?
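An added example, not part of the question or either answer above. Two things in the thread are worth pinning down. First, the ReadOnlyLDAPUserStoreManager entries are not by themselves a sign of the wrong class: ActiveDirectoryUserStoreManager extends the read-write and read-only LDAP managers and inherits their search methods, which log under their own class names, while the sn/mail/givenName attribute lines in the same log do come from ActiveDirectoryUserStoreManager. Second, the fault "Error while enabling the user account. Please check password policy at DC" is raised after the object already exists (the log resolves CN=WSO2_Testuser_7,OU=IAM,DC=local and modifies two groups), at the step where the password is written and the account enabled. The domain controller applies its own password policy at that step no matter what the PasswordJavaRegEx in user-mgt.xml accepted, so a password that satisfies WSO2's regex but not the DC's complexity rules produces exactly this fault, and the half-created user is presumably cleaned up again, matching the note that it is absent from AD afterwards. Because the Management Console can create users over the same connection, the connection-side requirement (AD only accepts unicodePwd writes over LDAPS) is already met, so the first thing to compare is the password the sample sends against both rule sets. The Python below does that comparison; the regex value (the stock user-mgt.xml default as I recall it), the policy thresholds, and the display name "Andrew Powell" assembled from the givenName and sn attributes in the log are assumptions, and the candidate passwords are constructed.

```python
import re

# Default PasswordJavaRegEx from a stock WSO2 user-mgt.xml (assumption: copy the value from your own file).
WSO2_PASSWORD_REGEX = r"^[\S]{5,30}$"

# Default Domain Policy values (assumption: read the real ones with Get-ADDefaultDomainPasswordPolicy).
AD_MIN_PASSWORD_LENGTH = 7
AD_COMPLEXITY_ENABLED = True

# AD splits the full/display name on these delimiters and only checks tokens of 3+ characters.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")


def wso2_regex_failures(password, regex=WSO2_PASSWORD_REGEX):
    """Failures against the user-mgt.xml regex; Java and Python agree on this simple dialect."""
    if re.fullmatch(regex, password):
        return []
    return ["does not match PasswordJavaRegEx " + regex]


def _name_tokens(display_name):
    return [t for t in _NAME_DELIMITERS.split(display_name or "") if len(t) >= 3]


def _character_categories(password):
    """Count the AD complexity categories present: upper, lower, base-10 digit, other alphabetic, symbol."""
    seen = set()
    for ch in password:
        if ch in "0123456789":
            seen.add("digit")
        elif ch.isupper():
            seen.add("upper")
        elif ch.islower():
            seen.add("lower")
        elif ch.isalpha():
            seen.add("other_alpha")  # e.g. CJK ideographs, which have no case
        else:
            seen.add("symbol")
    return len(seen)


def ad_policy_failures(password, sam_account_name, display_name,
                       min_length=AD_MIN_PASSWORD_LENGTH, complexity=AD_COMPLEXITY_ENABLED):
    """Failures the DC would report when unicodePwd is set for this account."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than MinPasswordLength %d" % min_length)
    if complexity:
        lowered = password.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            failures.append("contains the sAMAccountName")
        for token in _name_tokens(display_name):
            if token.lower() in lowered:
                failures.append("contains name token %r" % token)
        if _character_categories(password) < 3:
            failures.append("uses fewer than 3 of the 5 character categories")
    return failures


def check_password(password, sam_account_name, display_name):
    """Both rule sets side by side; an empty 'wso2' list with a non-empty 'ad' list reproduces the fault above."""
    return {
        "wso2": wso2_regex_failures(password),
        "ad": ad_policy_failures(password, sam_account_name, display_name),
    }


if __name__ == "__main__":
    # Constructed candidates for the account in the log; the display name is assembled from givenName + sn.
    for candidate in ("powell2015", "Sh0rt!", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, "WSO2_Testuser_7", "Andrew Powell"))
```

Run it with the password your sample client actually passes to addUser. A candidate such as "powell2015" is accepted by the default WSO2 regex (no whitespace, 5 to 30 characters) yet fails on the AD side twice, because it contains a token of the display name and uses only two character categories; that is the gap the fault message points at. If both lists come back empty and the fault persists, the remaining suspects are the policy being a fine-grained PSO rather than the domain default, or password history for a re-created account.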
Related
Symfony custom channel / logger
I am trying to add a simple logger channel "brp" with the following SF6.2-DEV environment:

    monolog:
        channels:
            - deprecation # Deprecations are logged in the dedicated "deprecation" channel when it exists
            - brp
        type: stream
        path: "%kernel.logs_dir%/%kernel.environment%.log"
        level: info
        channels: ["!event","!doctrine","!console"]

A few things: I need this one channel to log to the database into a table I specify, and I am only interested in info, warning and errors captured in the "brp" channel. I've managed to get access to that channel with a simplified config:

    monolog:
        channels:
            - deprecation # Deprecations are logged in the dedicated "deprecation" channel when it exists
            - brp

But this logs to a file, and includes all the error levels, and so on. TIA
You need to do something like this, according to the official doc here:

    monolog:
        channels: [deprecation, brp]
        handlers:
            deprecation:
                type: stream
                channels: [deprecation]
                level: error
                path: '%kernel.logs_dir%/deprecated.log'
            brp:
                type: stream
                path: "%kernel.logs_dir%/%kernel.environment%.log"
                level: info
                channels: ["!event","!doctrine","!console"]
Cannot add a new channel to monolog for prod environment
I wanted to add a new block in my monolog config in order to have the logs of a specific bundle in a separate log file. Say that the channel is called purchase.

config_dev.php / config_prod.php:

    purchase:
        type: rotating_file
        max_files: 10
        path: %kernel.logs_dir%/purchase_%kernel.environment%.log
        level: debug
        channels: purchase

In dev mode, everything works great and the purchase logs are written in purchase_dev.log. However, although the log configuration of prod mode is the same as dev mode, I'm getting this error:

    Fatal error: Uncaught exception 'Symfony\Component\DependencyInjection\Exception\InvalidArgumentException' with message 'The service definition "monolog.logger.purchase" does not exist.' in /home/users/me/projects/ecoback/vendor/symfony/symfony/src/Symfony/Component/DependencyInjection/ContainerBuilder.php:798
    monolog:
        channels: ["purchase"]
        handlers:
            purchase:
                type: rotating_file
                max_files: 10
                path: %kernel.logs_dir%/purchase_%kernel.environment%.log
                level: debug
                channels: ["purchase"]
@Security Symfony annotation denies access - but states lack of authentication
Here's my annotation:

    @Security("request.getHost() == 'example.com' or request.getHost() == 'google.com'")

This works, but throws the following error: Full authentication is required to access this resource. This results in a 500 rather than a 403 as expected.

The debug log:

    DEBUG - Access denied, the user is not fully authenticated; redirecting to authentication entry point.
    CRITICAL - Uncaught PHP Exception Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: "Full authentication is required to access this resource." at /[path]/[to]/[project]/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php line 131

But there's no authentication point set up (or that needs to be set up). security.yml:

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt))/
            security: false
        no_auth:
            pattern: ^/(|css|images|js|admin/login)/
            security: false
        admin:
            anonymous: ~
            pattern: ^/admin
            guard:
                authenticators:
                    - admin.form_login
            logout:
                path: admin_logout
        main:
            anonymous: ~
            pattern: ^/

The annotation is on a controller that exists in ^/. How do I get Symfony to throw a simple Access Denied? When I do this on my admin controller, it behaves as expected - I don't get the lack of authentication, I get access denied. However, I need to have an unauthenticated resource, but limited by IP.
Configure OAuth2 access for shop users
I would like to add social connect buttons in my Sylius shop but I can't manage to do that. I installed HWIOAuthBundle via composer:

    $ composer require hwi/oauth-bundle

Then, according to the HWIOAuthBundle documentation, here are my config files:

app/config/routing.yml

    hwi_oauth_redirect:
        resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
        prefix: /connect
    hwi_oauth_connect:
        resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
        prefix: /connect
    hwi_oauth_login:
        resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
        prefix: /login
    facebook_login:
        path: /login/check-facebook

app/config/config.yml

    hwi_oauth:
        firewall_names: [secured_area]
        resource_owners:
            any_name:
                type: facebook
                client_id: <client_id>
                client_secret: <client_secret>
                options:
                    display: popup # dialog is optimized for popup window
                    auth_type: rerequest # Re-asking for Declined Permissions

app/config/security.yml

    firewalls:
        secured_area:
            anonymous: ~
            oauth:
                resource_owners:
                    facebook: "/login/check-facebook"
                login_path: /login
                use_forward: false
                failure_path: /login
                oauth_user_provider:
                    service: sylius.oauth.user_provider

When I start the server, I get this error:

    [Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException]
    The service "sylius.oauth.user_provider" has a dependency on a non-existent service "sylius.factory.admin_user_oauth".

Do you have any idea on how to fix it? The documentation of Sylius is pretty brief and even by searching in commit comments, I can't find any clue. Thanks for your help!
So I will answer myself. It seems to be a bug and there is already a pull request in order to fix it: https://github.com/Sylius/Sylius/pull/5763
Installation HWIOAuthBundle?
I tried 10 times to find out how to install HWIOAuthBundle, but there is not enough documentation. I installed the Bundle and I followed exactly the documentation in Git, but it shows me this error:

    InvalidConfigurationException: Unrecognized options "anonymous" under "security.firewalls.secured_area.oauth"

Somehow I didn't understand the part A) 'Have a user provider that implements'. What should I do? Or where can I find easy documentation?

A) Have a user provider that implements OAuthAwareUserProviderInterface

The bundle needs a service that is able to load users based on the user response of the oauth endpoint. If you have a custom service it should implement the interface: HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface. The HWIOAuthBundle also ships with three default implementations:

- OAuthUserProvider (service name: hwi_oauth.user.provider) - doesn't persist users
- EntityUserProvider (service name: hwi_oauth.user.provider.entity) - loads users from a database
- FOSUserBundle integration (service name: hwi_oauth.user.provider.fosub_bridge). Check out the documentation for integrating HWIOAuthBundle with FOSUserBundle for more information: (todo)

What should I do here?
You should replace/comment out the line of the service:

    oauth_user_provider:
        service: my.oauth_aware.user_provider.service

and then replace it by:

    oauth_user_provider:
        oauth: ~

Source: https://github.com/hwi/HWIOAuthBundle/issues/72

Go further:
https://gist.github.com/danvbe/4476697
http://m2mdas.github.io/blog/2013/11/21/integrate-hwioauthbundle-with-fosuserbundle/
Ahh, seems like a typo in the docs, could you move that anonymous 4 spaces lower to something like:

    # app/config/security.yml
    security:
        firewalls:
            secured_area:
                anonymous: ~
                oauth:
                    resource_owners:
                        facebook: "/login/check-facebook"
                    login_path: /login
                    failure_path: /login
                    oauth_user_provider:
                        service: my.oauth_aware.user_provider.service
Easy fix for this is to define a service like this. In security.yml keep this:

    oauth_user_provider:
        service: my.oauth_aware.user_provider.service

In services.yml put this:

    services:
        my.oauth_aware.user_provider.service:
            class: HWI\Bundle\OAuthBundle\Security\Core\User\FOSUBUserProvider
            arguments:
                userManager: "@fos_user.user_manager"
                properties: ["pass properties as array"]

That's it!