06-26-2017 08:22 AM
Hi,
What LDAP attribute should I map to the PSC attribute "New Password"? This is mandatory but I don't know what it is for.
Thanks,
Mike
06-26-2017 10:59 PM
Hi Michal
This sets the default internal password for the user (we normally just map this to sAMAccountName). However, you could make this any mapping or default value via an expression, as one would generally use External Authentication or SSO for user sign-in, so this password would not be relevant unless using backdoor login.
Regards,
Paul
06-27-2017 12:00 AM
Hi Paul,
Thanks for the explanation. What should I do if I don't want anybody to have backdoor login? Map it to some empty AD attribute? I can't just leave this field empty because this is one of the required fields.
BTW how does it work? Can this "new password" be used only when PSC has no communication with AD or user can use this password anytime?
Regards,
Mike
06-27-2017 12:15 AM
Hi Mike
The backdoor login is something that is generally kept private and only admins or support teams should know about. In addition, you can change what the backdoor URL is and also limit it to the admin account only, thereby preventing any of the users from logging in.
This 'New Password' would only ever be used if for some reason you disabled your login events and external authentication/SSO - not something one would typically do if they had AD integration enabled. If integration with the AD does go down (for networking or other reasons) then users would be able to log into the system at all, it would not fall back to the local password - in this scenario only the admin who knows about this backdoor URL would be able to log in.
In short, we've been using the sAMAccountName mapping for this attribute for several years on our implementations and not had any issues, it is just a case of ensuring only the correct users can access the backdoor URL.
Regards,
Paul
06-27-2017 02:20 AM
I've done the following mapping:
PSC - AD
---------------------------------
First Name - givenName
Last Name - sn
Login ID - userPrincipalName
Person Identification - description
Email Address - mail
Home Organizational Unit - postOfficeBox
New Password - sAMAccountName
I've configured this mapping for event - "login", step - "external authentication".
In AD, the postOfficeBox attribute for my user is set to "Site Administration", which is one of the Organizational units in PSC.
I can't log in to PSC using my AD account michal.rzepecki@mche.edu.pl (or MCHE\michal.rzepecki).
What else should I do?
I've used the same bind user twice (michal.rzepecki@mche.edu.pl) - at datasource configuration (test is passed) and in options for event - "login", step - "external authentication". Why did I have to repeat the bind user in this option?
Regards,
Michal
06-27-2017 02:27 AM
Hi Mike
The login event will require at least two steps:
Step 1:
Either SSO or External Authentication
Step 2:
Person Import - This is required to create the person object in PSC and the login event will not complete without this.
Step 3 (OPTIONAL):
Import Manager - This can be used to import the manager based on the person's supervisor field mapping.
The BindDN for the External Authentication is slightly different, this is used to authenticate the user that is logging in, this is typically set to #AnyDomain#\#LoginId# where #LoginId# is substituted with the username entered on the login screen.
However, I see you are using UPN for your Login ID, therefore you would only need to configure #LoginId# for your External Authentication event.
If you are still experiencing issues after that please post some screenshots of your config for reference.
Regards,
Paul
06-27-2017 03:17 AM
I wrote the wrong account name in my last post. I'm using PSCbinduser@mche.edu.pl at datasource configuration and in options for event - "login", step - "external authentication". Person Import was also configured.
I don't understand this "#LoginId# is substituted with the username entered on the login screen". I thought that I could configure a single "login" event for any user. I wanted to achieve this using a universal bind user.
I still can't login using AD account.
06-27-2017 05:15 AM
Hi Mike
#LoginId# is a variable that is replaced with the login details of whichever user is logging in at the time. Therefore, in your EUA Bind DN you would simply configure the value #LoginId#; this is then what's used to authenticate the user at login time.
I can't see any obvious issues with the mappings at this point, but what you could do is enable directory integration debugging in administration (Administration > Debugging tab on the right) - this will then allow you to test your mappings and ensure they are returning data. Also ensure that the global setting under administration is enabled for directory integration as this is disabled by default.
Lastly, if you are still facing issues I would refer to the server.log files (should be able to find this under Administration > Utilities). Could you also confirm what version of PSC you are using?
Regards,
Paul
06-28-2017 04:48 AM
Hi Paul,
PSC is virtual appliance version 12.0.1
I've enabled directory integration in global settings but I still have a problem.
Configuration is as follows
When I execute "test connection" I'm getting this log on AD server
but when I try to log in to PSC request center using AD user I'm getting these two logs
Then I changed EUABindDN option from "MCHE\#LoginId#" to "MCHE\psc.bind" and when trying to log in to PSC request center using AD user I'm getting this one log
Of course authentication doesn't work in any case. I'm afraid bind user authentication was not successful in any case, even if "test connection" indicates that it is ok.
Do you have any idea what is wrong?
PSC server.log doesn't show more information than we can read from the AD log.
BTW do you know where to set ntp server in PSC?
Regards,
Mike
06-28-2017 05:01 AM
Hi Mike
So regarding the EUA Bind DN, since you are mapping to UPN you would only configure this as #LoginId# with no domain prefix, if you were using sAMAccountName then you would include the domain prefix - what username are you entering in PSC when logging in?
Secondly, I would enable the directory debugging and then perform a search for the user under Directory Mappings to make sure all data is coming through successfully, if any of the top attributes were missing or not mapped correctly then the person import operation would fail.
Lastly, the server.log would give you a lot more detail, you can find this under the Administration > Utilities section.
NTP would probably need to be done on the OS level as root, I don't think PSC specifically has this option.
Regards,
Paul
06-28-2017 06:33 AM
Ok I cleaned up my configuration -
BindDN is MCHE\psc.bind
EUABindDN is MCHE\#LoginId#
Binduser is probably working because I can perform a search for "michal" and I'm getting proper data
With this configuration (MCHE\#LoginId#) I should login to PSC with username "michal.rzepecki". Am I right?
When I try to do this the following logs are collected:
2017-06-28 06:20:51,869 INFO [com.newscale.bfw.signon.filters.AuthenticationFilter] (default task-47) COR-ID=-3866691454554821206::Request initiated by: 10.249.248.9 on URI: /RequestCenter/login.signon
2017-06-28 06:20:51,885 WARN [com.newscale.bfw.ldap.util.CertConfigFileUtil] (default task-47) COR-ID=-3866691454554821206::Certificate file not found. Using default
2017-06-28 06:20:51,888 WARN [com.newscale.bfw.ldap.util.CertConfigFileUtil] (default task-47) COR-ID=-3866691454554821206::Certificate file not found. Using default
2017-06-28 06:20:51,920 WARN [com.newscale.bfw.ldap.util.CertConfigFileUtil] (default task-47) COR-ID=-3866691454554821206::Certificate file not found. Using default
2017-06-28 06:20:51,921 WARN [com.newscale.bfw.ldap.util.CertConfigFileUtil] (default task-47) COR-ID=-3866691454554821206::Certificate file not found. Using default
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Logger is enabled for cryptographic connection
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log : LDAP Server Current IP address : 10.180.102.81LDAP Server Port 389LDAP Server Secure port 0
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Client IP address 10.180.102.83
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:LDAP Bind DN MCHE\michal.rzepecki
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log for LDAP ************
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Authentication DN: MCHE\michal.rzepecki
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Host and Port: 10.180.102.81 389
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Logger is enabled for cryptographic connection
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log : LDAP Server Current IP address : 10.180.102.81LDAP Server Port 389LDAP Server Secure port 0
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Client IP address 10.180.102.83
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:LDAP Bind DN MCHE\psc.bind
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log for LDAP ************
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Authentication DN: MCHE\psc.bind
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:Host and Port: 10.180.102.81 389
2017-06-28 06:20:51,958 ERROR [com.newscale.bfw.eui.ldap.ExtUserDatasource_Ldap] (default task-47) COR-ID=-3866691454554821206::No person(customer) returned from getPerson ldap search
2017-06-28 06:20:51,958 ERROR [com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap] (default task-47) COR-ID=-3866691454554821206::Exception in EUI Import Person Operation: com.newscale.bfw.eui.EUIException: No person(customer) returned from getPerson ldap search
at com.newscale.bfw.eui.ldap.ExtUserDatasource_Ldap.getExternalPerson(ExtUserDatasource_Ldap.java:199) [classes:]
at com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap.importPerson(EUIImportPersonOperation_Ldap.java:211) [classes:]
at com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap.importPersonCommon(EUIImportPersonOperation_Ldap.java:156) [classes:]
at com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap.importPerson(EUIImportPersonOperation_Ldap.java:89) [classes:]
at com.newscale.bfw.eui.EUIOperationManager.performImportPerson(EUIOperationManager.java:578) [classes:]
at com.newscale.bfw.eui.EUIEventManager.performPostSSO(EUIEventManager.java:184) [classes:]
at com.newscale.bfw.signon.AuthenticationManager.execute(AuthenticationManager.java:840) [classes:]
at com.newscale.bfw.signon.AuthenticationManager.execute(AuthenticationManager.java:674) [classes:]
at com.newscale.bfw.signon.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:499) [classes:]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at com.newscale.bfw.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:142) [newscale_common.jar:13.2.0.1159]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at com.newscale.bfw.uiframework.filters.ContentResponseFilter.doFilter(ContentResponseFilter.java:34) [newscale_uiframework.jar:13.2.0.1159]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
2017-06-28 06:20:51,961 ERROR [com.newscale.bfw.signon.AuthenticationManager] (default task-47) COR-ID=-3866691454554821206::EUI Flow exception: : com.newscale.bfw.eui.EUIException: No person(customer) returned from getPerson ldap search
at com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap.importPersonCommon(EUIImportPersonOperation_Ldap.java:165) [classes:]
at com.newscale.bfw.eui.ldap.EUIImportPersonOperation_Ldap.importPerson(EUIImportPersonOperation_Ldap.java:89) [classes:]
at com.newscale.bfw.eui.EUIOperationManager.performImportPerson(EUIOperationManager.java:578) [classes:]
at com.newscale.bfw.eui.EUIEventManager.performPostSSO(EUIEventManager.java:184) [classes:]
at com.newscale.bfw.signon.AuthenticationManager.execute(AuthenticationManager.java:840) [classes:]
at com.newscale.bfw.signon.AuthenticationManager.execute(AuthenticationManager.java:674) [classes:]
at com.newscale.bfw.signon.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:499) [classes:]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at com.newscale.bfw.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:142) [newscale_common.jar:13.2.0.1159]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at com.newscale.bfw.uiframework.filters.ContentResponseFilter.doFilter(ContentResponseFilter.java:34) [newscale_uiframework.jar:13.2.0.1159]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
2017-06-28 06:20:52,088 INFO [com.newscale.bfw.signon.filters.AuthenticationFilter] (default task-43) COR-ID=6512855781699906886::Request initiated by: 10.249.248.9 on URI: /RequestCenter/default-login.jsp
06-29-2017 02:49 AM
Hi Mike
To this question:
With this configuration (MCHE\#LoginId#) I should login to PSC with username "michal.rzepecki". Am I right?
When I try to do this the following logs are collected:
Only if you are using sAMAccountName as the LoginId mapping, I see you are currently using UPN, if you use UPN then you could try only use #LoginId#, if you leave the EUABindDN as is then try change your directory mapping to use sAMAccountName as the Login ID, also I'm not sure if this has an effect, but we generally make the Person Identification the same as the Login ID, so try update that to either the UPN or sAMAccountName depending on the approach you use.
However, based on the logs it almost looks like the authentication step is working but the import is failing, so you can try to update the Person Identification as I mentioned above; if that fails then try to go the sAMAccountName route instead of UPN and see if that works.
Regards,
Paul
02-12-2018 07:53 AM
It was only necessary to understand until the end that there is a LoginID mapping in the Mapping section and in the Event-Login section. If you specify sAMAccountName in Mapping, then in Event-Login-External Authentication MCHE\#LoginId#, and if UPN, then simply #LoginId#
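The log reading and the prefix rule discussed in the posts above, as an added example that is not part of the thread or of PSC: a Python triage over a constructed excerpt of the posted server.log. It groups lines by COR-ID, lists the bind DNs attempted, names the step that raised the first ERROR, and checks the user bind DN against the Login ID mapping. The `triage` function, its parameters and the reading of "Secure port 0" as "LDAPS not configured" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines abridged from the server.log excerpt in the thread.
SAMPLE_LOG = r"""
2017-06-28 06:20:51,869 INFO [com.newscale.bfw.signon.filters.AuthenticationFilter] (default task-47) COR-ID=-3866691454554821206::Request initiated by: 10.249.248.9 on URI: /RequestCenter/login.signon
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log : LDAP Server Current IP address : 10.180.102.81LDAP Server Port 389LDAP Server Secure port 0
2017-06-28 06:20:51,941 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:LDAP Bind DN MCHE\michal.rzepecki
2017-06-28 06:20:51,956 WARN [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (default task-47) COR-ID=-3866691454554821206::Cryptographic log:LDAP Bind DN MCHE\psc.bind
2017-06-28 06:20:51,958 ERROR [com.newscale.bfw.eui.ldap.ExtUserDatasource_Ldap] (default task-47) COR-ID=-3866691454554821206::No person(customer) returned from getPerson ldap search
 at com.newscale.bfw.eui.ldap.ExtUserDatasource_Ldap.getExternalPerson(ExtUserDatasource_Ldap.java:199) [classes:]
"""

LINE = re.compile(r"^\S+ \S+ (\w+)\s+\[([^\]]+)\] \([^)]*\) COR-ID=(-?\d+)::(.*)$")
PORTS = re.compile(r"LDAP Server Port\s*(\d+)\s*LDAP Server Secure port\s*(\d+)")
BIND = re.compile(r"LDAP Bind DN\s+(.+)$")


def triage(log_text, login_id_attr, service_bind_dn):
    """Summarise each login attempt (one COR-ID) found in a server.log excerpt."""
    attempts = defaultdict(lambda: {"bind_dns": [], "ldaps": None,
                                    "failed_step": None, "findings": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # stack frames and blank lines carry no COR-ID
            continue
        level, logger, cor_id, msg = m.groups()
        a = attempts[cor_id]
        ports, bind = PORTS.search(msg), BIND.search(msg)
        if ports:
            # Assumption: "Secure port 0" means no LDAPS port is configured.
            a["ldaps"] = int(ports.group(2)) != 0
        elif bind:
            dn = bind.group(1).strip()
            if dn not in a["bind_dns"]:
                a["bind_dns"].append(dn)
        elif level == "ERROR" and a["failed_step"] is None:
            importing = "getPerson" in msg or "ImportPerson" in logger
            a["failed_step"] = "person import" if importing else "other"

    for a in attempts.values():
        # Every bind DN that is not the directory service account is a user bind.
        for dn in a["bind_dns"]:
            if dn.lower() == service_bind_dn.lower():
                continue
            prefixed = "\\" in dn
            # Rule from the thread: sAMAccountName -> DOMAIN\#LoginId#, UPN -> #LoginId#.
            if login_id_attr == "userPrincipalName" and prefixed:
                a["findings"].append(f"{dn}: domain prefix with a UPN Login ID mapping")
            if login_id_attr == "sAMAccountName" and not prefixed:
                a["findings"].append(f"{dn}: no domain prefix with a sAMAccountName mapping")
        if a["ldaps"] is False:
            a["findings"].append("no secure LDAP port configured")
    return dict(attempts)


if __name__ == "__main__":
    for cor_id, a in triage(SAMPLE_LOG, "userPrincipalName", r"MCHE\psc.bind").items():
        print(cor_id, a)
```
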