Monday, January 12, 2009
Attempt to login as amAdmin to module LDAP denied due to internal users restriction
Introduction
This is a side effect of AM 7.1 patch 2 and seems to happen only in legacy mode.
patch 2:
126356-02 Sun Java System Access Manager 7.1 Solaris Readme
Version
Observed on AM 7.1 patch 2 on Solaris 10.
Symptoms
The AM administrator cannot log in anymore! The AM administrator cannot use the console anymore!
Error(s)
Returned to the console and found in the Access Manager server-side debug log.
amAuth : WARNING: LoginState.isValidAuthForInternalUser():Attempt to login as:amAdmin, to module:LDAP, at realm:dc=iam,dc=finbel,dc=intra, denied due to internal users restriction
Solution
Two ldapmodify operations have to be executed against Directory Server (5.2 in our environment); dm-password, ds-host, ds-port and ds-rootdn below are placeholders for your own values.
module=DataStore then has to be used to enter AM.
docs.sun.com
ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ds-rootdn
changetype: modify
add: sunRegisteredServiceName
sunRegisteredServiceName: sunAMAuthDataStoreService
ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=sunAMAuthDataStoreService,ou=services, ds-rootdn
changetype: modify
add: sunkeyvalue
sunkeyvalue: sunAMAuthDataStoreAuthLevel=0
Note that it was not necessary to execute the second ldapmodify: that value was already present in Directory Server.
Restart AM.
Now the login to AM as amadmin is done by entering:
https://yourdomain/amserver/UI/Login?module=DataStore
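The first ldapmodify uses "add:", which fails with LDAP error 20 (attributeOrValueExists) if the value is already there, as the post observed for the second one. The following added example (not code from the original post or from Sun) does the same registration through JNDI but checks the root suffix first, so it can be re-run safely; the LDAP URL, root DN and the DM_PASSWORD environment variable are assumed placeholders, the attribute and value are the ones from the post.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class RegisterDataStoreService {
    // Attribute and value from the post's first ldapmodify.
    static final String ATTR = "sunRegisteredServiceName";
    static final String SERVICE = "sunAMAuthDataStoreService";

    // Returns true if the value was added, false if it was already registered
    // (the situation the post ran into with its second ldapmodify).
    static boolean ensureRegistered(DirContext ctx, String rootDn) throws NamingException {
        Attributes current = ctx.getAttributes(rootDn, new String[] { ATTR });
        Attribute names = current.get(ATTR);
        if (names != null && names.contains(SERVICE)) {
            return false; // already present: an "add" here would return error 20
        }
        Attributes toAdd = new BasicAttributes();
        toAdd.put(new BasicAttribute(ATTR, SERVICE));
        ctx.modifyAttributes(rootDn, DirContext.ADD_ATTRIBUTE, toAdd);
        return true;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholders (assumed), not values from the post.
        String url = "ldap://ds-host:389";
        String rootDn = "dc=example,dc=com";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        // Read the password from the environment instead of the command line,
        // so it does not show up in the process list as "-w dm-password" does.
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("DM_PASSWORD"));
        DirContext ctx = new InitialDirContext(env);
        try {
            System.out.println(ensureRegistered(ctx, rootDn) ? "added" : "already registered");
        } finally {
            ctx.close();
        }
    }
}
```

AM still has to be restarted afterwards, exactly as in the post.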
References
some explanations on the authentication module "DataStore"
more here
https://opensso.dev.java.net/issues/show_bug.cgi?id=3924
and here
https://opensso.dev.java.net/issues/show_bug.cgi?id=3961
...Hope this helps...
-rudy-
Thursday, January 8, 2009
amclientsdk authentication as anonymous
This is the AM 7.1 documentation related to "anonymous".
This is the AM 7.1 documentation related to "AuthContext".
If the anonymous authentication has to be done through a browser, the "service" parameter is used.
For example,
https://lb-am-i.iam.finbel.intra/amserver/UI/Login?service=KioskMode
KioskMode is the name that was given to a module instance type "Anonymous" on the AM server.
After a user enters the URL in his browser, the user is authenticated as "anonymous". Good point!
So? What has to be done to achieve the same with the amclientsdk?
Very easy. The index type SERVICE and the name of the service have to be passed at login time.
Example,
AuthContext lc = new AuthContext(orgName);
lc.login(AuthContext.IndexType.SERVICE, "KioskMode");
The login context is then used to retrieve the requirements (callbacks); in the anonymous case only the username has to be passed.
If a "non anonymous" login has to be done, call lc.login with no parameters at all.
Example,
AuthContext lc = new AuthContext(orgName);
lc.login();
In this case, the password has to be passed as well.
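Both cases above leave out the callback loop that actually feeds the username (and, for lc.login(), the password) to the server. The following added example (mine, not the post's or Sun's code) drives an AM 7.1 client SDK AuthContext through the "KioskMode" service from the post until it reaches a final status; the realm is taken from the post's log line, and the anonymous user name is an assumption.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import com.sun.identity.authentication.AuthContext;

public class KioskLogin {
    // Answers the callbacks until the AuthContext reaches a final status.
    // Returns the SSO token id on success, null otherwise.
    static String completeLogin(AuthContext lc, String user, char[] password) throws Exception {
        while (lc.hasMoreRequirements()) {
            Callback[] callbacks = lc.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    // Not expected from an Anonymous module instance; only
                    // reached for the plain lc.login() case of the post.
                    ((PasswordCallback) cb).setPassword(password);
                }
            }
            lc.submitRequirements(callbacks);
        }
        if (lc.getStatus() == AuthContext.Status.SUCCESS) {
            return lc.getSSOToken().getTokenID().toString();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String orgName = "dc=iam,dc=finbel,dc=intra"; // realm from the post's log line
        AuthContext lc = new AuthContext(orgName);
        // Anonymous login through the "KioskMode" module instance, as in the post.
        lc.login(AuthContext.IndexType.SERVICE, "KioskMode");
        String token = completeLogin(lc, "anonymous", null); // "anonymous" is assumed
        if (token != null) {
            System.out.println("anonymous login succeeded, token " + token);
        } else {
            System.out.println("login failed: " + lc.getErrorMessage());
        }
    }
}
```

For the non-anonymous variant, call lc.login() instead and pass a real username and password to completeLogin.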
-rudy-