RBAC with Identity Server

Right now I'm writing my final thesis.
I have developed a model for role-based access control and now I'm conducting a short evaulation of Identity Server to see how well it handles my model.
It's obvious Identity Server is highly expandable to suit the most needs anyone can have, BUT with some/much effort in developing plug-ins.
Have I missed something here? Where do I configure which rights a role has got?
Does anyone know of any documents describing RBAC with Identity Server or is RBAC just a nice buzz-word for the White papers?
best regards,
Peter

Two ways to enforce the permissions:
Policy Agents
ssoToken Properties
from:
http://docs.sun.com/source/816-6774-10/prog_sso.html#wp36428
A policy agent polices the web container on which a protected resource lives by enforcing a user�s assigned policies. They are an integral part of the cross-domain SSO functionality. Two types of policy agents are supported by Identity Server: the web agent and the J2EE/Java agent. The web agent enforces URL-based policy while the J2EE/Java agent enforces J2EE-based security and policy. Both types are available for installation separately from Identity Server and can be downloaded. Additional information can be found in the Sun ONE Identity Server Web Policy Agents Guide and J2EE Policy Agents Guide . General information on the Policy Service can be found in Chapter 7, "Policy Service," of this manual:
http://docs.sun.com/source/816-6774-10/prog_policy.html#wp27085
ssoToken Property
Access the session object called ssoToken that contains Role and Service for the logged in user.
from
http://docs.sun.com/source/816-6774-10/prog_sso.html#wp36428
/* get the sso token from http request */
SSOToken ssoToken = SSOTokenManager.getInstance().createSSOToken(request);
String appValue = ssoToken.getProperty(appPropertyName);
more:
http://docs.sun.com/source/816-6774-10/prog_intro.html#wp19687
david.

Similar Messages

Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1
Does anybody has a working combination of the above ? I get a ID login page and after that I always get a access denied page. I get this exception on the agent logs:
2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cooki
e in ap_table
2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for propert
y (com.sun.am.policy.agents.accessDeniedURL) specified
2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowe
d(http://xx.xx.xx.net:8080/, GET) denying access: status = access de
nied (20)
2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denie
d access to http://xx.xx.xx.net:8080/.
2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: acces
s denied to testuser1
We can ignore Invalid URL property part because its just looking for a custom url in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
Any suggestions would be of great help.
Thanks,
Sunil.

From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

Proxy Server 3.6 with Identity Server 5.1!

Hi All,
I'm doing a Proof of Concept on integrating Identity Server 5.1 with proxy server 3.6. The proxy server is configured as a reverse proxy for another web server (since the web server is not supported by agent pack).
I've configured the reverse proxy and add the agent to the proxy. However, each time after auth. in the Identity server and return back to the reverse proxy, it'll go to http://rproxy.domain.com/.domain.com not http://rproxy.domain.com.
Moreover, even the user session is invalid, the user can go to the reverse proxy without re-auth even I've disable all the cache in the proxy server.
Is it possible to use reverse proxy with identity server? If yes, how to config?
Thanks
Clive Chan

Hi Clive Chan,
i am also have the same problem, can you tell me which patch have you add to solve the problem?
Thanks a lot!
Angus

Security solution with Identity server for SOX compliance

Hi all,
Has anybody used Identity Server as security solution to achieve SOX compliance? i want to know general view, opinions , experiance of ppl while implementing such solution.
Just a little background of SOX: It is Created by US Congress in the wake of corporate scandals like Enron in 2001 and 2002.it is an attempts to tighten controls over corporate financial reporting and transparency.
I am basically interested in implementing security solutions using Identity server for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide following facilities -
1. User Identification, authorization and access
2. User control of user accounts
3. Central identification and access rights/permissions management
4. Violation and security activity report
Has anybody developed such solution? What are your general experiance, problems , issues etc? Please share your view....

Just too quick to draw conclusion: See below FAQ
If you are not in the same AS container, let me know. Jerry
Copy from J2EE agent FAQ
Question - Is it possible to install a J2EE 2.1agent and Identity Server on the same instance of the application server ?
Installing the IS60SP1/IS61 server and J2EE 2.1 policy agent on the sameninstance of Application server is not a supported configuration. We do support the 21 J2EE agent and IS installed on different instances of the application server. So, users can install theJ2EE 2.1 agent on a one instance of the application server and install IS on a different instance of the apps server.

Does URL Policy Agent of SunONE Web Server 6.1 works with Identity Server 6

Hi,
I'm using URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure policy to access web resource such as http://myweb.org.cn/test/*
After configyration, I try to access the resources http://myweb.org.cn/test/test.html
The redirection is ok, the IS login appear, but after login successfully, it still tell me that I don't have permission to view this web page.
Is this because of URL policy agent don't support IS 6.1?
Many thanks,

Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
Setup Info:
- OS is RHEL 4.0
- Sun ONE Web Server 6.1SP7
- Policy Agent 2.2

Integrating Messaging Server and Identity Server

I've got JES 2004Q2, and I'm trying to install the various components on different workstations to prove that a) the software works, and b) it's a viable alternative to Exchange (so please please help me get it working!)
The problem I have is getting Messenger Server and Directory Server talking properly so that I can create users and then log in as those users. After days of frustrating searching for solutions to this problem (and also find people who have successfully done this), I decided to install the components onto one server.
And it worked. Installing Messaging Server, Identity Server, Web Server (contained for Identity Server), Directory Server, and Admin Server all on the same box, configuring them all to use the same directory server for UG and preferences, running the various configuration tools that come with the software, and it all works together fine. Using "./commadmin domain modify .... -S mail", I get "OK". I can add users with the "-S mail" option, log in as those users, and send emails between those users. So this tells me that the software does work, albeit on one box.
When I try to separate the services out to separate boxes, they don't seem to integrate properly. I thought that maybe the order in which you configured applications made a difference (ie. configuring Identity Server after Messenger Server means IS will pick up on the changes made to the directory by MS, and enable it). I also tried to see if using the same options directory server from different boxes helped, but nothing. I've even tried patching them using 116568-52 and 116585-10 but no luck.
Therefore, I've found that installing all servers on one box works, but installing them on separate boxes doesn't (despite using the same directory servers). My conclusion in this is that one of two things must be the case:
a) there's something in the install that has to be changed to reflect the fact that the services are running on different boxes
b) the install of the services adds files to the system somewhere which other packages in JES pick up on (hence the reason why installing everything on one box works), and this isn't documented anywhere
Unfortunately, the output of commadmin when it fails isn't that helpful (nothing against the developers, however it doesn't really help in the fault finding process). I do believe however that the problem is with Identity Server and its configuration, rather than Messaging Server.
Here's some (possibly) useful info:
kipling# ./imsimta version
Sun Java(tm) System Messaging Server 6.1 HotFix 0.01 (built Jun 24 2004)
libimta.so 6.1 HotFix 0.01 (built 12:52:04, Jun 24 2004)
SunOS kipling 5.8 Generic_117350-02 sun4u sparc SUNW,Sun-Blade-1500
kipling#
(on UG server)
# ./commadmin domain modify -D admin -w <password> -d uwe.ac.uk -n uwe.ac.uk -S mail -H kipling.uwe.ac.uk
FAIL
Unable to set attribute(s)
(some verbose mode output)
[Debug]: Contacting : http://bronte.uwe.ac.uk:10080/commcli/TaskManager
[Debug]: To servlet: task=ModifyDomain&objecttype=Domain&domain=uwe.ac.uk&add_services=mail&add_preferredmailhost=kipling.uwe.ac.uk
[Debug]: RECV: FAIL
[Debug]: RECV: Unable to set attribute(s)
[Debug]: CLITask: status returned =FAIL
FAIL
Unable to set attribute(s)
[Debug]: DBG: doOne returned code=6
[Debug]: Contacting : http://bronte.uwe.ac.uk:10080/commcli/logout
[Debug]: Logout ...
[Debug]: RECV: SSOToken id AQIC5wM2LY4SfcyW5hbVBGXqCdsYYDjVarSFRMd6HIxsGho=@AAJTSQACMDE=#
[Debug]: RECV: destroyed
Root suffix: dc=uwe,dc=ac,dc=uk (all "o=" references have been dropped)
All services have their own local options directory server.
Can anyone give me any suggestions? If I log a support call with Sun, what is the likely resolution time? My ultimate goal is to get the whole suite running together, then install Portal server. Once that's working, download the connectors for Outlook and get it all working with Outlook. As I said at the start, we're hoping to show this is a viable alternative to Exchange (certainly for the backend) so any help will be greatly appreciated!
Iain

slo_chewie wrote:
Does the email recipient address change when the email is sent to gmail i.e. does an email sent to [email protected] become [email protected]?
We've got google for domains setup, so users would retain a @domain.com address regardless if there mailbox was hosted on the internal server or hosted at google.You can make use of the mailRoutingAddress: user attribute and source routing to get the desired behaviour e.g.
=> Set the following value to the LDAP entry of the user who is hosted on the gmail server. The "[email protected]" address should match the users mail: address:
mailRoutingAddress: @gmail.com:[email protected]=> Ensure the following option has been tcp_local channel in your imta.cnf file. This option strips off the "@gmail.com" value of the recipient address before sending the email to the gmail.com servers.
dequeue_removerouteMake sure you run "./imsimta cnbuild;./imsimta restart" after modifying the imta.cnf file.
Regards,
Shane.

Identity Server Cookie not found

Hi all.
Iam getting a cookie related error message when trying to access a protected web application;
sequence :
When i type in the url of my web application, as obvious, i was redirected to my identity login page.
I also get the this error message ;) in my amAgent log :
"2003-07-31 12:22:13.832 Warning 7048:d1168 PolicyAgent: Identity Server Cookie not found"
To add something to this cookie issue:
when i get authernticated from my identity server, i was successfuly redirected to my web application; but if i invoke any web resource or link, buttons .... - trigger any event, i was thrown way to the login page of the web application - if i login again in my web app, i go to the last page that i was accessing;
I guess all this funny thing happens because of the cookie, which is missing.
anyone have an idea, what this cookie is? and what should be done to fix it?
regards
Kumar

Sorr for so many people faced the sam or similar issues. I just joined this support a short while. If you think any old problem which is still critical to you, please repost. We shall try our best to give you assistance. Jerry
Here are some of tips for debugging Web agent.
From the AMAgent.properties, are both IIS and AM are in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration-> Platform -> Cookie Domains" , whether cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
Also check whether correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties for the below property the password will be encrypted and assigned: "com.sun.am.policy.am.password".
Could you also check if the Identity servver and the IIS web server are time synchronized. The problem may be that agent requests policy decisions and the response from server may be timed out due to non-syncrhonized clock.
Don't forget to restart the whole IIS service using internet
management console after making agent changes.
Some of the common error codes:
20: Application authentication failed. This occurs when Agent cannot sucessfully authenticate with Identity Server. This is mainly due to incorrect password for agent entered during agent installation. Please refer to another faq describing how to change password.
7: Policy not found. This error occurs typically if there are no policies defined on Identity server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent. So, polices fetched from Identity Server is instantly flushed by Agent and attempted to refetch over and over again. This can be solved by running rdate or similar command to synchronize time between the two machines. It is recommended to run NNTP server syncrhonize times between your Identity systems.

Integrating portal/identity server with netegrity siteminder?

Has anyone integrated identity server/portal server with Netegrity Siteminder for single sign on?
Both products seem to support SAML and the Liberty Alliance project. Can a new auth module in the identity server just exchange the appropriate messages to create a single sign on token in netegrity and then validate the token on each request?

We are running Identity Server 6.1 on Solaris.
The logs are in /var/opt/SUNWam/debug/
The most useful one is amAuth. You might also want to look at amAuthInternal, amSession, amAuthLDAP, and amAuthContext.
If you are seeing these, checkout AMConfig.properties (in /opt/SUNWam/lib). It should have the log level set to warning or message for you to get all these logs. Here's the setting from my AMConfig.properties:
com.iplanet.services.debug.level=warningPS Sorry for the unix paths, but hopefully they map closely to the windows directories.

Sun Identity Server 6.1 with Weblogic 8.1 sp2

Hi,
I've installed the IS 6.1 with WLS 8.1 sp2 and the agent 2.1.1 and followed the agent configuration guide to configure the xml files (web.xml and weblogic.xml) and agent authenticator.
When I login to the restricted resource, the browser is redirected to the IS server login page. After login, the browser is redirected back to the resource with 403 forbidden.
Is there any step missing? Should I additional add some policy in the IS console? .....
Clive

I have just installed Sun Identity Server 6.2 with WebLogic 8.1 SP3 and am experiencing the same results. Have you resolved this issue in your environment? We are evaluating Portal Server running on a BEA WLS Container and thus do not have Sun Support on the Identity Server Component of this configuration.

Problem with a dual Identity Server

Hi!
We are currently deploying MS 6.0p1. We have two servers for Identity Server and Directory Server is replicating its database on both machines. Problem that we have is that on second Identity Server we can not log on with simple user name but with this "uid=admin, ou=people, dc=domain, dc=com". On first server we can log on with simple user name.
Any ideas?

Found the log, but the log does not tell much!
05/16/2004 08:37:30:406 PM CEST: Thread[Thread-23,5,main]
adminDN-> uid=amAdmin,ou=People,dc=bih,dc=net,dc=ba
Host: sis2.bih.net.ba
PORT : 389
05/16/2004 08:37:30:585 PM CEST: Thread[Thread-23,5,main]
LDAP resbundle locale=en_US
05/16/2004 08:37:31:067 PM CEST: Thread[Thread-23,5,main]
currentState : 1
05/16/2004 08:37:31:068 PM CEST: Thread[Thread-23,5,main]
you are in LoginScreen:1
05/16/2004 08:37:31:069 PM CEST: Thread[Thread-23,5,main]
LDAP initialize()
05/16/2004 08:37:31:070 PM CEST: Thread[Thread-23,5,main]
attrs is : []
05/16/2004 08:37:31:283 PM CEST: Thread[Thread-23,5,main]
bindDN-> cn=amldapuser,ou=DSAME Users,dc=bih,dc=net,dc=ba
baseDN-> o=bih.net.ba,dc=bih,dc=net,dc=ba
userNamingAttr-> uid
userSearchAttr(s)-> [uid]
userCreationAttrs-> []
searchFilter->
searchScope-> 2
ssl-> false
authLevel: 0
Host: sis1.bih.net.ba
PORT : 389
Pattern : *|(|)|&|!
05/16/2004 08:37:31:295 PM CEST: Thread[Thread-23,5,main]
Connecting to sis1.bih.net.ba:389
Searching o=bih.net.ba,dc=bih,dc=net,dc=ba for (uid=amdin)
scope = 2
05/16/2004 08:37:31:296 PM CEST: Thread[Thread-23,5,main]
Create ConnectionPool: sis1.bih.net.ba:389
05/16/2004 08:37:31:297 PM CEST: Thread[Thread-23,5,main]
LDAPAuthUtils.LDAPAuthUtils: min=1, max=10
05/16/2004 08:37:31:308 PM CEST: Thread[Thread-23,5,main]
Cannot authenticate
05/16/2004 08:37:31:313 PM CEST: Thread[Thread-23,5,main]
Invalid password.
05/16/2004 08:37:46:648 PM CEST: Thread[Thread-28,5,main]
LDAP resbundle locale=en_US
05/16/2004 08:37:46:728 PM CEST: Thread[Thread-28,5,main]
currentState : 1
05/16/2004 08:37:46:728 PM CEST: Thread[Thread-28,5,main]
you are in LoginScreen:1
05/16/2004 08:37:46:729 PM CEST: Thread[Thread-28,5,main]
LDAP initialize()
05/16/2004 08:37:46:730 PM CEST: Thread[Thread-28,5,main]
attrs is : []
05/16/2004 08:37:46:730 PM CEST: Thread[Thread-28,5,main]
bindDN-> cn=amldapuser,ou=DSAME Users,dc=bih,dc=net,dc=ba
baseDN-> o=bih.net.ba,dc=bih,dc=net,dc=ba
userNamingAttr-> uid
userSearchAttr(s)-> [uid]
userCreationAttrs-> []
searchFilter->
searchScope-> 2
ssl-> false
authLevel: 0
Host: sis1.bih.net.ba
PORT : 389
Pattern : *|(|)|&|!
05/16/2004 08:37:46:760 PM CEST: Thread[Thread-28,5,main]
Connecting to sis1.bih.net.ba:389
Searching o=bih.net.ba,dc=bih,dc=net,dc=ba for (uid=amdin)
scope = 2
05/16/2004 08:37:46:766 PM CEST: Thread[Thread-28,5,main]
Cannot authenticate
05/16/2004 08:37:46:768 PM CEST: Thread[Thread-28,5,main]
Invalid password.
05/16/2004 08:41:50:583 PM CEST: Thread[Thread-29,5,main]
LDAP resbundle locale=en_US
05/16/2004 08:41:50:614 PM CEST: Thread[Thread-29,5,main]
currentState : 1
05/16/2004 08:41:50:614 PM CEST: Thread[Thread-29,5,main]
you are in LoginScreen:1
05/16/2004 08:41:50:615 PM CEST: Thread[Thread-29,5,main]
LDAP initialize()
05/16/2004 08:41:50:616 PM CEST: Thread[Thread-29,5,main]
attrs is : []
05/16/2004 08:41:50:616 PM CEST: Thread[Thread-29,5,main]
bindDN-> cn=amldapuser,ou=DSAME Users,dc=bih,dc=net,dc=ba
baseDN-> o=bih.net.ba,dc=bih,dc=net,dc=ba
userNamingAttr-> uid
userSearchAttr(s)-> [uid]
userCreationAttrs-> []
searchFilter->
searchScope-> 2
ssl-> false
authLevel: 0
Host: sis1.bih.net.ba
PORT : 389
Pattern : *|(|)|&|!
05/16/2004 08:41:50:622 PM CEST: Thread[Thread-29,5,main]
Connecting to sis1.bih.net.ba:389
Searching o=bih.net.ba,dc=bih,dc=net,dc=ba for (uid=amdin)
scope = 2
05/16/2004 08:41:50:628 PM CEST: Thread[Thread-29,5,main]
Cannot authenticate
05/16/2004 08:41:50:629 PM CEST: Thread[Thread-29,5,main]
Invalid password.
05/16/2004 08:43:45:894 PM CEST: Thread[Thread-30,5,main]
LDAP resbundle locale=en_US
05/16/2004 08:43:45:974 PM CEST: Thread[Thread-30,5,main]
currentState : 1
05/16/2004 08:43:45:974 PM CEST: Thread[Thread-30,5,main]
you are in LoginScreen:1
05/16/2004 08:43:45:975 PM CEST: Thread[Thread-30,5,main]
LDAP initialize()
05/16/2004 08:43:45:975 PM CEST: Thread[Thread-30,5,main]
attrs is : []
05/16/2004 08:43:45:978 PM CEST: Thread[Thread-30,5,main]
bindDN-> cn=amldapuser,ou=DSAME Users,dc=bih,dc=net,dc=ba
baseDN-> o=bih.net.ba,dc=bih,dc=net,dc=ba
userNamingAttr-> uid
userSearchAttr(s)-> [uid]
userCreationAttrs-> []
searchFilter->
searchScope-> 2
ssl-> false
authLevel: 0
Host: sis1.bih.net.ba
PORT : 389
Pattern : *|(|)|&|!
05/16/2004 08:43:45:984 PM CEST: Thread[Thread-30,5,main]
Connecting to sis1.bih.net.ba:389
Searching o=bih.net.ba,dc=bih,dc=net,dc=ba for (uid=amdin)
scope = 2
05/16/2004 08:43:45:989 PM CEST: Thread[Thread-30,5,main]
Cannot authenticate
05/16/2004 08:43:45:991 PM CEST: Thread[Thread-30,5,main]
Invalid password.
05/16/2004 08:45:46:145 PM CEST: Thread[Thread-31,5,main]
LDAP resbundle locale=en_US
05/16/2004 08:45:46:172 PM CEST: Thread[Thread-31,5,main]
currentState : 1
05/16/2004 08:45:46:173 PM CEST: Thread[Thread-31,5,main]
you are in LoginScreen:1
05/16/2004 08:45:46:173 PM CEST: Thread[Thread-31,5,main]
LDAP initialize()
05/16/2004 08:45:46:174 PM CEST: Thread[Thread-31,5,main]
attrs is : []
05/16/2004 08:45:46:174 PM CEST: Thread[Thread-31,5,main]
bindDN-> cn=amldapuser,ou=DSAME Users,dc=bih,dc=net,dc=ba
baseDN-> o=bih.net.ba,dc=bih,dc=net,dc=ba
userNamingAttr-> uid
userSearchAttr(s)-> [uid]
userCreationAttrs-> []
searchFilter->
searchScope-> 2
ssl-> false
authLevel: 0
Host: sis1.bih.net.ba
PORT : 389
Pattern : *|(|)|&|!
05/16/2004 08:45:46:179 PM CEST: Thread[Thread-31,5,main]
Connecting to sis1.bih.net.ba:389
Searching o=bih.net.ba,dc=bih,dc=net,dc=ba for (uid=admin)
scope = 2
05/16/2004 08:45:46:184 PM CEST: Thread[Thread-31,5,main]
Cannot authenticate
05/16/2004 08:45:46:185 PM CEST: Thread[Thread-31,5,main]
Invalid password.

Custom Authentication Module on Identity Server

Hi,
I have a custom authentication module which I am trying to access through the policy agent.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
My login module code is something like this:
package com.iplanet.am.samples.authentication.providers;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import java.rmi.RemoteException;
import java.io.FileInputStream;
import java.util.Properties;
public class LoginModule1 extends AMLoginModule
private String userName;
private String userTokenId;
private HashMap usersMap;
private java.security.Principal userPrincipal = null;
public LoginModule1() throws LoginException
public void init(Subject subject, Map sharedState, Map options)
          System.out.println("LoginModule1 initialization");
          usersMap = new HashMap();
          ResourceBundle bundle = ResourceBundle.getBundle("users");
          Enumeration users = bundle.getKeys();
          while (users.hasMoreElements())
               String user = (String)users.nextElement();
               String password = bundle.getString(user.trim());
               usersMap.put(user, password);
public int process(Callback[] callbacks, int state) throws AuthLoginException
          int currentState = state;
          if (currentState == 1)
               userName = ((NameCallback) callbacks[0]).getName().trim();
               char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
               String passwdString = new String (passwd);
               if (userName.equals(""))
                    throw new AuthLoginException("names must not be empty");
               if (userName.equals("testuser") && passwdString.equals("testuser"))
                    userTokenId = userName;
                    return -1;
               if (usersMap.containsKey(userName))
                    if (usersMap.get(userName).equals(new String(passwd)))
                         userTokenId = userName;
                         return -1;
               return 0;
     public java.security.Principal getPrincipal()
          if (userPrincipal != null)
               return userPrincipal;
          else
          if (userTokenId != null)
               userPrincipal = new SamplePrincipal("testuser");
               return userPrincipal;
          else
               return null;
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Srinivas

Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

Error inserting a row into a table with identity column using cfgrid on change

I got an error on trying to insert a row into a table with identity column using cfgrid on change see below
also i would like to use cfstoreproc instead of cfquery but which argument i need to pass and how to use it usually i use stored procedure
update table (xxx,xxx,xxx)
values (uu,uuu,uu)
     My component

    <cffunction name="cfn_MediaType_Update" access="remote">
        <cfargument name="gridaction" type="string" required="yes">
        <cfargument name="gridrow" type="struct" required="yes">
        <cfargument name="gridchanged" type="struct" required="yes">
        
        <cfset var colname="">
        <cfset var value="">
        
        <cfswitch expression="#ARGUMENTS.gridaction#">
            
            <cfcase value="U">
                
                <cfset colname=StructKeyList(ARGUMENTS.gridchanged)>
                <cfset value=ARGUMENTS.gridchanged[colname]>
                
                <cfquery datasource="#application.dsn#">
                UPDATE SP.MediaType
                SET #colname# = '#value#'
                WHERE MediaTypeID = #ARGUMENTS.gridrow.MediaTypeID#
                </cfquery>
            </cfcase>
            
            <cfcase value="D">
                
                <cfquery datasource="#application.dsn#">
                update SP.MediaType
                set Deleted=1
                WHERE MediaTypeID = #ARGUMENTS.gridrow.MediaTypeID#
                </cfquery>
            </cfcase>
            <cfcase value="I">
                
                <cfset colname=StructKeyList(ARGUMENTS.gridchanged)>
                <cfset value=ARGUMENTS.gridchanged[colname]>
                
               <cfquery datasource="#application.dsn#">
                insert into SP.MediaType (#colname#)
                Values ('#value#')
                </cfquery>
            </cfcase>
        </cfswitch>
    </cffunction>
my table
mediatype:
mediatypeid primary key,identity
mediatypename
my code is
<cfform method="post" name="GridExampleForm">
        <cfgrid format="html" name="grid_Tables2" pagesize="3" selectmode="edit" width="800px"
        delete="yes"
        insert="yes"
            bind="cfc:sp3.testing.MediaType.cfn_MediaType_All
                                                            ({cfgridpage},{cfgridpagesize},{cfgridsortcolumn},{cfgridsortdirection})"
              onchange="cfc:sp3.testing.MediaType.cfn_MediaType_Update({cfgridaction},
                                            {cfgridrow},
                                            {cfgridchanged})">
            <cfgridcolumn name="MediaTypeID" header="ID" display="no"/>
            <cfgridcolumn name="MediaTypeName" header="Media Type" />
        </cfgrid>
</cfform>
on insert I get the following error message ajax logging error message
http: Error invoking xxxxxxx/MediaType.cfc : Element '' is undefined in a CFML structure referenced as part of an expression.
{"gridaction":"I","gridrow":{"MEDIATYPEID":"","MEDIATYPENAME":"uuuuuu","CFGRIDROWINDEX":4} ,"gridchanged":{}}
Thanks

Is this with the Travel database or another database?
If it's another database then make sure your columns
allow nulls. To check this in the Server Navigator, expand
your DataSource down to the column.
Select the column and view the Is Nullable property
in the Property Sheet
If still no luck, check out a tutorial, like Performing Inserts, ...
http://developers.sun.com/prodtech/javatools/jscreator/learning/tutorials/index.jsp
John

Identity Server has not been configured for this new user/group suffix

Hi all
I am having a problem trying to configure the Directory Server (5.2) for Messaging Server.
My configuration is as follows:
SJES Q12005
Server 1 - Directory Server 5.2
Server 1 - Access Manager (formerly Identity Server)
Server 1 - Web Server 6.1
I have successfully installed the above and can login to Access Manager.
I next installed Calendar & Messengar Server on "Server 1". Upon running "comm_dssetup.pl" from /opt/SUNWcomds/sbin, I get the following error:
"Identity Server has not been configured for this new user/group suffix"
Copy and paste of what I entered:
bash-2.05# perl comm_dssetup.pl
Welcome to the Directory Server preparation tool for
Sun Java(tm) System communication services.
(Version 6.3 Revision 1.0)
This tool prepares your directory server for use by the
communications services which include Messaging, Calendar and their components.
The logfile is /var/tmp/dssetup_20050830165940.log.
Do you want to continue [y]:
Please enter the full path to the directory where the Sun ONE
Directory Server was installed.
Directory server root [var/opt/mps/serverroot] : /opt/mps/serverroot
Please select a directory server instance from the following list:
[1] slapd-sunldap
Which instance do you want [1]:
Please enter the directory manager DN [cn=Directory Manager]: cn=DirMan
Password:
Detected DS version 5.2
Will this directory server be used for users/groups [Yes]:
Please enter the Users/Groups base suffix [dc=samplecompany-dev,dc=co,dc=uk] : ou=infrastructure,o=sampletown,dc=samplecompany-dev,dc=co,dc=uk
There are 3 possible schema types:
1 - schema 1 for systems with iMS 5.x data
1.5 - schema 2 compatibility for systems with iMS 5.x data
that has been converted with commdirmig
2 - schema 2 native for systems using Identity Server
Please enter the Schema Type (1, 1.5, 2) [1]: 2
Identity Server has not been configured for this new user/group suffix
You can opt to continue, but you will not be able to use
features that depend on Identity Server
Are you sure you want this schema type? [n]:
I have entered my user group suffix exactly as specified during the Access Manager install (hence I am able to login as "amadmin").
Looking at the LDAP logs to try and figure out whats going wrong I see its not getting hits on all searches it is performing:
[30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
Resource)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - RESULT err=4 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:18 +0100] conn=299 op=160 msgId=162 - ABANDON targetop=NOTFOUND msgid=161
[30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - SRCH base="ou=people,ou=infrastructure,o=northampton,dc=dataforce-de
v,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(objec
tClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscapeRe
source)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - RESULT err=0 tag=101 nentries=0 etime=0
[30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - SRCH base="ou=clientdata,ou=infrastructure,o=northampton,dc=dataforc
e-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(o
bjectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netsca
peResource)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:18 +0100] conn=299 op=163 msgId=165 - ABANDON targetop=NOTFOUND msgid=164
[30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
dev,dc=co,dc=uk" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - RESULT err=0 tag=101 nentries=41 etime=0
[30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
dev,dc=co,dc=uk" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:28 +0100] conn=299 op=166 msgId=168 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
Resource)(objectClass=domain))" attrs="objectClass numSubordinates ref aci"
[30/Aug/2005:16:41:29 +0100] conn=299 op=166 msgId=168 - RESULT err=0 tag=101 nentries=41 etime=1
[30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - SRCH base="ou=iplanetamauthservice,ou=services,ou=infrastructure,o=n
orthampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectC
lass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServ
er)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:29 +0100] conn=299 op=168 msgId=170 - ABANDON targetop=NOTFOUND msgid=169
[30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - SRCH base="ou=iplanetamauthldapservice,ou=services,ou=infrastructure
,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(obj
ectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscape
Server)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:29 +0100] conn=299 op=170 msgId=172 - ABANDON targetop=NOTFOUND msgid=171
[30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - SRCH base="ou=iplanetampolicyconfigservice,ou=services,ou=infrastruc
ture,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)
(objectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=nets
capeServer)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
[30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:41:29 +0100] conn=299 op=172 msgId=174 - ABANDON targetop=NOTFOUND msgid=173
[30/Aug/2005:16:41:29 +0100] conn=299 op=173 msgId=175 - SRCH base="ou=iplanetamauthenticationdomainconfigservice,ou=services
,ou=infrastructure,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(
--More--(83%)
The list goes on.
Can anyone give me any pointers?
Thanks

Hi
Thanks for your reply!
I did mis-type, my mistake - sorry about that.
If I dont over-ride the default it works, I've pretty much got the whole setup working now but I'm not particularly over the moon about the way the ldap tree is setup, I'd like finer granuality as we are going to attempt to get syncronization working with AD.
I have an idea about how I'd like to set up our Mail/Calendar/LDAP infrastructure the 2nd time around (I'm just testing at the mo) - so I might have a question or two for you if you dont mind taking a look when you have a minute?
Thanks Jay

OAM Identity Server user search is very slow after upgrading to 10.1.4.2

We recently upgraded Identity-Server from 7.0.4 to 10.1.4.2 + BP10. The new webpass (version 10.1.4.2) is on iPlanet webserver, which does not have any bundled patch available. After this upgrade, we found the user search is very slow. It is taking double the time compare to version 7.0.4. The search performance for NetPoint admin users is fine.
The new version is connecting to the same LDAP (Sun 5.2) as the old one. The 7.0.4 version was well tuned (like Ldap connections, caching, etc) for the performance. The migration suppose to carryover those performance configuration to the new version. Is there any new parameter (related to performance) I should look for in version 10 ? Anybody have faced these issues after migration and found a fix for it ?
Thanks!
Kabi

More in this thread - Re: OAM- "You do not have sufficient access rights" message with Master Adm
-Vinod

Role in Portal6.1/Identity Server 6.0

I created a role in Identity Server, and assigned myself to the role. When I browse my entry in the LDAP, I do not see any nsRole attribues , nor do I see the role definition. This also applies to the roles that came installed with IS such as People Admin, Top-Level Admin Role. If I create a group in the Identity Server, the group shows up fine in the LDAP. Is there something wrong with the configuration?

I think I know why it is not showing up now. Because the nsRole attributes are virtual attributes, they are computed and not stored in the entry so an ldapsearch will not return any result. But if I use the directory server console, they do show up. My next question is that if I want to put hundreds or thousands of users in a role, and since Identity Server does not support Filtered Role, I would have to write a script to add the users to the role using command line. is this correct?

RBAC with Identity Server

Similar Messages

Maybe you are looking for