4 Replies Latest reply on Feb 17, 2013 6:11 PM by Sham HC

    SSO and LDAP working together

    crestenst

      Hello everyone!

      I'm currently running CQ5.5 Update 2.

      What I am trying to accomplish:

      So, I have a user logged into a Windows remote desktop. He connects to a locally hosted dispatcher instance, which authenticates the user, forwards the header to CQ5, and logs him in.

      Additionally, when the user logs in, CQ5 will ask an Active Directory instance for the SSO user's information. If he does not yet exist, he will be created with the appropriate attributes, and logged in.

      What I have been able to accomplish

      Currently I have the two working separately. But, if I have both enabled, neither works.

      So, if I have only the LDAP configuration enabled, I can enter the user's common name, and it will import him. (Basic LDAP works)

      If I have the user already created, and have my SSO configuration enabled, it will allow him to log on. (Basic SSO works)

      But, if he does not yet exist, it gives me the following error: (When trying to log in via SSO, CQ5 will not request credentials / user information through LDAP)

      22.10.2012 09:53:21.329 *INFO* [10.110.41.162 [1350917601328] GET /libs/cq/core/content/login.html?resource=%2F&$$login$$=%24%24login%24%24&j_reason=User+name+and+password+do+not+match HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate XXX: LoginModule ignored Credentials

      22.10.2012 09:53:21.329 *ERROR* [10.110.41.162 [1350917601328] GET /libs/cq/core/content/login.html?resource=%2F&$$login$$=%24%24login%24%24&j_reason=User+name+and+password+do+not+match HTTP/1.1] com.day.cq.auth.impl.LoginSelectorHandler requestCredentials: Abort login due to apparent misconfiguration.

      22.10.2012 09:53:21.329 *ERROR* [10.110.41.162 [1350917601328] GET /libs/cq/core/content/login.html?resource=%2F&$$login$$=%24%24login%24%24&j_reason=User+name+and+password+do+not+match HTTP/1.1] com.day.cq.auth.impl.LoginSelectorHandler requestCredentials: Possible reasons: login page not existing or not accessible

      Any help would be tremendous. I'll reply to this post with my configuration files.

        • 1. Re: SSO and LDAP working together
          crestenst Level 1

          Here is my ldap.conf file:

          com.day.crx {
            com.day.crx.core.CRXLoginModule sufficient;
            com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="thehost.google.com"
              authDn="distinguishedname"
              authPw="bacon"
              port="389"
              secure="false"
              userRoot="CN=Users,DC=blah,DC=local"
              userFilter="(|(memberof=distinguishedname)(memberof=distinguishedname))"
              userIdAttribute="sAMAccountName"
              groupRoot="CN=Users,DC=blah,DC=local"
              groupMembershipAttribute="member"
              groupFilter="(|(CN=blah)(CN=distinguishedname))"
              groupNameAttribute="cn"
              autocreate="create"
              autocreate.user.c="rep:fullname"
              autocreate.user.mail="profile/email"
              autocreate.user.info="profile/notes"
              autocreate.user.employeeID="profile/employeeID"
              autocreate.user.givenname="profile/givenName"
              autocreate.user.membership="administrators"
              autocreate.user.sn="profile/familyName"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/name"
              autocreate.path="none"
              cache.expiration="10"
              cache.maxsize="100";
          };

          • 2. Re: SSO and LDAP working together
            crestenst Level 1

            And here is my repository.xml file:

            <Security appName="com.day.crx">

              <!-- security manager: class: FQN of class implementing the JackrabbitSecurityManager interface -->
              <SecurityManager class="com.day.crx.core.CRXSecurityManager">
                <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager" />
                <UserManager class="com.day.crx.core.CRXUserManagerImpl">
                  <param name="usersPath" value="/home/users" />
                  <param name="groupsPath" value="/home/groups" />
                  <param name="defaultDepth" value="1" />
                </UserManager>
              </SecurityManager>

              <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>

              <LoginModule class="com.day.crx.core.CRXLoginModule">
                <param name="anonymousId" value="anonymous" />
                <param name="adminId" value="admin" />
                <param name="anonymous_principal" value="anonymous" />
                <param name="trust_credentials_attribute" value="TrustedInfo" />
              </LoginModule>

            </Security>

            • 3. Re: SSO and LDAP working together
              konradhh

              You need to add the trusted header authentication to your ldap.conf, something like:

              trust_credentials_attribute="TrustedInfo"

              http://dev.day.com/docs/en/crx/2-3/administering/ldap_authentication.html#Auto%20Creation

              LDAP with Single Sign On

              If you are using LDAP with SSO, you need to configure the trust_credentials_attribute parameter. Otherwise, you see an error that indicates that "principalProvider configuration entry missing."

              trust_credentials_attribute="TrustedInfo"

              The trust_credentials_attribute value must be the same as the one you define in the Felix Console for the SSO configuration.
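              As an added example (not part of konradhh's reply or the poster's files), this is the posted ldap.conf with the parameter from the reply added to the LDAPLoginModule entry. The value "TrustedInfo" is assumed here to be what the Felix Console SSO configuration uses for its trust credentials attribute; it must also equal the trust_credentials_attribute param of the CRXLoginModule in repository.xml, which in the posted file is "TrustedInfo". Host, bind DN, password and filter values are the poster's placeholders, unchanged.

```jaas
com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient;
  com.day.crx.security.ldap.LDAPLoginModule required
    // Added: must match the Felix Console SSO setting and the
    // CRXLoginModule param in repository.xml ("TrustedInfo" is assumed).
    trust_credentials_attribute="TrustedInfo"
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    host="thehost.google.com"
    authDn="distinguishedname"
    authPw="bacon"
    port="389"
    secure="false"
    userRoot="CN=Users,DC=blah,DC=local"
    userFilter="(|(memberof=distinguishedname)(memberof=distinguishedname))"
    userIdAttribute="sAMAccountName"
    groupRoot="CN=Users,DC=blah,DC=local"
    groupMembershipAttribute="member"
    groupFilter="(|(CN=blah)(CN=distinguishedname))"
    groupNameAttribute="cn"
    autocreate="create"
    autocreate.user.c="rep:fullname"
    autocreate.user.mail="profile/email"
    autocreate.user.info="profile/notes"
    autocreate.user.employeeID="profile/employeeID"
    autocreate.user.givenname="profile/givenName"
    autocreate.user.membership="administrators"
    autocreate.user.sn="profile/familyName"
    autocreate.group.description="profile/aboutMe"
    autocreate.group.mail="profile/email"
    autocreate.group.cn="profile/name"
    autocreate.path="none"
    cache.expiration="10"
    cache.maxsize="100";
};
```

              The parameter is an option of the LDAPLoginModule entry, so it goes inside that module's option list before the terminating ";" rather than on the CRXLoginModule line. After changing ldap.conf the CQ instance has to be restarted for the JAAS configuration to be re-read.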
              • 4. Re: SSO and LDAP working together
                Sham HC Level 7

                Hi crestenst,

                    What does your login id look like? Does it use an email or Domain\uid as the CQ user name? Could you please try a uid with letters only and let me know if it works?

                Thanks,
                Sham
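                The requirement in konradhh's reply is that one value agrees in three places: the LDAPLoginModule option in ldap.conf, the CRXLoginModule param in repository.xml, and the Felix Console SSO configuration. The following script is an added example, not from the thread or from Adobe's CRX code: it parses a JAAS login configuration and the <Security> element of repository.xml, and reports when the trust_credentials_attribute is missing or mismatched. The sample inputs are constructed from the posted files (with the poster's placeholder values), and the Felix SSO value is passed in as an argument because that setting lives in the OSGi console, not in either file; "TrustedInfo" is assumed for it.

```python
"""Cross-check trust_credentials_attribute between ldap.conf and repository.xml."""
import re
import xml.etree.ElementTree as ET

LDAP_MODULE = "com.day.crx.security.ldap.LDAPLoginModule"
CRX_MODULE = "com.day.crx.core.CRXLoginModule"
TRUST_KEY = "trust_credentials_attribute"

# Constructed sample: the LDAP entry as posted in the thread (placeholder values kept),
# which has no trust_credentials_attribute on the LDAPLoginModule.
LDAP_CONF_AS_POSTED = """
com.day.crx {
  com.day.crx.core.CRXLoginModule sufficient;
  com.day.crx.security.ldap.LDAPLoginModule required
    principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
    host="thehost.google.com"
    authDn="distinguishedname"
    authPw="bacon"
    port="389"
    secure="false"
    userRoot="CN=Users,DC=blah,DC=local"
    userFilter="(|(memberof=distinguishedname)(memberof=distinguishedname))"
    userIdAttribute="sAMAccountName"
    autocreate="create"
    cache.expiration="10"
    cache.maxsize="100";
};
"""

# Constructed sample: the relevant part of the posted repository.xml.
REPOSITORY_XML = """
<Security appName="com.day.crx">
  <LoginModule class="com.day.crx.core.CRXLoginModule">
    <param name="anonymousId" value="anonymous" />
    <param name="adminId" value="admin" />
    <param name="anonymous_principal" value="anonymous" />
    <param name="trust_credentials_attribute" value="TrustedInfo" />
  </LoginModule>
</Security>
"""

_APP_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
_OPT_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Parse a JAAS login config into {app: [(module_class, control_flag, {option: value})]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)    # line comments
    apps = {}
    for app, body in _APP_RE.findall(text):
        entries = []
        for entry in body.split(";"):
            entry = entry.strip()
            if not entry:
                continue
            options = dict(_OPT_RE.findall(entry))
            head = _OPT_RE.sub("", entry).split()        # leaves: class flag
            if len(head) != 2:
                raise ValueError("malformed JAAS entry: %r" % entry)
            entries.append((head[0], head[1].lower(), options))
        apps[app] = entries
    return apps


def _repo_trust_value(security):
    """The trust_credentials_attribute param of the CRXLoginModule, or None."""
    for lm in security.iter("LoginModule"):
        if lm.get("class") == CRX_MODULE:
            for p in lm.iter("param"):
                if p.get("name") == TRUST_KEY:
                    return p.get("value")
    return None


def trust_attribute_problems(ldap_conf, repository_xml, felix_sso_value):
    """Return the misconfigurations found; an empty list means all three settings agree."""
    security = ET.fromstring(repository_xml.strip())
    app = security.get("appName")
    entries = parse_jaas(ldap_conf).get(app)
    if entries is None:
        return ["ldap.conf has no application entry named %r" % app]
    problems = []
    repo_value = _repo_trust_value(security)
    if repo_value is None:
        problems.append("repository.xml: CRXLoginModule has no %s param" % TRUST_KEY)
    ldap_opts = [opts for cls, _flag, opts in entries if cls == LDAP_MODULE]
    if not ldap_opts:
        problems.append("ldap.conf: entry %r does not declare %s" % (app, LDAP_MODULE))
        return problems
    ldap_value = ldap_opts[0].get(TRUST_KEY)
    if ldap_value is None:
        problems.append("ldap.conf: LDAPLoginModule has no %s (the thread's symptom)" % TRUST_KEY)
        return problems
    if ldap_value != repo_value:
        problems.append("%s differs: ldap.conf=%r repository.xml=%r" % (TRUST_KEY, ldap_value, repo_value))
    if ldap_value != felix_sso_value:
        problems.append("%s differs: ldap.conf=%r Felix SSO=%r" % (TRUST_KEY, ldap_value, felix_sso_value))
    return problems


def with_trust_attribute(ldap_conf, value):
    """Apply the fix from the thread: add the option to the LDAPLoginModule entry."""
    marker = LDAP_MODULE + " required"
    if marker not in ldap_conf:
        raise ValueError("no %r entry to patch" % marker)
    return ldap_conf.replace(marker, '%s\n    %s="%s"' % (marker, TRUST_KEY, value), 1)


if __name__ == "__main__":
    for label, conf in (("as posted", LDAP_CONF_AS_POSTED),
                        ("fixed", with_trust_attribute(LDAP_CONF_AS_POSTED, "TrustedInfo"))):
        print(label, trust_attribute_problems(conf, REPOSITORY_XML, "TrustedInfo") or "OK")
```

                Run against the posted files it reports the missing option; after with_trust_attribute() the check passes only when the value given for the Felix SSO configuration is the same string, which is the mismatch konradhh warns about.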