LDAP Authentication using FAST BIND

[vmlk...@gmail.com]

Hi,

I have been working on creating a login p

[vmlk...@gmail.com]

Hi,

I have been working on creating a simple login page. I should be able to connect to the LDAP server for authenticating a user and I am new to LDAP. When I researched a bit about this, I found that FAST BIND mechanism is used to authenticate a user.

In the example provided here, http://wiki.orbeon.com/forms/doc/developer-guide/processors-ldap , it explains how to connect to the ldap server and store the retrieved information in XML format.

Does the same example can also be referenced to authenticate a user? If not, how can I use LDAP processors to authenticate a user?


Thanks,
Vimalkumar Chellam

[Alessandro Vernet]

For those finding this thread through a search, the discussion on this topic
is on:

http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-td4660459.html

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660458p4660462.html
Sent from the Orbeon Forms community mailing list mailing list archive at Nabble.com.

[Alessandro Vernet]

Hi Vimalkumar,

Not at all :). In general, you don't want to use the LDAP processor to
authenticate users. You want to setup your servlet container, e.g. Tomcat,
to do that. In Tomcat, this is done by setting up a "realm". I'll let you
google "LDAP tomcat", with the version of Tomcat you're using to find the
relevant doc.

In some cases you could have a use for the LDAP processor, e.g. cases where
you want to retrieve more information about users from LDAP *after* they
have been authenticated, but this situation is pretty rare.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660463.html

[vmlk...@gmail.com]

Thanks, ALex. I am able to create a LDAP authentication with tomcat itself.

After creating a login authentication for orbeon, it enables us to login with our credentials successfully.

When I try to access my xml file where the data will be stored, it pops up one more authentication window and prompts for a username and password. When I use the same credentials as before, it's not allowing me to access it.
URL for my xml file: http://localhost/orbeon/exist/rest/db/orbeon/orbeonforms/userinfo.xml

Please, help me on how to remove that authentication pop-up while accessing the xml file. Or Is there any other way to get through this?

Vimalkumar

[Alessandro Vernet]

Hi Vimalkumar,

I'm not sure if this is what you're hitting, but by default there is a
security filter protecting access to eXist, as you wouldn't want your eXist
database to open. If you want to be able to access it through the REST API,
and don't care about security, you can comment out the <filter> and
<filter-mapping> for orbeon-exist-filter in your Orbeon Forms web.xml.
You'll let us know if this helps,

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660514.html

[vmlk...@gmail.com]

Hello Alex,

Thanks for your reply.

<filter-mapping> is already commented out. <filter> is left uncommented. So, I commented the <filter> element too.

But, it's not helping me. It still shows the authentication pop up when I try to access my xml file. I also found out when I click on the save button of my forms, it's showing a error message.

If remove the security constraints for my forms, everything works fine.

What would be the solution for this?

Vimalkumar Chellam

[vmlk...@gmail.com]

Hi Alex,

For your information, today I tried with the username and password which are provided in the <cluster> element of exist-conf.xml file. It actually worked intially. But, after sometime, the same username and password stopped working and does not let me to access the xml file. It looks so weird to me.

If I remove the LDAP authentication for Orbeon forms, everything works fine.

Let me know of any solutions for this.

Vimalkumar Chellam

[Alessandro Vernet]

Hi Vimalkumar,

I suspect that this is because the user is authenticated to the web app, and
that authentication information gets to the eXist servet, which say "Is John
Smith allowed to access this resource? No." This might seem
counterintuitive, but eXist can deny access to a given user, but allow
access to the same resource to a non-authenticated user.

So I'd recommend you edit the web.xml, look for the <security-constraint>
without child <auth-constraint>; search for "Form Runner services and public
pages and resources", and add there a <url-pattern>/exist/*</url-pattern>.
You'll let us know if this works for you.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660550.html

[vmlk...@gmail.com]

Thanks Alex, I uncommented the <security-constraint> with <url-pattern> /exist/*</url-pattern> and it worked.

Vimalkumar Chellam

[Alessandro Vernet]

Excellent Vimalkumar, I am glad it worked, and thank you for the update.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660582.html

[vmlk...@gmail.com]

Hello Alex,

I have two questions

I have created a BASIC LDAP authentication for Orbeon forms. Next, I have to create a FORM based authentication. When I researched a bit about this, all the sites I have referred creates an html form for login page. In that html form, they set the action element of form tag to j_security_check to access the security feature of the servlet container. Now my first questions: Is it possible to create a login page using Orbeon forms which calls the security feature of a servlet container?

My second question: Is it possible to create a logout like button in orbeon forms which invalidates/kills the session created using LDAP authentication?

Any suggestions on this would be appreciated.

Vimalkumar

[Alessandro Vernet]

Hi Vimalkumar,

Yes, it is possible to "host" such a login page within Orbeon Forms; in fact
Form Runner already comes with such page, which you can access on /fr/login:

https://github.com/orbeon/orbeon-forms/blob/master/src/resources/apps/fr/login.xhtml

If you're using form-based auth, yes, you can create a logout link, and that
page can invalidate the session. There is no such page built-in, but you
create one. The simplest would probably be to do it as a JSP, e.g.
http://stackoverflow.com/a/5188772/5295.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660592.html

[vmlk...@gmail.com]

Thanks Alex, I'm able to create a login page with /fr/login. I also created a logout button using JSP.

I have one issue now. I mentioned my login page in web.xml under the tag <form-login-page>. Whenever someone tries to access the Orbeon forms for the first time, it redirects to the login page. But, when someone gives wrong credentials it is not redirecting to the error page which I mentioned under the tag <form-error-page> in web.xml. Instead it shows 403

I have been looking for an explanation on all possible site and forums. I don't find anything useful. Any idea on why it is happening and how can I solve it?

Vimalkumar Chellam

[vmlk...@gmail.com]

Hi Alex,

I found some workaround for that issue. When I set my <form-error-page> to some customized error pages, it sends 403 error for wrong credentials. But, when I set something like this <form-error-page>/<form-error-page>, it redirects me to the conf/unauthorized.xhtml for wrong credentials. So, I customized my unauthorized.xhtml to behave in the way I want. I don't know whether is a good solution or not. For the time being, I implemented this.

Vimalkumar Chellam

[Alessandro Vernet]

Hi Vimalkumar,

Regarding your earlier message, I am wondering if you're not getting a 403
when accessing the error page because you haven't setup that page (the path
in <form-error-page>) to not require authentication, e.g. as done in the
web.xml that ships with Orbeon Forms:

https://github.com/orbeon/orbeon-forms/blob/c35e0a9feb75f8dbf88a8176f9693c7d21607ec8/descriptors/orbeon-war-web.xsl#L460

Regarding your second message, I'm not sure to follow you, but I'm glad to
read you've found some kind of workaround.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660659.html

[vmlk...@gmail.com]

Hello Alex,

I am having one issue now. So far I have been using HTTP put method during submission. As put method replaces the previous data on each submission, I want to use post method.

To use the post method, I need to have a server side script to handle it. Can I use servlet to handle the submissions with post method?

Also, I find no examples on how to handle the xforms submissions using post method. Will you direct me to some good examples available online?

Thanks,
Vimalkumar Chellam

[Alessandro Vernet]

Hi Vimalkumar,

Which submission are you referring to? Is this an implementation of the
persistence API you did, and which is called by Orbeon Forms when a document
is saved? I missing some context here :).

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660729.html

[Vimalkumar]

I didn't implement any persistence API yet. I just want to use the post method while submitting in the in-built eXist database.

Thanks,
Vimalkumar Chellam

Alessandro Vernet <ave...@orbeon.com> wrote:

>--
>You received this message because you are subscribed to a topic in the Google Groups "Orbeon Forms" group.
>To unsubscribe from this topic, visit https://groups.google.com/d/topic/orbeon/mlVNSl7PJtE/unsubscribe.
>To unsubscribe from this group and all its topics, send an email to orbeon+un...@googlegroups.com.
>To post to this group, send email to orb...@googlegroups.com.

[Alessandro Vernet]

Hi Vimalkumar,

The provided implementation of the persistence API for eXist-db will do a
PUT to update the data in the database when saving. In that context, a POST
won't work: I think that it you POST something to eXist-db, it expects
XQuery. Or am I misunderstanding your comment?

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660740.html

[vmlk...@gmail.com]

Hi Alex,

If I use PUT method to save the data in the in-built exist database, it rewrites over the previous data. I just want new data to be appended to the xml file every time when I hit the save button. How can I do this?

Thanks,
Vimalkumar Chellam

[Alessandro Vernet]

Vimalkumar,

But if you have the persistence API do that, Orbeon Forms won't be able to
read the data back for further editing. If you want to have this happen, I'd
do it independently from the persistence API, with a button in your form
(which could be the "Save" button, if you'd like), that as, part of a
process, calls the send() action doing a POST to your XQuery in eXist that
appends the data somewhere. Would this make sense?

http://doc.orbeon.com/form-runner/advanced/buttons-and-processes/index.html

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--

View this message in context: http://discuss.orbeon.com/LDAP-Authentication-using-FAST-BIND-tp4660459p4660750.html