[Shib-Users] IDP authentication from database


ap1285

Apr 23, 2010, 11:05:39 AM4/23/10
to shibbole...@internet2.edu

Hi All,

I'm trying to use a MySQL database at the IdP for authentication.

Here is my data connector element from attribute-resolver.xml

<resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase"
xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
jdbcURL="jdbc:mysql://localhost:3306/userDB" jdbcUserName="root"
jdbcPassword="root" />
<QueryTemplate>
<![CDATA[
SELECT * FROM user WHERE usr_login =
'$requestContext.principalName'
]]>
</QueryTemplate>

<Column columnName="usr_login" attributeID="uid" />
<Column columnName="first_name" attributeID="displayname" />
</resolver:DataConnector>

I'm getting the following error by using the above configuration
----------------- Error logs -------------
javax.security.auth.login.LoginException: No LoginModules configured for
ShibUserPassAuth
at
javax.security.auth.login.LoginContext.init(LoginContext.java:256)
[na:1.6.0_16]
at
javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
[na:1.6.0_16]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:163)
[shibboleth-identityprovider-2.1.5.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
[shibboleth-identityprovider-2.1.5.jar:na]
--------------------------------------------------

I read in the docs that Shibboleth uses JAAS for authentication, and the above error
says the 'ShibUserPassAuth' login module was not found. I tried to configure it in
the $IDP_HOME/conf/login.config file, but it does not seem that the login.config
file is picked up by the JVM for JAAS authentication.

Just to add some more information: I tried LDAP authentication with the same IdP
and was getting the same error when defining 'ShibUserPassAuth' with the LDAP
configuration in the login.config file. But I got it working by defining an
application-policy element with the name 'ShibUserPassAuth' in my
$JBOSS_HOME/server/default/conf/login-config.xml file.

Somehow it's picking up the 'ShibUserPassAuth' configuration from JBoss's
login-config.xml but not from the IdP's login.config file.

Can someone point me to any document regarding database configuration or any
example to get database authentication running?

Thanks in advance
ap1285

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/IDP-authentication-from-database-tp4950984p4950984.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.



Peter Schober

Apr 23, 2010, 12:56:09 PM4/23/10
to shibbole...@internet2.edu
* ap1285 <ami...@imfinity.com> [2010-04-23 17:07]:
> I'm trying to use a MySQL database at the IdP for authentication.
>
> Here is my data connector element from attribute-resolver.xml

The data connector has nothing to do with authentication.
You'll need to configure JAAS (via login.conf) for authentication.
-peter

Peter Schober

Apr 23, 2010, 1:15:33 PM4/23/10
to shibbole...@internet2.edu
* ap1285 <ami...@imfinity.com> [2010-04-23 17:07]:
> I'm getting the following error by using the above configuration
> ----------------- Error logs -------------
> javax.security.auth.login.LoginException: No LoginModules configured for
> ShibUserPassAuth
[...]
> I read in the docs that Shibboleth uses JAAS for authentication, and the above error
> says the 'ShibUserPassAuth' login module was not found. I tried to configure it in
> the $IDP_HOME/conf/login.config file, but it does not seem that the login.config
> file is picked up by the JVM for JAAS authentication.

I know nothing about JBoss but recall faintly that people had to
configure the location of the JAAS config for JBoss separately.
The docs in https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
are pretty terse (see "Setting up JAAS").

As for JAAS auth via JDBC this is what I usually write (and never
heard back if this worked):
https://mail.internet2.edu/wws/arc/shibboleth-users/2010-02/msg00147.html
-peter

Brent Putman

Apr 23, 2010, 2:31:59 PM4/23/10
to shibbole...@internet2.edu


On 4/23/2010 1:15 PM, Peter Schober wrote:
>
> I know nothing about JBoss but recall faintly that people had to
> configure the location of the JAAS config for JBoss separately.
>


Yes, Peter is correct. See this thread:

https://mail.internet2.edu/wws/arc/shibboleth-users/2008-10/msg00858.html


The way people have gotten this to work in JBoss is to configure JAAS
using JBoss's XML-based JAAS configuration. I also recall someone did
report later that they had done this, but using the VT LDAP module that
we ship, as mentioned in the link above, and it worked fine.

HTH,
Brent

ap1285

May 5, 2010, 5:57:54 AM5/5/10
to shibbole...@internet2.edu

Thanks Peter and Brent, and sorry for my late reply; I was away from work for
a few days.

Yes, JBoss does not read $IDP_HOME/conf/login.config for JAAS authentication.
I got it working by configuring
$JBOSS_HOME/server/<server-type>/conf/login-config.xml

If you are running the IdP on JBoss, then the JAAS config should be specified in
$JBOSS_HOME/server/<server-type>/conf/login-config.xml to get it working, if
you do not override the default JAAS config file of JBoss, which is
specified in jboss-service.xml.
Snippet from jboss-service.xml:
<mbean code="org.jboss.security.auth.login.XMLLoginConfig"
name="jboss.security:service=XMLLoginConfig">
<attribute name="ConfigResource">login-config.xml</attribute>
</mbean>
But I don't know how to change the above settings to read the IdP's login.config
file, because it's reading an XML-format file right now.

Anyway, I tried the following configuration in JBoss's login-config.xml and it
worked. Maybe it can help someone else.

<application-policy name = "ShibUserPassAuth">
<authentication>
<login-module code =
"org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">

<module-option name =
"dsJndiName">java:/applicationDB</module-option>

<module-option name = "principalsQuery">SELECT
password FROM user where username=?</module-option>
<module-option name = "rolesQuery">SELECT
firstname,'Roles' FROM user WHERE username=?</module-option>
</login-module>
</authentication>
</application-policy>

NOTE: I didn't have any roles table, so 'rolesQuery' is fake.

@Peter - I tried to run the IdP on Apache Tomcat. JAAS reads the IdP's
login.config in Tomcat, and I used the Tagish login module for authentication.

Thanks for your help again :)

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/IDP-authentication-from-database-tp4950984p5008051.html
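A small diagnostic for the symptom in this thread (the IdP's login.config being ignored), added here and not taken from the thread or the Shibboleth project: it prints which JAAS Configuration class the JVM actually has installed and which login modules it binds to ShibUserPassAuth, then reproduces the LoginContext construction that fails in the posted stack trace. The login.config path is an assumption passed as a command-line argument; run the class with the same JVM options and classpath as the IdP's container.

```java
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Reports which JAAS Configuration the JVM uses and which login modules it
 *  resolves for the IdP's entry name; run it with the container's JVM options. */
public class JaasConfigCheck {
    static final String ENTRY = "ShibUserPassAuth"; // entry name from the stack trace

    /** Login-module class names bound to entry by the active Configuration; empty if none. */
    static String[] modulesFor(String entry) {
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(entry);
        if (entries == null) {
            return new String[0];
        }
        String[] names = new String[entries.length];
        for (int i = 0; i < entries.length; i++) {
            names[i] = entries[i].getLoginModuleName() + " [" + entries[i].getControlFlag() + "]";
        }
        return names;
    }

    public static void main(String[] args) {
        if (args.length > 0) {
            // Point the JDK's file-based default Configuration at a login.config
            // (assumed path, e.g. $IDP_HOME/conf/login.config). Has no effect once a
            // container has installed its own Configuration, as JBoss's XMLLoginConfig does.
            System.setProperty("java.security.auth.login.config", args[0]);
            Configuration.getConfiguration().refresh();
        }
        System.out.println("Active Configuration: " + Configuration.getConfiguration().getClass().getName());
        System.out.println("Modules for " + ENTRY + ": " + Arrays.toString(modulesFor(ENTRY)));
        // Constructing the LoginContext is the step that fails in the IdP's stack trace:
        // with no entries it throws "No LoginModules configured for ShibUserPassAuth".
        CallbackHandler noop = new CallbackHandler() {
            public void handle(Callback[] callbacks) { /* no credentials supplied here */ }
        };
        try {
            new LoginContext(ENTRY, noop);
            System.out.println("LoginContext created: the entry resolves.");
        } catch (LoginException e) {
            System.out.println("LoginContext failed: " + e.getMessage());
        }
    }
}
```

If Configuration.getConfiguration() itself throws a SecurityException, the JVM found no JAAS configuration at all (no property, no java.security entry, no container-installed Configuration), which is a different failure from the one in this thread.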