[OpenAM] OpenAM using AD to access Salesforce.com

Peter Major peter.major at forgerock.com
Wed Jan 4 12:10:18 EST 2012


From your other thread it seems you are using the LDAP People Container 
Name/Value settings; remove those values, and then you should be able to 
see more users. ;)

Regards,
Peter

On 2012-01-04 17:50, Rob Collins wrote:
> Good news, I can now get SSO to work for some users!
>
> After experimenting with setting different settings for the "Active Directory" data store, I have established the following:
>
> I set the LDAP Bind DN to an account in the root Users folder (cn=Users,dc=domain,dc=com).
> When I check Subjects in OpenSSO, I can only see the users (there are 98) in this root Users folder (cn=Users,dc=domain,dc=com).
> SSO works correctly now, but only if the user that I log in with is also in the root Users folder (cn=Users,dc=domain,dc=com).
>
> Why can OpenSSO not see the rest of my AD domain? It is definitely not an AD permissions issue because I have other services doing LDAP lookups with the same permissions.
>
> Here are some of the settings for the "Active Directory" user data store
> LDAP Organization DN = root of domain, e.g. dc=domain, dc=com
> LDAPv3 Plug-in Search Scope = SCOPE_SUB  (this was the default, and it should be correct?!)
> Persistent Search Base DN: OU=Users,OU=xxxx,OU=Locations,dc=domain,dc=com
>
> Regards
>
> Rob
>
> -----Original Message-----
> From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of openam-request at forgerock.org
> Sent: 04 January 2012 16:37
> To: openam at forgerock.org
> Subject: OpenAM Digest, Vol 15, Issue 7
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 04 Jan 2012 22:45:55 +0800
> From: LOW Chee Chong<cheechong at azlabs.sg>
> Subject: Re: [OpenAM] OpenAM using AD to access Salesforce.com
> To: Users<openam at forgerock.org>
> Message-ID:<4F046623.5030602 at azlabs.sg>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Rob,
>
> Read
> https://wikis.forgerock.org/confluence/display/openam/Add+Active+Directory+as+an+External+Directory.
>
> See last step. Are you able to see your subjects displaying on OpenAM?
>
> --
> Chee Chong
>
>
>
> On 1/4/12 10:35 PM, Rob Collins wrote:
>>
>> We want to use OpenSSO for single sign on into Salesforce.com. We
>> followed the instructions here:
>> http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com
>>
>> We were able to successfully get SSO working with the demo (embedded)
>> User Store. It worked beautifully.
>>
>> Now we are trying to configure OpenSSO to authenticate against our AD,
>> but it is not yet working.
>>
>> Has anyone here got OpenSSO working with AD?
>>
>> I see failed login attempts in the Security event log of the DC from
>> my IP with username of root. This seems very odd. There are no errors
>> being logged in the Salesforce.com login history, so we think the AD
>> authentication is failing somewhere.
>>
>> We used the following settings during the OpenSSO config:
>> User Data Store Type: Active Directory with Host and Port
>> SSL/TLS Enabled: false
>> Directory Name: FQDN of a local AD domain controller, server.domain.com
>> Port: 389
>> Root suffix: dc=subdomain,dc=domain,dc=com  (Details changed
>> for security reasons, but trust me, I used the correct ones!)
>> Login ID: cn=svc-opensso,ou=Users,ou=Location,ou=Locations,dc=subdomain,dc=domain,dc=com
>> (again, some details changed for security reasons)
>> Password: *******   (come on, you didn't think I'd put it here did you?!)
>>
>> I have created an AD user with both cn (Full name) and SamAccountName
>> (User logon name) of svc-opensso. This user has read/write access to AD.
>>
>> Any help much appreciated!
>>
>>
>> Rob Collins
>>
>>
>>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 04 Jan 2012 16:37:55 +0100
> From: Pierluigi Conti<p.conti at lineacomune.it>
> Subject: Re: [OpenAM] Firewall between OpenAM and OpenLDAP
> To: Users<openam at forgerock.org>
> Message-ID:<4F047253.6020703 at lineacomune.it>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> really good!!
>
> it worked, thank you
>
> On 04/01/2012 10:48, Mark de Reeper wrote:
>> I don't think that OpenLDAP supports persistent search so this is unlikely to work. I would recommend having OpenLDAP close idle connections before the firewall cuts them; this means that OpenAM is given proper notice that the connection is closed rather than finding out next time it goes to use a connection that has been killed by the firewall.
>>
>>
>> Thanks
>>
>> Mark
>>
>> On 4/01/2012, at 10:02 PM, Pierluigi Conti wrote:
>>
>>> Hello,
>>> I already asked this but I didn't find a solution.
>>> I'm using OpenAM with OpenLDAP as external User Store.
>>> A firewall is between the two servers and it has the TCP connection
>>> timeout at 1 hour.
>>>
>>> Using this configuration, OpenAM's connections broke down after 1
>>> hour and the authentication procedure stops for about 10 minutes.
>>> I've tried to set up the Persistent Search Maximum Idle Time Before
>>> Restart at 20 minutes, but it still doesn't work.
>>> Also OpenLDAP has the TCP idle timeout disabled and the syncrepl
>>> options enabled.
>>>
>>> In the IdRepo debug file I get this error:
>>>
>>> LDAPv3EventService:01/04/2012 08:46:02:651 AM GMT:
>>> Thread[main,5,main]
>>> ERROR: LDAPv3EventService.addListener: unable to determine if psearch
>>> or notification is supported. randomID=279583849
>>> LDAPv3Repo:01/04/2012 08:46:02:654 AM GMT: Thread[main,5,main]
>>> **********************************************
>>> LDAPv3Repo:01/04/2012 08:46:02:654 AM GMT: Thread[main,5,main]
>>> ERROR: LDAPv3Repo: addListener failed. persistant search not
>>> supported
>>>
>>>
>>>
>>> What can I do?
>>>
>>> Thank you,
>>>
>>>
>>> Bye
>>
>
> --
> Pierluigi Conti
> Linea Comune Spa
> Via R. Giuliani, 250 - 50141 Firenze (FI) tel. +39 055 45587227 fax +39 055 4554312
> e-mail: p.conti at lineacomune.it
> http://www.lineacomune.it/
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 4 Jan 2012 17:39:05 +0100
> From:<luk.morbee at thomsonreuters.com>
> Subject: Re: [OpenAM] Cache configuration
> To:<openam at forgerock.org>
> Message-ID: <0604AD3C4DD2BA418177551C983C094404C47391 at TLRBEANTMBX05.ERF.THOMSON.COM>
> Content-Type: text/plain; charset="iso-8859-1"
>
> We also had issues with cached LDAP entries and finally disabled caching altogether. This is my thread: http://lists.forgerock.org/pipermail/openam/2011-November/004075.html
>
> From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Philip Peake
> Sent: Tuesday, January 03, 2012 7:18 PM
> To: Users
> Subject: Re: [OpenAM] Cache configuration
>
> Look at documentation on persistent connections to the LDAP server - these are there specifically to deal with the situation of data on LDAP changing and OpenAM being aware of the changes.
>
> On 1/3/2012 9:31 AM, Raúl Montes wrote:
>
> Hello everybody,
>
> I have a Custom IdRepo plugin that connects to a Database to authenticate using SAML2. The problem I have is that if I make changes to the user information on that database, OpenAM doesn't see it because (I suppose) of its cache. Is it possible to disable this user data caching? I want OpenAM to ask this IdRepo plugin for the user attributes every time it wants to use them, because they can change at any time from external sources.
>
> Thanks for your help.
>
> Regards,
>
> Raul.
>
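As an added illustration (not code from this thread or from OpenAM), the snippet below models what Peter's advice implies for Rob's symptom: with the LDAP People Container naming attribute and value set, the plug-in's user search base becomes <attr>=<value>,<Organization DN>, so even SCOPE_SUB only reaches the 98 entries under cn=Users, while clearing the two values makes the Organization DN itself the base. The sample DNs and the way the base is composed are assumptions modelled on the thread.

```python
"""Constructed model of how a people-container setting narrows an LDAPv3
IdRepo user search base.  Not OpenAM code; all DNs below are made up."""


def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, most specific first.
    Simplified: no escaped commas or multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def user_search_base(org_dn, container_attr=None, container_value=None):
    """Assumption about the plug-in: base is <attr>=<value>,<org DN> when both
    People Container settings are filled in, otherwise the Organization DN."""
    if container_attr and container_value:
        return f"{container_attr}={container_value},{org_dn}"
    return org_dn


def in_scope(entry_dn, base_dn, scope="SCOPE_SUB"):
    """True when a search on base_dn with the given scope returns entry_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)
    if scope == "SCOPE_BASE":
        return depth == 0
    if scope == "SCOPE_ONE":
        return depth == 1
    return True  # SCOPE_SUB: any depth below (or equal to) the base


ORG_DN = "dc=domain,dc=com"
USERS = [  # constructed accounts: one in the root Users container, two in OUs
    "CN=svc-opensso,CN=Users,DC=domain,DC=com",
    "cn=alice,ou=Users,ou=Site1,ou=Locations,dc=domain,dc=com",
    "cn=bob,ou=Users,ou=Site2,ou=Locations,dc=domain,dc=com",
]


def visible_users(container_attr=None, container_value=None, scope="SCOPE_SUB"):
    """Which of USERS the data store would list as Subjects."""
    base = user_search_base(ORG_DN, container_attr, container_value)
    return [u for u in USERS if in_scope(u, base, scope)]


if __name__ == "__main__":
    print(visible_users("cn", "Users"))  # only the account under cn=Users
    print(visible_users())               # all three once the container is cleared
```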