mjuricek1

User Application and SAML issue


Hi,

again the SAML issue. Now I have a customer who has a pretty
heterogeneous environment (meaning IDM 3.6, 4.0.2 and 4.5 all together).
This customer installed IDM 4.5 themselves and asked me to
install the User Application. I installed it but I cannot log in.
Everything looks fine. No errors in catalina.out. No errors in the
OSP logs (I also set the DEBUG log level for OSP...). Also the SAML
objects are in eDir...
But I found something interesting in the eDir traces.


13:04:25 63C NMAS: 17825854: Create NMAS Session
13:04:25 63C NMAS: 17825854: SASL SAML started
13:04:25 63C Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAReadObjectInfo conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAReadObjectInfo conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C NMAS: SASL Mechanism [SAML] not available:
13:04:25 63C NMAS: Available SASL Mechanisms:
13:04:25 63C NMAS: [NMAS_LOGIN]
13:04:25 63C NMAS: [EXTERNAL]
13:04:25 63C NMAS: [DIGEST-MD5]
13:04:25 63C NMAS: 17825854: NMAS Audit with Audit PA not installed
13:04:25 63C NMAS: 17825854: NMAS Audit with XDAS not installed
13:04:25 63C NMAS: 17825854: ERROR: -1693 SASL_DoMechanism:
NMAS_InvokeMechanism
13:04:25 63C NMAS: 17825854: Client Session Destroy Request
13:04:25 63C NMAS: 17825854: Destroy NMAS Session
13:04:25 63C NMAS: 17825854: Aborted Session Destroyed (with MAF)
13:04:25 63C LDAP: Failed to authenticate full context on connection
0x13369b20, err = -1693 (0xfffff963)
13:04:25 848 LDAP: Connection 0x13369b20 read failure, setting err =
-5875
13:04:25 848 LDAP: Monitor 0x848 found connection 0x13369b20 socket
failure, err = -5875, 0 of 0 bytes read

It seems the problem is with the SAML NMAS login method. Maybe the SAML
NMAS method is not installed on the eDir replica I am using. Or some
binaries are missing. I am not sure. Do you have any idea what can be
wrong?
Do you know how I can reinstall and reconfigure the SAML NMAS login
method? Where can I find the SAML NMAS installation files for Windows?

Thanks
Milan


--
mjuricek
------------------------------------------------------------------------
mjuricek's Profile: https://forums.netiq.com/member.php?userid=1616
View this thread: https://forums.netiq.com/showthread.php?t=54001

Knowledge Partner

Re: User Application and SAML issue

On 8/10/2015 4:44 AM, mjuricek wrote:
> Do you know how I can reinstall and reconfigure the SAML NMAS login
> method? Where can I find the SAML NMAS installation files for Windows?


NMAS methods are a bit 'strange'. The binaries they execute are stored
in attributes in the directory. In the Security container there are
objects that, if you look at the attributes, are huge.

Anyway, the 'install' is thus a schema update via .sch or .ldif files.

Try configupdate 4.5, third tab, Advanced Options, RBPM section;
there is a drop-down that defaults to No Action. That is how you
auto-configure the NMAS certs in Security for this.

If, however, you have UA 3.x or 4.0.2 doing header auth for SSO on the
same UA driver object, do not, as this will break it.


Knowledge Partner

Re: User Application and SAML issue

>> Do you know how I can reinstall and reconfigure the SAML NMAS login
>> method? Where can I find the SAML NMAS installation files for Windows?

>
> NMAS methods are a bit 'strange'. The binaries they execute are stored
> in attributes in the directory. In the Security container there are
> objects that, if you look at the attributes, are huge.
>
> Anyway, the 'install' is thus a schema update via .sch or .ldif files.


It has been pointed out that it is not a schema update, but an object
import via LDIF.



mjuricek1

Re: User Application and SAML issue


Hi, I already tried this and nothing 😞
Maybe there is a problem with the replication... or something else. As
you can see in the traces:

13:04:25 638 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: DSARead failed, no such attribute (-603).
13:04:25 638 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: DSARead failed, no such attribute (-603).
13:04:25 638 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: DSARead failed, no such attribute (-603).
13:04:25 638 NMAS: 17825853: sasUpdateLoginTimeInterval is not set (or)
invalid. Setting to global value = 0 mins
13:04:25 638 NMAS: 17825853: UpdateLoginTimeInterval for object = 0 mins
13:04:25 638 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DSAModifyEntry conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DSAReadObjectInfo conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 NMAS: 17825853: NMAS Audit with Audit PA not installed
13:04:25 638 NMAS: 17825853: NMAS Audit with XDAS not installed
13:04:25 638 NMAS: 17825853: Local password login shortcut successful
13:04:25 638 NMAS: 17825853: Client Session Destroy Request
13:04:25 638 NMAS: 17825853: Destroy NMAS Session
13:04:25 638 NMAS: 17825853: Aborted Session Destroyed (with MAF)
13:04:25 988 LDAP: nds_back_search: Search Control OID
2.16.840.1.113730.3.4.2
13:04:25 988 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 988 Agent: DSARead failed, no such attribute (-603).
13:04:25 9C4 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 9C4 Agent: DSARead failed, no such attribute (-603).
13:04:25 988 Agent: Calling DSAResolveName conn:74 for client
..Admin.users.system.SC-META.
13:04:25 988 Agent: Calling DSAReadObjectInfo conn:74 for client
..Admin.users.system.SC-META.
13:04:25 988 Agent: Calling DSARead conn:74 for client
..Admin.users.system.SC-META.
13:04:25 898 LDAP: BIO ctrl called with unknown cmd 7
13:04:25 63C NMAS: 17825854: Create NMAS Session
13:04:25 63C NMAS: 17825854: SASL SAML started
13:04:25 63C Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAReadObjectInfo conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DS Ping conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAResolveName conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSAReadObjectInfo conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 63C NMAS: SASL Mechanism [SAML] not available:
13:04:25 63C NMAS: Available SASL Mechanisms:
13:04:25 63C NMAS: [NMAS_LOGIN]
13:04:25 63C NMAS: [EXTERNAL]
13:04:25 63C NMAS: [DIGEST-MD5]
13:04:25 63C NMAS: 17825854: NMAS Audit with Audit PA not installed
13:04:25 63C NMAS: 17825854: NMAS Audit with XDAS not installed
13:04:25 63C NMAS: 17825854: ERROR: -1693 SASL_DoMechanism:
NMAS_InvokeMechanism
13:04:25 63C NMAS: 17825854: Client Session Destroy Request
13:04:25 63C NMAS: 17825854: Destroy NMAS Session
13:04:25 63C NMAS: 17825854: Aborted Session Destroyed (with MAF)
13:04:25 63C LDAP: Failed to authenticate full context on connection
0x13369b20, err = -1693 (0xfffff963)
13:04:25 848 LDAP: Connection 0x13369b20 read failure, setting err =
-5875
13:04:25 848 LDAP: Monitor 0x848 found connection 0x13369b20 socket
failure, err = -5875, 0 of 0 bytes read


Any idea what can I try next?


--
mjuricek
------------------------------------------------------------------------
mjuricek's Profile: https://forums.netiq.com/member.php?userid=1616
View this thread: https://forums.netiq.com/showthread.php?t=54001
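The two traces in this thread can be triaged mechanically rather than by eye. What follows is an added example, not code from the thread or from NetIQ: it re-joins the wrapped ndstrace lines, groups messages by thread ID, and reports for each bind which SASL mechanism was requested, which mechanisms the server advertised instead, the NMAS and LDAP error codes, and any DSARead failures (the -603 lines) seen on the same thread. The sample lines are constructed from the patterns posted above; the assumed line layout (time, hex thread ID, module, optional NMAS session number, message, with continuation lines carrying no timestamp) is taken from those lines only.

```python
"""Triage an eDirectory ndstrace capture for NMAS/SASL bind failures.

Added example (not from the thread). Assumed line format, taken from the
posted trace: 'HH:MM:SS THREAD MODULE: [session:] message', with wrapped
continuation lines carrying no timestamp. Sample lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<thread>[0-9A-Fa-f]+)\s+"
                     r"(?P<module>\w+):\s*(?P<msg>.*)$")
SESSION_RE = re.compile(r"^(?P<sid>\d+):\s*(?P<rest>.*)$")
MECH_START_RE = re.compile(r"SASL (?P<mech>\S+) started")
NOT_AVAIL_RE = re.compile(r"SASL Mechanism \[(?P<mech>[^\]]+)\] not available")
AVAIL_RE = re.compile(r"^\[(?P<mech>[^\]]+)\]$")
NMAS_ERR_RE = re.compile(r"ERROR:\s*(?P<code>-\d+)\s+(?P<where>.*)")
DSA_ERR_RE = re.compile(r"(?P<op>DSA\w+) failed, (?P<reason>.*?) \((?P<code>-\d+)\)")
LDAP_AUTH_RE = re.compile(r"Failed to authenticate .*err = (?P<code>-\d+)")


def parse_trace(text):
    """Return one record per trace line, re-joining wrapped lines without a timestamp."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:                      # continuation of the previous line
            records[-1]["msg"] += " " + line
    return records


def _new_thread():
    return {"mech": None, "unavailable": None, "available": [],
            "nmas_error": None, "ldap_error": None, "dsa_errors": [],
            "simple_bind_ok": False}


def triage(text):
    """Group by thread ID: what each bind asked for and what it got back."""
    threads = defaultdict(_new_thread)
    for r in parse_trace(text):
        t, msg = threads[r["thread"]], r["msg"]
        s = SESSION_RE.match(msg)
        if s:                              # drop the NMAS session-number prefix
            msg = s.group("rest")
        if r["module"] == "NMAS":
            if (m := MECH_START_RE.search(msg)):
                t["mech"] = m.group("mech")
            elif (m := NOT_AVAIL_RE.search(msg)):
                t["unavailable"] = m.group("mech")
            elif (m := AVAIL_RE.match(msg)):          # lines after "Available SASL Mechanisms:"
                t["available"].append(m.group("mech"))
            elif (m := NMAS_ERR_RE.search(msg)):
                t["nmas_error"] = (int(m.group("code")), m.group("where").strip())
            elif "login shortcut successful" in msg:
                t["simple_bind_ok"] = True
        elif r["module"] == "Agent":
            if (m := DSA_ERR_RE.search(msg)):
                t["dsa_errors"].append((m.group("op"), int(m.group("code")), m.group("reason")))
        elif r["module"] == "LDAP":
            if (m := LDAP_AUTH_RE.search(msg)):
                t["ldap_error"] = int(m.group("code"))
    return dict(threads)


def findings(text):
    """One human-readable line per notable thread."""
    out = []
    for thread, t in sorted(triage(text).items()):
        if t["unavailable"]:
            code = t["nmas_error"][0] if t["nmas_error"] else t["ldap_error"]
            out.append(f"thread {thread}: bind asked for SASL mechanism {t['unavailable']}, "
                       f"server only advertises {', '.join(t['available']) or 'none'} "
                       f"(NMAS error {code}); the method is not registered on this server")
        if t["dsa_errors"]:
            codes = sorted({c for _, c, _ in t["dsa_errors"]})
            out.append(f"thread {thread}: {len(t['dsa_errors'])} DSA read failure(s), codes {codes}"
                       + (" (simple bind still succeeded)" if t["simple_bind_ok"] else ""))
    return out


# Constructed sample, modelled on the trace posted above (not a real capture).
SAMPLE_TRACE = """\
13:04:25 638 Agent: Calling DSARead conn:0 for client
..PRDS0054_524-NDS.servers.system.SC-META.
13:04:25 638 Agent: DSARead failed, no such attribute (-603).
13:04:25 638 NMAS: 17825853: Local password login shortcut successful
13:04:25 63C NMAS: 17825854: Create NMAS Session
13:04:25 63C NMAS: 17825854: SASL SAML started
13:04:25 63C NMAS: SASL Mechanism [SAML] not available:
13:04:25 63C NMAS: Available SASL Mechanisms:
13:04:25 63C NMAS: [NMAS_LOGIN]
13:04:25 63C NMAS: [EXTERNAL]
13:04:25 63C NMAS: [DIGEST-MD5]
13:04:25 63C NMAS: 17825854: ERROR: -1693 SASL_DoMechanism:
NMAS_InvokeMechanism
13:04:25 63C LDAP: Failed to authenticate full context on connection
0x13369b20, err = -1693 (0xfffff963)
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_TRACE):
        print(line)
```

Run it against a real `ndstrace` capture with the NMAS, LDAP and Agent flags enabled by reading the file into `findings()`. The useful split it gives is between the thread where the simple (password) bind succeeded and the thread where the SAML SASL bind was refused: the same server answers both, so the failure is specific to that mechanism being absent from the advertised list, which is the question the replies below go on to address.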

Knowledge Partner

Re: User Application and SAML issue

On 8/10/2015 9:14 AM, mjuricek wrote:
>
> Hi, I already tried this and nothing 😞
> Maybe there is a problem with the replication... or something else. As
> you can see in the traces:


LDAP export your Security\Authorized Login Methods container to LDIF.

Look at the SAML Assertion method and see what attributes it has. If you
look at the IDM installer, there is an LDIF that contains the objects
needed, and in theory the content should be the same, i.e. binary data,
base64-encoded into attributes. Large attributes, but attributes.

There is one per operating system/bit depth.


0 Likes
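The check suggested in that last reply (export the container, compare the SAML Assertion object against the installer's LDIF, one binary attribute per OS and bit depth) can be scripted. This is an added example, not code from the thread or from NetIQ: a small LDIF parser plus an attribute-by-attribute comparison that hashes each value, so a missing platform binary, a binary whose bytes differ from the vendor copy, and an attribute the installer never shipped are reported separately. The DN, the objectClass value and the sasLoginServerMethod* attribute names are placeholders (take the real ones from the installer LDIF), and both LDIF strings are constructed test data. Because these attributes hold code the server loads, a digest mismatch against the vendor LDIF deserves to be treated as a finding in its own right, not only as version drift.

```python
"""Compare an exported Authorized Login Methods object with the installer LDIF.

Added example, not code from the thread or from NetIQ. The parser covers the
LDIF subset these exports use: 'dn:', 'attr: value', 'attr:: base64', lines
folded with a leading space, '#' comments, blank-line separated entries.
The DN, objectClass value and attribute names below are placeholders.
"""
import base64
import hashlib


def parse_ldif(text):
    """Return {dn: {attr: [bytes, ...]}} with base64 ('::') values decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines.append("")                          # terminates the last entry
    entries, dn, attrs = {}, None, {}
    for line in lines:
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # attr:: <base64>
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        if name.lower() == "dn":
            dn = data.decode()
        else:
            attrs.setdefault(name.strip(), []).append(data)
    return entries


def _digests(values):
    return sorted(hashlib.sha256(v).hexdigest() for v in values)


def compare_method(reference_ldif, export_ldif, method_dn):
    """Classify each attribute of the reference object as ok / missing / mismatched."""
    ref = {d.lower(): a for d, a in parse_ldif(reference_ldif).items()}
    exp = {d.lower(): a for d, a in parse_ldif(export_ldif).items()}
    ref_entry = ref.get(method_dn.lower())
    if ref_entry is None:
        raise ValueError(f"{method_dn} is not in the reference LDIF")
    report = {"present": False, "ok": [], "missing": [], "mismatched": [], "extra": []}
    exp_entry = exp.get(method_dn.lower())
    if exp_entry is None:                     # object never imported on this server
        report["missing"] = sorted(ref_entry)
        return report
    report["present"] = True
    exp_lc = {k.lower(): v for k, v in exp_entry.items()}
    for attr, values in ref_entry.items():
        got = exp_lc.get(attr.lower())
        if got is None:
            report["missing"].append(attr)
        elif _digests(got) == _digests(values):
            report["ok"].append(attr)
        else:                                 # same attribute, different bytes
            report["mismatched"].append(attr)
    ref_lc = {k.lower() for k in ref_entry}
    report["extra"] = sorted(k for k in exp_entry if k.lower() not in ref_lc)
    for key in ("ok", "missing", "mismatched"):
        report[key].sort()
    return report


def _ldif_attr(name, data):
    """Encode a binary attribute as 'name:: base64', folded at 76 columns."""
    b64 = base64.b64encode(data).decode()
    head = 76 - len(name) - 3
    out = [f"{name}:: {b64[:head]}"]
    out += [" " + b64[i:i + 75] for i in range(head, len(b64), 75)]
    return "\n".join(out)


# Constructed test data; a real export carries the actual method binaries here.
METHOD_DN = "cn=SAML Assertion,cn=Authorized Login Methods,cn=Security"   # placeholder DN
WIN64 = b"stand-in for the Windows x64 server module " * 8
LINUX64 = b"stand-in for the Linux x64 server module " * 8

REFERENCE_LDIF = f"""# stand-in for the installer's LDIF (attribute names are placeholders)
dn: {METHOD_DN}
objectClass: sasLoginMethod
cn: SAML Assertion
{_ldif_attr('sasLoginServerMethodWinX64', WIN64)}
{_ldif_attr('sasLoginServerMethodLinuxX64', LINUX64)}
"""

# Export from the failing server: Windows binary absent, Linux binary altered.
EXPORT_LDIF = f"""dn: {METHOD_DN}
objectClass: sasLoginMethod
cn: SAML Assertion
{_ldif_attr('sasLoginServerMethodLinuxX64', LINUX64[:-1] + b"?")}
"""

if __name__ == "__main__":
    print(compare_method(REFERENCE_LDIF, EXPORT_LDIF, METHOD_DN))
```

In use, feed `compare_method()` the installer's LDIF and an `ldapsearch`/iManager export of the Authorized Login Methods container from each server that holds a replica of the Security partition; the `missing` list is the one that matters for the "binaries missing for Windows" suspicion in the original post, and a non-empty `mismatched` list means the bytes the server would load are not the bytes the vendor shipped.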
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.