liamr

SAML NMAS authentication for LDAP (one year later!)

So, we're looking at this again.
Short version, we need a way to authenticate the user to LDAP w/o having their password. Previously, we used Kerberos TGTs.
We'd like to use the SAML SASL mechanism used by the MF products.

We have sample java code from 2008 that still works. I think that the issue that I'm having is regarding the XML signature.
I have a pretty manual process that involves signing the assertion with a java-based command line tool (xmlsectool), and it works.


11:59:55 72927700 NMAS: 22544550: Successfully imported trusted certificate and public key.
11:59:55 72927700 NMAS: 22544550: Signature is valid
11:59:55 72927700 NMAS: 22544550: Signature verified
11:59:55 72927700 NMAS: 22544550: Signing certificate is valid.


But our preferred language is python, and when I try signing it with signxml (from pypi), it doesn't work.


08:50:57 7C853700 NMAS: 23068926: Successfully imported trusted certificate and public key.
08:50:57 7C853700 NMAS: 23068926: Could not validate assertion signature with this certificate.
08:50:57 7C853700 NMAS: 23068926: ...Failed. Trying next certificate.
08:50:57 7C853700 NMAS: 23068926: Error validating assertion signature. Likely causes are 1) the signature is invalid or 2) the signing certificate is not trusted.


Same certificate, so that suggests that it doesn't like the signature. The difference between the signature it likes (generated by xmlsectool) and the signature that it doesn't (signxml) is that the "good" signature spans multiple lines (with line feeds), and the "bad" signature is one long line (save the line feeds present in the included x509 certificate). Both are valid XML.

My suspicion is that the NMAS method doesn't like the signature being one giant line. My question is whether that seems like the likely cause? Would it surprise anyone if this were the issue?

I don't suppose anyone knows whether MF plans to implement the XOAUTH SASL mechanism in NMAS? 🙂

Liam
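One way to narrow this down, as an added example that is not code from the thread or from any Micro Focus product: parse each signed assertion and compare the XML-DSig parameters a verifier actually depends on (canonicalization method, signature and digest algorithms, transforms, and whether the Reference URI resolves to an ID in the document) next to the single-line versus multi-line layout the post describes. The sample assertion below is constructed, with placeholder digest and signature values; the element names and algorithm URIs are the standard XML-DSig ones.

```python
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: minimal signed SAML assertion in the single-line style; values are placeholders.
SIGNED_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
    '<saml:Issuer>example-issuer</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '<ds:Reference URI="#_a1"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>liam</saml:NameID></saml:Subject></saml:Assertion>'
)

def add_line_breaks(xml_text):
    """Constructed multi-line variant: a line feed between every tag inside ds:Signature."""
    start = xml_text.index("<ds:Signature")
    end = xml_text.index("</ds:Signature>") + len("</ds:Signature>")
    return xml_text[:start] + xml_text[start:end].replace("><", ">\n<") + xml_text[end:]

def signature_profile(xml_text):
    """Extract the XML-DSig parameters a verifier depends on, plus the text layout."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{DS}Signature")          # enveloped signature under the root
    si = sig.find(f"{DS}SignedInfo")
    ref = si.find(f"{DS}Reference")
    uri = ref.get("URI", "")
    ids = {e.get("ID") for e in root.iter() if e.get("ID")}   # IDs a URI="#x" can resolve to
    # Line feeds inside ds:Signature (its own tail excluded) mark the multi-line layout;
    # inside SignedInfo they are part of the canonicalized bytes the signature covers.
    breaks = any("\n" in (e.text or "") or ("\n" in (e.tail or "") and e is not sig)
                 for e in sig.iter())
    return {
        "c14n": si.find(f"{DS}CanonicalizationMethod").get("Algorithm"),
        "signature_method": si.find(f"{DS}SignatureMethod").get("Algorithm"),
        "digest_method": ref.find(f"{DS}DigestMethod").get("Algorithm"),
        "transforms": [t.get("Algorithm") for t in ref.iter(f"{DS}Transform")],
        "reference_uri": uri,
        "reference_target_found": uri.startswith("#") and uri[1:] in ids,
        "has_line_breaks_in_signature": breaks,
    }

def diff_profiles(good_xml, bad_xml):
    """Return only the parameters that differ between a working and a failing assertion."""
    a, b = signature_profile(good_xml), signature_profile(bad_xml)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Run `diff_profiles()` on the xmlsectool output and the signxml output: if the only differing key is the layout one, the two signatures are parameter-identical and the line-break hypothesis is what remains to test; if an algorithm, transform or reference key differs, that mismatch is the first thing to check against what the 2008 Java code produces.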
AutomaticReply

Re: SAML NMAS authentication for LDAP (one year later!)

liamr,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



Knowledge Partner

Re: SAML NMAS authentication for LDAP (one year later!)

On 2019-04-04 16:14, liamr wrote:
>
> So, we're looking at 'this'
> (https://forums.novell.com/showthread.php/502465-SAML-NMAS-authentication-for-LDAP)
> again.
> Short version, we need a way to authenticate the user to LDAP w/o having
> their password. Previously, we used kerberos TGTs.
> We'd like to use the SAML SASL mechanism used by the MF products.
>
> We have sample java code from 2008 that still works. I think that the
> issue that I'm having is regarding the XML signature.
> I have a pretty manual process that involves signing the assertion with
> a java-based command line tool (xmlsectool), and it works..
>
>
> Code:
> --------------------
>
> 11:59:55 72927700 NMAS: 22544550: Successfully imported trusted certificate and public key.
> 11:59:55 72927700 NMAS: 22544550: Signature is valid
> 11:59:55 72927700 NMAS: 22544550: Signature verified
> 11:59:55 72927700 NMAS: 22544550: Signing certificate is valid.
>
> --------------------
>
>
> But our preferred language is python, and when I try signing it with
> signxml (from pypi), it doesn't work..
>
>
> Code:
> --------------------
>
> 08:50:57 7C853700 NMAS: 23068926: Successfully imported trusted certificate and public key.
> 08:50:57 7C853700 NMAS: 23068926: Could not validate assertion signature with this certificate.
> 08:50:57 7C853700 NMAS: 23068926: ...Failed. Trying next certificate.
> 08:50:57 7C853700 NMAS: 23068926: Error validating assertion signature. Likely causes are 1) the signature is invalid or 2) the signing certificate is not trusted.
>
> --------------------
>
>
> Same certificate, so, that suggests that it doesn't like the signature.
> The difference between the signature it likes (generated by xmlsectool)
> and the signature that it doesn't (signxml) is that the "good" signature
> spans multiple lines (with line feeds), and the "bad" signature is one
> long line (save the line feeds present in the included x509
> certificate). Both are valid XML.
>
> My suspicion is that the NMAS method doesn't like the signature being
> one giant line. My question is whether that seems like the likely
> cause? Would it surprise anyone if this were the issue?
>
> I don't suppose anyone knows whether MF plans to implement the XOAUTH
> SASL mechanism in NMAS? 🙂
>
> Liam
>
>

It wouldn't surprise me if it was because of the line breaks.
The product I know uses the SAML method (User Application) is Java based
so maybe it also produces the same signature as the xmlsectool?

If they wanted more people to use it I would assume it would be much
better documented. I wouldn't bother since it's been unstable for us; it
regularly stops working after a large number of logins and then you need
to restart eDir...

Anyway it seems that they are moving away from the SAML method. In
eDirectory 9.x they are using the Proxied Authorization Control instead:

https://www.netiq.com/documentation/edirectory-9/edirectory90_releasenotes/data/edirectory90_releasenotes.html#b1h9wczj

Knowledge Partner

Re: SAML NMAS authentication for LDAP (one year later!)

On 2019-04-04 16:14, liamr wrote:
> I don't suppose anyone knows whether MF plans to implement the XOAUTH
> SASL mechanism in NMAS? 🙂

Don't know that but if they want to stay relevant as a product used for
authentication and authorization I can only hope they add support for
modern methods.
