jlrodriguez Super Contributor.

SASL Mechanism [SAML] not available

Hi,

I've configured the SAML Login Method in eDirectory. Everything seems correct (Login method, login sequence, SAML assertion, ....), all is "Authorized" and "Enabled", but when I try to authenticate, ndstrace with the NMAS flag enabled reports the following:

SASL Mechanism [SAML] not available
Available SASL Mechanisms:
[NMAS_LOGIN]
[EXTERNAL]
[DIGEST-MD5]

Any idea what can be missing to have SAML as available?

Regards
Jose Luis

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On 2018-10-24 18:26, jlrodriguez wrote:
>
> Hi,
>
> I've configured the SAML Login Method in eDirectory. Everything seems
> correct (Login method, login sequence, SAML assertion, ....), all is
> "Authorized" and "Enabled", but when I try to authenticate, ndstrace
> with the NMAS flag enabled reports the following:
>
> SASL Mechanism [SAML] not available
> Available SASL Mechanisms:
> [NMAS_LOGIN]
> [EXTERNAL]
> [DIGEST-MD5]
>
> Any idea what can be missing to have SAML as available?
>
> Regards
> Jose Luis
>
>

What does ndsd.log say?
Did you restart eDirectory after installing the SAML method?

Check that you can see SAML in the root DSE under supportedSASLMechanisms.

Check that you have a cn=SAML Assertion,cn=Authorized Login
Methods,cn=Security object.

It should have all these attributes:
cn
description
sASAdvisoryMethodGrade
sasLoginClientMethodLinux
sasLoginClientMethodLinuxX64
sASLoginClientMethodNetWare
sASLoginClientMethodWINNT
sasLoginClientMethodWinX64
sasLoginServerMethodLinux
sasLoginServerMethodLinuxX64
sASLoginServerMethodNetWare
sASLoginServerMethodWINNT
sasLoginServerMethodWinX64
sASMethodIdentifier
sASMethodVendor
sasMethodVersion
sASVendorSupport

It should have a subordinate with the objectClass authsamlAffiliate that
should have these attributes:

cn
authsamlCertContainerDN
authsamlProviderID
authsamlTrustedCertDN
authsamlValidAfter
authsamlValidBefore


jlrodriguez Super Contributor.

Re: SASL Mechanism [SAML] not available

What does ndsd.log say?

oct 25 17:59:43 Path of NetIQ eDirectory configuration file /etc/opt/novell/eDirectory/conf/nds.conf
oct 25 17:59:43 Host process for NetIQ eDirectory 9.0.2 v40004.44 successfully started
Failed to initialize log file 1
oct 25 17:59:43 Successfully enabled FIPS mode for SSL communication.
oct 25 17:59:43 DHLog: file size 1048576
[ -- DHost Logging STARTED Thu Oct 25 17:59:43 2018 -- ]
oct 25 17:59:43 MASV Init called
oct 25 17:59:43 Mandatory Access Control Service Version: 9.0.2.0 started
oct 25 17:59:43 NMAS Server Version:test Build:20161117 started
oct 25 17:59:43 SPM DClient Version:9.0.2.0 Build:20161117 started
oct 25 17:59:43 MASV Init called
oct 25 17:59:43 MASV already initialized.
oct 25 17:59:43 Simple Password Method LSM Version:2830 Build:20100630 loaded
oct 25 17:59:43 loaded
oct 25 17:59:43 loaded
oct 25 17:59:43 loaded
oct 25 17:59:43 loaded
oct 25 17:59:43 NetIQ Enhanced Smartcard Method loaded LSM Version: 3.1.0.0
NetIQ JClient 4.00.0445-4.0.445. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
oct 25 17:59:44 NICIext_Health.log in directory: /var/opt/novell/eDirectory/log/
oct 25 17:59:44 GAMS Init called
oct 25 17:59:44 Graded Authentication Management Service Version: 9.0.2.0 started
oct 25 17:59:44 Information: SNMP Trap Server for NetIQ eDirectory 9.0.2 v40004.23 started.
oct 25 17:59:44 NDS iMonitor for NetIQ eDirectory 9.0.2 v40004.45 started successfully.
oct 25 17:59:44 Loading SecretStore Server...
oct 25 17:59:44 NetIQ SecretStore Service Version 9.0.0.0 Loaded Successfully
oct 25 17:59:44 Loading SecretStore LDAP Transport Plugin...
oct 25 17:59:44 NetIQ SecretStore LDAP Plugin Version 9.0.0.0 Loaded Successfully.
oct 25 17:59:44 SecretStore LDAP Extension Handler Loaded Successfully
oct 25 17:59:44 NMAS Server Version:test Build:20161117 started
oct 25 17:59:44 SPM DClient already started (2)
oct 25 17:59:44 LDAP Agent for NetIQ eDirectory 9.0.2 (40004.54) started
oct 25 17:59:44 NetIQ PKI Services Started Successfully
oct 25 17:59:44 PKIHealth.log in directory: /var/opt/novell/eDirectory/log/
oct 25 17:59:44 SASL Version:test Build:20161117 started
oct 25 17:59:44 Loading SecretStore NCP Transport Plugin...
oct 25 17:59:44 NetIQ SecretStore NCP Plugin Version 9.0.0.0 Loaded Successfully.


Did you restart eDirectory after installing the SAML method?

Yes, I restarted it.

Check that you can see SAML in the root DSE under supportedSASLMechanisms.

SAML doesn't appear under supportedSASLMechanism in the rootDSE

Check that you have a cn=SAML Assertion,cn=Authorized Login
Methods,cn=Security object.

It should have all these attributes:
cn
description
sASAdvisoryMethodGrade
sasLoginClientMethodLinux
sasLoginClientMethodLinuxX64
sASLoginClientMethodNetWare
sASLoginClientMethodWINNT
sasLoginClientMethodWinX64
sasLoginServerMethodLinux
sasLoginServerMethodLinuxX64
sASLoginServerMethodNetWare
sASLoginServerMethodWINNT
sasLoginServerMethodWinX64
sASMethodIdentifier
sASMethodVendor
sasMethodVersion
sASVendorSupport

Yes. It exists and seems to be correct.

It should have a subordinate with the objectClass authsamlAffiliate that
should have these attributes:

cn
authsamlCertContainerDN
authsamlProviderID
authsamlTrustedCertDN
authsamlValidAfter
authsamlValidBefore

Yes. It exists and seems to be correct.

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On 2018-10-25 18:24, jlrodriguez wrote:
>
> What does ndsd.log say?
>
> oct 25 17:59:43 Path of NetIQ eDirectory configuration file
> /etc/opt/novell/eDirectory/conf/nds.conf
> oct 25 17:59:43 Host process for NetIQ eDirectory 9.0.2 v40004.44
> successfully started
> Failed to initialize log file 1
> oct 25 17:59:43 Successfully enabled FIPS mode for SSL communication.
> oct 25 17:59:43 DHLog: file size 1048576
> [ -- DHost Logging STARTED Thu Oct 25 17:59:43 2018 -- ]
> oct 25 17:59:43 MASV Init called
> oct 25 17:59:43 Mandatory Access Control Service Version: 9.0.2.0
> started
> oct 25 17:59:43 NMAS Server Version:test Build:20161117 started
> oct 25 17:59:43 SPM DClient Version:9.0.2.0 Build:20161117 started
> oct 25 17:59:43 MASV Init called
> oct 25 17:59:43 MASV already initialized.
> oct 25 17:59:43 Simple Password Method LSM Version:2830 Build:20100630
> loaded
> oct 25 17:59:43 loaded
> oct 25 17:59:43 loaded
> oct 25 17:59:43 loaded
> oct 25 17:59:43 loaded
> oct 25 17:59:43 NetIQ Enhanced Smartcard Method loaded LSM Version:
> 3.1.0.0
> NetIQ JClient 4.00.0445-4.0.445. (c) 2013 NetIQ Corporation and its
> affiliates. All Rights Reserved.
> oct 25 17:59:44 NICIext_Health.log in directory:
> /var/opt/novell/eDirectory/log/
> oct 25 17:59:44 GAMS Init called
> oct 25 17:59:44 Graded Authentication Management Service Version:
> 9.0.2.0 started
> oct 25 17:59:44 Information: SNMP Trap Server for NetIQ eDirectory
> 9.0.2 v40004.23 started.
> oct 25 17:59:44 NDS iMonitor for NetIQ eDirectory 9.0.2 v40004.45
> started successfully.
> oct 25 17:59:44 Loading SecretStore Server...
> oct 25 17:59:44 NetIQ SecretStore Service Version 9.0.0.0 Loaded
> Successfully
> oct 25 17:59:44 Loading SecretStore LDAP Transport Plugin...
> oct 25 17:59:44 NetIQ SecretStore LDAP Plugin Version 9.0.0.0 Loaded
> Successfully.
> oct 25 17:59:44 SecretStore LDAP Extension Handler Loaded Successfully
> oct 25 17:59:44 NMAS Server Version:test Build:20161117 started
> oct 25 17:59:44 SPM DClient already started (2)
> oct 25 17:59:44 LDAP Agent for NetIQ eDirectory 9.0.2 (40004.54)
> started
> oct 25 17:59:44 NetIQ PKI Services Started Successfully
> oct 25 17:59:44 PKIHealth.log in directory:
> /var/opt/novell/eDirectory/log/
> oct 25 17:59:44 SASL Version:test Build:20161117 started
> oct 25 17:59:44 Loading SecretStore NCP Transport Plugin...
> oct 25 17:59:44 NetIQ SecretStore NCP Plugin Version 9.0.0.0 Loaded
> Successfully.
>
> Did you restart eDirectory after installing the SAML method?
>
> Yes, I restarted it.
>
> Check that you can see SAML in the root DSE under
> supportedSASLMechanisms.
>
> SAML doesn't appear under supportedSASLMechanism in the rootDSE
>
> Check that you have a cn=SAML Assertion,cn=Authorized Login
> Methods,cn=Security object.
>
> It should have all these attributes:
> cn
> description
> sASAdvisoryMethodGrade
> sasLoginClientMethodLinux
> sasLoginClientMethodLinuxX64
> sASLoginClientMethodNetWare
> sASLoginClientMethodWINNT
> sasLoginClientMethodWinX64
> sasLoginServerMethodLinux
> sasLoginServerMethodLinuxX64
> sASLoginServerMethodNetWare
> sASLoginServerMethodWINNT
> sasLoginServerMethodWinX64
> sASMethodIdentifier
> sASMethodVendor
> sasMethodVersion
> sASVendorSupport
>
> Yes. It exists and seems to be correct.
>
> It should have a subordinate with the objectClass authsamlAffiliate
> that
> should have these attributes:
>
> cn
> authsamlCertContainerDN
> authsamlProviderID
> authsamlTrustedCertDN
> authsamlValidAfter
> authsamlValidBefore
>
> Yes. It exists and seems to be correct.
>
>

Do you have two SAML* files under
/var/opt/novell/eDirectory/data/nmas-methods ?

If you do a:
lsof -p <pid of ndsd process> | grep SAML

you should see something like this:

ndsd 1943 root mem REG 8,2 24531 1040394
/var/opt/novell/eDirectory/data/nmas-methods/SAMLLCMLIN_X64.SO
ndsd 1943 root mem REG 8,2 3723580 1040393
/var/opt/novell/eDirectory/data/nmas-methods/SAMLLSMLIN_X64.SO



jlrodriguez Super Contributor.

Re: SASL Mechanism [SAML] not available

Hi,

I can see the two SAML* files under /var/opt/novell/eDirectory/data/nmas-methods:
SAMLLCMLIN_X64.SO
SAMLLSMLIN_X64.SO

The complete list of files is:

-r-xr-xr-x. 1 root root 164295 Oct 26 11:40 CERTLCMLIN_X64.SO
-r-xr-xr-x. 1 root root 176554 Oct 26 11:40 CERTLSMLIN_X64.SO
-r-xr-xr-x. 1 root root 380761 Oct 26 11:40 CRLSMLIN_X64.SO
-r-xr-xr-x. 1 root root 164692 May 21 06:04 LCMMD5LIN_X64.SO
-r-xr-xr-x. 1 root root 213879 Oct 26 11:40 LIBESCLSMLIN_X64.SO
-r-xr-xr-x. 1 root root 185473 Oct 26 11:40 LSMMD5LIN_X64.SO
-r-xr-xr-x. 1 root root 167708 Oct 26 11:40 PWDLCMLIN_X64.SO
-r-xr-xr-x. 1 root root 189228 Oct 26 11:40 PWDLSMLIN_X64.SO
-r-xr-xr-x. 1 root root 24531 May 21 06:04 SAMLLCMLIN_X64.SO
-r-xr-xr-x. 1 root root 3723580 May 21 06:04 SAMLLSMLIN_X64.SO



but "lsof -p <pid of ndsd process> | grep SAML" doesn't return anything.

If I execute "lsof -p <pid of ndsd process> | grep nmas", it returns:

ndsd 19782 root mem REG 253,3 213879 4364086 /var/opt/novell/eDirectory/data/nmas-methods/LIBESCLSMLIN_X64.SO
ndsd 19782 root mem REG 253,3 380761 4364085 /var/opt/novell/eDirectory/data/nmas-methods/CRLSMLIN_X64.SO
ndsd 19782 root mem REG 253,3 185473 4364082 /var/opt/novell/eDirectory/data/nmas-methods/LSMMD5LIN_X64.SO
ndsd 19782 root mem REG 253,3 164295 4364081 /var/opt/novell/eDirectory/data/nmas-methods/CERTLCMLIN_X64.SO
ndsd 19782 root mem REG 253,3 176554 4364080 /var/opt/novell/eDirectory/data/nmas-methods/CERTLSMLIN_X64.SO
ndsd 19782 root mem REG 253,3 167708 4364079 /var/opt/novell/eDirectory/data/nmas-methods/PWDLCMLIN_X64.SO
ndsd 19782 root mem REG 253,3 189228 4364062 /var/opt/novell/eDirectory/data/nmas-methods/PWDLSMLIN_X64.SO

All the modules are loaded. Only the SAML are missing.

Regards
Jose Luis

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On 2018-10-26 12:04, jlrodriguez wrote:
> -r-xr-xr-x. 1 root root 24531 May 21 06:04 SAMLLCMLIN_X64.SO
> -r-xr-xr-x. 1 root root 3723580 May 21 06:04 SAMLLSMLIN_X64.SO

Run ldd on those two files and see if anything is missing.

jlrodriguez Super Contributor.

Re: SASL Mechanism [SAML] not available

Hi,

ldd on SAMLLSMLIN_X64.SO reports that libnpkit.so.3 is missing.

# ldd SAMLLSMLIN_X64.SO
linux-vdso.so.1 => (0x00007ffcbfd3f000)
libnpkit.so.3 => not found
libccs2.so => /lib64/libccs2.so (0x00007f5c4048c000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f5c40185000)
libm.so.6 => /lib64/libm.so.6 (0x00007f5c3fe83000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f5c3fc6c000)
libc.so.6 => /lib64/libc.so.6 (0x00007f5c3f89f000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5c3f683000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f5c3f47e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f5c40c08000)


But it exists under /opt/novell/lib64

lrwxrwxrwx. 1 root root 16 Mar 28 2018 libccs2.so -> libccs2.so.3.0.1
-rw-r--r--. 1 root root 2928400 May 9 2016 libccs2.so.3.0.1
-rwxr-xr-x. 1 root root 2556264 Nov 17 2016 libcrypto.so.1.0.0
-rwxr-xr-x. 1 root root 568864 Nov 17 2016 libnpkiapi.so
-rwxr-xr-x. 1 root root 440448 Nov 17 2016 libnpkit.so
lrwxrwxrwx. 1 root root 11 Mar 28 2018 libnpkit.so.3 -> libnpkit.so
lrwxrwxrwx. 1 root root 11 Mar 28 2018 libnpkit.so.8 -> libnpkit.so
-rwxr-xr-x. 1 root root 160536 Nov 17 2016 libntls.so
-rwxr-xr-x. 1 root root 441648 Nov 17 2016 libssl.so.1.0.0
-rw-r--r--. 1 root root 37593 Nov 17 2016 npki.jar
-rw-r--r--. 1 root root 357 Nov 17 2016 openssl_checksum.txt
-rw-r--r--. 1 root root 240 Nov 17 2016 openssl_checksum.txt.asc

I also checked the file /etc/opt/novell/eDirectory/conf/env and the LD_LIBRARY_PATH seems correct:

LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64://opt/novell/eDirectory/lib64/nds-modules://opt/novell/eDirectory/lib64/apr://opt/novell/lib64:$LD_LIBRARY_PATH

Knowledge Partner

Re: SASL Mechanism [SAML] not available

Assuming you've already run ldconfig, what do you see on running ldd against libnpkit.so.3 ?
9.0.2 is a little bit old, btw.

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On 2018-10-26 17:54, jlrodriguez wrote:
>
> Hi,
>
> ldd on SAMLLSMLIN_X64.SO reports that libnpkit.so.3 is missing.
>
> # ldd SAMLLSMLIN_X64.SO
> linux-vdso.so.1 => (0x00007ffcbfd3f000)
> libnpkit.so.3 => not found
> libccs2.so => /lib64/libccs2.so (0x00007f5c4048c000)
> libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f5c40185000)
> libm.so.6 => /lib64/libm.so.6 (0x00007f5c3fe83000)
> libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f5c3fc6c000)
> libc.so.6 => /lib64/libc.so.6 (0x00007f5c3f89f000)
> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5c3f683000)
> libdl.so.2 => /lib64/libdl.so.2 (0x00007f5c3f47e000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f5c40c08000)
>
>
> But it exists under /opt/novell/lib64
>
> lrwxrwxrwx. 1 root root 16 Mar 28 2018 libccs2.so ->
> libccs2.so.3.0.1
> -rw-r--r--. 1 root root 2928400 May 9 2016 libccs2.so.3.0.1
> -rwxr-xr-x. 1 root root 2556264 Nov 17 2016 libcrypto.so.1.0.0
> -rwxr-xr-x. 1 root root 568864 Nov 17 2016 libnpkiapi.so
> -rwxr-xr-x. 1 root root 440448 Nov 17 2016 libnpkit.so
> lrwxrwxrwx. 1 root root 11 Mar 28 2018 libnpkit.so.3 ->
> libnpkit.so
> lrwxrwxrwx. 1 root root 11 Mar 28 2018 libnpkit.so.8 ->
> libnpkit.so
> -rwxr-xr-x. 1 root root 160536 Nov 17 2016 libntls.so
> -rwxr-xr-x. 1 root root 441648 Nov 17 2016 libssl.so.1.0.0
> -rw-r--r--. 1 root root 37593 Nov 17 2016 npki.jar
> -rw-r--r--. 1 root root 357 Nov 17 2016 openssl_checksum.txt
> -rw-r--r--. 1 root root 240 Nov 17 2016 openssl_checksum.txt.asc
>
> I also checked the file /etc/opt/novell/eDirectory/conf/env and the
> LD_LIBRARY_PATH seems correct:
>
> LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64://opt/novell/eDirectory/lib64/nds-modules://opt/novell/eDirectory/lib64/apr://opt/novell/lib64:$LD_LIBRARY_PATH
>
>

Change the env file so that /opt/novell/lib64 is first after
LD_LIBRARY_PATH=

jlrodriguez Super Contributor.

Re: SASL Mechanism [SAML] not available

Hi,
Changing the env file to LD_LIBRARY_PATH=//opt/novell/lib64://opt/novell/eDirectory/lib64://opt/novell/eDirectory/lib64/nds-modules://opt/novell/eDirectory/lib64/apr:$LD_LIBRARY_PATH doesn't change anything.

Executing ldd on libnpkit.so.3 returns the following:

# ldd libnpkit.so.3
linux-vdso.so.1 => (0x00007ffc5779a000)
libccs2.so => /opt/novell/lib64/libccs2.so (0x00007fd7bf857000)
libldap_r-2.4.so.2 => /opt/novell/eDirectory/lib64/libldap_r-2.4.so.2 (0x00007fd7bf716000)
libsal.so.1 => /opt/novell/eDirectory/lib64/libsal.so.1 (0x00007fd7bf5fa000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fd7bf2e9000)
libm.so.6 => /lib64/libm.so.6 (0x00007fd7befe6000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fd7bedd0000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd7bea03000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd7be7e6000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fd7be5e2000)
liblber-2.4.so.2 => /opt/novell/eDirectory/lib64/liblber-2.4.so.2 (0x00007fd7be4d7000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fd7be2bd000)
libssl.so.1.0.0 => not found
libcrypto.so.1.0.0 => not found
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fd7be0a2000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd7bfd9d000)

Regards
Jose Luis
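
Added example (not part of the original thread, and not vendor tooling): the ldd check from the posts above, run over every module in the nmas-methods directory with the library search path taken from the env file instead of the interactive shell's. It assumes the env file's LD_LIBRARY_PATH line is the search path ndsd starts with; the function names are this example's own.

```shell
#!/bin/sh
# Added example: list NMAS method modules whose shared-library dependencies
# do not resolve under the library search path configured for ndsd.
# The two paths are the ones quoted in the thread. Treating the env file's
# LD_LIBRARY_PATH line as ndsd's real search path is an assumption.
METHOD_DIR=${METHOD_DIR:-/var/opt/novell/eDirectory/data/nmas-methods}
ENV_FILE=${ENV_FILE:-/etc/opt/novell/eDirectory/conf/env}

# Print the LD_LIBRARY_PATH value from an env file ($1), without the
# trailing literal ":$LD_LIBRARY_PATH" reference.
ndsd_lib_path() {
    sed -n 's/^\(export \)\{0,1\}LD_LIBRARY_PATH=//p' "$1" | tail -n 1 |
        sed 's/:\{0,1\}\$LD_LIBRARY_PATH$//'
}

# Read ldd output on stdin; print each library reported as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Run ldd on one module ($1) with the given search path ($2).
# ldd can invoke the dynamic loader on the file, so point it only at
# trusted, vendor-installed modules.
module_missing() {
    LD_LIBRARY_PATH="$2" ldd "$1" 2>/dev/null | missing_libs
}

# Check every *.SO in a directory ($1) against the env file ($2).
# Prints "module: library" per unresolved dependency; returns 1 if any.
audit_methods() {
    search_path=$(ndsd_lib_path "$2")
    rc=0
    for so in "$1"/*.SO; do
        [ -f "$so" ] || continue
        for lib in $(module_missing "$so" "$search_path"); do
            echo "$(basename "$so"): $lib"
            rc=1
        done
    done
    return $rc
}

# Audit the live installation only when the method directory exists.
if [ -d "$METHOD_DIR" ]; then
    audit_methods "$METHOD_DIR" "$ENV_FILE"
fi
```

Because ldd lists transitive dependencies of every library it can resolve, a single pass with the right search path surfaces second-level gaps such as the libssl.so.1.0.0 and libcrypto.so.1.0.0 entries seen above.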

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On a plain SLES12SP3 these should come with libopenssl1_0_0 and libopenssl1_0_0-32bit, respectively. Finally residing in /lib64 and /lib. As /lib64 seems to be in the path: is libopenssl installed?

jlrodriguez Super Contributor.

Re: SASL Mechanism [SAML] not available

Finally, one of the Linux technicians solved the problem with the libraries. He has not given me the detail so I can not put the final solution as I would have liked.
Thanks a lot for your help!

Knowledge Partner

Re: SASL Mechanism [SAML] not available

The logical assumption would be that the libopenssl package wasn't installed. Anyway, good to hear it's working now and thanks for reporting.

Knowledge Partner

Re: SASL Mechanism [SAML] not available

On 2018-11-06 18:34, jlrodriguez wrote:
>
> Finally, one of the Linux technicians solved the problem with the
> libraries. He has not given me the detail so I can not put the final
> solution as I would have liked.
> Thanks a lot for your help!
>
>

Good to hear that it's working 🙂
