LDAP Authentication using FAST BIND

LDAP Authentication using FAST BIND

vmlkmr28
Hi,

I have been working on creating a simple login page. I should be able to connect to the LDAP server for authenticating a user and I am new to LDAP. When I researched a bit about this, I found that FAST BIND mechanism is used to authenticate a user.

In the example provided here, http://wiki.orbeon.com/forms/doc/developer-guide/processors-ldap , it explains how to connect to the ldap server and store the retrieved information in XML format.

Can the same example also be referenced to authenticate a user? If not, how can I use LDAP processors to authenticate a user?


Thanks,
Vimalkumar Chellam

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

Not at all :). In general, you don't want to use the LDAP processor to authenticate users. You want to setup your servlet container, e.g. Tomcat, to do that. In Tomcat, this is done by setting up a "realm". I'll let you google "LDAP tomcat", with the version of Tomcat you're using to find the relevant doc.

In some cases you could have a use for the LDAP processor, e.g. cases where you want to retrieve more information about users from LDAP *after* they have been authenticated, but this situation is pretty rare.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Wednesday, September 16, 2015 at 1:17:38 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> Not at all :). In general, you don't want to use the LDAP processor to
> authenticate users. You want to setup your servlet container, e.g. Tomcat,
> to do that. In Tomcat, this is done by setting up a "realm". I'll let you
> google "LDAP tomcat", with the version of Tomcat you're using to find the
> relevant doc.
>
> In some cases you could have a use for the LDAP processor, e.g. cases where
> you want to retrieve more information about users from LDAP *after* they
> have been authenticated, but this situation is pretty rare.
>
> Alex
>
Thanks, Alex. I am able to create an LDAP authentication with tomcat itself.

After creating a login authentication for orbeon, it enables us to login with our credentials successfully.

When I try to access my xml file where the data will be stored, it pops up one more authentication window and prompts for a username and password. When I use the same credentials as before, it's allowing me to access it.
URL for my xml file: http://localhost/orbeon/exist/rest/db/orbeon/orbeonforms/userinfo.xml

Please help me on how to remove that authentication pop-up while accessing the xml file. Or is there any other way to get through this?

Vimalkumar


Re: LDAP Authentication using FAST BIND

vmlkmr28
In reply to this post by Alessandro Vernet
On Wednesday, September 16, 2015 at 1:17:38 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> Not at all :). In general, you don't want to use the LDAP processor to
> authenticate users. You want to setup your servlet container, e.g. Tomcat,
> to do that. In Tomcat, this is done by setting up a "realm". I'll let you
> google "LDAP tomcat", with the version of Tomcat you're using to find the
> relevant doc.
>
> In some cases you could have a use for the LDAP processor, e.g. cases where
> you want to retrieve more information about users from LDAP *after* they
> have been authenticated, but this situation is pretty rare.
>
> Alex
>
Thanks, Alex. I am able to create an LDAP authentication with tomcat itself.

After creating a login authentication for orbeon, it enables us to login with our credentials successfully.

When I try to access my xml file where the data will be stored, it pops up one more authentication window and prompts for a username and password. When I use the same credentials as before, it's not allowing me to access it.
URL for my xml file: http://localhost/orbeon/exist/rest/db/orbeon/orbeonforms/userinfo.xml 

Please help me on how to remove that authentication pop-up while accessing the xml file. Or is there any other way to get through this?

Vimalkumar


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

I'm not sure if this is what you're hitting, but by default there is a security filter protecting access to eXist, as you wouldn't want your eXist database to be open. If you want to be able to access it through the REST API, and don't care about security, you can comment out the <filter> and <filter-mapping> for orbeon-exist-filter in your Orbeon Forms web.xml. You'll let us know if this helps,

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Wednesday, September 23, 2015 at 10:09:34 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> I'm not sure if this is what you're hitting, but by default there is a
> security filter protecting access to eXist, as you wouldn't want your eXist
> database to open. If you want to be able to access it through the REST API,
> and don't care about security, you can comment out the <filter> and
> <filter-mapping> for orbeon-exist-filter in your Orbeon Forms web.xml.
> You'll let us know if this helps,
>
> Alex
>
Hello Alex,

Thanks for your reply.

<filter-mapping> is already commented out. <filter> is left uncommented. So, I commented the <filter> element too.

But, it's not helping me. It still shows the authentication pop-up when I try to access my xml file. I also found out when I click on the save button of my forms, it's showing an error message.

If I remove the security constraints for my forms, everything works fine.

What would be the solution for this?

Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

vmlkmr28
On Thursday, September 24, 2015 at 11:06:23 AM UTC-4, [hidden email] wrote:

> On Wednesday, September 23, 2015 at 10:09:34 PM UTC-4, Alessandro Vernet wrote:
> > Hi Vimalkumar,
> >
> > I'm not sure if this is what you're hitting, but by default there is a
> > security filter protecting access to eXist, as you wouldn't want your eXist
> > database to open. If you want to be able to access it through the REST API,
> > and don't care about security, you can comment out the <filter> and
> > <filter-mapping> for orbeon-exist-filter in your Orbeon Forms web.xml.
> > You'll let us know if this helps,
> >
> > Alex
> >
>
> Hello Alex,
>
> Thanks for your reply.
>
> <filter-mapping> is already commented out. <filter> is left uncommented. So, I commented the <filter> element too.
>
> But, it's not helping me. It still shows the authentication pop-up when I try to access my xml file. I also found out when I click on the save button of my forms, it's showing an error message.
>
> If I remove the security constraints for my forms, everything works fine.
>
> What would be the solution for this?
>
> Vimalkumar Chellam
Hi Alex,

For your information, today I tried with the username and password which are provided in the <cluster> element of exist-conf.xml file. It actually worked initially. But, after some time, the same username and password stopped working and does not let me access the xml file. It looks so weird to me.

If I remove the LDAP authentication for Orbeon forms, everything works fine.

Let me know of any solutions for this.

Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

I suspect that this is because the user is authenticated to the web app, and that authentication information gets to the eXist servlet, which says "Is John Smith allowed to access this resource? No." This might seem counterintuitive, but eXist can deny access to a given user, but allow access to the same resource to a non-authenticated user.

So I'd recommend you edit the web.xml, look for the <security-constraint> without child <auth-constraint>; search for "Form Runner services and public pages and resources", and add there a <url-pattern>/exist/*</url-pattern>. You'll let us know if this works for you.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Sunday, September 27, 2015 at 2:12:27 AM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> I suspect that this is because the user is authenticated to the web app, and
> that authentication information gets to the eXist servlet, which says "Is John
> Smith allowed to access this resource? No." This might seem
> counterintuitive, but eXist can deny access to a given user, but allow
> access to the same resource to a non-authenticated user.
>
> So I'd recommend you edit the web.xml, look for the <security-constraint>
> without child <auth-constraint>; search for "Form Runner services and public
> pages and resources", and add there a <url-pattern>/exist/*</url-pattern>.
> You'll let us know if this works for you.
>
> Alex
>
Thanks Alex, I uncommented the <security-constraint> with <url-pattern>/exist/*</url-pattern> and it worked.

Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Excellent Vimalkumar, I am glad it worked, and thank you for the update.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Wednesday, September 30, 2015 at 8:12:25 PM UTC-4, Alessandro Vernet wrote:

> Excellent Vimalkumar, I am glad it worked, and thank you for the update.
>
> Alex
>
Hello Alex,

I have two questions

I have created a BASIC LDAP authentication for Orbeon forms. Next, I have to create a FORM based authentication. When I researched a bit about this, all the sites I have referred to create an html form for login page. In that html form, they set the action element of form tag to j_security_check to access the security feature of the servlet container. Now my first question: Is it possible to create a login page using Orbeon forms which calls the security feature of a servlet container?

My second question: Is it possible to create a logout like button in orbeon forms which invalidates/kills the session created using LDAP authentication?

Any suggestions on this would be appreciated.

Vimalkumar


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

Yes, it is possible to "host" such a login page within Orbeon Forms; in fact Form Runner already comes with such page, which you can access on /fr/login:

https://github.com/orbeon/orbeon-forms/blob/master/src/resources/apps/fr/login.xhtml

If you're using form-based auth, yes, you can create a logout link, and that page can invalidate the session. There is no such page built-in, but you can create one. The simplest would probably be to do it as a JSP, e.g. http://stackoverflow.com/a/5188772/5295.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Thursday, October 1, 2015 at 10:14:41 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> Yes, it is possible to "host" such a login page within Orbeon Forms; in fact
> Form Runner already comes with such page, which you can access on /fr/login:
>
> https://github.com/orbeon/orbeon-forms/blob/master/src/resources/apps/fr/login.xhtml
>
> If you're using form-based auth, yes, you can create a logout link, and that
> page can invalidate the session. There is no such page built-in, but you
> can create one. The simplest would probably be to do it as a JSP, e.g.
> http://stackoverflow.com/a/5188772/5295.
>
> Alex
>
Thanks Alex, I'm able to create a login page with /fr/login. I also created a logout button using JSP.

I have one issue now. I mentioned my login page in web.xml under the tag <form-login-page>. Whenever someone tries to access the Orbeon forms for the first time, it redirects to the login page. But, when someone gives wrong credentials it is not redirecting to the error page which I mentioned under the tag <form-error-page> in web.xml. Instead it shows 403.

I have been looking for an explanation on all possible sites and forums. I don't find anything useful. Any idea on why it is happening and how can I solve it?

Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

vmlkmr28
On Wednesday, October 7, 2015 at 1:27:53 PM UTC-4, [hidden email] wrote:

> On Thursday, October 1, 2015 at 10:14:41 PM UTC-4, Alessandro Vernet wrote:
> > Hi Vimalkumar,
> >
> > Yes, it is possible to "host" such a login page within Orbeon Forms; in fact
> > Form Runner already comes with such page, which you can access on /fr/login:
> >
> > https://github.com/orbeon/orbeon-forms/blob/master/src/resources/apps/fr/login.xhtml
> >
> > If you're using form-based auth, yes, you can create a logout link, and that
> > page can invalidate the session. There is no such page built-in, but you
> > can create one. The simplest would probably be to do it as a JSP, e.g.
> > http://stackoverflow.com/a/5188772/5295.
> >
> > Alex
> >
>
> Thanks Alex, I'm able to create a login page with /fr/login. I also created a logout button using JSP.
>
> I have one issue now. I mentioned my login page in web.xml under the tag <form-login-page>. Whenever someone tries to access the Orbeon forms for the first time, it redirects to the login page. But, when someone gives wrong credentials it is not redirecting to the error page which I mentioned under the tag <form-error-page> in web.xml. Instead it shows 403.
>
> I have been looking for an explanation on all possible sites and forums. I don't find anything useful. Any idea on why it is happening and how can I solve it?
>
> Vimalkumar Chellam
Hi Alex,

I found some workaround for that issue. When I set my <form-error-page> to some customized error pages, it sends 403 error for wrong credentials. But, when I set something like this <form-error-page>/</form-error-page>, it redirects me to the conf/unauthorized.xhtml for wrong credentials. So, I customized my unauthorized.xhtml to behave in the way I want. I don't know whether it is a good solution or not. For the time being, I implemented this.

Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

Regarding your earlier message, I am wondering if you're not getting a 403 when accessing the error page because you haven't setup that page (the path in <form-error-page>) to not require authentication, e.g. as done in the web.xml that ships with Orbeon Forms:

https://github.com/orbeon/orbeon-forms/blob/c35e0a9feb75f8dbf88a8176f9693c7d21607ec8/descriptors/orbeon-war-web.xsl#L460

Regarding your second message, I'm not sure I follow you, but I'm glad to read you've found some kind of workaround.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
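
An added example (not from the thread or from the Orbeon project): a small Python check of a web.xml against the two points made in the replies above, namely that the `<form-login-page>` and `<form-error-page>` paths must fall under a `<security-constraint>` without `<auth-constraint>`, and which URL patterns that public constraint exposes. The embedded web.xml is constructed; `/fr/login-error` and the role `orbeon-user` are assumptions, and `<http-method>` restrictions are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not Orbeon's shipped file). /fr/login and /exist/* come
# from the thread; /fr/login-error and the role "orbeon-user" are assumptions.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Form Runner pages</web-resource-name>
      <url-pattern>/fr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>orbeon-user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages and resources</web-resource-name>
      <url-pattern>/fr/login</url-pattern>
      <url-pattern>/exist/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/fr/login</form-login-page>
      <form-error-page>/fr/login-error</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def load(xml_text):
    """Parse web.xml into ([(url_patterns, roles_or_None)], login_page, error_page)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                       # drop XML namespaces, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        auth = sc.find("auth-constraint")        # None: no <auth-constraint> child
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name") if r.text}
        constraints.append((patterns, roles))
    pages = [(root.findtext(f".//{t}") or "").strip() for t in ("form-login-page", "form-error-page")]
    return constraints, pages[0], pages[1]

def _rank(pattern, path):
    """Servlet url-pattern precedence: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def access_for(path, constraints):
    """Return 'public', 'denied', or the set of roles required for path."""
    best, matched = None, []
    for patterns, roles in constraints:
        for pat in patterns:
            rank = _rank(pat, path)
            if rank is not None and (best is None or rank > best):
                best, matched = rank, [roles]    # better match replaces earlier ones
            elif rank is not None and rank == best:
                matched.append(roles)            # same pattern in another constraint
    if not matched:
        return "public"                          # no constraint applies to this path
    if any(r is not None and not r for r in matched):
        return "denied"                          # <auth-constraint/> naming no roles wins
    if any(r is None for r in matched):
        return "public"                          # constraint without <auth-constraint>
    return set().union(*matched)

def audit(xml_text):
    """Return (login/error pages that still need auth, sorted public url-patterns)."""
    constraints, login, error = load(xml_text)
    findings = [f"{tag} {page} requires authentication"
                for tag, page in (("form-login-page", login), ("form-error-page", error))
                if page and access_for(page, constraints) != "public"]
    public = sorted({p for pats, roles in constraints if roles is None for p in pats})
    return findings, public
```

With `/exist/*` in the public list, the container no longer asks for credentials on the eXist REST paths, so access control for those resources rests on the eXist filter, eXist's own permissions, or the network.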

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Friday, October 9, 2015 at 8:33:08 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> Regarding your earlier message, I am wondering if you're not getting a 403
> when accessing the error page because you haven't setup that page (the path
> in <form-error-page>) to not require authentication, e.g. as done in the
> web.xml that ships with Orbeon Forms:
>
> https://github.com/orbeon/orbeon-forms/blob/c35e0a9feb75f8dbf88a8176f9693c7d21607ec8/descriptors/orbeon-war-web.xsl#L460
>
> Regarding your second message, I'm not sure I follow you, but I'm glad to
> read you've found some kind of workaround.  
>
> Alex
>
Hello Alex,

I am having one issue now. So far I have been using HTTP put method during submission. As put method replaces the previous data on each submission, I want to use post method.

To use the post method, I need to have a server side script to handle it. Can I use servlet to handle the submissions with post method?

Also, I find no examples on how to handle the xforms submissions using post method. Will you direct me to some good examples available online?

Thanks,
Vimalkumar Chellam


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

Which submission are you referring to? Is this an implementation of the persistence API you did, and which is called by Orbeon Forms when a document is saved? I'm missing some context here :).

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
In reply to this post by vmlkmr28
I didn't implement any persistence API yet. I just want to use the post method while submitting in the in-built eXist database.



Thanks,
Vimalkumar Chellam

Alessandro Vernet <[hidden email]> wrote:

>Hi Vimalkumar,
>
>Which submission are you referring to? Is this an implementation of the
>persistence API you did, and which is called by Orbeon Forms when a document
>is saved? I'm missing some context here :).
>
>Alex
>


Re: LDAP Authentication using FAST BIND

Alessandro  Vernet
Administrator
Hi Vimalkumar,

The provided implementation of the persistence API for eXist-db will do a PUT to update the data in the database when saving. In that context, a POST won't work: I think that if you POST something to eXist-db, it expects XQuery. Or am I misunderstanding your comment?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: LDAP Authentication using FAST BIND

vmlkmr28
On Monday, October 26, 2015 at 1:24:51 PM UTC-4, Alessandro Vernet wrote:

> Hi Vimalkumar,
>
> The provided implementation of the persistence API for eXist-db will do a
> PUT to update the data in the database when saving. In that context, a POST
> won't work: I think that if you POST something to eXist-db, it expects
> XQuery. Or am I misunderstanding your comment?
>
> Alex
>
Hi Alex,

If I use PUT method to save the data in the in-built exist database, it rewrites over the previous data. I just want new data to be appended to the xml file every time when I hit the save button. How can I do this?

Thanks,
Vimalkumar Chellam
