
List:       esb-java-dev
Subject:    Re: [Dev] Custom Active Directory User Store
From:       Godwin Shrimal <godwin () wso2 ! com>
Date:       2016-10-28 14:58:06
Message-ID: CAATS0_B=AacuWtXDereAoYEU6KTEQo6KKcK9N0LDA5VJrHVgbQ () mail ! gmail ! com

Hi Ken,

Yes. You can set up SSO for Carbon products as described in [1]. If you need SSO
for API Manager and IS, those will be SPs in Identity Server, and you need to
set the local and outbound authenticator of those SPs to the newly created
custom authenticator.


[1] https://docs.wso2.com/display/IS500/Enabling+SSO+for+WSO2+Servers

Thanks
Godwin

On Fri, Oct 28, 2016 at 8:03 PM, Ken McDonald <kmcdonald@symcor.com> wrote:

> Thanks Godwin.  I didn't think of doing it this way.  Then I would be able
> to set our API Manager management console and IS management console to both
> be an SP within IS, so it could authenticate through this new connector.
> Unless I am mistaken – but I believe I set this up previously.
>
> Ken McDonald | Security Consultant| Symcor Inc.
>
> 400-1 Robert Speck Parkway, Mississauga, Ontario, L4Z 4E7
>
> Office: 905.273.1306 | Cell: 647.888.6548
>
>
>
> *From:* Godwin Shrimal [mailto:godwin@wso2.com]
> *Sent:* Friday, October 28, 2016 10:10 AM
> *To:* Ken McDonald <kmcdonald@symcor.com>
> *Cc:* WSO2 Developers' List <dev@wso2.org>
> *Subject:* Re: [Dev] Custom Active Directory User Store
>
>
>
> Hi Ken,
>
> User store manager doesn't have any control to do redirection such as a
> password change page. User store manager takes care of user operations such
> as create/update/authenticate etc.; in your scenario it's authenticate. Yes,
> doAuthenticate is the correct function to override.
>
> To overcome your use case, you can write a custom authenticator which has
> full control in the authentication flow, and you can do the required redirection
> there. Please follow post [1] on how to create a custom user store and configure it.
>
>
> [1] http://xacmlinfo.org/2015/10/15/custom-authenticator-for-wso2-identity-server-wso2is-sso-login/
>
>
>
> Thanks
>
> Godwin
>
>
>
> On Fri, Oct 28, 2016 at 7:15 PM, Ken McDonald <kmcdonald@symcor.com>
> wrote:
>
> Hi everyone.
>
>
>
> I am looking to create a custom user store for Active Directory that uses
> the User Account Control field to reflect whether a user requires a
> password change based on an expired password.  I was also looking to
> implement the "force change password on first login" here as well.
>
>
>
> I had initially looked into implementing this by changing/extending the
> following:
>
> https://docs.wso2.com/display/ISCONNECTORS/Configuring+Password+Policy+Authenticator
>
>
>
> but due to the fact that in order to even get past the initial step to
> even invoke this code, the user must bind from the initial Active Directory
> user store from the main plugin, this will not work with proper Active
> Directory controls.  When a user tries to bind when their
> UserAccountControl states their password is expired, it will throw an
> exception.
>
>
>
> My main question here is:
>
> Is there a way to throw a custom exception from my new user store
> implementation and catch it and direct the user to a different page (jsp or
> context view) where I could then present the change password view to them?
> Or is there the ability to direct within the code to a different page somehow,
> driven from the User Store code?
>
>
>
> Essentially my User Store code will override the doAuthenticate (I believe
> this is the function) and if the user bind fails due to (but not with a bad
> credentials exception), I will query the ldap entry and check the User
> Account Control field, and if it has the flag set for expired password, I
> would like to direct the user to a page asking for current password, and
> new password (twice), much like the ISCONNECTOR code referenced above.
>
>
>
> Any assistance pointing me in the right direction as to how this might be
> possible would be appreciated (or simply telling me it's not possible).
>
>
>
> Thanks
>
>
>
> Ken McDonald | Security Consultant| Symcor Inc.
>
> 400-1 Robert Speck Parkway, Mississauga, Ontario, L4Z 4E7
>
> Office: 905.273.1306 | Cell: 647.888.6548
>
>
>
>
>
> CONFIDENTIALITY WARNING
> This communication, including any attachments, is for the exclusive use of
> addressee and may contain proprietary and/or confidential information. If
> you are not the intended recipient, any use, copying, disclosure,
> dissemination or distribution is strictly prohibited. If you are not the
> intended recipient, please notify the sender immediately by return e-mail,
> delete this communication and destroy all copies.
>
> Symcor, 1 Robert Speck Parkway, Suite 400, Mississauga, Ontario, Canada
> L4Z 4E7, www.symcor.com. To unsubscribe from receiving promotional messages
> from Symcor, email "unsubscribe" to privacy@symcor.com. You will continue to
> receive regular business communications from Symcor.
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
>
>
> --
>
> *Godwin Amila Shrimal*
> Senior Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *http://lnkd.in/KUum6D*
> twitter: https://twitter.com/godwinamila
>



-- 
*Godwin Amila Shrimal*
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94772264165*
linkedin: *http://lnkd.in/KUum6D*
twitter: https://twitter.com/godwinamila
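The distinction Ken's user store needs to make, a bind refused because the password is expired or must be changed versus a bind refused for bad credentials, can be classified inside the user store before any redirect is attempted; the authenticator then decides where to send the user, which is the split Godwin describes. The Java class below is an added example and is not WSO2 code nor code from either poster. It assumes it would be called from an overridden doAuthenticate with the LDAP diagnostic message of the failed bind and, optionally, with the user's attributes read afterwards through a service account. The class name AdBindOutcome, the method names and the sample diagnostic strings are constructed for illustration; the userAccountControl bit values and the AD bind sub-error codes (52e, 532, 773, and so on) are Microsoft's documented ones. One caveat a practitioner wants here: in Active Directory the PASSWORD_EXPIRED and LOCKOUT bits are computed and are exposed in the constructed attribute msDS-User-Account-Control-Computed, not in userAccountControl itself, so a check that reads only userAccountControl will miss an expired password; the "must change at next logon" state is stored as pwdLastSet = 0.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper for a custom Active Directory user store (not WSO2 code):
 * classifies why a simple bind failed so that "password expired" and "must change
 * password" become distinct outcomes instead of a generic authentication failure.
 */
public final class AdBindOutcome {

    /** Why the bind was rejected, as far as the directory tells us. */
    public enum Reason {
        OK, BAD_CREDENTIALS, PASSWORD_EXPIRED, MUST_CHANGE_PASSWORD,
        ACCOUNT_DISABLED, ACCOUNT_LOCKED, ACCOUNT_EXPIRED, UNKNOWN
    }

    // userAccountControl bits (ADS_USER_FLAG_ENUM). PASSWORD_EXPIRED and LOCKOUT are
    // computed bits: read them from msDS-User-Account-Control-Computed, not userAccountControl.
    public static final int UF_ACCOUNTDISABLE = 0x0002;
    public static final int UF_LOCKOUT = 0x0010;
    public static final int UF_DONT_EXPIRE_PASSWD = 0x10000;
    public static final int UF_PASSWORD_EXPIRED = 0x800000;

    // AD appends "data <hex>" to the diagnostic message of a rejected simple bind.
    private static final Pattern DATA_CODE = Pattern.compile("data\\s+([0-9a-fA-F]+)");

    private AdBindOutcome() {}

    /** Map the AD sub-error carried in a bind failure's diagnostic message to a Reason. */
    public static Reason fromBindDiagnostic(String diagnostic) {
        if (diagnostic == null) return Reason.UNKNOWN;
        Matcher m = DATA_CODE.matcher(diagnostic);
        if (!m.find()) return Reason.UNKNOWN;
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "52e": return Reason.BAD_CREDENTIALS;
            case "532": return Reason.PASSWORD_EXPIRED;
            case "773": return Reason.MUST_CHANGE_PASSWORD;
            case "533": return Reason.ACCOUNT_DISABLED;
            case "775": return Reason.ACCOUNT_LOCKED;
            case "701": return Reason.ACCOUNT_EXPIRED;
            default:    return Reason.UNKNOWN;
        }
    }

    /**
     * Second opinion from the user's own attributes, read with a service account after
     * the user's bind failed: the computed UAC bits plus pwdLastSet == 0, which is how
     * AD stores "user must change password at next logon".
     */
    public static Reason fromAttributes(int uacComputed, long pwdLastSet) {
        if ((uacComputed & UF_ACCOUNTDISABLE) != 0) return Reason.ACCOUNT_DISABLED;
        if ((uacComputed & UF_LOCKOUT) != 0) return Reason.ACCOUNT_LOCKED;
        if (pwdLastSet == 0L) return Reason.MUST_CHANGE_PASSWORD;
        if ((uacComputed & UF_DONT_EXPIRE_PASSWD) != 0) return Reason.OK;
        if ((uacComputed & UF_PASSWORD_EXPIRED) != 0) return Reason.PASSWORD_EXPIRED;
        return Reason.OK;
    }

    /** Only these outcomes should be routed to a change-password flow; everything else stays a plain failure. */
    public static boolean needsPasswordChange(Reason r) {
        return r == Reason.PASSWORD_EXPIRED || r == Reason.MUST_CHANGE_PASSWORD;
    }

    public static void main(String[] args) {
        // Constructed sample diagnostics in the shape AD returns them (not captured from a real server).
        String[] samples = {
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
            "connection reset"
        };
        for (String s : samples) {
            Reason r = fromBindDiagnostic(s);
            System.out.printf("%-20s change-password=%-5b <- %s%n", r, needsPasswordChange(r), s);
        }
        // Attribute-based check: NORMAL_ACCOUNT (0x200) with the computed expired bit set.
        System.out.println(fromAttributes(0x200 | UF_PASSWORD_EXPIRED, 132_000_000_000_000_000L));
        // Fresh account flagged "must change password at next logon": pwdLastSet == 0.
        System.out.println(fromAttributes(0x200, 0L));
    }
}
```

Two design points. First, the classification is deliberately split from the redirect: the user store returns or records a Reason, and the custom authenticator (which owns the flow) is the only place that chooses a page, so a bad-credentials failure never reaches the change-password view. Second, a mapped sub-error tells a caller more than a generic failure does, so whatever the user store logs or exposes should keep the user-facing message generic and reserve the Reason for the authenticator and the audit log.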
