Re: Committers Please Vote

Ryan Goulding <ryandgoulding@...>
 

+1.

Regards,

Ryan Goulding

On Thu, May 24, 2018 at 8:29 AM, Ryan Goulding <ryandgoulding@...> wrote:
Hi Folks,

I would like to nominate Tom Pantelis as a committer to AAA.  Tom has been instrumental in the adoption of the web-api, as well as many other accomplishments.  He has 25+ commits in AAA as shown here [0].  I believe his merits are clearly displayed in AAA as well as the other various projects he maintains.  Please vote +1, 0, -1.



Committers Please Vote

Ryan Goulding <ryandgoulding@...>
 

Hi Folks,

I would like to nominate Tom Pantelis as a committer to AAA.  Tom has been instrumental in the adoption of the web-api, as well as many other accomplishments.  He has 25+ commits in AAA as shown here [0].  I believe his merits are clearly displayed in AAA as well as the other various projects he maintains.  Please vote +1, 0, -1.


AAA using LDAP - Facing issues with authorization

Thiriloshini.ThoppeKrishnakumar@us.fujitsu.com <Thiriloshini.ThoppeKrishnakumar@...>
 

Hi all,

I'm using the carbon-sr3 branch. I am trying to authenticate and authorize an LDAP user.

Authentication works fine. But I'm facing issues with authorization. I have been struggling to get it working. Any help/pointer is much appreciated.

Please find the snapshot of LDAP below. All the users under ou=users belong to the group odlGroup.

Below is the snapshot of odlUser.

Please find my configuration below in the shiro.ini with respect to the LDAP realm.

Please note the highlighted one. I'm trying to assign the admin role to the LDAP group. Please let me know if this is the right way of doing it.

I also tried the below with no luck.

ldapRealm.groupRolesMap = "odlGroup":"admin"

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
ldapRealm.userDnTemplate = cn={0},ou=users,dc=sdn,dc=org
ldapRealm.contextFactory.url = ldap://10.6.6.6:389
ldapRealm.searchBase = dc=sdn,dc=org
# Abstraction to map LDAP extracted groups to ODL roles
ldapRealm.groupRolesMap = "cn={0},ou=groups,dc=sdn,dc=org":"admin"
ldapRealm.ldapAttributeForComparison = objectClass

securityManager.realms = $ldapRealm, $tokenAuthRealm

With the above information I am able to login to apidoc with odlUser.

But when I try to access the URLs under aaa-cert-mdsal, for which admin roles have been assigned, I see an exception in karaf.log (a snapshot of the exception has been provided below).

/config/aaa-cert-mdsal** = authcBasic, roles[admin]

I added a print where I see the exception in aaa/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/impl/shiro/realm/TokenAuthRealm.java (function doGetAuthorizationInfo):

            System.out.println("primaryPrincipal: "+primaryPrincipal.toString());
            odlPrincipal = (ODLPrincipal) primaryPrincipal;  // <-- this is where I see the exception

For the user that exists in ODL, below is what it returns:

odlPrincipal: org.opendaylight.aaa.impl.shiro.principal.ODLPrincipalImpl@2e8d82e0

For the user that exists in LDAP, below is what it returns:

primaryPrincipal: odlUser

Basically, ODL doesn't understand the LDAP user.

Do you think we need to sync the LDAP user/group with ODL?

Is there anything else that I am missing?

Please find the exception below.

2018-05-17 10:53:30,874 | ERROR | tp2134027892-356 | TokenAuthRealm                   | 257 - org.opendaylight.aaa.shiro - 0.5.3.Carbon | Couldn't decode authorization request

java.lang.ClassCastException: java.lang.String cannot be cast to org.opendaylight.aaa.api.shiro.principal.ODLPrincipal

        at org.opendaylight.aaa.shiro.realm.TokenAuthRealm.doGetAuthorizationInfo(TokenAuthRealm.java:98)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]

        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)[258:org.apache.shiro.core:1.3.2]

        at org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter.isAccessAllowed(MDSALDynamicAuthorizationFilter.java:131)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]

        at org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter.isAccessAllowed(MDSALDynamicAuthorizationFilter.java:63)[257:org.opendaylight.aaa.shiro:0.5.3.Carbon]

        at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)[258:org.apache.shiro.core:1.3.2]

        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)[259:org.apache.shiro.web:1.3.2]

        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)[259:org.apache.shiro.web:1.3.2]

        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1478)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]                                                            

        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:240)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]

        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:75)[225:org.ops4j.pax.web.pax-web-jetty:3.2.9]

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.Server.handle(Server.java:370)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:973)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1035)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:641)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)[216:org.eclipse.jetty.aggregate.jetty-all-server:8.1.19.v20160209]

        at java.lang.Thread.run(Thread.java:748)[:1.8.0_162]

                                                            

Thanks in advance for your time.

 

Regards,

Thiriloshini
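The exception in this post is a type confusion between the two configured realms: a user authenticated by ODLJndiLdapRealm carries a plain String as primary principal (the print shows `primaryPrincipal: odlUser`), and TokenAuthRealm casts it to ODLPrincipal without checking. The Python model below is an added example, not OpenDaylight or Apache Shiro code. It reproduces the authorization path for `securityManager.realms = $ldapRealm, $tokenAuthRealm` and shows the defensive shape such a realm should have: check the principal's type and return no authorization info for principals it did not mint, so that Shiro's ModularRealmAuthorizer moves on to the next realm instead of blowing up. It also models why the posted groupRolesMap cannot grant anything if map keys are compared verbatim with attribute values: a key containing `{0}` never equals any objectClass value. Two things are assumptions rather than facts from the page: that ODLJndiLdapRealm matches groupRolesMap keys verbatim against the values of the ldapAttributeForComparison attribute, and that the directory exposes group membership in a memberOf attribute; check the realm's source before relying on either. The ClassCastException is modelled as a TypeError, and the user entry, group DN and role names are constructed.

```python
"""Model of Shiro's multi-realm role check for the LDAP authorization thread.

Added example; not OpenDaylight or Apache Shiro code. Plain Python classes stand
in for the realms and for ModularRealmAuthorizer.hasRole, and the directory
entry, group DN and groupRolesMap values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ODLPrincipal:
    """Principal the local token realm produces for users stored in ODL."""
    username: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class AuthorizationInfo:
    roles: FrozenSet[str]


class NaiveTokenAuthRealm:
    """Casts unconditionally, like the failing line quoted in the thread."""

    def do_get_authorization_info(self, principal: object) -> AuthorizationInfo:
        # Python has no cast, so the ClassCastException is modelled explicitly: a
        # user authenticated by the LDAP realm arrives as a plain str, not ODLPrincipal.
        if not isinstance(principal, ODLPrincipal):
            raise TypeError(f"{type(principal).__name__} cannot be cast to ODLPrincipal")
        return AuthorizationInfo(principal.roles)


class HardenedTokenAuthRealm:
    """Type-checks first; a principal this realm did not mint is 'unknown here'."""

    def do_get_authorization_info(self, principal: object) -> Optional[AuthorizationInfo]:
        if not isinstance(principal, ODLPrincipal):
            return None  # no info: this realm grants nothing, other realms may still grant
        return AuthorizationInfo(principal.roles)


class LdapRealm:
    """groupRolesMap as a verbatim lookup over one attribute's values (assumed model)."""

    def __init__(self, group_roles_map: Dict[str, str], attribute: str,
                 directory: Dict[str, Dict[str, List[str]]]):
        self.group_roles_map = group_roles_map
        self.attribute = attribute    # stands in for ldapAttributeForComparison
        self.directory = directory    # constructed stand-in for the LDAP server

    def do_get_authorization_info(self, principal: object) -> Optional[AuthorizationInfo]:
        entry = self.directory.get(principal) if isinstance(principal, str) else None
        if entry is None:
            return None
        # Map keys are compared verbatim with the attribute values; nothing
        # substitutes {0} here, so a key containing it can never match.
        roles = {self.group_roles_map[v] for v in entry.get(self.attribute, [])
                 if v in self.group_roles_map}
        return AuthorizationInfo(frozenset(roles))


def has_role(realms: Iterable, principal: object, role: str) -> bool:
    """ModularRealmAuthorizer.hasRole: ask realms in order, grant on the first yes."""
    for realm in realms:
        info = realm.do_get_authorization_info(principal)
        if info is not None and role in info.roles:
            return True
    return False


GROUP_DN = "cn=odlGroup,ou=groups,dc=sdn,dc=org"   # constructed
DIRECTORY = {                                       # constructed entry for odlUser
    "odlUser": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "memberOf": [GROUP_DN],
    },
}
THREAD_MAP = {"cn={0},ou=groups,dc=sdn,dc=org": "admin"}   # as posted in the thread


def naive_realm_raises() -> bool:
    """Realm order from the thread ($ldapRealm, $tokenAuthRealm): the LDAP realm
    finds no mapping, so the token realm is consulted and the cast fails."""
    realms = [LdapRealm(THREAD_MAP, "objectClass", DIRECTORY), NaiveTokenAuthRealm()]
    try:
        has_role(realms, "odlUser", "admin")
    except TypeError:
        return True
    return False


def thread_config_grants_admin() -> bool:
    """Hardened token realm, but the map key still never equals an objectClass value."""
    realms = [LdapRealm(THREAD_MAP, "objectClass", DIRECTORY), HardenedTokenAuthRealm()]
    return has_role(realms, "odlUser", "admin")    # False


def literal_group_dn_grants_admin() -> bool:
    """Key equal to a value the compared attribute really carries: role granted."""
    realms = [LdapRealm({GROUP_DN: "admin"}, "memberOf", DIRECTORY), HardenedTokenAuthRealm()]
    return has_role(realms, "odlUser", "admin")    # True


def local_user_unaffected() -> bool:
    """A user stored in ODL is still authorized by the token realm."""
    realms = [LdapRealm({GROUP_DN: "admin"}, "memberOf", DIRECTORY), HardenedTokenAuthRealm()]
    return has_role(realms, ODLPrincipal("admin", frozenset({"admin"})), "admin")  # True
```

The model also explains why the exception only appears for the LDAP user: ModularRealmAuthorizer returns as soon as one realm grants the role, so the token realm is reached only when the LDAP realm has mapped nothing, which is exactly the situation the posted groupRolesMap produces.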


Re: Fw: Announcing that Apache Oltu has been moved to the Attic

Ryan Goulding <ryandgoulding@...>
 

One possible stop-gap measure is to temporarily fork a minimal set of oltu code into the AAA repository since we use very little anyway [0].  I do believe we will want to eventually get rid of the AAA OAuth2 Provider anyway in favor of federation with existing OAuth2 system(s), since AAA team has attempted to avoid becoming an IdP.  If we combined [0] with deprecating the HTTP API(s) in Fluorine, followed by an investigation of OAuth2 Provider federation, I think we will be in much better shape.  Thoughts?  [0] will get us away from org.json as well, since the upstream migration was never released but is in the code!

Owning an OAuth2 Provider is costly, and I believe many solutions suggest using OpenID instead.  The fact is, ODL is a Network Controller, not a tokening system.  Right now, our OAuth2 system does not really reflect an accurate OAuth2 deployment model, and is really closer to an OAuth1 authentication tokening system anyway. Open to entertain conversation on this.

On Wed, Apr 11, 2018 at 1:39 PM, Ryan Goulding <ryandgoulding@...> wrote:
Thanks for forwarding on this announcement, Stephen.  We will need to start investigating proper replacements soon.

Best Regards,

Ryan Goulding

On Mon, Apr 9, 2018 at 3:54 AM, Stephen Kitt <skitt@...> wrote:
Hello AAA devs,

This is relevant to AAA... (I know Ryan intended to move away from
Oltu, this just adds another nail to the coffin.)

Regards,

Stephen


Begin forwarded message:

Date: Sun, 8 Apr 2018 13:49:00 +0200
From: jani@...
To: announce@...
Subject: Announcing that Apache Oltu has been moved to the Attic


Announcing that the Apache Oltu committers have voted to retire the
project due to inactivity. Oltu was an OAuth protocol implementation in
Java. It also covers other "OAuth family" related implementations such
as JWT, JWS and OpenID Connect.

Retiring a project is not as simple as turning everything off, as
existing users need to both know that the project is retiring and
retain access to the necessary information for their own development
efforts. You can read more about Oltu's retirement at:
http://attic.apache.org/projects/Oltu.html The user mailing list
remains open, while the rest of the project's resources will continue
to be available in a read-only state - website, wikis, svn, downloads
and bug tracker with no change in url. Providing process and solutions
to make it clear when an Apache project has reached its end of life is
the role of the Apache Attic, and you can read more about that at:
http://attic.apache.org/

Thanks, Jan Iversen on behalf of the Apache Attic and the now retired
Apache Oltu project



--
Stephen Kitt
Principal Software Engineer, Office of the CTO
Red Hat

_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev




Re: [release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Thanh Ha <thanh.ha@...>
 

On Sun, Apr 29, 2018 at 5:39 PM, Robert Varga <nite@...> wrote:
On 29/04/18 02:23, Jenkins wrote:
> Attention aaa-devs,
>
> Autorelease nitrogen failed to build odl-aaa-api from aaa in build
> 446. Attached is a snippet of the error message related to the
> failure that we were able to automatically parse as well as console logs.
>
>
> Console Logs:
> https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/446

Weird... can we merge up the odlparent-2.0.7 patch and see where it gets us?

All of
https://git.opendaylight.org/gerrit/#/q/topic:odlparent-2.0.7+(status:open+OR+status:merged)
is verified, can we get them merged?

Thanks,
Robert

All patches have been merged and stable/nitrogen branch has been locked.

I queued a new autorelease here:


Let's see where this gets us (if we're lucky a release candidate for Nitrogen-SR3).

Regards,
Thanh


Re: [release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Robert Varga
 

On 29/04/18 23:58, Sam Hague wrote:

On Sun, Apr 29, 2018 at 5:39 PM, Robert Varga <nite@hq.sk> wrote:

On 29/04/18 02:23, Jenkins wrote:
> Attention aaa-devs,
>
> Autorelease nitrogen failed to build odl-aaa-api from aaa in build
> 446. Attached is a snippet of the error message related to the
> failure that we were able to automatically parse as well as console logs.
>
>
> Console Logs:
> https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/446

Weird... can we merge up the odlparent-2.0.7 patch and see where it
gets us?

All of
https://git.opendaylight.org/gerrit/#/q/topic:odlparent-2.0.7+(status:open+OR+status:merged)
is verified, can we get them merged?

Does the ordering matter or can we just start merging project patches?

It should not, which is supported by the fact that each of those patches
fully verified on its own.

Regards,
Robert


Re: [release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Sam Hague <shague@...>
 



On Sun, Apr 29, 2018 at 5:39 PM, Robert Varga <nite@...> wrote:
On 29/04/18 02:23, Jenkins wrote:
> Attention aaa-devs,
>
> Autorelease nitrogen failed to build odl-aaa-api from aaa in build
> 446. Attached is a snippet of the error message related to the
> failure that we were able to automatically parse as well as console logs.
>
>
> Console Logs:
> https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/446

Weird... can we merge up the odlparent-2.0.7 patch and see where it gets us?

All of
https://git.opendaylight.org/gerrit/#/q/topic:odlparent-2.0.7+(status:open+OR+status:merged)
is verified, can we get them merged?
Does the ordering matter or can we just start merging project patches?

Thanks,
Robert


_______________________________________________
release mailing list
release@...
https://lists.opendaylight.org/mailman/listinfo/release



Re: [release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Robert Varga
 

On 29/04/18 02:23, Jenkins wrote:
Attention aaa-devs,

Autorelease nitrogen failed to build odl-aaa-api from aaa in build
446. Attached is a snippet of the error message related to the
failure that we were able to automatically parse as well as console logs.


Console Logs:
https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/446
Weird... can we merge up the odlparent-2.0.7 patch and see where it gets us?

All of
https://git.opendaylight.org/gerrit/#/q/topic:odlparent-2.0.7+(status:open+OR+status:merged)
is verified, can we get them merged?

Thanks,
Robert


[release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Jenkins <jenkins-dontreply@...>
 

Attention aaa-devs,

Autorelease nitrogen failed to build odl-aaa-api from aaa in build
446. Attached is a snippet of the error message related to the
failure that we were able to automatically parse as well as console logs.


Console Logs:
https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/446

Jenkins Build:
https://jenkins.opendaylight.org/releng/job/autorelease-release-nitrogen/446/

Please review and provide an ETA on when a fix will be available.

Thanks,
ODL releng/autorelease team


[release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Jenkins <jenkins-dontreply@...>
 

Attention aaa-devs,

Autorelease nitrogen failed to build odl-aaa-api from aaa in build
445. Attached is a snippet of the error message related to the
failure that we were able to automatically parse as well as console logs.


Console Logs:
https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/445

Jenkins Build:
https://jenkins.opendaylight.org/releng/job/autorelease-release-nitrogen/445/

Please review and provide an ETA on when a fix will be available.

Thanks,
ODL releng/autorelease team


[release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Jenkins <jenkins-dontreply@...>
 

Attention aaa-devs,

Autorelease nitrogen failed to build odl-aaa-api from aaa in build
444. Attached is a snippet of the error message related to the
failure that we were able to automatically parse as well as console logs.


Console Logs:
https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/444

Jenkins Build:
https://jenkins.opendaylight.org/releng/job/autorelease-release-nitrogen/444/

Please review and provide an ETA on when a fix will be available.

Thanks,
ODL releng/autorelease team


[release] Autorelease nitrogen failed to build odl-aaa-api from aaa

Jenkins <jenkins-dontreply@...>
 

Attention aaa-devs,

Autorelease nitrogen failed to build odl-aaa-api from aaa in build
443. Attached is a snippet of the error message related to the
failure that we were able to automatically parse as well as console logs.


Console Logs:
https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/autorelease-release-nitrogen/443

Jenkins Build:
https://jenkins.opendaylight.org/releng/job/autorelease-release-nitrogen/443/

Please review and provide an ETA on when a fix will be available.

Thanks,
ODL releng/autorelease team


Re: Configuring OpenLdap with ODL

Ryan Goulding <ryandgoulding@...>
 

No, ODL must be restarted.


On Apr 19, 2018, at 5:22 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan/Team,

Thanks for the help. I have successfully integrated OpenLDAP with ODL.

I have one concern: is it necessary to restart karaf after updating the shiro.ini file? In my case ODL is not allowing me to login through OpenLDAP after updating shiro.ini unless we restart karaf.

Is there any procedure or way through which we can skip restarting karaf?

Regards,

Harshit Kaushik

 

From: Kaushik, Harshit (EXT - IN/Noida)
Sent: Tuesday, April 17, 2018 11:45 AM
To: 'Mohamed El-Serngawy' <m.elserngawy@...>
Cc: Ryan Goulding <ryandgoulding@...>; Hrudaykumar H <hrudaykumar.h@...>; wdec@...; aaa-dev@...; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>
Subject: RE: [Aaa-dev] Configuring OpenLdap with ODL

 

Hi Mohamed/Ryan,

Thanks for the help 😊.

Currently we are facing some issues with OpenLDAP. After fixing this problem I will try the solutions provided by you.

Regards,

Harshit Kaushik

 

 

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, April 12, 2018 6:33 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: Ryan Goulding <ryandgoulding@...>; Hrudaykumar H <hrudaykumar.h@...>; wdec@...; aaa-dev@...; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>
Subject: Re: [Aaa-dev] Configuring OpenLdap with ODL

 

Hi Kaushik,

You may need to specify the common name "cn" instead of "uid", so your shiro.ini could look like the one below.

ldapRealm.userDnTemplate = cn={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

BR

 

 

On Thu, Apr 12, 2018 at 2:25 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan,

Thanks for the reply.

Our exact inputs in shiro.ini are:

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=matrix-intra,dc=net
ldapRealm.contextFactory.url = ldap://10.112.192.134:389
ldapRealm.searchBase = dc=matrix-intra,dc=net

and we also added this line:

securityManager.realms = $tokenAuthRealm, $ldapRealm

We know ODL Beryllium is very old, but anyhow we have to use this. Please help.

Regards,

Harshit Kaushik

 

From: Ryan Goulding [mailto:ryandgoulding@...]
Sent: Wednesday, April 11, 2018 11:09 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: saichler@...; wdec@...; aaa-dev@...; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Hrudaykumar H <hrudaykumar.h@...>
Subject: Re: Configuring OpenLdap with ODL

 

Hi Harshit,

Did you replace the values in shiro.ini between square brackets <> with the appropriate values for your LDAP server?  By the way, ODL Beryllium is very old and has not been supported for quite some time.

Regards,

Ryan Goulding

 

On Tue, Apr 10, 2018 at 7:05 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan/Team,

I am trying to configure OpenLDAP with ODL (Beryllium version).

I have made the below changes in the shiro.ini file:

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
ldapRealm.userDnTemplate = uid={0},ou=people,dc=<my-Domain>,dc=<my-TLD>
ldapRealm.contextFactory.url = ldap://<url>:389

But I am not able to login to ODL. I am getting the below logs in karaf.

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | TokenAuthRealm                   | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Authentication attempt using org.opendaylight.aaa.basic.HttpBasicAuth

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | get domain

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table DOMAINS already exists

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | DomainStore                      | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep15: SELECT * FROM DOMAINS WHERE domainid = ?  {1: 'sdn'}

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | check user / pwd

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | getUsers for: matrix in domain sdn

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table USERS already exists

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep17: SELECT * FROM USERS WHERE userid = ?  {1: 'matrix@sdn'}

2018-04-10 13:44:26,373 | INFO  | qtp501175937-730 | ODLJndiLdapRealm                 | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,373 | DEBUG | qtp501175937-730 | Accounter                        | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,376 | DEBUG | qtp501175937-730 | AuthenticationListener           | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Unsuccessful authentication attempt by matrix from <URL>

 

 

Please help me out in this.

Regards,

Harshit Kaushik

 





 

--

Mohamed ElSerngawy

 

+1 438 993 2462
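Since, as the reply above says, ODL must be restarted before a shiro.ini change takes effect, it pays to lint the LDAP realm block before each restart. The check below is an added Python example, not OpenDaylight code. It parses the [main] section of a shiro.ini and flags the mistakes raised in this thread: template placeholders such as <my-Domain> and <url> left unreplaced, a userDnTemplate without the {0} token that Shiro's JndiLdapRealm replaces with the login name to build the bind DN, and a realm that is defined but missing from securityManager.realms. It also reports an ldap:// URL, because a simple bind over plain LDAP sends each user's password in clear text unless the server is reached over TLS. The two ini texts are constructed from the snippets posted above; the securityManager.realms line that omits the LDAP realm in the first one is mine, added to show that finding.

```python
"""Pre-restart lint for the LDAP realm lines of shiro.ini.

Added example; not OpenDaylight code. The ini texts are constructed from the
snippets posted in this thread.
"""
import configparser
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"<[^<>\s]+>")   # <my-Domain>, <my-TLD>, <url>


def parse_main(ini_text: str) -> Dict[str, str]:
    """Return the [main] section with key case preserved (userDnTemplate != userdntemplate)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(ini_text)
    return dict(cp["main"])


def render_user_dn(template: str, username: str) -> str:
    """Shiro's JndiLdapRealm builds the bind DN by replacing {0} in userDnTemplate."""
    return template.replace("{0}", username)


def lint_ldap_realm(main: Dict[str, str], realm: str = "ldapRealm") -> List[str]:
    """Return human-readable findings; an empty list means the realm block looks sane."""
    findings: List[str] = []
    # 1. Values copied from a template still carrying <...> placeholders.
    for key, value in main.items():
        if key.startswith(realm + "."):
            hit = PLACEHOLDER.search(value)
            if hit:
                findings.append(f"{key}: unreplaced placeholder {hit.group(0)}")
    # 2. No {0} token means the login name is never inserted into the bind DN.
    template = main.get(f"{realm}.userDnTemplate", "")
    if "{0}" not in template:
        findings.append(f"{realm}.userDnTemplate has no {{0}} token, so no user can bind")
    # 3. Plain ldap:// carries the simple-bind password in clear text.
    url = main.get(f"{realm}.contextFactory.url", "")
    if url.startswith("ldap://"):
        findings.append(f"{realm}.contextFactory.url uses ldap:// without TLS; the simple "
                        "bind sends each user's password in clear text (prefer ldaps://)")
    # 4. A realm that is defined but not listed is never consulted.
    listed = [r.strip() for r in main.get("securityManager.realms", "").split(",")]
    if f"${realm}" not in listed:
        findings.append(f"{realm} is defined but not listed in securityManager.realms")
    return findings


# Constructed from the first snippet in the thread, realm list added by me.
TEMPLATE_INI = """\
[main]
ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
ldapRealm.userDnTemplate = uid={0},ou=people,dc=<my-Domain>,dc=<my-TLD>
ldapRealm.contextFactory.url = ldap://<url>:389
securityManager.realms = $tokenAuthRealm
"""

# Constructed from the second snippet in the thread.
FILLED_INI = """\
[main]
ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=matrix-intra,dc=net
ldapRealm.contextFactory.url = ldap://10.112.192.134:389
ldapRealm.searchBase = dc=matrix-intra,dc=net
securityManager.realms = $tokenAuthRealm, $ldapRealm
"""

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE_INI), ("filled", FILLED_INI)):
        main = parse_main(text)
        print(f"[{name}] bind DN for 'matrix':",
              render_user_dn(main["ldapRealm.userDnTemplate"], "matrix"))
        for finding in lint_ldap_realm(main) or ["no findings"]:
            print(f"[{name}] {finding}")
```

Running it against the real file is `lint_ldap_realm(parse_main(open(path_to_shiro_ini).read()))`; the linter cannot tell whether `uid` or `cn` is the right RDN attribute for a given directory, so that part of the thread still needs a test bind against the server.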


Re: Configuring OpenLdap with ODL

Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
 

Hi Ryan/Team,

Thanks for the help. I have successfully integrated OpenLDAP with ODL.

I have one concern: is it necessary to restart karaf after updating the shiro.ini file? In my case ODL is not allowing me to login through OpenLDAP after updating shiro.ini unless we restart karaf.

Is there any procedure or way through which we can skip restarting karaf?

Regards,

Harshit Kaushik

 

From: Kaushik, Harshit (EXT - IN/Noida)
Sent: Tuesday, April 17, 2018 11:45 AM
To: 'Mohamed El-Serngawy' <m.elserngawy@...>
Cc: Ryan Goulding <ryandgoulding@...>; Hrudaykumar H <hrudaykumar.h@...>; wdec@...; aaa-dev@...; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>
Subject: RE: [Aaa-dev] Configuring OpenLdap with ODL

 

Hi Mohamed/ Ryan,

 

Thanks for the help 😊.

Currently we are facing some issues with OpenLdap. After fixing this problem I will try the solutions provided by you.

 

Regards,

Harshit Kaushik

 

 

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, April 12, 2018 6:33 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: Ryan Goulding <ryandgoulding@...>; Hrudaykumar H <hrudaykumar.h@...>; wdec@...; aaa-dev@...; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>
Subject: Re: [Aaa-dev] Configuring OpenLdap with ODL

 

Hi Kaushik,

 

You may need to specify the common name "cn" instead of "uid", so your shiro.ini could be looks like as below. 

 

ldapRealm.userDnTemplate = cn={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

 

BR

 

 

On Thu, Apr 12, 2018 at 2:25 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan,

Thanks for the reply.

Our exact inputs in shiro.ini is


ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm

ldapRealm.userDnTemplate = uid={0},ou=people,dc=matrix-intra,dc=net

ldapRealm.contextFactory.url = ldap://10.112.192.134:389

ldapRealm.searchBase = dc=matrix-intra,dc=net

 

and also added this line

securityManager.realms = $tokenAuthRealm, $ldapRealm

 

We know ODL Beryllium is very old, but any how we have to use this. Please help.

 

Regards,

Harshit Kaushik

 

From: Ryan Goulding [mailto:ryandgoulding@...]
Sent: Wednesday, April 11, 2018 11:09 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: saichler@...; wdec@...; aaa-dev@...; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Hrudaykumar H <hrudaykumar.h@...>
Subject: Re: Configuring OpenLdap with ODL

 

Hi Harshit,

 

Did you replace the values in shiro.ini between square brackets <> with the appropriate values for your LDAP server?  By the way, ODL Beryllium is very old and has not been supported for quite some time.


Regards,

Ryan Goulding

 

On Tue, Apr 10, 2018 at 7:05 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan/Team,

 

I am trying to onfigure OpenLdap with ODL (Beryllium version).

 

I have done below changes in shiro.ini file

 

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly

ldapRealm.userDnTemplate = uid={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

ldapRealm.contextFactory.url = ldap://<url>:389

 

But I am not able to login to ODL. I am getting below logs in karaf.

 

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | TokenAuthRealm                   | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Authentication attempt using org.opendaylight.aaa.basic.HttpBasicAuth

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | get domain

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table DOMAINS already exists

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | DomainStore                      | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep15: SELECT * FROM DOMAINS WHERE domainid = ?  {1: 'sdn'}

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | check user / pwd

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | getUsers for: matrix in domain sdn

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table USERS already exists

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep17: SELECT * FROM USERS WHERE userid = ?  {1: 'matrix@sdn'}

2018-04-10 13:44:26,373 | INFO  | qtp501175937-730 | ODLJndiLdapRealm                 | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,373 | DEBUG | qtp501175937-730 | Accounter                        | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,376 | DEBUG | qtp501175937-730 | AuthenticationListener           | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Unsuccessful authentication attempt by matrix from <URL>

 

 

Please help me out with this.

Regards,

Harshit Kaushik

 


_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev



 

--

Mohamed ElSerngawy

 

+1 438 993 2462


Re: Configuring OpenLdap with ODL

Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
 

Hi Mohamed/ Ryan,

 

Thanks for the help 😊.

Currently we are facing some issues with OpenLdap. After fixing this problem I will try the solutions provided by you.

 

Regards,

Harshit Kaushik

 

 

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, April 12, 2018 6:33 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: Ryan Goulding <ryandgoulding@...>; Hrudaykumar H <hrudaykumar.h@...>; wdec@...; aaa-dev@...; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>
Subject: Re: [Aaa-dev] Configuring OpenLdap with ODL

 

Hi Kaushik,

 

You may need to specify the common name "cn" instead of "uid", so your shiro.ini could look like the line below.

 

ldapRealm.userDnTemplate = cn={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

 

BR

 

 

On Thu, Apr 12, 2018 at 2:25 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan,

Thanks for the reply.

Our exact inputs in shiro.ini are:


ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm

ldapRealm.userDnTemplate = uid={0},ou=people,dc=matrix-intra,dc=net

ldapRealm.contextFactory.url = ldap://10.112.192.134:389

ldapRealm.searchBase = dc=matrix-intra,dc=net

 

and also added this line

securityManager.realms = $tokenAuthRealm, $ldapRealm

 

We know ODL Beryllium is very old, but anyhow we have to use this. Please help.

 

Regards,

Harshit Kaushik

 

From: Ryan Goulding [mailto:ryandgoulding@...]
Sent: Wednesday, April 11, 2018 11:09 PM
To: Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
Cc: saichler@...; wdec@...; aaa-dev@...; Kapoor, Sumit 3. (EXT - IN/Noida) <sumit.3.kapoor.ext@...>; Mohammed, Mehboobkhan (EXT - IN) <mehboobkhan.mohammed.ext@...>; Hrudaykumar H <hrudaykumar.h@...>
Subject: Re: Configuring OpenLdap with ODL

 

Hi Harshit,

 

Did you replace the values in shiro.ini between square brackets <> with the appropriate values for your LDAP server?  By the way, ODL Beryllium is very old and has not been supported for quite some time.


Regards,

Ryan Goulding

 

On Tue, Apr 10, 2018 at 7:05 AM, Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...> wrote:

Hi Ryan/Team,

 

I am trying to configure OpenLdap with ODL (Beryllium version).

 

I have made the changes below in the shiro.ini file

 

ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly

ldapRealm.userDnTemplate = uid={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

ldapRealm.contextFactory.url = ldap://<url>:389

 

But I am not able to log in to ODL. I am getting the logs below in karaf.

 

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | TokenAuthRealm                   | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Authentication attempt using org.opendaylight.aaa.basic.HttpBasicAuth

2018-04-10 13:44:26,360 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | get domain

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table DOMAINS already exists

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | DomainStore                      | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep15: SELECT * FROM DOMAINS WHERE domainid = ?  {1: 'sdn'}

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | IdmLightProxy                    | 222 - org.opendaylight.aaa.idmlight - 0.3.4.Beryllium-SR4 | check user / pwd

2018-04-10 13:44:26,367 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | getUsers for: matrix in domain sdn

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | AbstractStore                    | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | Table USERS already exists

2018-04-10 13:44:26,372 | DEBUG | qtp501175937-730 | UserStore                        | 221 - org.opendaylight.aaa.h2-store - 0.3.4.Beryllium-SR4 | query string: prep17: SELECT * FROM USERS WHERE userid = ?  {1: 'matrix@sdn'}

2018-04-10 13:44:26,373 | INFO  | qtp501175937-730 | ODLJndiLdapRealm                 | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,373 | DEBUG | qtp501175937-730 | Accounter                        | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | AAA LDAP connection from matrix

2018-04-10 13:44:26,376 | DEBUG | qtp501175937-730 | AuthenticationListener           | 211 - org.opendaylight.aaa.shiro - 0.3.4.Beryllium-SR4 | Unsuccessful authentication attempt by matrix from <URL>

 

 

Please help me out with this.

Regards,

Harshit Kaushik

 


_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev



 

--

Mohamed ElSerngawy

 

+1 438 993 2462


Re: [controller-dev] Web Framework Discussion (continued from Kernel Call)

Robert Varga
 

On 11/04/18 17:50, Ryan Goulding wrote:
Hi All,
Hello Ryan,

During the Kernel call this past Tuesday, we talked about attempting an
isolated transition of AAA restful web services from Jersey 1 to Jersey
2.  I attempted this change yesterday, and was able to partially convert
(I just temporarily removed non-essential code that would've required
overhaul).  However, when I compiled NETCONF next to test RESTCONF, I
quickly realized that:

1) jersey-2.26 won't behave well, since it relies on javax.ws.rs-api 2.1
and jersey 1.17 relies on javax.ws.rs-api 2.0.1.  This leads to a Uses
constraint violation since the dependency is provided via two chains
(and two different versions too!).
Well, that upgrade has to wait for Neon then -- we simply cannot take
much more churn this low in the project.

2) jersey-2.25 won't work for a similar reason.  Even though it relies
on the older javax.ws.rs-api 2.0.1 which is currently in place, jersey
1.17 repackages javax.ws.rs-api.  This means that utilizing the off the
shelf javax.ws.rs-api 2.0.1 causes another Uses constraint violation,
since the dependency is provided via upstream properly and jersey 1.17
in a repackaged form.

I am starting to really agree with the sentiment that we should just
stick to only one implementation across the board.  Additionally, I
believe that isolating this in an API (utility or not) will help the
transition since there will be a single point to toggle the
implementations.  We may want to also discuss the drawbacks of jersey
2.  Namely, it appears to require a ton of overhead dependencies and
starts a bit slower in newer versions.  Maybe that is fine, but we
should fully understand the tradeoffs before investing more time.  We
should also settle on what the intended version should be for jersey 2
if we go that route, since jersey-2.26 is a lot different than even
jersey-2.25.
Agreed, Tom's utility approach is probably the most sensible one. I took
a very simple stab at that with https://git.opendaylight.org/gerrit/70919.

I do believe that using this you can eliminate any and all references to
jersey in shiro-impl.

Regards,
Robert


Re: Configuring OpenLdap with ODL

Mohamed ElSerngawy
 

Hi Kaushik,

You may need to specify the common name "cn" instead of "uid", so your shiro.ini could look like the line below.

ldapRealm.userDnTemplate = cn={0},ou=people,dc=<my-Domain>,dc=<my-TLD>

BR



--
Mohamed ElSerngawy

+1 438 993 2462


Re: Configuring OpenLdap with ODL

Ryan Goulding <ryandgoulding@...>
 

+aaa-dev;  please keep the list in the loop.

One issue is that you are using ODLJndiLdapRealm without "ldapRealm.attributeForComparison" set.  I would start with the variant ODLJndiLdapRealmAuthNOnly, then add in AuthZ later, once you have AuthN figured out.  If you don't define the attributeForComparison, things won't work.

Regards,

Ryan Goulding


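The two questions this thread keeps circling, whether the userDnTemplate (uid versus cn) actually names the user's entry and whether the realm is configured for the stage you are at, can both be checked outside ODL first. The script below is an added example; it is not code from the thread or from the ODL AAA project. It renders the DN the realm will bind with, probes it with the OpenLDAP client tools (ldapwhoami and ldapsearch, assumed installed), and prints the shiro.ini realm block for the AuthN-only and the AuthZ variants. The property name ldapAttributeForComparison is taken from the ODL AAA user guide (Ryan's message abbreviates it; confirm the spelling for your release), and the objectClass to "admin" mapping is a placeholder, not a recommendation.

```shell
#!/bin/sh
# Added example for this thread; not code from the ODL AAA project.
# Before editing shiro.ini, prove that the DN the realm will bind with
# exists and accepts the password, then generate the realm block for the
# stage you are at: AuthN only first (ODLJndiLdapRealmAuthNOnly), AuthZ
# afterwards (ODLJndiLdapRealm plus the comparison attribute and the
# groupRolesMap). Assumed: OpenLDAP client tools are installed, and the
# property name ldapAttributeForComparison as in the AAA user guide; the
# objectClass/"person":"admin" mapping is only a placeholder.

# Build the bind DN from userDnTemplate by replacing {0} with the login
# name, which is what the realm does with the name typed at login.
# (sed special characters such as / or & in the name are not escaped.)
render_user_dn() {
    template="$1"; user="$2"
    printf '%s\n' "$template" | sed "s/[{]0[}]/$user/"
}

# Bind as that DN and ask the server who it thinks we are. -x is a
# simple bind; -W prompts for the password so it never lands in argv or
# the shell history. If this fails, the RDN attribute (uid vs cn) or the
# OU in the template is wrong and no shiro.ini change will help.
# Requires a reachable server, so it is not run by the offline test.
probe_bind() {
    url="$1"; dn="$2"
    ldapwhoami -x -H "$url" -D "$dn" -W
}

# Read the user's entry to see which attribute can feed groupRolesMap:
# objectClass is always present, memberOf only if the server exposes it.
show_user_entry() {
    url="$1"; bind_dn="$2"; base="$3"; filter="$4"
    ldapsearch -x -LLL -H "$url" -D "$bind_dn" -W -b "$base" "$filter" objectClass memberOf
}

# Print the shiro.ini realm block for stage "authn" or "authz".
ldap_realm_ini() {
    stage="$1"; dn_template="$2"; url="$3"; base="$4"
    case "$stage" in
    authn) printf 'ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly\n' ;;
    authz) printf 'ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm\n' ;;
    *) echo "stage must be authn or authz" >&2; return 1 ;;
    esac
    printf 'ldapRealm.userDnTemplate = %s\n' "$dn_template"
    printf 'ldapRealm.contextFactory.url = %s\n' "$url"
    printf 'ldapRealm.searchBase = %s\n' "$base"
    if [ "$stage" = authz ]; then
        # Attribute of the user entry whose values are the keys of
        # groupRolesMap; without it the AuthZ realm cannot assign roles.
        printf 'ldapRealm.ldapAttributeForComparison = objectClass\n'
        printf 'ldapRealm.groupRolesMap = "person":"admin"\n'
    fi
    # Without this line the LDAP realm is never consulted at all.
    printf 'securityManager.realms = $tokenAuthRealm, $ldapRealm\n'
}

# Usage with the values from the thread (the bind probe prompts for a
# password, so it is left as a comment):
#   probe_bind ldap://10.112.192.134:389 "$(render_user_dn 'uid={0},ou=people,dc=matrix-intra,dc=net' matrix)"
ldap_realm_ini authz 'uid={0},ou=people,dc=matrix-intra,dc=net' ldap://10.112.192.134:389 dc=matrix-intra,dc=net
```

Plain ldap:// on port 389, as used throughout this thread, sends the simple-bind password in clear text. Add -ZZ to the ldapwhoami and ldapsearch calls to require StartTLS, or point both the probes and contextFactory.url at an ldaps:// URL, before trying real credentials against a shared directory.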

Re: Configuring OpenLdap with ODL

Kaushik, Harshit (EXT - IN/Noida) <harshit.kaushik.ext@...>
 

Hi Ryan,

Thanks for the reply.

Our exact inputs in shiro.ini are:


ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm

ldapRealm.userDnTemplate = uid={0},ou=people,dc=matrix-intra,dc=net

ldapRealm.contextFactory.url = ldap://10.112.192.134:389

ldapRealm.searchBase = dc=matrix-intra,dc=net

 

and also added this line

securityManager.realms = $tokenAuthRealm, $ldapRealm

 

We know ODL Beryllium is very old, but anyhow we have to use this. Please help.

 

Regards,

Harshit Kaushik

 


 


Re: Fw: Announcing that Apache Oltu has been moved to the Attic

Ryan Goulding <ryandgoulding@...>
 

Thanks for forwarding on this announcement, Stephen.  We will need to start investigating proper replacements soon.

Best Regards,

Ryan Goulding

On Mon, Apr 9, 2018 at 3:54 AM, Stephen Kitt <skitt@...> wrote:
Hello AAA devs,

This is relevant to AAA... (I know Ryan intended to move away from
Oltu, this just adds another nail to the coffin.)

Regards,

Stephen


Begin forwarded message:

Date: Sun, 8 Apr 2018 13:49:00 +0200
From: jani@...
To: announce@...
Subject: Announcing that Apache Oltu has been moved to the Attic


Announcing that the Apache Oltu committers have voted to retire the
project due to inactivity. Oltu was an OAuth protocol implementation in
Java. It also covers other "OAuth family" related implementations such
as JWT, JWS and OpenID Connect.

Retiring a project is not as simple as turning everything off, as
existing users need to both know that the project is retiring and
retain access to the necessary information for their own development
efforts. You can read more about Oltu's retirement at:
http://attic.apache.org/projects/Oltu.html The user mailing list
remains open, while the rest of the project's resources will continue
to be available in a read-only state - website, wikis, svn, downloads
and bug tracker with no change in url. Providing process and solutions
to make it clear when an Apache project has reached its end of life is
the role of the Apache Attic, and you can read more about that at:
http://attic.apache.org/

Thanks, Jan Iversen on behalf of the Apache Attic and the now retired
Apache Oltu project



--
Stephen Kitt
Principal Software Engineer, Office of the CTO
Red Hat

_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev

