Thursday, May 31, 2012

AUTHENTICATION-268

I was playing with OpenAM 10.0.0 and was trying to connect my OpenAM to our Active Directory using the Active Directory Authentication Module.

But I kept getting the "An internal authentication error has occurred" message.


So I went ahead to check amAuthentication.error ...

"2012-05-31 22:11:30" "Login Failed|module_instance|AZ-AD" cheechong "Not Available" 192.168.5.6 INFO o=azlabs.sg "cn=dsameuser,ou=DSAME Users,o=azlabs.sg" AUTHENTICATION-268 AZ-AD "Not Available" 192.168.5.6

What's that? A Google search linked me to Oracle's website. It's a "Module based authentication failed" error. I had mis-configured the hostname of my AD! :)

These error message codes are precious. I have converted the HTML page to a PDF here for safe-keeping. Just in case, no harm. :)
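Since the meaning of the code is what resolved this, here is a small parser for amAuthentication.error lines of the kind quoted above, so the MessageID and the module instance can be pulled out and counted instead of eyeballed. This is an added example, not code from the post or from OpenAM; the column order is assumed to follow the "#Fields:" header OpenAM writes at the top of its flat-file logs, and the only code it knows is the one the post explains.

```python
"""Parse OpenAM flat-file authentication log lines (amAuthentication.error)."""
import shlex
from collections import Counter

# Assumed column order, taken from the "#Fields:" header of OpenAM flat-file logs.
FIELDS = ["time", "Data", "LoginID", "ContextID", "IPAddr", "LogLevel",
          "Domain", "LoggedBy", "MessageID", "ModuleName", "NameID", "HostName"]

# Meaning of the code the post ran into; any other code is left unmapped.
KNOWN_CODES = {"AUTHENTICATION-268": "Module based authentication failed"}

# Sample record, constructed from the line quoted in the post.
SAMPLE = ('"2012-05-31 22:11:30" "Login Failed|module_instance|AZ-AD" cheechong '
          '"Not Available" 192.168.5.6 INFO o=azlabs.sg '
          '"cn=dsameuser,ou=DSAME Users,o=azlabs.sg" AUTHENTICATION-268 AZ-AD '
          '"Not Available" 192.168.5.6')


def parse_line(line):
    """Split one log line into a dict; quoted fields may contain spaces."""
    if line.startswith("#") or not line.strip():
        return None  # header or blank line
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    # The Data column packs result|auth-type|instance into one field.
    result, _, rest = rec["Data"].partition("|")
    auth_type, _, instance = rest.partition("|")
    rec.update(result=result, auth_type=auth_type, instance=instance)
    rec["reason"] = KNOWN_CODES.get(rec["MessageID"], "unknown code")
    return rec


def failures_by_module(lines):
    """Count 'Login Failed' records per (module instance, MessageID)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "Login Failed":
            counts[(rec["instance"], rec["MessageID"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in failures_by_module([SAMPLE]).items():
        print(key, n, KNOWN_CODES.get(key[1], "unknown code"))
```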


OpenAM 10.0.0 new look and feel

OpenAM 10 now has a new look and feel.


It's cool!



Monday, May 21, 2012

Role of a Software Architecture

I came across the following diagram while working on a tender. Pretty illustrative of what is expected from a Software Architecture.


Tuesday, May 1, 2012

OpenAM Policy Agent 3.0.5 - weird naming service validation error

I was trying to resolve an issue with OpenAM Policy Agent for one of our customers. There seems to be a bug with PA 3.0.4 such that it could not set a cookie on the server request.

Apparently, PA 3.0.5 seems to resolve this bug. So I went ahead to download and install PA 3.0.5.

Every time I tried starting Apache, it would crash, logging the following error:


[Tue May 01 14:01:42 2012] [crit] Failed to initialize policy web agent
Configuration Failed

The amAgent debug log showed:

2012-05-01 14:01:42.168   Error 13395:152d1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation failed with error [-1]

On OpenAM Server side, there was error in Authentication debug log:


amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
LOGINFAILED Error....
amAuth:05/01/2012 02:01:42:044 PM SGT: Thread[http-apr-8080-exec-9,5,main]
Exception : 
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Unknown LDAP exception.
com.sun.identity.authentication.modules.ldap.LDAPUtilException(3):User not found.
com.sun.identity.authentication.modules.ldap.LDAPUtilException: User not found.
at com.sun.identity.authentication.modules.ldap.LDAP.processLoginScreen(LDAP.java:823)
at com.sun.identity.authentication.modules.ldap.LDAP.process(LDAP.java:554)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:998)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1168)
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)


Very strange... With the same OpenAM setup, there was no problem starting PA 3.0.4.

After much investigation, I realized it was the Authentication Module Instance that was causing the issue. In our default "ldapService" authentication chain, we had changed it to LDAP instead of the default DataStore.



When I switched back to DataStore, the PA 3.0.5 started working!



2012-05-01 14:16:44.571      -1 13913:232b1a0 all: URL [https://idp.azlabs.sg:8080/am/namingservice] validation succeeded


There must be some code change to how the PA authenticates with OpenAM in version 3.0.5.


Updated on 23rd June 2012

There was indeed a bug with PA 3.0.5 back then. I have since raised a ticket and the issue was resolved. The nightly build should have resolved this issue.
