By: Tomas Larsson user 10 Jun 2021 at 8:19 a.m. CDT

3 Responses
Hi all

We have recently made a new installation of Gluu version 4.2.3 for test purposes. We included Shibboleth and Casa 4.2 (and oxd). We have replicated all config necessary from our production environment, such as attributes, cache refresh and authentication settings. Everything works as expected so far, including MFA via SuperGluu/OTP.

Problem #1

Our goal is to use Casa and be able to set MFA on a personal basis. When we try this we run into the following trouble. When we access https://our_server/casa and try to log in, it will always fail (Fail to authenticate). However, if we first log in to Gluu's GUI (/identity) and then go to https://our_server/casa we are logged in (SSO). So, what is wrong?

/opt/opendj/logs/access:

[10/Jun/2021:12:48:56 +0000] SEARCH REQ conn=545 op=242 msgID=243 base="ou=people,o=gluu" scope=sub filter="(&(&(objectClass=gluuPerson))(samAccountName=tlh))" attrs="ALL"
[10/Jun/2021:12:48:56 +0000] SEARCH RES conn=545 op=242 msgID=243 result=0 nentries=0 unindexed etime=819

In this case it is quite obvious that this will fail. Identities in Gluu's local LDAP are based on uid, not samAccountName. How to change this?

Problem #2

Logged in to Casa through SSO. Trying to manage 2FA credentials / Super Gluu Devices / Add a Super Gluu device. Pressing the button 'Ready' presents the QR code. Then scanning the QR code gives the error message 'Failed to get Fido U2F metadata' and nothing else happens. So far we have observed that when we press the 'Ready' button we do get a strange error message in the LDAP log.

[10/Jun/2021:12:30:28 +0000] MODIFY RES conn=533 op=18 msgID=19 result=65 message="Entry inum=0000!8C4F.3CFC,ou=people,o=gluu cannot be modified because the resulting entry would have violated the server schema: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu violates the Directory Server schema configuration because it includes attribute eduPersonAffiliation which is not allowed by any of the objectclasses defined in that entry" etime=0

Why would Casa try to tamper with 'eduPersonAffiliation' at all? We have of course checked that we don't have a broken schema for eduPerson. We have also checked that we can modify 'eduPersonAffiliation' through Gluu user administration or with an LDAP browser. No problem. Also, cache refresh has imported 54 000 entries without complaining. Another reflection is that if we delete 'eduPersonAffiliation' and press the 'Ready' button we get the same error, but now it complains about another attribute, for example eduPersonEntitlement, and so on. Any ideas on this problem???

This message is also reflected in casa.log (/opt/gluu/jetty/casa/logs/casa.log):

10-06 12:30:28.911 ERROR [qtp2051853139-20] gluu.casa.core.PersistenceService PersistenceService.java:166- Failed to update entry: inum=0000!8C4F.3CFC,ou=people,o=gluu
org.gluu.persist.exception.EntryPersistenceException: Failed to update entry: inum=0000!8C4F.3CFC,ou=people,o=gluu
    at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:293) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    at org.gluu.persist.impl.BaseEntryManager.merge(BaseEntryManager.java:248) ~[oxcore-persistence-core-4.2.3.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:120) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    at org.gluu.casa.core.PersistenceService.modify(PersistenceService.java:163) ~[classes/:?]
    at org.gluu.casa.core.PersistenceService$Proxy$_$$_WeldClientProxy.modify(Unknown Source) ~[classes/:?]
    at org.gluu.casa.core.UserService.generateRandEnrollmentCode(UserService.java:251) ~[classes/:?]
    at org.gluu.casa.core.UserService$Proxy$_$$_WeldClientProxy.generateRandEnrollmentCode(Unknown Source) ~[classes/:?]
    at org.gluu.casa.ui.vm.user.SuperGluuViewModel.showQR(SuperGluuViewModel.java:88) ~[classes/:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.zkoss.bind.impl.ParamCall.call(ParamCall.java:172) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl.handleNotifyChange(BinderImpl.java:1911) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl.doExecute(BinderImpl.java:2080) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl.doCommand(BinderImpl.java:1806) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl.access$1300(BinderImpl.java:137) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl$CommandEventListener.onEvent0(BinderImpl.java:1647) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.bind.impl.BinderImpl$CommandEventListener.onEvent(BinderImpl.java:1600) ~[zkbind-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3184) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3154) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3096) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1890) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1662) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1329) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:570) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:450) ~[zk-9.5.0.2.jar:9.5.0.2]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:458) ~[zk-9.5.0.2.jar:9.5.0.2]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[servlet-api-3.1.jar:3.1.0]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[servlet-api-3.1.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1443) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) ~[jetty-security-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773) [jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905) [jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: com.unboundid.ldap.sdk.LDAPException: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu cannot be modified because the resulting entry would have violated the server schema: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu violates the Directory Server schema configuration because it includes attribute eduPersonAffiliation which is not allowed by any of the objectclasses defined in that entry
    at com.unboundid.ldap.sdk.LDAPConnection.modify(LDAPConnection.java:2898) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.AbstractConnectionPool.modify(AbstractConnectionPool.java:1324) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.modifyEntry(LdapOperationServiceImpl.java:816) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.updateEntryImpl(LdapOperationServiceImpl.java:802) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.updateEntry(LdapOperationServiceImpl.java:788) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:287) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?]
    ... 61 more
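A small diagnostic for the two OpenDJ access-log symptoms quoted above, added here as an example (it is not part of the thread, of Gluu or of Casa): it parses access-log lines, pairs each RES with its REQ by conn/op, flags a search that matched nothing because its filter was keyed on samAccountName instead of uid, and flags a MODIFY rejected with result=65 (objectClassViolation) together with the attribute the server named. The sample lines are constructed from the post (plus one healthy uid-based search for contrast); the result-code names are the standard LDAP ones.

```python
import re

# Constructed sample in the OpenDJ access-log format quoted in the thread:
# the two operations from the post plus one healthy uid-based search.
SAMPLE_LOG = """\
[10/Jun/2021:12:48:56 +0000] SEARCH REQ conn=545 op=242 msgID=243 base="ou=people,o=gluu" scope=sub filter="(&(&(objectClass=gluuPerson))(samAccountName=tlh))" attrs="ALL"
[10/Jun/2021:12:48:56 +0000] SEARCH RES conn=545 op=242 msgID=243 result=0 nentries=0 unindexed etime=819
[10/Jun/2021:12:49:01 +0000] SEARCH REQ conn=545 op=243 msgID=244 base="ou=people,o=gluu" scope=sub filter="(&(objectClass=gluuPerson)(uid=tlh))" attrs="ALL"
[10/Jun/2021:12:49:01 +0000] SEARCH RES conn=545 op=243 msgID=244 result=0 nentries=1 etime=3
[10/Jun/2021:12:30:28 +0000] MODIFY RES conn=533 op=18 msgID=19 result=65 message="Entry inum=0000!8C4F.3CFC,ou=people,o=gluu cannot be modified because the resulting entry would have violated the server schema: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu violates the Directory Server schema configuration because it includes attribute eduPersonAffiliation which is not allowed by any of the objectclasses defined in that entry" etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<optype>\w+) (?P<kind>REQ|RES) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # k=v and k="quoted v" tokens
FILTER_ATTR_RE = re.compile(r'\((\w+)=[^()]*\)')  # (attr=value) terms of a filter
NOT_ALLOWED_RE = re.compile(r'includes attribute (\w+) which is not allowed')
RESULT_NAMES = {0: 'success', 32: 'noSuchObject', 49: 'invalidCredentials',
                50: 'insufficientAccessRights', 65: 'objectClassViolation'}
USER_KEY_ATTR = 'uid'  # Gluu's local LDAP keys people entries by uid (per the post)

def parse_line(line):
    """Split one access-log line into operation type, REQ/RES and its k=v fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'optype': m.group('optype'), 'kind': m.group('kind')}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group('rest')))
    return rec

def diagnose(log_text):
    """Pair REQ/RES by (conn, op) and report empty searches and failed operations.
    Returns (category, conn, op, details) tuples in log order."""
    reqs, findings = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec.get('conn'), rec.get('op'))
        if rec['kind'] == 'REQ':
            reqs[key] = rec
            continue
        result = int(rec.get('result', '0'))
        if rec['optype'] == 'SEARCH' and result == 0 and rec.get('nentries') == '0':
            # Filter attributes other than objectClass and the key attribute (uid)
            # point at a lookup keyed on the wrong attribute, as in the post.
            attrs = FILTER_ATTR_RE.findall(reqs.get(key, {}).get('filter', ''))
            suspect = [a for a in attrs if a not in ('objectClass', USER_KEY_ATTR)]
            findings.append(('empty-search', *key, suspect))
        elif result != 0:
            # Schema violations (result=65) name the offending attribute in the message.
            m = NOT_ALLOWED_RE.search(rec.get('message', ''))
            details = [RESULT_NAMES.get(result, str(result))] + ([m.group(1)] if m else [])
            findings.append(('failed-' + rec['optype'].lower(), *key, details))
    return findings
```

Run it over the real /opt/opendj/logs/access file to see every Casa lookup keyed on the wrong attribute and every schema-rejected write, rather than grepping for single lines.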

By Mobarak Hosen Shakil staff 14 Jun 2021 at 10:23 a.m. CDT

Hi Tomas Larsson, I will try to replicate the issue. Can you please share your cache configuration?

By Tomas Larsson user 15 Jun 2021 at 8:17 a.m. CDT

Hi Mobarak

You can find 4 pictures from our cache refresh config at the provided link. Click on the picture to enlarge. I also provide you with a PDF that explains our setup.

We do learn all accounts from our central LDAP (OruCat), which by the way is also an OpenDJ server. Authentication, on the other hand, is configured with a Windows AD (OruNet) for employees and a Windows AD (EduNet) for students. Also, a small part of the accounts (Special) authenticate back to the central LDAP (OruCat). Finally, we also have 4 local accounts in Gluu's internal LDAP that all belong to the 'Gluu Manager Group'.

Please download 77-custom... if you want to see the correct output.

Regards /Tomas

By Mobarak Hosen Shakil staff 15 Jun 2021 at 9:19 a.m. CDT

Thanks, I will check them.