IBM Verify


Kerberos authentication to eai using User Mapping Rule

  • 1.  Kerberos authentication to eai using User Mapping Rule

    Posted Wed February 19, 2020 09:29 AM

    Active Directory has users with sAMAccountName = abcd, mail and other attributes.

    ISAM LDAP has users with PrincipalName = abcd@mail.com (the AD mail attribute and the PrincipalName attribute in ISAM LDAP contain the same value).

    ISAM has EAI enabled and configured, and it is working fine. I would like to achieve Kerberos authentication to my EAI application itself.

    That is: when a user logs into a Windows machine in the domain with sAMAccountName and password and then tries to access the EAI application URL, the user should be logged into the EAI application without re-authentication.

    I completed all the required configuration but am facing an issue. After debugging, I identified that, to my understanding, there is an issue in the User Mapping Rule.

    Below is the data from the ISAM trace log (pd.cas):

    2020-02-19-10:34:48.023+03:00I----- thread(3) trace.pd.cas.usermap:5 /home/webseal/20151207-1913/src/pdwebrte/authn/modules/usermapauthn/AMWXMLDocument.cpp:343:     constructed document:

    <?xml version="1.0" encoding='UTF-8'?>

    <XMLUMI>

    <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">

      <stsuuser:Principal>

        <stsuuser:Attribute name="name">

          <stsuuser:Value>abcd</stsuuser:Value>

        </stsuuser:Attribute>

      </stsuuser:Principal>

      <stsuuser:AttributeList>

        <stsuuser:Attribute name="method">

          <stsuuser:Value>GSS Authentication</stsuuser:Value>

        </stsuuser:Attribute>

        <stsuuser:Attribute name="address">

          <stsuuser:Value>10.33.21.174</stsuuser:Value>

        </stsuuser:Attribute>

        <stsuuser:Attribute name="qop">

          <stsuuser:Value>SSK: TLSV12: 2F</stsuuser:Value>

        </stsuuser:Attribute>

        <stsuuser:Attribute name="browser">

          <stsuuser:Value>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)</stsuuser:Value>

        </stsuuser:Attribute>

      </stsuuser:AttributeList>

    </stsuuser:STSUniversalUser>

    </XMLUMI>

    User Mapping Rule

    <?xml version="1.0" encoding='UTF-8'?>

    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">

        <!-- Required to constrain output of rule evaluation -->

        <xsl:output method="xml" omit-xml-declaration="yes" encoding='UTF-8' indent="no"/>

        <!-- Need this to ensure default text node printing is off -->

        <xsl:template match="text()"></xsl:template>

        <!-- Let's make it easier by matching the constant part of our XML name -->

        <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList">

                    !userreg base='DC=COM' attr='secDN' !(principalName=<xsl:value-of select="stsuuser:Attribute[@name='name']/stsuuser:Value"/>)!

        </xsl:template>

    </xsl:stylesheet>

    Note: secDN is the ISAM account attribute I would like to return once the ldapsearch finds a match.

    Following are the error messages from the logs:

    2020-02-19-10:34:48.027+03:00I----- thread(3) trace.pd.cas.usermap:3 /home/webseal/20151207-1913/src/pdwebrte/authn/modules/usermapauthn/AMWUserMapRulesEngine.cpp:173:   result:

    !userreg base='DC=COM' attr='secDN' !(principalName=)!

    2020-02-19-10:34:48.027+03:00I----- thread(3) trace.pd.cas.usermap:9 /home/webseal/20151207-1913/src/pdwebrte/authn/modules/usermapauthn/AMWUserMapRulesEngine.cpp:174: AMWUserMapRulesEngine::evaluate: exit

    2020-02-19-10:34:48.027+03:00I----- thread(3) trace.pd.cas.usermap:1 /home/webseal/20151207-1913/src/pdwebrte/authn/modules/usermapauthn/usermapauthn.cpp:440:   invalid data found in the response:

    !userreg base='DC=COM' attr='secDN' !(principalName=)!

    2020-02-19-10:34:48.027+03:00I----- thread(3) trace.pd.cas.usermap:1 /home/webseal/20151207-1913/src/pdwebrte/authn/modules/usermapauthn/usermapauthn.cpp:238:   Failed to map the identity to a DN: 320938206(0x132120de)



    ------------------------------
    UsmanAli Shaik
    ------------------------------


  • 2.  RE: Kerberos authentication to eai using User Mapping Rule

    Posted Thu February 20, 2020 01:15 AM
    Hi Folks,

    I could fix the issue with further troubleshooting. The error thrown is invalidLDAPAtt: the attribute 'name' is not available in /XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList but is present in Principal.

    I removed <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList"> and used the one below:

    <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:Principal">

    It worked.

    But one challenge is still present.

    The Kerberos token is returning abcd@domain; in the Kerberos settings on ISAM 9, I did not select the "Use Domain Qualified Name" check box. Therefore only abcd is coming to ISAM, whereas in ISAM LDAP there is no attribute that maintains this value (like the sAMAccountName attribute of AD). But I have abcd@mail.com in the ISAM LDAP attribute principalName.

    Some users are employees and some are contractors. I have different email conventions for that; one example below:

    Employee email: abcd@mail.com
    Contractor email: abcd.c@mail.com

    Any way to manage this? For example, can AD send the email attribute in the Kerberos token so that ISAM can use it while building the XML data object, so that we can retrieve it using the XSL rule?




    ------------------------------
    UsmanAli Shaik
    ------------------------------
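Added example (not IBM's code and not the poster's): a Python model of the user-mapping step discussed in both posts above. It parses the XMLUMI document that WebSEAL logged in the pd.cas trace, evaluates the same XPath selections the XSL rule uses, first with the AttributeList context from post 1 and then with the Principal context from post 2, and builds the `!userreg ...!` directive in the shape the trace shows. The rejection of an empty assertion value is only a model of the "invalid data found in the response" check, not WebSEAL's real parser; the expansion of the bare name into the employee (abcd@mail.com) and contractor (abcd.c@mail.com) conventions from post 2, OR-ed into a single filter, and the RFC 4515 escaping of the value before it is spliced into the filter are this example's own additions. The base 'DC=COM', the attribute 'secDN' and the mail.com domain are taken from the posts; the sample document is constructed from the trace.

```python
# Added example (not IBM's code): an offline model of the WebSEAL user-mapping
# step from this thread. It applies the XSL rule's XPath selections to the XMLUMI
# document from the trace and builds the "!userreg ...!" directive. The validation
# and the e-mail-convention expansion are this example's assumptions, not
# WebSEAL behaviour taken from the page.
import re
import xml.etree.ElementTree as ET

NS = {"stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser"}

# Constructed input: the XMLUMI document from the poster's pd.cas trace, trimmed.
XMLUMI_DOC = """<XMLUMI>
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name"><stsuuser:Value>abcd</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="method"><stsuuser:Value>GSS Authentication</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="address"><stsuuser:Value>10.33.21.174</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>
</XMLUMI>"""

# The two template contexts from the thread, relative to the XMLUMI root element.
BROKEN_CONTEXT = "stsuuser:STSUniversalUser/stsuuser:AttributeList"  # post 1: 'name' is not here
FIXED_CONTEXT = "stsuuser:STSUniversalUser/stsuuser:Principal"       # post 2: 'name' lives here


def extract_name(xmlumi, context_path):
    """Mimic <xsl:value-of select="stsuuser:Attribute[@name='name']/stsuuser:Value"/>
    evaluated inside a template that matched context_path. As in XSLT, a selection
    that matches nothing yields '' rather than an error, which is how the trace
    ended up with 'principalName=' and no value."""
    ctx = ET.fromstring(xmlumi).find(context_path, NS)
    if ctx is None:
        return ""
    val = ctx.find("stsuuser:Attribute[@name='name']/stsuuser:Value", NS)
    return (val.text or "").strip() if val is not None else ""


def ldap_filter_escape(value):
    """RFC 4515 escaping for an assertion value. The XSL rule splices the principal
    straight into the filter; escaping it is a defensive habit, not a fix the thread asked for."""
    return "".join("\\%02x" % ord(ch) if ch in ("\\", "*", "(", ")", "\x00") else ch
                   for ch in value)


def candidate_principals(sam_account_name, mail_domain="mail.com"):
    """Assumed expansion of the bare sAMAccountName from the GSS token into the two
    e-mail conventions the poster describes (employee abcd@mail.com, contractor abcd.c@mail.com)."""
    return [f"{sam_account_name}@{mail_domain}", f"{sam_account_name}.c@{mail_domain}"]


def build_userreg(principal_values, base="DC=COM", attr="secDN"):
    """Emit the directive in the shape the poster's rule produces. With several
    candidates the equality tests are OR-ed so one search covers both conventions."""
    clauses = [f"(principalName={ldap_filter_escape(v)})" for v in principal_values]
    ldap_filter = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"!userreg base='{base}' attr='{attr}' !{ldap_filter}!"


USERREG_RE = re.compile(r"^!userreg base='(?P<base>[^']+)' attr='(?P<attr>[^']+)' !(?P<filter>.+)!$")


def validate_userreg(directive):
    """Model (an assumption, not WebSEAL's parser) of the check behind 'invalid data
    found in the response': a filter with an empty assertion value is rejected."""
    m = USERREG_RE.match(directive)
    if not m:
        return False, "not a userreg directive"
    if "=)" in m.group("filter"):
        return False, "invalid data found in the response: empty assertion value"
    return True, m.group("filter")


def map_identity(xmlumi, context_path, expand_conventions=False):
    """Run the whole step: select the name, build the directive, validate it.
    Returns (ok, directive, detail)."""
    name = extract_name(xmlumi, context_path)
    values = candidate_principals(name) if (expand_conventions and name) else [name]
    directive = build_userreg(values)
    ok, detail = validate_userreg(directive)
    return ok, directive, detail


if __name__ == "__main__":
    for label, ctx, expand in (("post 1 rule", BROKEN_CONTEXT, False),
                               ("post 2 fix", FIXED_CONTEXT, False),
                               ("post 2 fix + both conventions", FIXED_CONTEXT, True)):
        ok, directive, detail = map_identity(XMLUMI_DOC, ctx, expand)
        print(f"{label}: {'OK' if ok else 'REJECTED'} {directive} ({detail})")
```

Run it directly to see the three outcomes; the rejected first case reproduces the `!(principalName=)!` line from the trace exactly. The GSS token carries only the Kerberos principal (abcd, or abcd@DOMAIN when the domain-qualified option is on), so any mapping to the mail-style principalName has to happen on the ISAM side; the OR filter moves that into the one LDAP search the rule already performs, with the usual caveat for identity mapping that the search must yield exactly one entry.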