Creating a Technical User for Reconfiguring Migrated Configuration
An upgraded (migrated) configuration can run into the limitation that the new LDAPLoginModule needs a technical user to resolve incomplete user DNs. A missing technical user shows up as the following error messages in SIN.log:
Sample A:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
Sample B:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772]
Both messages indicate an authentication failure while attempting to log in the user.
Important: To create a SIN log, the following property lines need to be applied only to the first login module in the CentraSite login context: useLog="true" logFile="path-to-log-folder/SIN.log" logLevel="DEBUG"
To configure a technical user, you must manually update the jaas.config file in the following way:
1. Set the useaf property to false. The default value is true.
       useaf="false"
2. Remove the dnprefix and dnsuffix properties.
       dnprefix="cn="
       dnsuffix=",ou=user,OU=Germany,DC=eur,DC=ad,DC=sag"
3. Specify the full user DN of the technical user in the prin property.
       prin="CN=tech-user,OU=Generic,OU=Germany,DC=eur,DC=ad,DC=sag"
4. Specify the password of the technical user in the cred property.
       cred="password"
After making the above changes, the JAAS configuration looks like the following:
CentraSite {
    com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
        domain="INTERNAL"
        alias="INTERNAL"
        applyDomain="true"
        create_group_principal="false"
        internalRepository="C:/SoftwareAG/common/conf/users.txt";
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
        domain="EUR"
        url="ldap://ldap-server:389"
        createGroupProperties="true"
        creategroups="true"
        noPrinIsAnonymous="false"
        prin="CN=tech-user,ou=user,OU=Germany,DC=EUR,DC=example,DC=com"
        cred="password"
        usecaching="false"
        alias="EUR"
        personobjclass="inetOrgPerson"
        useaf="false"
        grouprootdn="DC=EUR,DC=example,DC=com"
        userrootdn="DC=EUR,DC=example,DC=com"
        memberinfoingroups="false"
        applyDomain="true"
        createUserProperties="true"
        groupobjclass="group"
        uidprop="sAMAccountName";
};
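The following Python script is an added example, not part of the CentraSite documentation or product: it parses a jaas.config login context, checks an LDAPLoginModule entry against the four reconfiguration steps above (useaf, dnprefix/dnsuffix, prin, cred), checks that the SIN log properties from the Important note sit only on the first module, and picks the Active Directory sub-code out of error-code-49 lines like Sample A and Sample B. The BEFORE text is a constructed pre-upgrade entry, AFTER is a trimmed copy of the configuration shown above, the SIN_LOG lines are constructed from the two samples, and the sub-code meanings (525 user not found, 52e invalid credentials, and so on) are general Active Directory bind-error knowledge rather than something the page states.

```python
import re

# Constructed sample (not from the page): a pre-upgrade LDAPLoginModule entry
# that still completes the user DN with dnprefix/dnsuffix and has no technical user.
BEFORE = '''CentraSite {
  com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
    domain="EUR"
    url="ldap://ldap-server:389"
    useaf="true"
    dnprefix="cn="
    dnsuffix=",ou=user,OU=Germany,DC=eur,DC=ad,DC=sag"
    uidprop="sAMAccountName";
};
'''

# Trimmed copy of the reconfigured login context shown on the page.
AFTER = '''CentraSite {
  com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
    domain="INTERNAL"
    alias="INTERNAL"
    applyDomain="true"
    create_group_principal="false"
    internalRepository="C:/SoftwareAG/common/conf/users.txt";
  com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
    domain="EUR"
    url="ldap://ldap-server:389"
    noPrinIsAnonymous="false"
    prin="CN=tech-user,ou=user,OU=Germany,DC=EUR,DC=example,DC=com"
    cred="password"
    useaf="false"
    grouprootdn="DC=EUR,DC=example,DC=com"
    userrootdn="DC=EUR,DC=example,DC=com"
    uidprop="sAMAccountName";
};
'''

# One login-module entry: class name, JAAS control flag, key="value" pairs, ';'.
ENTRY_RE = re.compile(
    r'([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);', re.S)
PROP_RE = re.compile(r'(\w+)="([^"]*)"')
# A full DN has at least two RDNs; a bare user name or uid does not qualify.
FULL_DN_RE = re.compile(r'\w+=[^,]+(,\w+=[^,]+)+')
LOG_PROPS = ('useLog', 'logFile', 'logLevel')


def parse_jaas(text):
    """Return [(module_class, control_flag, {prop: value}), ...] in file order."""
    return [(m.group(1), m.group(2), dict(PROP_RE.findall(m.group(3))))
            for m in ENTRY_RE.finditer(text)]


def check_technical_user(props):
    """Findings for an LDAPLoginModule entry against the four steps above."""
    findings = []
    if props.get('useaf', 'true').lower() != 'false':  # default is "true"
        findings.append('useaf must be set to "false"')
    for key in ('dnprefix', 'dnsuffix'):
        if key in props:
            findings.append(f'{key} must be removed')
    if not FULL_DN_RE.fullmatch(props.get('prin', '')):
        findings.append('prin must hold the full DN of the technical user')
    if not props.get('cred'):
        findings.append('cred must hold the technical user password')
    return findings


def misplaced_log_properties(modules):
    """Classes of modules after the first one that carry SIN log properties."""
    return [cls for cls, _flag, props in modules[1:]
            if any(k in props for k in LOG_PROPS)]


# Constructed SIN.log lines echoing Sample A and Sample B.
SIN_LOG = [
    '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: '
    'AcceptSecurityContext error, data 52e, v1db1]',
    '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: '
    'AcceptSecurityContext error, data 525, v1772]',
]
# Active Directory sub-codes that accompany LDAP error 49 (general AD knowledge).
AD_DATA_CODES = {'525': 'user not found', '52e': 'invalid credentials',
                 '532': 'password expired', '533': 'account disabled',
                 '775': 'account locked out'}
BIND_ERR_RE = re.compile(r'error code 49 .*?data ([0-9a-f]{3})')


def bind_failures(lines):
    """(sub-code, meaning) for each error-49 line; unknown sub-codes map to None."""
    out = []
    for line in lines:
        m = BIND_ERR_RE.search(line)
        if m:
            out.append((m.group(1), AD_DATA_CODES.get(m.group(1))))
    return out


if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        for cls, flag, props in parse_jaas(text):
            if cls.endswith('LDAPLoginModule'):
                print(label, flag, check_technical_user(props) or 'OK')
    print(bind_failures(SIN_LOG))
```

Running the script reports five findings for the BEFORE entry and none for the AFTER entry, and resolves Sample A to 52e (invalid credentials) and Sample B to 525 (user not found), which is why the page can describe both as a login failure of the bind user. Note that cred sits in clear text in jaas.config, so the file's read permissions matter as much as the value itself.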