17 Jun, 2014

1 commit

  • Disabling MANAGED_USER auth module for several samples, in favor of PASSTHROUGH to system/ldap/account
    
    Just toggled a boolean config value; no review necessary. Rationale for change:
    
    Previously, we attempted to authenticate using MANAGED_USER first, followed by a few others and then 
    finally PASSTHROUGH. The reason it was first created this way was so that if there was a fully-
    populated managed/user entry, it would not need to query the remote system. This works fine if you 
    are syncing passwords between managed/user and the remote backend, but as mentioned in OPENIDM-1953, 
    that isn't always the case. To compound this problem, there is also the new function around role 
    calculation; this is per-auth module, and so if you want to calculate roles for a given user you would 
    need to do it for both MANAGED_USER and PASSTHROUGH, if they were both enabled. This redundancy is 
    annoying and a likely source of confusion. So, this change is to just disable the MANAGED_USER auth 
    module, and always use the PASSTHROUGH config.
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3404 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    jake.feasel
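The ordering problem the commit message describes, as an added illustration (Python written for this page, not OpenIDM's Java auth modules): an ordered chain of auth modules where the first module that accepts the credential wins and attaches the roles that it alone computed. The stores, user, password values and role rules are constructed for the example; they show what "passwords not in sync" and "role calculation per module" look like to the chain, and how disabling MANAGED_USER leaves PASSTHROUGH as the single place that decides both.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AuthResult:
    authenticated: bool
    authentication_id: str = ""
    module: str = ""                       # which module in the chain accepted the credential
    roles: List[str] = field(default_factory=list)


@dataclass
class AuthModule:
    name: str
    enabled: bool
    verify: Callable[[str, str], bool]     # credential check against this module's own store
    roles_for: Callable[[str], List[str]]  # this module's own role calculation


def authenticate(chain: List[AuthModule], user: str, password: str) -> AuthResult:
    """Walk the enabled modules in configured order. The first success wins,
    and the roles on the resulting session are whatever THAT module computed."""
    for m in chain:
        if not m.enabled:
            continue
        if m.verify(user, password):
            return AuthResult(True, user, m.name, m.roles_for(user))
    return AuthResult(False)


# Constructed sample stores (hypothetical data). The two password values are
# deliberately different: managed/user and the LDAP backend are not in sync.
MANAGED_USERS: Dict[str, dict] = {
    "bjensen": {"password": "old-pass", "roles": ["openidm-authorized"]},
}
LDAP_ACCOUNTS: Dict[str, dict] = {
    "bjensen": {"userPassword": "new-pass",
                "ldapGroups": ["cn=admins,ou=groups,dc=example,dc=com"]},
}


def managed_verify(user: str, password: str) -> bool:
    return MANAGED_USERS.get(user, {}).get("password") == password


def ldap_verify(user: str, password: str) -> bool:
    return LDAP_ACCOUNTS.get(user, {}).get("userPassword") == password


def managed_roles(user: str) -> List[str]:
    return list(MANAGED_USERS[user]["roles"])


def ldap_roles(user: str) -> List[str]:
    # A group-to-role rule that lives only in this module. MANAGED_USER above
    # knows nothing about it, which is the per-module duplication the commit describes.
    roles = ["openidm-authorized"]
    if any(g.startswith("cn=admins,") for g in LDAP_ACCOUNTS[user]["ldapGroups"]):
        roles.append("openidm-admin")
    return roles


def build_chain(managed_user_enabled: bool) -> List[AuthModule]:
    """MANAGED_USER first, PASSTHROUGH last, as in the samples before this change;
    passing False models the change (only PASSTHROUGH consulted)."""
    return [
        AuthModule("MANAGED_USER", managed_user_enabled, managed_verify, managed_roles),
        AuthModule("PASSTHROUGH", True, ldap_verify, ldap_roles),
    ]
```

With both modules enabled the same account gets different roles depending on which credential it presents, because each module computes roles on its own; with MANAGED_USER disabled only the backend password is accepted and only PASSTHROUGH's role rule applies.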
     

02 Jun, 2014

1 commit


30 May, 2014

1 commit

  • Support reauth for any auth module configured in authentication.json.
     * AuthenticationService now handles requests on /authentication, replacing
       AuthFilter which was not a filter, and did not fully handle reauth.
     * Authenticators are used from both JASPI auth modules and AuthenticationService
       to provide the authentication--either with Http headers in the case of the 
       auth modules, or from the authcid in the HttpContext and the reauth header 
       in the case of reauthentication.
     * AuthenticationService now satisfies the AuthenticationConfig service for 
       the purposes of OSGiAuthFilterBuilder's access to the config to build the 
       JASPI CAF.
     * The duplicative managed/user config at the top of the sample authentication.json 
       files are now removed, thus satisfying OPENIDM-1781.
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3282 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
     

27 May, 2014

1 commit

  • Additional decoupling of auth module role calculation and security context 
    population from auth module validation code.  Notably:
    
     * factor out basic auth code to allow PassthroughModule to support both basic auth and X-OpenIDM- header auth.
     * remove IWAPassthroughModule in favor of using auth module configuration to control order of execution
     * separate client cert auth into its own module, supporting a list of "allowedAuthenticationIdPatterns" 
       to compare against the subject DN
     * remove static dependency on OSGIAuthnFilterBuilder for injection of OSGi artifacts - improves testability
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3261 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
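Comparing a client certificate's subject DN against a list of allowed patterns, as an added example (Python written for this page, not the project's client cert module; the pattern syntax, DN string form and the names below are assumptions). The point a reviewer would want checked in any such module is shown directly: patterns must be fully anchored, since an unanchored match accepts any DN that merely contains the allowed text, and RDNs must be split on unescaped commas only.

```python
import re
from typing import List


def compile_patterns(patterns: List[str]) -> List[re.Pattern]:
    """Compile every allowed pattern fully anchored. Without anchors a pattern
    like 'CN=openidm-client,O=Example' also accepts 'CN=openidm-client,O=Example,O=Attacker'."""
    return [re.compile(r"\A(?:" + p + r")\Z") for p in patterns]


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators so 'CN=a, O=b' and 'CN=a,O=b'
    compare equal. Only an unescaped comma separates RDNs (RFC 4514); a comma
    escaped as '\\,' inside an attribute value is part of the value."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip() for r in rdns)


def is_allowed(subject_dn: str, compiled: List[re.Pattern]) -> bool:
    """True if the normalised subject DN fully matches any allowed pattern."""
    dn = normalize_dn(subject_dn)
    return any(p.match(dn) for p in compiled)


def is_allowed_unanchored(subject_dn: str, patterns: List[str]) -> bool:
    """The weak variant, kept only for contrast: a search with no anchors
    accepts a DN that contains the pattern anywhere."""
    dn = normalize_dn(subject_dn)
    return any(re.search(p, dn) for p in patterns)


# Constructed allow-list for the example (hypothetical names and OUs).
ALLOWED = [
    r"CN=openidm-client,OU=Services,O=Example",
    r"CN=[a-z0-9-]+\.svc\.example\.com,OU=Services,O=Example",
    r"CN=Doe\\, John,OU=Services,O=Example",   # value containing an escaped comma
]
COMPILED = compile_patterns(ALLOWED)
```

The second pattern shows the generalisation the commit's "list of patterns" allows: one entry can admit a whole naming scheme of service certificates, which is exactly why the character class must be tight and the pattern anchored at both ends.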
     

14 May, 2014

1 commit

  • Provide additional detail on sync failures from managed object CRUD operations.
    Provide example compensation script to compensate for sync failures.
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3207 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
     

12 May, 2014

1 commit


23 Apr, 2014

1 commit


18 Apr, 2014

1 commit


03 Apr, 2014

1 commit


26 Mar, 2014

1 commit

  • Update the other auth module's 'userId' to 'authenticationId' for consistency.
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3022 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
     

19 Mar, 2014

2 commits


17 Mar, 2014

2 commits


30 Jan, 2014

1 commit


14 Nov, 2013

1 commit

  • RFC 4519 stipulates that a groupOfUniqueNames object must have at least one uniqueMember. 
    Our sample provides an LDIF file that breaks this requirement. 
    OpenDJ is more relaxed with respect to this specification, so DJ loads the Example.ldif without complaint, but the reporter of this issue notes that other Directory Servers won't load this LDIF file. 
    The solution is to create a dummy user in the Example.ldif file, and add it as a uniqueMember of the second group. 
    Unfortunately this addition necessitated a slight adjustment to the description of the sample (as readers might wonder why there is this second user that is not used in the sample).
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@2632 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    Lana
     

02 Oct, 2013

1 commit


23 Jul, 2013

1 commit

  • Fix regression if syncFailureHandler is not defined in config; liveSync failures
      will result in infinite retries as before
    Fix bug where handler exception is never logged by provisioner.
    Use singleton pattern for handlers without state.
    Update all samples to have sane defaults of 5 retries and logged-ignore handler.
    Update README.
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@2321 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
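The retry and handler behaviour this commit describes, as an added example (Python written for this page, not OpenIDM's provisioner code; the event shape, the handler interface and all names are hypothetical). It shows the failure mode the commit fixes: with no handler configured, a persistently failing event must still be bounded by the retry count instead of being retried forever, a handler that itself throws must be logged rather than swallowed, and a stateless handler can be shared as a single instance.

```python
import logging
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("livesync-example")


class LoggedIgnoreHandler:
    """Log the dropped event and let the sync cursor advance. It keeps no
    per-event state beyond the record kept for this example, so one instance
    can be shared by every caller."""

    def __init__(self) -> None:
        self.ignored: List[str] = []

    def handle(self, event: dict, exc: Exception) -> None:
        log.warning("giving up on %s: %s", event["id"], exc)
        self.ignored.append(event["id"])


DEFAULT_HANDLER = LoggedIgnoreHandler()   # shared instance used when none is configured


def process_event(event: dict,
                  sync_fn: Callable[[dict], None],
                  max_retries: int = 5,
                  handler=None) -> Tuple[bool, int]:
    """Try sync_fn on the event at most 1 + max_retries times.
    Returns (succeeded, attempts). When no handler is configured the default
    logged-ignore handler is used, so the loop is always bounded."""
    if handler is None:
        handler = DEFAULT_HANDLER
    attempts = 0
    while True:
        attempts += 1
        try:
            sync_fn(event)
            return True, attempts
        except Exception as exc:   # the backend error for this attempt
            log.error("sync of %s failed (attempt %d): %s", event["id"], attempts, exc)
            if attempts <= max_retries:
                continue
            # Retries exhausted: hand off. A handler that throws must not be
            # silent, so its exception is logged explicitly before moving on.
            try:
                handler.handle(event, exc)
            except Exception as herr:
                log.error("failure handler raised for %s: %s", event["id"], herr)
            return False, attempts


def drain(events: List[dict], sync_fn: Callable[[dict], None],
          max_retries: int = 5, handler=None) -> List[Tuple[str, bool, int]]:
    """Process a batch in order; an event that is given up on does not block
    the events after it."""
    return [(e["id"],) + process_event(e, sync_fn, max_retries, handler) for e in events]
```

Counting "5 retries" as five re-attempts after the first try gives six attempts in total before the handler is invoked; if a deployment counts retries differently the bound changes but the shape of the loop does not.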
     

10 Jul, 2013

1 commit


27 Jun, 2013

1 commit


17 May, 2013

1 commit


02 May, 2013

1 commit


01 May, 2013

1 commit


30 Apr, 2013

1 commit


26 Apr, 2013

1 commit


04 Apr, 2013

1 commit


21 Mar, 2013

1 commit


17 Dec, 2012

1 commit


07 Dec, 2012

1 commit


01 Dec, 2012

1 commit


30 Nov, 2012

1 commit


28 Nov, 2012

1 commit


27 Nov, 2012

1 commit


21 Nov, 2012

1 commit


05 Nov, 2012

1 commit

  • Assign directories to different locations:
    bin => install-location
    bundle => install-location
    conf => project-location
    connectors => install-location
    db => work-location
    logs => work-location
    script => project-location
    security => install-location
    workflow => install-location
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@1426 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    Laszlo