
CPIP and sync password

Submitted by admin on Fri, 06/03/2005 - 08:31

I performed a new III.3 install earlier this week and am attempting to get everything set up to put into production.  EAS was a breeze, however the CPIP stuff was a bit of a problem.  Why?  Because I had the wrong document.

The Install.pdf doc that comes with the III.3 release has a section on setting up CPIP for Outlook Web Access and the Sun One email client as well.  I pulled up an old CPIP setup document I had and followed both in case there were changes for III.3.  DON'T DO THIS <G>  After going back and forth with support (very helpful btw) it ended up being the "servlet.cpipconnector.classpath" setting in the $CP_ROOT/products/ws/https-cpipconnector/config/servlets.properties file.  The one in the Install.pdf is incorrect.

In the last of the emails from support he (Jared, again very helpful ... and patient) mentioned the Version E, May 31, 2005 Edition of the Admin Guide. Yea, that was just a few days ago (today's June 3rd). So before you do anything, make sure you have the latest documents (Answer ID 1186). The only thing I don't like about this is that I had no idea this document was updated. It's in the Luminis docs.zip file. The latest one expands differently: the Admin, Install and Index.pdf files all expand to the root, so if you had already downloaded a previous version of this .zip file, the admin guide in the LP33Docs directory will still be the old one. One enhancement I'd like to see on the support site would be a better presentation of downloads, but I'll recommend that later :)

Also don't use the CPIP.pdf that comes with the Luminis SDK, 'cause there's nothing in there on setting it up from scratch, just development API information.

So now that I have the correct Admin guide, and my personal tech at support, I was able to get CPIP working just fine.

I also learned the mysteries of the cptool sync password command.  This had continued to elude me for some time until I stumbled upon the correct sequence of events to actually make this work.  I don't know if I was just thinking it out too much, or had higher expectations for this command but this is what you have to do to get it working.

Create your cpip connector .properties and .xml files. 

We'll use as an example the one I was working on, named 'mcbb6' / Blackboard version 6 connector.

Create a link in a channel to access it - something like this:

http://www.yourportal.edu/cp/ip/login?sys=mcbb6&url=http%3A%2F%2Fblackboard%2Edomain%2Eedu%2Fwebapps%2Fmcsquare%2Fframeset%2Ejsp

Run this from the command line -

cptool sync password -add cpip mcbb6

This adds a cpip filter as explained on page 264 of the Admin.pdf.

Here's where I was screwing up, or hoping it was more than it is (I'll explain my hopes and dreams in a minute).  To get it to work correctly, you still need to run this for each user that needs access to this system -

cptool set user jwheat ExternalAccount='mcbb6|jwheat|'

Now, you'll notice that on the end of that is a pipe and a tick (single quote).  The full / correct usage is

ExternalAccount='<ESCODE>|<USERNAME>|<PASSWORD>'

Without the sync password command above, if you leave out the password, the user is prompted for it the first time they connect to that system.  Since the sync password filter is set up, on any call to the system mcbb6 Luminis fetches the Luminis password and passes that to the system.  Nice.

Now the only caveat is that the external system must be able to use the Luminis id/pw for authentication.  Here we have all the apps we can using one central LDAP for authentication, and if an app can't, we've written scripts to sync passwords to these systems, so this solution works great.

<Jon's Hopes and Dreams / Delusions>
Here's the part where I assumed I knew what was happening and it gets quite messy because I was wrong.  I had run the sync password command and then, thinking it would give everyone access to the external system, I went forth and tried to log in.  Well, that doesn't work too well, and actually (whether it's a bug or not) screws up your cpip info in your account.

I created the mcbb6 connector
I ran the cptool sync password -add cpip mcbb6 command
THEN I logged into the portal and tried to access the blackboard system.  It prompted me for my password.  It didn't tell me I didn't have access (because I don't yet, I never added it to my ExternalAccounts).  Just asked me for my password.  I entered it and it bounced back, asking me for my password again.

Here's the part that may be a bug.  I do a cptool get user jwheat -a before I log into the portal and test the link and my ExternalAccount entry is empty.  Then I log in and click the link and get the password box.  I do another cptool get user jwheat -a  and this is what is listed -

ExternalAccount:           { mcbb6 : CINmVA8QavUvdJqqRv+kZQ== }

What is supposed to be the userid is encrypted / hashed / obfuscated, whatever you want to call it.  Basically garbage, so Luminis was passing that garble to the mcbb6 system and that's why it wanted my password, or the password to the "CINmVA8QavUvdJqqRv+kZQ==" account.

So whether it's a bug or not I'm not sure, but I could see a potential problem with this happening if I just added a cpip connector, ran the sync command and hadn't gotten to the script that adds the ExternalAccount setting to the user yet.  Granted it will reset when you run the cptool set user ExternalAccount='mcbb6|jwheat|' command, but I think you should get an 'access denied' message or something.

So don't forget the ExternalAccount command.

Anyway, unless someone knows a quick way to add a cpip connector to the entire population of users, or everyone in a selected role, you'll have to script the ExternalAccount stuff with sync password.

 -Jon
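As an added example (not code from the original post, and not part of Luminis or cptool), here is a small Python audit script for the two problems described above: spotting users whose ExternalAccount entry for a connector holds an opaque blob where a username should be, and generating the per-user `cptool set user ... ExternalAccount='<ESCODE>|<USERNAME>|'` commands for a whole population. The only thing taken from the post is the single `ExternalAccount: { mcbb6 : ... }` line; the assumption that `cptool get user <uid> -a` prints one attribute per line in that layout, the constructed sample dumps for three users, and the rule that the external username should equal the Luminis uid are all mine.

```python
"""Audit Luminis ExternalAccount entries for one CPIP connector.

Added example; not Luminis/cptool code.  It parses the text that
`cptool get user <uid> -a` prints, flags entries whose "username" slot holds
an opaque blob instead of a uid (the symptom described in the post), and
emits the corrective `cptool set user <uid> ExternalAccount='<ESCODE>|<uid>|'`
command for users that are missing the entry or have the garbled one.

Assumptions (only the single sample line is from the original post):
  - every attribute is printed one per line as 'Name:   value'
  - the entry looks like 'ExternalAccount:   { <escode> : <value> }'
  - the external-system username should equal the Luminis uid
"""
import re
import shlex

ESCODE = "mcbb6"  # external system code used in the post

# Constructed sample output for three users; not captured from a real system.
SAMPLE_OUTPUT = {
    "jwheat": (
        "uid:                       jwheat\n"
        "ExternalAccount:           { mcbb6 : CINmVA8QavUvdJqqRv+kZQ== }\n"
    ),
    "jonessm": (
        "uid:                       jonessm\n"
        "ExternalAccount:           { mcbb6 : jonessm }\n"
    ),
    "newuser": "uid:                       newuser\n",
}

# Assumed layout of the ExternalAccount line (one line per external system).
EXT_RE = re.compile(
    r"^ExternalAccount:\s*\{\s*(?P<es>[^:\s]+)\s*:\s*(?P<val>[^}\s]*)\s*\}", re.M
)
# What a real account name looks like; base64 blobs contain '+', '/' or '='.
UID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_external_accounts(text):
    """Return {escode: username} from one user's `cptool get user -a` dump."""
    return {m.group("es"): m.group("val") for m in EXT_RE.finditer(text)}


def classify(uid, text):
    """ok | missing | opaque | mismatch for the ESCODE entry of this user."""
    accounts = parse_external_accounts(text)
    if ESCODE not in accounts:
        return "missing"
    value = accounts[ESCODE]
    if not UID_RE.match(value):
        return "opaque"      # the garbled-entry symptom from the post
    if value != uid:
        return "mismatch"    # may be legitimate; flag for a human, don't overwrite
    return "ok"


def fix_command(uid):
    """Build the per-user command from the post, with shell-safe quoting."""
    if not UID_RE.match(uid):
        raise ValueError(f"refusing to build a command for suspicious uid {uid!r}")
    value = f"{ESCODE}|{uid}|"  # <ESCODE>|<USERNAME>|<PASSWORD>, password left empty
    return f"cptool set user {shlex.quote(uid)} ExternalAccount={shlex.quote(value)}"


def plan_fixes(outputs):
    """Return [(uid, status, command_or_None)] for a {uid: dump} mapping."""
    plan = []
    for uid in sorted(outputs):
        status = classify(uid, outputs[uid])
        cmd = fix_command(uid) if status in ("missing", "opaque") else None
        plan.append((uid, status, cmd))
    return plan


if __name__ == "__main__":
    # Review the plan before piping these lines to a shell.
    for uid, status, cmd in plan_fixes(SAMPLE_OUTPUT):
        print(f"{uid:10} {status:9} {cmd or ''}")
```

In practice you would fill the `outputs` mapping by running `cptool get user <uid> -a` for each uid in your population (or a role's members) and capturing the text. A "mismatch" is deliberately not rewritten, because the `<USERNAME>` slot may legitimately differ from the Luminis uid; only missing and garbled entries get the reset command, and the uid is validated before it is put on a command line.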


Comments

I am certainly no CPIP guru... so please forgive me if I have misunderstood your situation... but are you looking for a way for the Luminis LDAP attribute of "pdsExternalSystemID" to automatically add a value of "username::mcbb6" for each user--ideally during their first attempt to access the "mcbb6" system?

Rather than issuing a "cptool set user <username> ExternalAccount" command for each existing user (as well as each new user that will be created from that point forward), you should be able to utilize one of these two techniques:

1. Use the "createonlogin=1" flag in the "HTTP Body Return Value" of the "Request/Response Detail" in your CPIP connector

-OR-

2. Use "configman" to set the following parameter's value to "1": "es.<externalSystemName>.createonlogin" (where "<externalSystemName>" should be replaced with the name of your external system (i.e. sis, webct, messengerexpress))

When any user attempts to access the external system, Luminis will create the appropriate "pdsExternalSystemID" entry within the Luminis LDAP.

(The information about "createonlogin" came from page 19 of "Luminis-SecuritySDK-CPIP.pdf" Document number: CP-SDK001 Early Access 12/19/02)

As far as the password associated with that external system, the following command:

cptool sync password -add cpip <system_name>
(where <system_name> is replaced by the actual name of the external system)

instructs Luminis to use the user's Luminis password as the password for the external system.  This means that Luminis does not have to keep track of or remember a password for a user who accesses that external system.  Luminis only needs to keep track of usernames for that external system.  This command only needs to be issued once for each different CPIP connector or external system that will utilize this method.

It is also my understanding that if you use the "useSISCredentials=true" in your CPIP connector implementation then the CPIP will pass the user's SIS credentials (as opposed to the Luminis portal credentials).  If your external system will happily accept those credentials then you're home free.  If not, then you'll probably have to go with the "createonlogin" route.

As an example let me describe how we have integrated the iPlanet webmail interface as a substitute for Luminis' built-in email interface.  As you know, the iPlanet email server bundled with Luminis is configured to use the Luminis LDAP as its user store.  We have configured the iPlanet webmail to utilize the "Generic CPIP Connector" to accomplish SSO.  The configuration described by the Campus Pipeline folks specifies the setting of "createonlogin=1" which seems to be working fine for us.

Here is an example of how this works on our systems:

1.  A student (let's call her Sally Mae Jones) applies for admission for the first time on our campus and is accepted.  Within a couple of minutes after a PIN has been assigned to Sally within SIS, an account for Sally (where uid="jonessm") is automatically created in Luminis via the integration we have between Luminis and SIS-Plus.

2.  Sally logs into the Luminis portal for the first time from her house.  When Sally clicks on the email icon within Luminis, the Generic CPIP Connector checks for the LDAP entry of "pdsExternalSystemID=jonessm::messengerexpress" but does not find that entry... so it creates one on the fly.

3.  Now a new browser window opens on Sally's computer showing her the iPlanet webmail client.

David,

I tried this -

created a new user (jwheat)
logged into the portal
added the CPIP channel
(console) checked the ExternalAccount for jwheat and it was empty
clicked the blackboard cpip link in the portal
it prompts me for a password over and over again
(console) look at the ExternalAccount for jwheat and it now lists -

ExternalAccount:           { mcbb6 : CINmVA8QavUvdJqqRv+kZQ== }

:( 

When I check the sync password filters I have one for mcbb6 so it should work.

I have -

mcbb6.cpipconnector.getconfig.createonlogin = 1 in my mcbb6.properties file (but I think that is for the external system if you want it to create an account on itself)

and

es.mcbb6.createlogin = 1
es.mcbb6.autosync=true

with configman

Weird, eh? Sounds like it should work.

The only way I can get it to work is by actually having the correct ExternalAccount entry (using the set user statement).

I tried this on III.2 and III.3 with the same results.

I just went in and turned autosync to false, bounced and tried the scenario again, and I get a 'You do not have access to this service'

So apparently I'm getting closer, or at least I can see the changes I'm making have an effect :)

Jon,

I suspect your problem lies within your CPIP connector and how it responds to Luminis during the authentication steps.  The value you say appears as the user's "ExternalAccount" appears to be a hash value rather than the clear-text username that is expected.

When I wrote my insanely simple CPIP connector I only used the GetConfigVersion, Identify, and Pickup URLs--I did NOT use either of the Authenticate URLs (nor did I use the Create User, Last Activity, or Deauthenticate User URLs).  But I'm looking through the CPIP connector documentation right now and it looks like maybe the value that is getting placed into the user's "ExternalAccount" attribute is that of the "sid" parameter sent by Luminis during the first exchange of the Authenticate process.  Is it possible that your CPIP connector is somehow using the value of the "sid" for the "uid" parameter?

The only other thought I have has to do with the other "configman" settings for this CPIP connector as well as those that might exist within its ".properties" file.  From what the documentation says, a few of those settings might conflict or cancel one or another out.

In short, without knowing more "intimate" details of how you have configured and chosen to implement your CPIP connector, it's gonna be a bit tough to help troubleshoot.  I was hoping it was something simple like one of those little "configman" settings, but it looks like that's not the case.

C'est la vie, oui?

We use the sendlogin parameter in the GetConfig, which allows Luminis to pass the user's login id as the login parameter. This along with the appropriate cptool sync password command should be enough. No need to set the external ID for each user / cpip combination. This is only useful if your userid/password pair is the same as Luminis, or in our case our EAS. It could also be useful if only your userids are shared and you are using the Identify OID.

David,

Is there a way you can post your CPIP setup?  We at CCSU are utilizing EAS and would like to use CPIP to connect to external apps.  (all of which use the same un/passwd as Luminis)

Thanks,

Mike

There is a little more that needs to be done to get this to work with the SunOneME. I tried your suggestion of using configman to set es.messengerexpress.createonlogin to 1, bounced the web server and cpip web server and it was still failing.

But your comments put me on the right track to find Answer 1208 on the Pipeline support site. It mentions setting the value of messengerexpress.cpipconnector.getconfig.createonlogin to 1 in your messengerexpress.properties file and also changing the value it is passing for username from _USERNAME to _CPUSERNAME. ($CP_ROOT/products/sso/config for the file location)

Thanks for the initial push and tip, David. We are now having the ExternalSystemID created on the fly, and it will make our going live soon much more bearable.