As of V8.0.1.0 of ISAM for Mobile, there is a helper class in the Javascript mapping rule for Resource Owner Password Validation against the configured LDAP server. There are a few steps required to configure it though. If you haven’t configured it, you will receive the following error on attempting an ROPC flow:
{"error":"mapping_error", "error_description":"com.tivoli.am.rba.exception.RBARuntimeException: FBTRBA318E The username password authentication mechanism configuration is invalid."}
And if your configuration isn't quite right, you'll probably get one of the following errors:
{"error":"mapping_error", "error_description":"com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException: HPDAA0333E Unable to determine the registry server type. Error message HPDAA0329E The credentials provided can not be authenticated by the registry.."}
or:
{"error":"mapping_error", "error_description":"com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E None of the configured LDAP servers of the appropriate type for the operation can be contacted."}
The Username and Password validation logic is found in the <API PolicyName>PreToken mapping rule.
Javadoc for the available JavaScript libraries is available under the File Downloads section of the appliance (under "Manage System Settings").
The isValidUsernamePassword module gets its configuration from the Authentication Services “Username Password” mechanism. In order to utilise this in the mapping rule, we need to configure it and tell it how to contact the relevant LDAP server.
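The ROPC branch of a PreToken mapping rule that calls this helper, as an added example that is not part of the original post. The class names PluginUtils and OAuthMappingExtUtils and the context-attribute URNs are assumed from the ISAM 8.0.1 sample rules, so confirm them against the Javadoc mentioned above; the decision logic is kept in a plain function so it can also be exercised outside the appliance.

```javascript
// Added example, not from the original post. Class names (PluginUtils,
// OAuthMappingExtUtils) and attribute URNs are assumed; check the Javadoc.
var BODY_PARAM = "urn:ibm:names:ITFIM:oauth:body:param";
var OAUTH_REQ = "urn:ibm:names:ITFIM:oauth:request";

// Normalise a context-attribute value (Java String or null) to a JS string.
function str(v) {
  return v === null || v === undefined ? "" : String(v);
}

// Decide what to do with the request. `attrs(name, type)` returns a context
// attribute or null; `validate(username, password)` returns true/false and
// on the appliance is PluginUtils.isValidUsernamePassword.
// Returns "skip" (not an ROPC token request), "ok" or "denied".
function ropcDecision(attrs, validate) {
  var requestType = str(attrs("request_type", OAUTH_REQ));
  var grantType = str(attrs("grant_type", BODY_PARAM));
  if (requestType !== "access_token" || grantType !== "password") {
    return "skip";
  }
  var username = str(attrs("username", BODY_PARAM));
  var password = str(attrs("password", BODY_PARAM));
  // Reject absent or empty credentials before contacting LDAP: an empty
  // password must never reach a simple bind, which some directories accept
  // as an unauthenticated bind and report as success.
  if (username === "" || password === "") {
    return "denied";
  }
  // Fail closed: anything other than a strict true is treated as a failure.
  return validate(username, password) === true ? "ok" : "denied";
}

// Appliance entry point; only runs where the mapping-rule globals exist.
if (typeof stsuu !== "undefined") {
  importClass(Packages.com.tivoli.am.rba.extensions.PluginUtils);
  importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
  var ctx = stsuu.getContextAttributes();
  var result = ropcDecision(
    function (name, type) { return ctx.getAttributeValueByNameAndType(name, type); },
    function (u, p) { return PluginUtils.isValidUsernamePassword(u, p); }
  );
  if (result === "denied") {
    // One generic message for every failure, so a client cannot tell an
    // unknown username from a wrong password.
    OAuthMappingExtUtils.throwSTSUserMessageException("User authentication failed.");
  }
}
```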
In the Authentication Mechanisms section, edit the properties for the Username Password module.
A properties page will be displayed.
Here are two sample configurations:
Onboard Appliance LDAP Server – NO SSL:
LDAP Bind DN: cn=root,secAuthority=Default
LDAP Bind Password: passw0rd
LDAP Host Name: localhost
LDAP Port: 389
Login Failures Persistent: false
Management Domain: Default
Maximum Server Connections: 16
SSL Enabled: false
SSL Trust Store: (left blank)
User Search Filter: (|(objectclass=ePerson)(objectclass=Person))
Onboard LDAP Server or External LDAP Server (including on another appliance) – with SSL:
LDAP Bind DN: cn=root,secAuthority=Default
LDAP Bind Password: passw0rd
LDAP Host Name: <LDAP Server IP/FQDN>
LDAP Port: 636
Login Failures Persistent: false
Management Domain: Default
Maximum Server Connections: 16
SSL Enabled: true
SSL Trust Store: embedded_ldap_keys
Save and deploy the changes, and your ROPC requests should now complete (assuming they have a valid username and password). Here is a sample curl request to help you along:
curl -k -d "client_id=android_client_id&grant_type=password&username=emily&password=Passw0rd" https://192.168.42.11/mga/sps/oauth/oauth20/token
The wrong password will return the error:
{"error":"mapping_error","error_description":"com.tivoli.pd.rgy.exception.InvalidCredentialsRgyException: HPDAA0329E The credentials provided can not be authenticated by the registry."}
For example: