5 Replies Latest reply on Jul 3, 2007 8:38 AM by egandt

    JBOSS Portal 2.6 and OpenLDAP (looking for an example ldap_i

    egandt

      I am trying to move from Portal 2.4 to Portal 2.6, and I cannot get OpenLDAP to authenticate the logins. While it connects to the LDAP server, it seems to be unable to locate the user admin, which exists as:
      cn=admin,ou=People,dc=example,dc=com
      Sadly, all the examples for 2.6 are for LDAPs other than OpenLDAP, so I am winging it. Also, the error messages are not helpful at this time.


      Thanks,
      ERIC

      RELATED DATA:
      I get the following message from JBOSS:
      14:17:02,817 ERROR [IdentityLoginModule] Error when validating password
      org.jboss.portal.common.transaction.NestedException: javax.security.auth.login.LoginException: org.jboss.portal.identity.IdentityException: User search failed.
      at org.jboss.portal.common.transaction.Transactions.apply(Transactions.java:253)


      OpenLDAP shows:
      connection_get(15): got connid=2
      connection_read(15): checking for input on id=2
      ber_get_next
      ber_get_next: tag 0x30 len 48 contents:
      ber_get_next
      ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
      do_bind
      ber_scanf fmt ({imt) ber:
      ber_scanf fmt (m}) ber:
      >>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
      <<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, <cn=manager,dc=fatwire,dc=com>
      do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
      do_bind: v3 bind: "cn=Manager,dc=example,dc=com" to "cn=Manager,dc=example,dc=com"
      send_ldap_result: conn=2 op=0 p=3
      send_ldap_response: msgid=1 tag=97 err=0
      ber_flush: 14 bytes to sd 15
      connection_get(15): got connid=2
      connection_read(15): checking for input on id=2
      ber_get_next
      ber_get_next: tag 0x30 len 90 contents:
      ber_get_next
      ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
      do_search
      ber_scanf fmt ({miiiib) ber:
      >>> dnPrettyNormal: <ou=People,dc=example.com>
      <<< dnPrettyNormal: <ou=People,dc=example.com>, <ou=people,dc=fatwire.com>
      ber_scanf fmt ({mm}) ber:
      ber_scanf fmt ({M}}) ber:
      => get_ctrls
      ber_scanf fmt ({m) ber:
      => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
      <= get_ctrls: n=1 rc=0 err=""
      send_ldap_result: conn=2 op=1 p=3
      send_ldap_response: msgid=2 tag=101 err=32
      ber_flush: 14 bytes to sd 15

      My ldap_identity-config.xml options section looks like:

      <option-group>
      <group-name>common</group-name>
      <option>
      <name>userCtxDN</name>
      <value>ou=People,dc=fatwire.com</value>
      </option>
      <option>
      <name>uidAttributeID</name>
      <value>cn</value>
      </option>
      <option>
      <name>passwordAttributeID</name>
      <value>userPassword</value>
      </option>
      <option>
      <name>roleCtxDN</name>
      <value>ou=Groups,dc=fatwire,dc=com</value>
      </option>
      <option>
      <name>ridAttributeId</name>
      <value>cn</value>
      </option>
      <option>
      <name>roleDisplayNameAttributeID</name>
      <value>cn</value>
      </option>
      <option>
      <name>membershipAttributeID</name>
      <value>uniqueMember</value>
      </option>
      <option>
      <name>membershipAttributeIsDN</name>
      <value>true</value>
      </option>
      </option-group>
      <option-group>
      <group-name>userCreateAttibutes</group-name>
      <option>
      <name>objectClass</name>
      <!--This objectclasses should work with Red Hat Directory-->
      <value>top</value>
      <value>person</value>
      <value>organizationalPerson</value>
      </option>
      <!--Schema requires those to have initial value-->
      <option>
      <name>cn</name>
      <value>none</value>
      </option>
      <option>
      <name>sn</name>
      <value>none</value>
      </option>
      </option-group>

      <option-group>
      <group-name>roleCreateAttibutes</group-name>
      <option>
      <name>objectClass</name>
      <value>top</value>
      <value>groupOfUniqueNames</value>
      </option>
      <!--Schema requires those to have initial value-->
      <option>
      <name>cn</name>
      <value>none</value>
      </option>
      <option>
      <name>member</name>
      <value>cn=admin,ou=People,dc=example,dc=com</value>
      </option>
      </option-group>



      Current OpenLDAP LDIF:
      dn: ou=People,dc=example,dc=com
      ou: People
      objectclass: organizationalUnit
      objectclass: top

      dn: cn=admin,ou=People,dc=example,dc=com
      userPassword: {SSHA}XXXXXXX
      objectclass: top
      objectclass: organizationalPerson
      objectclass: person
      cn: admin
      sn: admin

      dn: cn=ldapuser,ou=People, dc=example,dc=com
      userPassword: {SSHA}XXXXXX
      description: JBoss Portal ldapuser User for test LDAP integration password=username
      objectClass: top
      objectClass: organizationalPerson
      objectClass: person
      sn: ldapuser
      cn: ldapuser

      dn: ou=Groups,dc=example,dc=com
      ou: Groups
      objectclass: organizationalUnit
      objectclass: top

      dn: cn=User,ou=Groups,dc=example,dc=com
      description: the JBoss Portal user group
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: User
      uniqueMember: cn=ldapuser,ou=People,dc=example,dc=com

      dn: cn=Admin,ou=Groups,dc=example,dc=com
      description: the JBoss Portal admin group
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: Admin
      uniqueMember: cn=admin,ou=People,dc=example,dc=com
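The slapd trace in this post already contains the diagnosis: the bind as cn=Manager succeeds (tag=97 is a BindResponse, err=0), and the search whose base was normalised to ou=People,dc=example.com ends with tag=101 (SearchResultDone) err=32, which is LDAP noSuchObject. The base is wrong because dc=example.com is a single RDN with a dot in its value, where the directory has dc=example,dc=com. What follows is an added example, not code from this post, from JBoss Portal or from OpenLDAP: a small Python triage script that pairs each do_bind/do_search in a slapd debug trace with its result code and lints the DN of any failing operation for exactly this mistake. The trace it embeds is constructed from the lines in the post; the result-code and response-tag tables are assumptions limited to the codes relevant here.

```python
"""Pair each bind/search in an OpenLDAP slapd debug trace with its result code and lint failing DNs.
Added example for this thread (not JBoss or OpenLDAP code); it relies on the do_bind / do_search /
>>> dnPrettyNormal / send_ldap_response lines that slapd -d prints, as seen in the post."""
import re

# Constructed from the slapd lines in the post: a successful bind, then the failing search.
SAMPLE_TRACE = """\
do_bind
>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
<<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
send_ldap_response: msgid=1 tag=97 err=0
do_search
>>> dnPrettyNormal: <ou=People,dc=example.com>
<<< dnPrettyNormal: <ou=People,dc=example.com>, <ou=people,dc=example.com>
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
send_ldap_response: msgid=2 tag=101 err=32
"""

# LDAP result codes (RFC 4511) most often behind a "user search failed" from a login module
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights"}
# protocol op tags slapd prints in send_ldap_response (BindResponse and SearchResultDone)
RESPONSE_TAGS = {97: "bindResponse", 101: "searchResDone"}

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
DN_RE = re.compile(r">>> dnPrettyNormal: <([^>]*)>")
RESP_RE = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep an escaped pair such as '\,' intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts


def lint_dn(dn):
    """Report RDNs that are not attr=value, and dc values that still contain a dot."""
    problems = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            problems.append(f"RDN without '=': {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        if attr.strip().lower() == "dc" and "." in value:
            fixed = ",".join("dc=" + p for p in value.split("."))
            problems.append(f"{rdn!r} is one RDN; did you mean {fixed}?")
    return problems


def triage(lines):
    """Return one dict per operation: op, dn, msgid, response, err, result, dn_problems."""
    ops, current = [], None
    for line in lines:
        line = line.strip()
        if line in ("do_bind", "do_search"):
            current = {"op": line[3:], "dn": None}   # "bind" / "search"
            continue
        if current is None:
            continue
        m = BIND_RE.search(line)
        if m:
            current["dn"] = m.group(2)
            continue
        m = DN_RE.search(line)
        if m and current["dn"] is None:               # first prettified DN is the bind/base DN
            current["dn"] = m.group(1)
            continue
        m = RESP_RE.search(line)
        if m:
            tag, err = int(m.group(2)), int(m.group(3))
            current.update(msgid=int(m.group(1)), response=RESPONSE_TAGS.get(tag, f"tag {tag}"),
                           err=err, result=RESULT_CODES.get(err, f"code {err}"),
                           dn_problems=lint_dn(current["dn"] or "") if err else [])
            ops.append(current)
            current = None
    return ops


if __name__ == "__main__":
    for op in triage(SAMPLE_TRACE.splitlines()):
        print(f"{op['op']:6} {op['dn']!s:36} -> {op['response']} err={op['err']} ({op['result']})")
        for problem in op["dn_problems"]:
            print("        ", problem)
```

Run it against a real trace with `slapd -d 256` output redirected to a file and `triage(open(path).read().splitlines())`; the search that returns noSuchObject together with a `dc=` RDN containing a dot is the configuration line to fix, and an err=49 on the bind would instead point at adminDN/adminPassword.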

        • 1. Re: JBOSS Portal 2.6 and OpenLDAP (looking for an example ld
          egandt

          OpenLDAP connection from ldap_identity-config.xml:

           <options>
           <option-group>
           <group-name>common</group-name>
           <option>
           <name>userCtxDN</name>
           <value>ou=People,dc=fatwire.com</value>
           </option>
           <option>
           <name>uidAttributeID</name>
           <value>cn</value>
           </option>
           <option>
           <name>passwordAttributeID</name>
           <value>userPassword</value>
           </option>
          
           <option>
           <name>roleCtxDN</name>
           <value>ou=Groups,dc=fatwire,dc=com</value>
           </option>
           <option>
           <name>ridAttributeId</name>
           <value>cn</value>
           </option>
           <option>
           <name>roleDisplayNameAttributeID</name>
           <value>cn</value>
           </option>
           <option>
           <name>membershipAttributeID</name>
           <value>uniqueMember</value>
           </option>
           <option>
           <name>membershipAttributeIsDN</name>
           <value>true</value>
           </option>
           </option-group>
           <option-group>
           <group-name>userCreateAttibutes</group-name>
           <option>
           <name>objectClass</name>
           <!--This objectclasses should work with Red Hat Directory-->
           <value>top</value>
           <value>person</value>
           <value>organizationalPerson</value>
           </option>
           <!--Schema requires those to have initial value-->
           <option>
           <name>cn</name>
           <value>none</value>
           </option>
           <option>
           <name>sn</name>
           <value>none</value>
           </option>
           </option-group>
           <option-group>
           <group-name>roleCreateAttibutes</group-name>
           <option>
           <name>objectClass</name>
           <value>top</value>
           <value>groupOfUniqueNames</value>
           </option>
           <!--Schema requires those to have initial value-->
           <option>
           <name>cn</name>
           <value>none</value>
           </option>
           <!--Some directory servers require this attribute to be valid DN-->
           <!--For safety reasons point to the admin user here-->
           <!-- ME
           <option>
           <name>member</name>
           <value>cn=admin,ou=People,dc=fatwire,dc=com</value>
           </option>
           -->
           </option-group>
           </options>
          


          Sorry, the first post removed the XML, so here it is.

          • 2. Re: JBOSS Portal 2.6 and OpenLDAP (looking for an example ld
            bdaw

            Hi,

             Could you post a bigger part of the stack trace? Preferably with a cause containing org.jboss.portal.identity.* classes.

            • 3. Re: JBOSS Portal 2.6 and OpenLDAP (looking for an example ld
              bvogt

               Maybe it's based on the userCtxDN?

              which is:
              ...,dc=fatwire.com
              instead of:
              ...,dc=fatwire,dc=com

              • 4. Re: JBOSS Portal 2.6 and OpenLDAP (looking for an example ld
                bdaw

                 Actually... you have userCTX ...,dc=fatwire,dc=com (good point bvogt!) and you are complaining that cn=admin,ou=People,dc=example,dc=com can't be retrieved? I think that the primary issue here is that your configuration doesn't fit the LDIF you use.

                • 5. Re: JBOSS Portal 2.6 and OpenLDAP (looking for an example ld
                  egandt

                  Sorry, the fatwire was a lack of scrubbing the data. As for the other dc=fatwire.com, I fixed that to be dc=example,dc=com.

                  The typo of dc=fatwire.com was the problem; authentication is now working for OpenLDAP. I'm including the working LDIF and ldap_identity-config.xml from my install, as this may help others in the future. Before use, fix the passwords for the users ldapuser and admin as well as the login for OpenLDAP. My setup assumes that OpenLDAP is installed on the same server as JBoss Portal 2.6.


                  LDIF from OpenLDAP:

                  dn: dc=example,dc=com
                  dc: example
                  description: OpenLDAP pre_cs_setup
                  objectClass: dcObject
                  objectClass: organization
                  o: Example Software
                  
                  dn: cn=Manager, dc=example,dc=com
                  objectClass: organizationalRole
                  cn: Manager
                  
                  dn: ou=People, dc=example,dc=com
                  ou: People
                  objectClass: organizationalUnit
                  objectClass: top
                  
                  dn: ou=Groups, dc=example,dc=com
                  ou: Groups
                  objectClass: organizationalUnit
                  objectClass: top
                  
                  dn: cn=admin,ou=People, dc=example,dc=com
                  userPassword: {SSHA}XXXXXX
                  objectClass: top
                  objectClass: organizationalPerson
                  objectClass: person
                  sn: admin
                  cn: admin
                  
                  dn: cn=ldapuser,ou=People, dc=example,dc=com
                  userPassword: {SSHA}XXXXXX
                  description: JBoss Portal ldapuser User for test LDAP integration password=username
                  objectClass: top
                  objectClass: organizationalPerson
                  objectClass: person
                  sn: ldapuser
                  cn: ldapuser
                  
                  dn: cn=User,ou=Groups, dc=example,dc=com
                  description: the JBoss Portal user group
                  objectClass: top
                  objectClass: groupOfUniqueNames
                  uniqueMember: cn=ldapuser,ou=People,dc=example,dc=com
                  cn: User
                  
                  dn: cn=Admin,ou=Groups, dc=example,dc=com
                  description: the JBoss Portal admin group
                  objectClass: top
                  objectClass: groupOfUniqueNames
                  uniqueMember: cn=admin,ou=People,dc=example,dc=com
                  cn: Admin
                  



                  ldap_identity-config.xml:
                  <?xml version="1.0" encoding="UTF-8"?>
                   <!--<!DOCTYPE identity-configuration PUBLIC
                   "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN"
                   "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->
                  <identity-configuration>
                   <datasources>
                   <datasource>
                   <name>LDAP</name>
                   <config>
                   <option>
                   <name>host</name>
                   <value>127.0.0.1</value>
                   </option>
                   <option>
                   <name>port</name>
                   <value>389</value>
                   </option>
                   <option>
                   <name>adminDN</name>
                   <value>cn=Manager,dc=example,dc=com</value>
                   </option>
                   <option>
                   <name>adminPassword</name>
                   <value>XXXXXXX</value>
                   </option>
                   </config>
                   </datasource>
                   </datasources>
                   <modules>
                   <module>
                   <!--type used to correctly map in IdentityContext registry-->
                   <type>User</type>
                   <implementation>LDAP</implementation>
                   <config/>
                   </module>
                   <module>
                   <type>Role</type>
                   <implementation>LDAP</implementation>
                   <config/>
                   </module>
                   <module>
                   <type>Membership</type>
                   <implementation>LDAP</implementation>
                   <config/>
                   </module>
                   <module>
                   <type>UserProfile</type>
                   <implementation>DELEGATING</implementation>
                   <config>
                   <option>
                   <name>ldapModuleJNDIName</name>
                   <value>java:/portal/LDAPUserProfileModule</value>
                   </option>
                   </config>
                   </module>
                   <module>
                   <type>DBDelegateUserProfile</type>
                   <implementation>DB</implementation>
                   <config>
                   <option>
                   <name>randomSynchronizePassword</name>
                   <value>true</value>
                   </option>
                   </config>
                   </module>
                   <module>
                   <type>LDAPDelegateUserProfile</type>
                   <implementation>LDAP</implementation>
                   <config/>
                   </module>
                   </modules>
                  
                   <options>
                   <option-group>
                   <group-name>common</group-name>
                   <option>
                   <name>userCtxDN</name>
                   <value>ou=People,dc=example,dc=com</value>
                   </option>
                   <option>
                   <name>uidAttributeID</name>
                   <value>cn</value>
                   </option>
                   <option>
                   <name>passwordAttributeID</name>
                   <value>userPassword</value>
                   </option>
                  
                   <option>
                   <name>roleCtxDN</name>
                   <value>ou=Groups,dc=example,dc=com</value>
                   </option>
                   <option>
                   <name>ridAttributeId</name>
                   <value>cn</value>
                   </option>
                   <option>
                   <name>roleDisplayNameAttributeID</name>
                   <value>cn</value>
                   </option>
                   <option>
                   <name>membershipAttributeID</name>
                   <value>uniqueMember</value>
                   </option>
                   <option>
                   <name>membershipAttributeIsDN</name>
                   <value>true</value>
                   </option>
                   </option-group>
                   <option-group>
                   <group-name>userCreateAttibutes</group-name>
                   <option>
                   <name>objectClass</name>
                   <!--This objectclasses should work with Red Hat Directory-->
                   <value>top</value>
                   <value>person</value>
                   <value>organizationalPerson</value>
                   </option>
                   <!--Schema requires those to have initial value-->
                   <option>
                   <name>cn</name>
                   <value>none</value>
                   </option>
                   <option>
                   <name>sn</name>
                   <value>none</value>
                   </option>
                   </option-group>
                  
                   <option-group>
                   <group-name>roleCreateAttibutes</group-name>
                   <option>
                   <name>objectClass</name>
                   <value>top</value>
                   <value>groupOfUniqueNames</value>
                   </option>
                   <!--Schema requires those to have initial value-->
                   <option>
                   <name>cn</name>
                   <value>none</value>
                   </option>
                   <!--Some directory servers require this attribute to be valid DN-->
                   <!--For safety reasons point to the admin user here-->
                   <option>
                   <name>member</name>
                   <value>cn=admin,ou=People,dc=example,dc=com</value>
                   </option>
                   </option-group>
                   </options>
                  </identity-configuration>
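bdaw's diagnosis, that the configuration did not fit the LDIF, is the kind of thing worth checking mechanically before restarting the portal. The following is an added example, not code from this thread or from JBoss Portal: it reads the <options> block of ldap_identity-config.xml and a single-line LDIF export with minimal parsers (assumptions: no line-folded or base64 LDIF values, no escaped characters in DNs), confirms that userCtxDN and roleCtxDN are well-formed and actually exist, that every group's membership attribute resolves to an entry, and that the attributes listed in roleCreateAttibutes are permitted by the group objectClass (groupOfUniqueNames takes uniqueMember and groupOfNames takes member, per RFC 4519). The embedded LDIF and options are constructed from this thread with the original dc=fatwire.com typo left in so the check has something to find.

```python
"""Check that a JBoss Portal 2.6 ldap_identity-config.xml fits the LDIF it authenticates against.
Added example, not JBoss code: minimal LDIF/<options> parsers for the layouts shown in this thread."""
import xml.etree.ElementTree as ET

# Constructed from the thread: the working LDIF, and the options with the bad userCtxDN kept.
LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=admin,ou=People, dc=example,dc=com
objectClass: person
cn: admin
sn: admin

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=Admin,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Admin
uniqueMember: cn=admin,ou=People,dc=example,dc=com
"""
CONFIG = """\
<options>
 <option-group><group-name>common</group-name>
  <option><name>userCtxDN</name><value>ou=People,dc=fatwire.com</value></option>
  <option><name>uidAttributeID</name><value>cn</value></option>
  <option><name>roleCtxDN</name><value>ou=Groups,dc=example,dc=com</value></option>
  <option><name>membershipAttributeID</name><value>uniqueMember</value></option>
 </option-group>
 <option-group><group-name>roleCreateAttibutes</group-name>
  <option><name>objectClass</name><value>top</value><value>groupOfUniqueNames</value></option>
  <option><name>member</name><value>cn=admin,ou=People,dc=example,dc=com</value></option>
 </option-group>
</options>
"""
# membership attribute each group objectClass actually allows (RFC 4519)
MEMBER_ATTR = {"groupofuniquenames": "uniquemember", "groupofnames": "member"}


def norm_dn(dn):
    """Lower-case and strip blanks around commas; enough for DNs without escaped characters."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_ldif(text):
    """dn -> {attr (lower-case): [values]} for single-line 'attr: value' LDIF records."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(norm_dn(value), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def parse_options(text):
    """group-name -> {option name: [values]} from the portal's <options> block."""
    return {g.findtext("group-name"): {o.findtext("name"): [v.text for v in o.findall("value")]
                                       for o in g.findall("option")}
            for g in ET.fromstring(text).iter("option-group")}


def check(ldif_text, config_text):
    """Return findings; an empty list means the config and the directory agree."""
    entries, groups = parse_ldif(ldif_text), parse_options(config_text)
    common, findings = groups["common"], []
    for key in ("userCtxDN", "roleCtxDN"):            # the bases the portal searches under
        dn = common[key][0]
        if any("=" not in rdn for rdn in dn.split(",")):
            findings.append(f"{key}={dn!r} is not a DN: an RDN lacks '='")
        elif norm_dn(dn) not in entries:
            findings.append(f"{key}={dn!r} has no entry in the LDIF (slapd answers noSuchObject)")
    role_base, mattr = norm_dn(common["roleCtxDN"][0]), common["membershipAttributeID"][0].lower()
    for dn, e in entries.items():                      # every group member must resolve
        if dn.endswith("," + role_base):
            for m in e.get(mattr, []):
                if norm_dn(m) not in entries:
                    findings.append(f"{dn}: {mattr} {m!r} names a missing entry")
    rc = groups.get("roleCreateAttibutes", {})          # attrs the portal writes when creating a role
    for oc in rc.get("objectClass", []):
        want = MEMBER_ATTR.get(oc.lower())
        for attr in rc:
            if want and attr.lower() in MEMBER_ATTR.values() and attr.lower() != want:
                findings.append(f"roleCreateAttibutes writes {attr!r} but {oc} only allows {want}")
    return findings


def find_user(ldif_text, config_text, login):
    """The lookup the portal needs: the one entry directly under userCtxDN whose uid attribute is login."""
    entries, common = parse_ldif(ldif_text), parse_options(config_text)["common"]
    base, uid = norm_dn(common["userCtxDN"][0]), common["uidAttributeID"][0].lower()
    hits = [dn for dn, e in entries.items()
            if dn.endswith("," + base) and dn.count(",") == base.count(",") + 1
            and login in e.get(uid, [])]
    return hits[0] if len(hits) == 1 else None
```

On the constructed input, check() reports that userCtxDN has no entry, and that roleCreateAttibutes writes member into a groupOfUniqueNames, which OpenLDAP's schema checking refuses with an objectClass violation the first time the portal creates a role with those attributes; find_user() returns None for admin until the base DN is corrected. One thing the script cannot check is still worth noting from the posted config: the datasource binds as cn=Manager with the password in clear text in the XML, so restrict the file's permissions and prefer a dedicated account with only the rights the portal needs over the directory manager.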