10 Replies Latest reply on Oct 25, 2007 2:01 AM by veroland

    Portal and using openxchange ldap for users

    veroland

      Hi All

      First off, I am using

      Portal 2.6.2
      JBoss AS 4.2.1 GA

      I have changed portal to authenticate using my openldap directory. Users can authenticate no problem, but I cannot seem to pick up the admin user from the Admin role.

      I have created a Role called Admin in my ldap server.
      I am getting no errors and am stuck.

      My ldap_identity_config.xml file looks like this at the moment:

      <?xml version="1.0" encoding="UTF-8"?>
      <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       ~ JBoss, a division of Red Hat ~
       ~ Copyright 2006, Red Hat Middleware, LLC, and individual ~
       ~ contributors as indicated by the @authors tag. See the ~
       ~ copyright.txt in the distribution for a full listing of ~
       ~ individual contributors. ~
       ~ ~
       ~ This is free software; you can redistribute it and/or modify it ~
       ~ under the terms of the GNU Lesser General Public License as ~
       ~ published by the Free Software Foundation; either version 2.1 of ~
       ~ the License, or (at your option) any later version. ~
       ~ ~
       ~ This software is distributed in the hope that it will be useful, ~
       ~ but WITHOUT ANY WARRANTY; without even the implied warranty of ~
       ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ~
       ~ Lesser General Public License for more details. ~
       ~ ~
       ~ You should have received a copy of the GNU Lesser General Public ~
       ~ License along with this software; if not, write to the Free ~
       ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~
       ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. ~
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-->

      <!--<!DOCTYPE identity-configuration PUBLIC
       "-//JBoss Portal//DTD JBoss Identity Configuration 1.0//EN"
       "http://www.jboss.org/portal/dtd/identity-config_1_0.dtd">-->

      <identity-configuration>
        <datasources>
          <datasource>
            <name>LDAP</name>
            <config>
              <option>
                <name>host</name>
                <value>192.168.0.2</value>
              </option>
              <option>
                <name>port</name>
                <value>389</value>
              </option>
              <!--Bind DN used by the portal for all directory operations; keep the value on one line so no whitespace is read into the DN-->
              <option>
                <name>adminDN</name>
                <value>uid=xxxx,ou=people,dc=symbiotics,dc=co,dc=za</value>
              </option>
              <option>
                <name>adminPassword</name>
                <value>xxxx</value>
              </option>
              <!--<option>
                <name>protocol</name>
                <value>ssl</value>
              </option>-->
            </config>
          </datasource>
        </datasources>

        <modules>
          <module>
            <!--type used to correctly map in IdentityContext registry-->
            <type>User</type>
            <implementation>LDAP</implementation>
            <config />
          </module>
          <module>
            <type>Role</type>
            <implementation>LDAP</implementation>
            <config />
          </module>
          <module>
            <type>Membership</type>
            <implementation>LDAP</implementation>
            <config />
          </module>
          <module>
            <type>UserProfile</type>
            <implementation>DELEGATING</implementation>
            <config>
              <option>
                <name>ldapModuleJNDIName</name>
                <value>java:/portal/LDAPUserProfileModule</value>
              </option>
            </config>
          </module>
          <module>
            <type>DBDelegateUserProfile</type>
            <implementation>DB</implementation>
            <config>
              <option>
                <name>randomSynchronizePassword</name>
                <value>true</value>
              </option>
            </config>
          </module>
          <module>
            <type>LDAPDelegateUserProfile</type>
            <implementation>LDAP</implementation>
            <config />
          </module>
        </modules>

        <!--All option groups belong inside <options>; the create-attribute groups below were previously placed after </options>-->
        <options>
          <option-group>
            <group-name>common</group-name>
            <option>
              <name>userCtxDN</name>
              <value>ou=people,dc=symbiotics,dc=co,dc=za</value>
            </option>
            <option>
              <name>roleCtxDN</name>
              <value>ou=Roles,o=Portal,dc=symbiotics,dc=co,dc=za</value>
            </option>
          </option-group>

          <option-group>
            <group-name>userCreateAttibutes</group-name>
            <option>
              <name>objectClass</name>
              <!--This objectclasses should work with Red Hat Directory-->
              <value>top</value>
              <value>person</value>
              <value>inetOrgPerson</value>
            </option>
            <!--Schema requires those to have initial value-->
            <option>
              <name>cn</name>
              <value>none</value>
            </option>
            <option>
              <name>sn</name>
              <value>none</value>
            </option>
          </option-group>

          <option-group>
            <group-name>roleCreateAttibutes</group-name>
            <!--Schema requires those to have initial value-->
            <option>
              <name>cn</name>
              <value>none</value>
            </option>
            <!--Some directory servers require this attribute to be valid DN-->
            <!--For safety reasons point to the admin user here-->
            <option>
              <name>member</name>
              <value>uid=admin,ou=people,dc=symbiotics,dc=co,dc=za</value>
            </option>
          </option-group>
        </options>

      </identity-configuration>
      


      An extract of my ldif looks like this

      dn: ou=people, dc=symbiotics,dc=co,dc=za
      ou: people
      objectClass: top
      objectClass: organizationalUnit
      
      
      dn: uid=admin, ou=people, dc=symbiotics,dc=co,dc=za
      preferredLanguage: EN
      userCountry: US
      objectClass: top
      objectClass: shadowAccount
      objectClass: posixAccount
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: OXUserObject
      objectClass: organizationalPerson
      lnetMailAccess: OK
      imapServer: 127.0.0.1
      userPassword:: e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9
      OXAppointmentDays: 5
      smtpServer: 127.0.0.1
      uid: admin
      mail: admin@symbiotics.co.za
      uidNumber: 1008
      cn: admin
      colocRouteAddr: admin@localhost
      loginShell: /bin/false
      alias: admin@symbiotics.co.za
      gidNumber: 1100
      o: symbiotics
      mailDomain: symbiotics.co.za
      OXTaskDays: 5
      homeDirectory: /home/admin
      sn: admin
      OXTimeZone: America/New_York
      mailEnabled: OK
      
      dn: ou=addr,uid=admin, ou=people, dc=symbiotics,dc=co,dc=za
      ou: addr
      objectClass: top
      objectClass: organizationalUnit
      
      
      dn: o=Portal, dc=symbiotics,dc=co,dc=za
      objectClass: top
      objectClass: organization
      o: Portal
      
      dn: ou=Roles, o=Portal, dc=symbiotics,dc=co,dc=za
      ou: Roles
      objectClass: top
      objectClass: organizationalUnit
      
      dn: cn=Admin,ou=Roles, o=Portal, dc=symbiotics,dc=co,dc=za
      objectClass: top
      objectClass: groupOfNames
      description: Admin
      member: uid=admin,ou=people,dc=symbiotics,dc=co,dc=za
      cn: Admin
      
      


      I have no idea what is wrong. I have checked the default-object.xml and the viewrecursive still points to Admin.

      Any help will be greatly appreciated.

      Thanks
      Marius

        • 1. Re: Portal and using openxchange ldap for users
          • 2. Re: Portal and using openxchange ldap for users
            veroland

             

            "roth" wrote:
            Check out http://wiki.jboss.org/wiki/Wiki.jsp?page=GiveAdminPrivileges


            I did. The role name in my ldap server is called "Admin", so the name did not change. That is where I am getting confused.

            Thanks for the reply

            • 3. Re: Portal and using openxchange ldap for users
              saigon_man

              check out this link

              http://jboss.com/index.html?module=bb&op=viewtopic&t=120031

              hope this will answer your question

              SGM

              • 4. Re: Portal and using openxchange ldap for users
                veroland

                Hi

                I have checked the link you posted and changed my login-config.xml as per http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication

                However, I now get a NullPointer when I try to log in:

                10:21:40,514 ERROR [STDERR] java.lang.NullPointerException
                10:21:40,515 ERROR [STDERR] at javax.naming.InitialContext.getURLScheme(InitialContext.java:228)
                10:21:40,515 ERROR [STDERR] at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:277)
                10:21:40,515 ERROR [STDERR] at javax.naming.InitialContext.lookup(InitialContext.java:351)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule.getUserProfileModule(IdentityLoginModule.java:129)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule$1.run(IdentityLoginModule.java:239)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.common.transaction.Transactions.apply(Transactions.java:219)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.common.transaction.Transactions.required(Transactions.java:289)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule.getUserStatus(IdentityLoginModule.java:223)
                10:21:40,515 ERROR [STDERR] at org.jboss.portal.identity.auth.IdentityLoginModule.validatePassword(IdentityLoginModule.java:177)
                10:21:40,515 ERROR [STDERR] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
                10:21:40,515 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                10:21:40,515 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                10:21:40,515 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                10:21:40,515 ERROR [STDERR] at java.lang.reflect.Method.invoke(Method.java:585)
                10:21:40,515 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                10:21:40,515 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                10:21:40,515 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                10:21:40,515 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
                10:21:40,516 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                10:21:40,516 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                10:21:40,516 ERROR [STDERR] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
                10:21:40,516 ERROR [STDERR] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
                10:21:40,516 ERROR [STDERR] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
                10:21:40,516 ERROR [STDERR] at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
                10:21:40,516 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
                10:21:40,516 ERROR [STDERR] at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                10:21:40,516 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
                10:21:40,516 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                10:21:40,516 ERROR [STDERR] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
                10:21:40,516 ERROR [STDERR] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                10:21:40,516 ERROR [STDERR] at java.lang.Thread.run(Thread.java:595)
                


                • 5. Re: Portal and using openxchange ldap for users
                  saigon_man

                  Follow the two links for tutorials on using ldap that someone posted in that message first. In my case, I am using OpenDS as ldap server

                  SGM

                  • 6. Re: Portal and using openxchange ldap for users
                    veroland

                    Nope, no luck yet.

                    Is there somewhere I can turn up the logging so I can hopefully see a better message for the reason for failure?

                    • 7. Re: Portal and using openxchange ldap for users
                      veroland

                      To add to my post, even if I use an invalid roleCtxDN I still don't get any error messages like I do with an invalid userCtxDN.

                      • 8. Re: Portal and using openxchange ldap for users
                        veroland

                        OK

                        By modifying my login-config.xml it looks like I can get portal to search for my roles, i.e. when I specify an invalid roleCtxDN I get an error message.

                        However, it is not finding any of my roles, so I assume my roleFilter is incorrect: (member={1})

                        The exception is: org.jboss.portal.identity.IdentityException: No role found with name: User

                        I have added a role with name User to my ldap.

                        Based on my ldif file in previous post can anybody maybe tell me what my filter should look like?

                        Thanks in advance
                        Marius
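                        As an added example (not code from this thread or from JBoss Portal), the following Python check shows which entries under roleCtxDN a given roleFilter would select, run against an LDIF excerpt constructed to mirror the cn=Admin entry posted above. It assumes the {0}=username / {1}=user DN substitution that JBoss's LdapExtLoginModule documents for roleFilter, and handles only single equality filters; it also flags a wrong roleCtxDN, which the thread notes is otherwise silent.

```python
import base64
import re

# Constructed LDIF excerpt mirroring the thread's role entry (not copied verbatim); description is base64 to exercise '::'.
SAMPLE_LDIF = """\
dn: cn=Admin,ou=Roles, o=Portal, dc=symbiotics,dc=co,dc=za
objectClass: top
objectClass: groupOfNames
description:: QWRtaW4=
member: uid=admin,ou=people,dc=symbiotics,dc=co,dc=za
cn: Admin
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; '::' values are base64-decoded."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None
            continue
        attr, sep, value = re.match(r"([^:]+)(::?)\s*(.*)", line).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def normalize_dn(dn):
    """Lower-case and strip blanks around separators so 'a, b' equals 'a,b'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def search_roles(entries, role_ctx_dn, role_filter, username, user_dn):
    """Emulate a one-level search under role_ctx_dn with one equality filter;
    {0} -> username, {1} -> user DN (LdapExtLoginModule convention, assumed)."""
    flt = role_filter.replace("{0}", username).replace("{1}", user_dn)
    m = re.fullmatch(r"\((\w+)=(.+)\)", flt)
    if not m:
        raise ValueError("only simple equality filters are supported: " + flt)
    attr, wanted = m.groups()
    base, hits = normalize_dn(role_ctx_dn), []
    for dn, attrs in entries.items():
        parent = normalize_dn(dn).split(",", 1)[1:]   # [] when dn has one RDN
        if parent != [base]:
            continue                                  # not directly under roleCtxDN
        values = attrs.get(attr, [])
        if attr == "member":                          # DN-valued: compare as DNs
            found = normalize_dn(wanted) in {normalize_dn(v) for v in values}
        else:
            found = wanted.lower() in {v.lower() for v in values}
        if found:
            hits.append(attrs["cn"][0])
    return hits
```

With the posted directory contents, (member={1}) for uid=admin returns the Admin role, while a lookup for a role named User returns nothing until a cn=User entry exists under roleCtxDN.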

                        • 9. Re: Portal and using openxchange ldap for users
                          saigon_man

                          Which ldap server are you using? Make sure you are using a supported ldap server as specified in the documentation. I assume you are using JBoss portal 2.6.1.
                          I don't need to change anything in my login-config.xml. All you need to do is to change the connection using the ldap_identity-config.xml instead of using identity-config.xml.
                          Then you need to modify this ldap_identity-config.xml to fit your ldap server configuration. I think that's all you would need to do. Check the link that I posted for more info.

                          SGM

                          • 10. Re: Portal and using openxchange ldap for users
                            veroland

                            I am using openldap 2.2.6 and portal 2.6.1

                            I have followed the links and am at my wits' end at the moment.