2 Replies Latest reply on Sep 1, 2010 10:50 AM by bullso

Picketlink Ldap; '&' in group names

bullso Aug 11, 2010 4:38 AM

Hi!

I am trying to connect a GateIn server to an ActiveDirectory. I'm using the picketlink-idm-msad-readonly-config.xml as a basis for my configuration.

It appears that the users and groups are correctly imported, but when I go to the "Users and Group management"-page and select the correct group, the list of members is not displayed. The pagination links, however, are.

Turning on tracing, I am also able to see that the server performs some sort of search for the correct users, so it appears that they have been imported to the local database.

The structure of the AD is something like this:

- DC=x, DC=y, DC=z

| -- OU=CompanyOI

| ---- OU=IT Department

| ------ OU=Users & Groups

| --------- CN= John Doe

| --------- CN= John Smith

When I tried importing users and groups not in the OU=Users & Groups, the users were correctly imported and displayed in "Users and Group management" under the appropriate group.

Base on my experiences, I belive the '&' in the Users & Groups are causing these problems.

Is anyone else experiencing this problem, have an explanation to it or a suggestion for solving it?

1. Re: Picketlink Ldap; '&' in group names

bdaw Aug 12, 2010 4:58 AM (in response to bullso)
Could you share your config and how do you plug the MSAD tree into gatein? I did a quick check with OpenDS (it shouldn't be MSAD specific) and was able to plug group containing "&" simply by putting the reference inside CDATA block in configuration. Sub entires should also be displayed properly. Please note that if you are trying to access groups nested more then one level below container DN that you specified in your identity type config then you should try adding this option:

<option> <name>entrySearchScope</name> <value>subtree</value> </option>
1 of 1 people found this helpful
Actions
2. Re: Picketlink Ldap; '&' in group names

bullso Sep 1, 2010 10:50 AM (in response to bdaw)

Hi!
Sorry for the late reply.
You CDATA comment got me on the right path, and I'm not sure the problem is the '&'-sign anymore.
However, I'm still having some troubles:

Here is a more correct overview of the LDAP configuration:
|-LDAPSERVER
    |--DC=tester,DC=ww-init,DC=com
         |--OU=Administration and Admin Groups
         |--CN=Builtin
         |--CN=Users
         |--OU=WW Group
              |--OU=IT HUB Happy
              |--OU=IT HUB Albie
                   |--OU=Users & Groups
                        |--CN=Person With Name             <--Person
                        |--CN=Fredrik Peterson                <--Person
                        |--CN=gruppe_user                      <--Group, the users of which I want to import.
                        |--CN=John Doe                           <--Person

Here is an example of the path for the user John Doe shown above:
distinguishedName = CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com
memberOf = CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com
sAMAccountName = John.Doe

Here is the relevant part of my idm-configuration.xml(The rest is unmodified):
<entry>
                <key><string>/gruppeUsers/*</string></key>
                 <value><string>msad_roles_type</string></value>
</entry>

Here is the relevant part of my picketlink-idm-msad-readonly configuration.xml:
<identity-store>
        <id>PortalLDAPStore</id>
        <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
        <external-config/>
        <supported-relationship-types>
          <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
        </supported-relationship-types>
        <supported-identity-object-types>
          <identity-object-type>
            <name>USER</name>
            <relationships/>
            <credentials>
              <credential-type>PASSWORD</credential-type>
            </credentials>
            <attributes>
              <attribute>
                <name>firstName</name>
                <mapping>givenName</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
              </attribute>
              <attribute>
                <name>lastName</name>
                <mapping>sn</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
              </attribute>
              <attribute>
                <name>email</name>
                <mapping>mail</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
                <isUnique>true</isUnique>
              </attribute>
            </attributes>
            <options>
              <option>
                <name>idAttributeName</name>
                <value>sAMAccountName</value>
              </option>
              <option>
                <name>entrySearchFilter</name>
               <value><![CDATA[(&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com))]]></value>
              </option>
              <option>
                <name>passwordAttributeName</name>
                <value>unicodePwd</value>
              </option>
              <option>
                <name>enclosePasswordWith</name>
                <value>"</value>
              </option>
              <option>
                <name>passwordEncoding</name>
                <value>UTF-16LE</value>
              </option>
              <option>
                <name>ctxDNs</name>
                <value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
              </option>
              <option>
                <name>allowCreateEntry</name>
                <value>true</value>
              </option>
              <option>
                <name>createEntryAttributeValues</name>
                <value>objectClass=top</value>
                <value>objectClass=inetOrgPerson</value>
                <value>sn= </value>
                <value>userAccountControl=514</value>
                
              </option>
              <option>
                <name>passwordUpdateAttributeValues</name>
                <value>userAccountControl=512</value>
              </option>
            </options>
          </identity-object-type>
          <identity-object-type>
            <name>msad_roles_type</name>
            <relationships>
              <relationship>
                <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                <identity-object-type-ref>USER</identity-object-type-ref>
              </relationship>
              <relationship>
                <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                <identity-object-type-ref>msad_roles_type</identity-object-type-ref>
              </relationship>
            </relationships>
            <credentials/>
            <attributes>
              <attribute>
                <name>label</name>
                <mapping>cn</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>true</isReadOnly>
              </attribute>
              <attribute>
                <name>description</name>
                <mapping>description</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
              </attribute>
            </attributes>
            <options>
            <option>
                <name>idAttributeName</name>
                <value>cn</value>
              </option>
              <option>
                <name>ctxDNs</name>
                <value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
              </option>
              <option>
                <name>entrySearchScope</name>
                <value>subtree</value>
                </option>
              <option>
                <name>entrySearchFilter</name>
               <value><![CDATA[(&(sAMAccountName={0})(objectClass=group)(CN=gruppe_users))]]></value>
              </option>
              <option>
                <name>allowCreateEntry</name>
                <value>true</value>
              </option>
              <option>
                <name>parentMembershipAttributeName</name>
                <value>member</value>
              </option>
              <option>
                <name>isParentMembershipAttributeDN</name>
                <value>true</value>
              </option>
              <option>
                <name>allowEmptyMemberships</name>
                <value>true</value>
              </option>
              <option>
                <name>createEntryAttributeValues</name>
                <value>objectClass=top</value>
                <value>objectClass=group</value>
                <value>groupType=8</value>
              </option>
            </options>
          </identity-object-type>
       </supported-identity-object-types>
        <options>
           .... Connection info etc....
        </options>
   </identity-store>
---------------------------------------------------
If I go into the User Management tab in GateIn:
All the useres are imported.
The user John Doe is registered with the following membership:

User Name Group Id Membership Type

John.Doe
/gruppeUsers/gruppe_users
member

On the Group Management tab, in the uniseveUsers/gruppe_users group, which si the correct one, it says "Empty Data"

In the console I get the following error message when expanding the group:
16:17:24,513 FINER [LDAPIdentityStoreImpl] Prepared LDAP Search ; contexts: [OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]; filter: (&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com)); filter args: [John Doe]; returning attributes: [sAMAccountName]
16:17:24,517 FINER [JBossCacheIdentityStoreCacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheIdentityStoreCacheProviderImpl@230c586eObject found in cache: hash1338618379;namespace=PortalLDAPStore
16:17:24,521 FINER [LDAPIdentityStoreImpl] LDAP search results found in cache. size=0
16:17:24,525 FINER [FallbackIdentityStoreRepository] Exception occurred:
org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN: CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com

Anny suggestion to what might be causing this error? Any help would be very much appreciated.
Actions

User Name	Group Id	Membership Type
John.Doe	/gruppeUsers/gruppe_users	member

Go to original post