0 Replies Latest reply on Feb 6, 2013 10:23 AM by seb974

    AD Synchronization (using REST) - Hibernate - eXo Platform

    seb974

      Hello,

       

       

I am working with eXo Platform on JBoss and I have a problem with user synchronization against Active Directory (using picketlink-idm). When I launch the REST service to synchronize my users in eXo with:

       

      /portal/rest/management/orgsync/syncAllUsers?eventType=ADDED

       

I get:

       

      (See attachment for full log)

      (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Invoke member:a.cacilie:/platform/users Membership synchronization.
      2013-02-06 11:41:00,804 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (DefaultQuartzScheduler_Worker-9) Going to start Hibernate transaction
      2013-02-06 11:41:00,808 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (DefaultQuartzScheduler_Worker-9) Going to commit Hibernate transaction
      2013-02-06 11:41:01,110 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Going to commit Hibernate transaction
      2013-02-06 11:41:01,111 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: 
      org.hibernate.HibernateException: createCriteria is not valid without active transaction
                at org.hibernate.context.ThreadLocalSessionContext$TransactionProtectionWrapper.invoke(ThreadLocalSessionContext.java:338)
      
      ..
      2013-02-06 11:41:01,118 FINER [org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: 
      org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
      ..
      Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
      
      
      2013-02-06 11:41:01,119 FINER [org.picketlink.idm.impl.api.session.IdentitySessionImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: 
      org.picketlink.idm.api.query.QueryException: Failed to execute query
      ..
      Caused by: org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
      ..
      Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
      

       

But when I launch it again, the synchronization continues where it stopped before. And when I check the a.cacilie role, he is a member of the /platform/users group.

I ran some tests, and it seems that the Hibernate session/transaction closes after some time.

       

      Here is my environment:

      - JBoss 5.10

- eXo Platform 3.5.5 with SSO (SPNEGO)

- Active Directory (Windows Server 2008 R2)

       

My filter is:

       

      <value><![CDATA[(&(|(sAMAccountName={0})(dn={0}))(objectClass=user))]]></value>

       

      ----------

       

Before that, I had a problem retrieving a user because the filter was:

       

      <value><![CDATA[(&(|(sAMAccountName={0})(cn={0}))(objectClass=user))]]></value>
      

       

However, there are two users with the same cn but not the same OU.

       

       

      In the code I found:

       

      org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.java

      String name = Tools.stripDnToName(dn);
      LDAPIdentityObjectImpl entry = (LDAPIdentityObjectImpl) this.findIdentityObject (ctx, name, match);
      

       

The distinguished name (DN) is split and only the name part is used for the search.

       

So I modified the picketlink-idm code to:

       

      org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.java

      String name = dn;
      LDAPIdentityObjectImpl entry = (LDAPIdentityObjectImpl) this.findIdentityObject (ctx, name, match);
      

       

       

And changed the filter to:

       

      <value><![CDATA[(&(|(sAMAccountName={0})(distinguishedName={0}))(objectClass=user)(!(objectClass=computer)))]]></value>
      

       

Then I resynchronised and got this error:

       

      org.exoplatform.platform.organization.integration.OrganizationIntegrationService syncAllUsers
      ..
      Caused by: org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
      ..
      Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
      

       

      And every time you start the sync, it continues where it stopped.

       

In addition, if I add a user in AD and start the sync, I also get the error (despite the fact that he does correctly receive the *member* role for */platform/users*).

       

While debugging, I found:

       

org.hibernate.context.ThreadLocalSessionContext.java

else if ( !realSession.getTransaction().isActive() ) {
    // limit the methods available if no transaction is active
    if ( "beginTransaction".equals( method.getName() )
            || "getTransaction".equals( method.getName() )
            || "isTransactionInProgress".equals( method.getName() )
            || "setFlushMode".equals( method.getName() )
            || "getSessionFactory".equals( method.getName() ) ) {
        log.trace( "allowing method [" + method.getName() + "] in non-transacted context" );
    }
    else if ( "reconnect".equals( method.getName() )
            || "disconnect".equals( method.getName() ) ) {
        // allow these (deprecated) methods to pass through
    }
    else {
        throw new HibernateException( method.getName() + " is not valid without active transaction" );
    }
}
      

       

I get an exception because !realSession.getTransaction().isActive() is true and method.getName() is createCriteria. But it is OK for the first users, so does the problem come from the session/transaction being cancelled?

       

      ------------------

       

If I put the original library back and change the filter to:

       

       

      <value><![CDATA[(&(sAMAccountName={0})(objectClass=user)(!(objectClass=computer)))]]></value>
      

       

       

I get:

       

      2013-01-30 11:46:19,267 SEVERE [org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Failed to find IdentityObject in target store: 
      org.picketlink.idm.common.exception.IdentityException: Found more than one identity object with name: CINDOC; Posible data inconsistency
      

       

       

      Resolved by adding:

       

      <value><![CDATA[(&(|(sAMAccountName={0})(cn={0}))(objectClass=user))]]></value>
      

       

But then I am back to the first problem.

       

       

      ------------------

       

Any ideas, please?

       

       

      Regards,

       

      seb
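The LDAP side of the thread (the three filter templates, the two users sharing a cn, and the effect of stripping a DN down to its name before the lookup) can be reproduced without a directory server. The block below is an added example written for this page; it is not code from the original post, from eXo or from picketlink-idm. It models a tiny directory as constructed sample data, parses the RFC 4515 filter subset the post's filters use (`&`, `|`, `!` and equality), binds `{0}` with proper filter escaping, and refuses an ambiguous result the way the log line "Found more than one identity object" does. `strip_dn_to_name` is an assumed equivalent of picketlink's `Tools.stripDnToName` (first RDN value only), not its real implementation, and the entries, OUs and account names are invented.

```python
"""Added example (not from the original post, eXo or picketlink-idm):
an in-memory model of the LDAP lookups discussed in the thread."""
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, object]
Predicate = Callable[[Entry], bool]

# Constructed sample directory (not real data). Two users share cn=CINDOC in
# different OUs; VM-TEST is a computer account, which in AD also has objectClass=user.
USER = ["top", "person", "user"]
DIRECTORY: List[Entry] = [
    {"distinguishedName": "CN=CINDOC,OU=Paris,DC=example,DC=lan",
     "cn": "CINDOC", "sAMAccountName": "cindoc.paris", "objectClass": USER},
    {"distinguishedName": "CN=CINDOC,OU=Lyon,DC=example,DC=lan",
     "cn": "CINDOC", "sAMAccountName": "cindoc.lyon", "objectClass": USER},
    {"distinguishedName": "CN=a.cacilie,OU=Users,DC=example,DC=lan",
     "cn": "a.cacilie", "sAMAccountName": "a.cacilie", "objectClass": USER},
    {"distinguishedName": "CN=VM-TEST,OU=Computers,DC=example,DC=lan",
     "cn": "VM-TEST", "sAMAccountName": "VM-TEST$", "objectClass": USER + ["computer"]},
]

# The filter templates from the post; {0} is the value being looked up.
FILTER_CN = "(&(|(sAMAccountName={0})(cn={0}))(objectClass=user))"
FILTER_DN = "(&(|(sAMAccountName={0})(distinguishedName={0}))(objectClass=user)(!(objectClass=computer)))"
FILTER_SAM = "(&(sAMAccountName={0})(objectClass=user)(!(objectClass=computer)))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter template,
    so a name containing ')' or '*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def strip_dn_to_name(dn: str) -> str:
    """Assumed behaviour of Tools.stripDnToName: keep only the first RDN's value."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def parse_filter(text: str) -> Predicate:
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value).
    Attribute names and the values used here are case-insensitive, as in AD."""
    pos = 0

    def matches(entry: Entry, attr: str, value: str) -> bool:
        for key, stored in entry.items():
            if key.lower() == attr.lower():
                stored_list = stored if isinstance(stored, list) else [stored]
                return any(str(s).lower() == value.lower() for s in stored_list)
        return False  # an attribute the entry lacks (e.g. 'dn') never matches

    def parse() -> Predicate:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children: List[Predicate] = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            if op == "&":
                return lambda e: all(c(e) for c in children)
            if op == "|":
                return lambda e: any(c(e) for c in children)
            if len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not children[0](e)
        end = text.index(")", pos)  # a literal ')' in a value must be escaped as \29
        attr, sep, raw = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        value = unescape_filter_value(raw)
        pos = end + 1
        return lambda e: matches(e, attr, value)

    predicate = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return predicate


def find_identity_object(template: str, name: str, directory: List[Entry] = DIRECTORY) -> Optional[Entry]:
    """Bind {0} (escaped), evaluate, and refuse an ambiguous result instead of
    silently picking one entry, mirroring the error seen in the post's log."""
    predicate = parse_filter(template.replace("{0}", escape_filter_value(name)))
    hits = [e for e in directory if predicate(e)]
    if len(hits) > 1:
        raise LookupError("Found more than one identity object with name: %s" % name)
    return hits[0] if hits else None


def lookup_outcome(template: str, name: str) -> str:
    """Summarise a lookup as the DN found, 'not found' or 'ambiguous'."""
    try:
        entry = find_identity_object(template, name)
    except LookupError:
        return "ambiguous"
    return str(entry["distinguishedName"]) if entry else "not found"


if __name__ == "__main__":
    lyon = "CN=CINDOC,OU=Lyon,DC=example,DC=lan"
    print("cn filter, stripped DN:  ", lookup_outcome(FILTER_CN, strip_dn_to_name(lyon)))
    print("DN filter, stripped DN:  ", lookup_outcome(FILTER_DN, strip_dn_to_name(lyon)))
    print("DN filter, full DN:      ", lookup_outcome(FILTER_DN, lyon))
    print("sAMAccountName, computer:", lookup_outcome(FILTER_SAM, "VM-TEST$"))
```

Run as a script it walks the post's three situations: the `cn` filter with the stripped name hits both CINDOC entries and is rejected as ambiguous, the `distinguishedName` filter finds nothing once the DN has been reduced to `CINDOC` (which is why passing the full DN through, as the modified `String name = dn;` does, makes it unique), and the `(!(objectClass=computer))` clause keeps machine accounts out. The escaping step is the one thing worth carrying back into any `{0}` template: a name such as `CINDOC)(objectClass=*` is looked up literally instead of widening the filter.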