AD Synchronization (using REST) - Hibernate - eXo Platform
seb974, Feb 6, 2013 10:23 AM

Hello,
I am working with eXo Platform on JBoss and I have a problem with user synchronization with Active Directory (using picketlink-idm). When I launch the REST service to synchronize my users in eXo with:
/portal/rest/management/orgsync/syncAllUsers?eventType=ADDED
I get:
(See attachment for full log)
(http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Invoke member:a.cacilie:/platform/users Membership synchronization.
2013-02-06 11:41:00,804 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (DefaultQuartzScheduler_Worker-9) Going to start Hibernate transaction
2013-02-06 11:41:00,808 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (DefaultQuartzScheduler_Worker-9) Going to commit Hibernate transaction
2013-02-06 11:41:01,110 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Going to commit Hibernate transaction
2013-02-06 11:41:01,111 FINER [org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: org.hibernate.HibernateException: createCriteria is not valid without active transaction
    at org.hibernate.context.ThreadLocalSessionContext$TransactionProtectionWrapper.invoke(ThreadLocalSessionContext.java:338)
    ..
2013-02-06 11:41:01,118 FINER [org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
    ..
Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
2013-02-06 11:41:01,119 FINER [org.picketlink.idm.impl.api.session.IdentitySessionImpl] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Exception occurred: org.picketlink.idm.api.query.QueryException: Failed to execute query
    ..
Caused by: org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
    ..
Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
But when I launch it again, the synchronization continues where it stopped before. And when I check the a.cacilie role, he is a member of the /platform/users group.
I made some tests, and it seems that the Hibernate session/transaction closes after some time.
Here is my environment:
- JBoss 5.10
- eXo Platform 3.5.5 with SSO (Spnego)
- Active Directory (Windows Server 2008 R2)
My filter is:
<value><![CDATA[(&(|(sAMAccountName={0})(dn={0}))(objectClass=user))]]></value>
----------
Before I had a problem to retrieve a user because the filter was:
<value><![CDATA[(&(|(sAMAccountName={0})(cn={0}))(objectClass=user))]]></value>
However, there are two users with the same cn but not the same OU.
In the code I found:
org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.java
String name = Tools.stripDnToName(dn);
LDAPIdentityObjectImpl entry = (LDAPIdentityObjectImpl) this.findIdentityObject(ctx, name, match);
The distinguished name (DN) is split and only the name part is kept for the search.
So, I modified the picketlink-idm code to:
org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.java
String name = dn;
LDAPIdentityObjectImpl entry = (LDAPIdentityObjectImpl) this.findIdentityObject(ctx, name, match);
And changed the filter to:
<value><![CDATA[(&(|(sAMAccountName={0})(distinguishedName={0}))(objectClass=user)(!(objectClass=computer)))]]></value>
Then I resynchronised, and I found this error:
org.exoplatform.platform.organization.integration.OrganizationIntegrationService syncAllUsers
    ..
Caused by: org.picketlink.idm.common.exception.IdentityException: IdentityObjectType[USER] not present in the store.
    ..
Caused by: org.hibernate.HibernateException: createCriteria is not valid without active transaction
And every time I start the sync, it continues where it stopped.
In addition, if I add a user in AD and start the sync, I also get the error (despite the fact that he correctly receives the *member* role for */platform/users*).
In debugging, I found:
org.hibernate.context.ThreadLocalSession.java
else if ( !realSession.getTransaction().isActive() ) {
    // limit the methods available if no transaction is active
    if ( "beginTransaction".equals( method.getName() )
            || "getTransaction".equals( method.getName() )
            || "isTransactionInProgress".equals( method.getName() )
            || "setFlushMode".equals( method.getName() )
            || "getSessionFactory".equals( method.getName() ) ) {
        log.trace( "allowing method [" + method.getName() + "] in non-transacted context" );
    }
    else if ( "reconnect".equals( method.getName() ) || "disconnect".equals( method.getName() ) ) {
        // allow these (deprecated) methods to pass through
    }
    else {
        throw new HibernateException( method.getName() + " is not valid without active transaction" );
    }
I get an exception because !realSession.getTransaction().isActive() is TRUE and method.getName() is createCriteria. But it is OK for the first users, so could the problem come from the session/transaction being cancelled?
------------------
If I decide to put the original library back and change the filter to obtain:
<value><![CDATA[(&(sAMAccountName={0})(objectClass=user)(!(objectClass=computer)))]]></value>
I get:
2013-01-30 11:46:19,267 SEVERE [org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository] (http-VM-test.testmitech.lan%2F192.168.1.106-8080-1) Failed to find IdentityObject in target store: org.picketlink.idm.common.exception.IdentityException: Found more than one identity object with name: CINDOC; Posible data inconsistency
Resolved by adding:
<value><![CDATA[(&(|(sAMAccountName={0})(cn={0}))(objectClass=user))]]></value>
But then I return to the first problem.
------------------
Any ideas please?
Regards,
seb
Attachment: logpatched-0602.txt.zip (120.9 KB)
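As an added illustration (not code from the post, from picketlink-idm or from eXo), here is a small Python model of the two LDAP filters in the post and of the DN-stripping lookup, run against a constructed directory where two users share a cn in different OUs. `strip_dn_to_name` is an assumption about what `Tools.stripDnToName` does, and all entries and names are made up.

```python
class IdentityError(Exception):
    """Mirrors picketlink's 'Found more than one identity object' failure."""

# Constructed entries (not real data): two distinct users share cn=CINDOC in
# different OUs, and the computer account also carries objectClass=user, as AD
# computer objects do (computer is a subclass of user in the AD schema).
DIRECTORY = [
    {"dn": "CN=CINDOC,OU=Paris,DC=example,DC=test", "sAMAccountName": "cindoc.paris",
     "cn": "CINDOC", "objectClass": ["person", "user"]},
    {"dn": "CN=CINDOC,OU=Lyon,DC=example,DC=test", "sAMAccountName": "cindoc.lyon",
     "cn": "CINDOC", "objectClass": ["person", "user"]},
    {"dn": "CN=a.cacilie,OU=Users,DC=example,DC=test", "sAMAccountName": "a.cacilie",
     "cn": "a.cacilie", "objectClass": ["person", "user"]},
    {"dn": "CN=VM-TEST,OU=Computers,DC=example,DC=test", "sAMAccountName": "VM-TEST$",
     "cn": "VM-TEST", "objectClass": ["person", "user", "computer"]},
]

def strip_dn_to_name(dn):
    """Assumed behaviour of Tools.stripDnToName: keep only the leading RDN value."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def cn_filter(e, v):
    """(&(|(sAMAccountName={0})(cn={0}))(objectClass=user)); AD matching is case-insensitive."""
    v = v.lower()
    return (e["sAMAccountName"].lower() == v or e["cn"].lower() == v) and "user" in e["objectClass"]

def dn_filter(e, v):
    """(&(|(sAMAccountName={0})(distinguishedName={0}))(objectClass=user)(!(objectClass=computer)))"""
    v = v.lower()
    return ((e["sAMAccountName"].lower() == v or e["dn"].lower() == v)
            and "user" in e["objectClass"] and "computer" not in e["objectClass"])

def resolve(value, ldap_filter):
    """Return the single matching DN, None when nothing matches, or raise on ambiguity."""
    hits = [e["dn"] for e in DIRECTORY if ldap_filter(e, value)]
    if len(hits) > 1:
        raise IdentityError("Found more than one identity object with name: " + value)
    return hits[0] if hits else None

def outcome(value, ldap_filter):
    """resolve() with the ambiguity case folded into a string, for easy comparison."""
    try:
        return resolve(value, ldap_filter) or "NOT FOUND"
    except IdentityError:
        return "AMBIGUOUS"

if __name__ == "__main__":
    lyon = "CN=CINDOC,OU=Lyon,DC=example,DC=test"
    print(outcome(strip_dn_to_name(lyon), cn_filter))  # AMBIGUOUS: the OU was stripped away
    print(outcome(lyon, dn_filter))                    # the Lyon entry only
    print(outcome("VM-TEST$", cn_filter))              # a computer account resolves as a user
    print(outcome("VM-TEST$", dn_filter))              # NOT FOUND
```

The stripped lookup cannot tell the two CINDOC entries apart, which is the "more than one identity object" error, while matching on the full distinguishedName keeps the OU and so stays unambiguous; the `(!(objectClass=computer))` clause is what stops machine accounts from being synchronized as users.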