11 Replies Latest reply on Feb 10, 2016 3:49 PM by rareddy

    ldap (active directory) VDB loaded, active but invalid.

    m.ardito

      I am struggling to understand a concept that is new to me, i.e. a VDB connecting to an LDAP server.

       

      I followed both LDAP Translator - Teiid 8.12 - Project Documentation Editor

      and https://github.com/teiid/teiid-quickstarts/tree/master/ldap-as-a-datasource

      examples, but what I get is:

      - a JCA Resource Adapter, named "ldapQS", which under "Available Connection Definitions" has: "ldapDS", with the flag "enabled".

      - a deployed VDB which is marked ACTIVE but not "valid"

       

      This is what I did (tried many times but can't figure out what is not happening):

      1. from CLI used the setup.cli script:
        • /subsystem=resource-adapters/resource-adapter=ldapQS:add(module=org.jboss.teiid.resource-adapter.ldap)
        • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS:add(jndi-name=java:/ldapDS, class-name=org.teiid.resource.adapter.ldap.LDAPManagedConnectionFactory, enabled=true, use-java-context=true)
        • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapUrl:add(value=ldap://<active directory server ip>:389)
        • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapAdminUserDN:add(value=<cn=user,ou=x,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it>)
        • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapAdminUserPassword:add(value=<userpasswd>)
        • /subsystem=resource-adapters/resource-adapter=ldapQS:activate
      2. then issued #bin\jboss-cli --connect file=./setup.cli:
        • the output was
        • {    "outcome" => "success",    "response-headers" => {"process-state" => "reload-required"}}

          {    "outcome" => "success",    "response-headers" => {"process-state" => "reload-required"}}

          {    "outcome" => "success",    "response-headers" => {"process-state" => "reload-required"}}

          'dc' is not found among the supported properties: [value]

        • note the last line... ?!?
      3. then created and deployed the VDB like
        • <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <vdb name="ldapVDB" version="1">
              <model name="HRModel">
                  <source name="local" translator-name="ldap" connection-jndi-name="java:/ldapDS"/>
                  <metadata type="DDL"><![CDATA[
                      CREATE FOREIGN TABLE HR_Group (
                          AccountName string options (nameinsource 'sAMAccountName'),
                          SN string options (nameinsource 'sn'),
                          UID string options (nameinsource 'uid'),
                          MAIL string options (nameinsource 'mail'),
                          NAME string options (nameinsource 'cn')
                      ) OPTIONS(nameinsource 'ou=users,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it', updatable false);
                  ]]></metadata>
              </model>
          </vdb>

      4. As said, the ldapVDB is "active" but not "valid", and the web console reports for it the error/warning "Data Source java:/ldapDS not accessible."
      5. I can connect to the VDB from SQuirreL, but the result has an empty "HR_Group" table, and "SELECT * FROM HR_Group" gives this error
        • "Error: TEIID30504 Remote org.teiid.core.TeiidProcessingException: TEIID30504 local: TEIID30481 Failed to find the Connection Factory with JNDI name java:/ldapDS. Please check the name or deploy the Connection Factory with specified name.
          SQLState:  50000
          ErrorCode: 30504"

         

        What did I do wrong?

        • I am quite sure the username/password, IP address, port, and full CN path are all right for my AD (I use most of those in any other LDAP config and the Windows LDP utility)
        • I used translator-name="translator-ldap" in the VDB xml, because if I use translator-name="translator-ldap" as in the examples I found (above links), the Teiid server log complains with

        "WARN  [org.teiid.RUNTIME] (MSC service thread 1-4)  TEIID50077 The translator type "translator-ldap" was not found in configuration; VDB ldapVDB.1 will not be started until translator is available."

        • btw, I used <cn=user,ou=x,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it> as an example, but our DN is that complex (we also have a three-level domain name)

         

         

        Thanks for any help.

          • 1. Re: ldap (active directory) VDB loaded, active but invalid.
            rareddy

            Did you restart the server or run ":reload" after the resource-adapter was created?

             

            The issue is that the LDAP resource adapter you created is not providing the connection to the VDB. For the translator name, just use "ldap". No single ticks or double quotes etc.

             

            Ramesh..

            • 2. Re: ldap (active directory) VDB loaded, active but invalid.
              m.ardito

              I stopped and restarted my server, now.

               

              Now I see the ldapVDB "active" and "valid", but from SquirrelSQL the result is the same: the table "hr_group" seems to be empty or null...?

               

              select * from hr_group now gives:

              Error: TEIID30504 Remote org.teiid.core.TeiidProcessingException: TEIID30504 local: TEIID60000 javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS

              SQLState:  50000

              ErrorCode: 30504

              • 3. Re: ldap (active directory) VDB loaded, active but invalid.
                rareddy

                Your configuration to connect to LDAP is wrong, or not accessible with the given configuration. Maybe firewalls, insufficient privileges, etc. See if there is a more detailed exception in the log as to why you are failing to retrieve the connection.

                • 4. Re: ldap (active directory) VDB loaded, active but invalid.
                  m.ardito

                  Mmm, couldn't it be anything else? I double-checked with ldapsearch; I can connect from the Teiid server CLI to my AD server...

                   

                  i.e. this works...

                  #ldapsearch -LLL -H ldap://192.168.x.y:389 -b 'dc=xxx,dc=xx,dc=it' -D CN=xxxx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=it -w 'xxx' '(sAMAccountName=ardito)'

                   

                  [edit] server log reports now

                  18:50:25,374 WARN  [org.teiid.PROCESSOR] (Worker13_QueryProcessorQueue249) tYkQmhDuZwPj TEIID30020 Processing exception for request tYkQmhDuZwPj.13 'TEIID30504 local: TEIID60000 javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS'. Originally TeiidProcessingException 'Ldap Admin password property not found nor security-domain specified for the resource-adaptor.' LDAPConnectionImpl.java:125. Enable more detailed logging to see the entire stacktrace.

                   

                  but I am *sure* I provided the same username/password as in ldapsearch above (at the moment those are very, very simple test values), meaning:

                  • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapAdminUserDN:add(value=<cn=user,ou=x,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it>)
                  • /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapAdminUserPassword:add(value=<userpasswd>)

                   

                  Is there any way to check what values I provided, or do I need to remove and re-deploy this ldapDS, but then I should reload the server again, perhaps?

                  • 5. Re: ldap (active directory) VDB loaded, active but invalid.
                    m.ardito

                    Also, I noted the last output line when I configured the ldap datasource (see first post):

                     

                    'dc' is not found among the supported properties: [value]

                     

                    Could this cause troubles? Our domain is a three level one, so we need three DC= fields.

                    Meaning, could it expect just two of them, like in example.com => DC=example,DC=com ?

                     

                    Anyway, how can I debug at this level to find and solve the issue?

                    • 6. Re: ldap (active directory) VDB loaded, active but invalid.
                      rareddy

                      I am not an LDAP expert, but maybe you should try to connect using tools like LDAP Admin (a free LDAP directory browser and editor) or http://jxplorer.org/ and make sure the connection from your machine to the LDAP works and you have a URL that has been tested. Or find other tools in your organization that are connecting to LDAP and you may find the right set of configuration.


                      Ramesh..

                      • 7. Re: ldap (active directory) VDB loaded, active but invalid.
                        m.ardito

                        Thanks for the suggested links: I tried jxplorer from my PC, and as with other tools I used before, I can connect to our AD server just fine.

                         

                        I tried also (before):

                        - LDP.exe (windows standard tool) from my pc

                        - our LAN mediawiki app, which authenticates users through LDAP (and a few other similar web apps)

                        - ldapsearch (openldap query tool) from the same server (debian) that runs teiid

                         

                        I definitely can connect with the same values I provided to teiid, so I guess there's another catch, but I don't know how to find it.

                        • 8. Re: ldap (active directory) VDB loaded, active but invalid.
                          shawkins

                          > I definitely can connect with the same values I provided to teiid, so I guess there's another catch, but I don't know how to find it.


                          I think the issue is with the cli handling of the value.


                          value=<cn=user,ou=x,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it>


                          Should be in double quotes or escaped, as the , and = have meaning to the CLI parser.
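To make the quoting point above concrete, here is an added Python illustration (not jboss-cli's own code, and nothing from the Teiid project): a simplified model of the CLI's `name=value, name=value` argument syntax showing that an unquoted DN is split at every comma into spurious parameters such as `ou` and `dc`, which is the shape of the "'dc' is not found among the supported properties: [value]" message in the first post, plus a helper that emits the config-property add line with the value double-quoted. The tokenizer is an assumption about the syntax, not the real parser, and the adapter, connection-definition and DN values are the thread's sample names.

```python
"""Model of how an unquoted LDAP DN confuses a 'name=value, name=value'
argument parser, plus a helper that emits a correctly quoted jboss-cli
config-property add command.

Added illustration, not jboss-cli source: the tokenizer is a simplified
model of the CLI argument syntax, enough to show why commas and '=' inside
a DN must be quoted.
"""

# The only property an add operation on a config-property node accepts.
SUPPORTED = {"value"}


def split_args(arg_text):
    """Split 'a=1, b="x,y=z", c=3' into an ordered list of (name, value) pairs.

    Commas separate arguments and the first '=' separates name from value,
    except inside a double-quoted value, where both are literal.
    Backslash escapes the next character inside quotes.
    """
    args, buf, quoted, i = [], [], False, 0
    while i < len(arg_text):
        ch = arg_text[i]
        if ch == "\\" and quoted and i + 1 < len(arg_text):
            buf.append(arg_text[i + 1])  # escaped char, taken literally
            i += 2
            continue
        if ch == '"':
            quoted = not quoted          # quote chars delimit, not part of value
        elif ch == "," and not quoted:
            args.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        args.append("".join(buf))
    pairs = []
    for a in args:
        name, _, value = a.strip().partition("=")
        pairs.append((name.strip(), value))
    return pairs


def unsupported_params(arg_text):
    """Return the parameter names the model would reject, in order seen."""
    seen = []
    for name, _ in split_args(arg_text):
        if name not in SUPPORTED and name not in seen:
            seen.append(name)
    return seen


def cli_quote(value):
    """Wrap a value in double quotes, escaping embedded quotes and backslashes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def config_property_add(adapter, conn_def, prop, value):
    """Build the jboss-cli line that adds one config-property, value quoted."""
    return (
        f"/subsystem=resource-adapters/resource-adapter={adapter}"
        f"/connection-definitions={conn_def}"
        f"/config-properties={prop}:add(value={cli_quote(value)})"
    )


# Constructed sample DN, same shape as the one used in the thread.
DN = "cn=user,ou=x,ou=y,ou=z,ou=k,dc=domain,dc=xx,dc=it"

if __name__ == "__main__":
    print("unquoted ->", unsupported_params(f"value={DN}"))
    print("quoted   ->", unsupported_params(f"value={cli_quote(DN)}"))
    print(config_property_add("ldapQS", "ldapDS", "LdapAdminUserDN", DN))
```

After applying a line built this way, the check is the one post #10 uses: `ls` the config-property node in jboss-cli and confirm the stored `value=` is the bare DN, with no surrounding quote or backslash characters, since whatever is stored there is what the adapter sends as the bind DN.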

                          • 9. Re: ldap (active directory) VDB loaded, active but invalid.
                            rareddy

                            You can edit the "<eap>/standalone/configuration/standalone-teiid.xml" file and under resource adapters sub-section, see if the connection information you entered and what is there match, if not correct it, save and restart the server.

                            • 10. Re: ldap (active directory) VDB loaded, active but invalid.
                              m.ardito

                              Sorry to be late... I was busy making other mistakes

                               

                              I went back on this ldap test, and tried to quote/escape the ldap DN as suggested... if I got it.

                              It still doesn't work.

                               

                              now from jboss-cli I get:

                              ls /subsystem=resource-adapters/resource-adapter=ldapQS/connection-definitions=ldapDS/config-properties=LdapAdminUserDN

                              value=\"CN=<username>,OU=<sub OU1>,OU=<sub OU2>,OU=<sub OU3>,OU=<sub OU4>,DC=<domainL3>,DC=<domainL2>,DC=<domainL1>\"

                               

                              and in the standalone-teiid.xml file I have

                               

                              <resource-adapter id="ldapQS">
                                      <module slot="main" id="org.jboss.teiid.resource-adapter.ldap"/>
                                      <connection-definitions>
                                              <connection-definition class-name="org.teiid.resource.adapter.ldap.LDAPManagedConnectionFactory" jndi-name="java:/ldapDS" enabled="true" use-java-context="true" pool-name="ldapDS">
                                                      <config-property name="LdapAdminUserPassword">
                                                              <thepassword>
                                                      </config-property>
                                                      <config-property name="LdapUrl">
                                                              ldap://<the ip address>:389
                                                      </config-property>
                                                      <config-property name="LdapAdminUserDN">
                                                              \"CN=<username>,OU=<sub OU1>,OU=<sub OU2>,OU=<sub OU3>,OU=<sub OU4>,DC=<domainL3>,DC=<domainL2>,DC=<domainL1>\"
                                                      </config-property>
                                              </connection-definition>
                                      </connection-definitions>
                              </resource-adapter>

                               

                              where obviously I have replaced the right, valid, tested values with sample values like <sample value>

                               

                              from squirrel, any query gets:

                              Error: TEIID30504 Remote org.teiid.core.TeiidProcessingException: TEIID30504 local: TEIID60000 javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS

                              SQLState:  50000

                              ErrorCode: 30504

                               

                              (below is the whole stack trace after the sql query)

                               

                              the key error seems to be:

                              Unable to get managed connection for java:/ldapDS'. Originally TeiidProcessingException '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]' LdapCtx.java:3088.

                               

                              but I am doubly sure all auth values are right, as said above...

                               

                              17:02:08,868 WARN  [org.teiid.CONNECTOR] (Worker3_QueryProcessorQueue23) bDBgzW1ds+5s Connector worker process failed for atomic-request=bDBgzW1ds+5s.9.0.1095: org.teiid.translator.TranslatorException: TEIID60000 javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS
                                      at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:175) [teiid-api-8.12.3.jar:8.12.3]
                                      at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:194) [teiid-api-8.12.3.jar:8.12.3]
                                      at org.teiid.dqp.internal.datamgr.ConnectorWorkItem.execute(ConnectorWorkItem.java:313)
                                      at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source) [:1.7.0_91]
                                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_91]
                                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_91]
                                      at org.teiid.dqp.internal.datamgr.ConnectorManager$1.invoke(ConnectorManager.java:211)
                                      at com.sun.proxy.$Proxy46.execute(Unknown Source)
                                      at org.teiid.dqp.internal.process.DataTierTupleSource.getResults(DataTierTupleSource.java:306)
                                      at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:112)
                                      at org.teiid.dqp.internal.process.DataTierTupleSource$1.call(DataTierTupleSource.java:108)
                                      at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_91]
                                      at org.teiid.dqp.internal.process.FutureWork.run(FutureWork.java:65)
                                      at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
                                      at org.teiid.dqp.internal.process.ThreadReuseExecutor$RunnableWrapper.run(ThreadReuseExecutor.java:119)
                                      at org.teiid.dqp.internal.process.ThreadReuseExecutor$3.run(ThreadReuseExecutor.java:210)
                                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_91]
                                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_91]
                                      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_91]
                              Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS
                                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:421)
                                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:327)
                                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:510)
                                      at org.teiid.resource.spi.WrappedConnectionFactory.getConnection(WrappedConnectionFactory.java:58) [teiid-api-8.12.3.jar:8.12.3]
                                      at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:173) [teiid-api-8.12.3.jar:8.12.3]
                                      ... 18 more
                              Caused by: javax.resource.ResourceException: IJ000658: Unexpected throwable while trying to create a connection: null
                                      at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:421)
                                      at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:453)
                                      at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:425)
                                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:354)
                                      ... 22 more
                              Caused by: javax.resource.ResourceException: Initializing LDAP directory context failed. Please check LDAP connection properties, including username and password: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
                                      at org.teiid.resource.adapter.ldap.LDAPConnectionImpl.initializeLDAPContext(LDAPConnectionImpl.java:151)
                                      at org.teiid.resource.adapter.ldap.LDAPConnectionImpl.<init>(LDAPConnectionImpl.java:75)
                                      at org.teiid.resource.adapter.ldap.LDAPManagedConnectionFactory$1.getConnection(LDAPManagedConnectionFactory.java:49)
                                      at org.teiid.resource.adapter.ldap.LDAPManagedConnectionFactory$1.getConnection(LDAPManagedConnectionFactory.java:43)
                                      at org.teiid.resource.spi.BasicManagedConnectionFactory.createManagedConnection(BasicManagedConnectionFactory.java:71) [teiid-api-8.12.3.jar:8.12.3]
                                      at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:834)
                                      at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:379)
                                      ... 25 more
                              Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
                                      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3088) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2836) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2750) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:317) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_91]
                                      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_91]
                                      at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122)
                                      at org.jboss.as.naming.InitialContext.init(InitialContext.java:107)
                                      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_91]
                                      at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:98)
                                      at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:44)
                                      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_91]
                                      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_91]
                                      at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_91]
                                      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_91]
                                      at org.teiid.resource.adapter.ldap.LDAPConnectionImpl.initializeLDAPContext(LDAPConnectionImpl.java:148)
                                      ... 31 more

                               

                              17:02:09,005 WARN  [org.teiid.PROCESSOR] (Worker2_QueryProcessorQueue24) bDBgzW1ds+5s TEIID30020 Processing exception for request bDBgzW1ds+5s.9 'TEIID30504 local: TEIID60000 javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS'. Originally TeiidProcessingException '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]' LdapCtx.java:3088. Enable more detailed logging to see the entire stacktrace.

                               

                              Any hint welcome...
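Since the last log line in the post above carries both the LDAP result code and the Active Directory sub-code, here is an added Python example (not Teiid, JBoss or any project code) that pulls the `error code 49` / `data NNN` pair out of TEIID30020-style lines and maps the sub-code to its documented AD bind-failure meaning. The sample log lines are constructed copies of the shapes shown above; `data 525` is AD's "user not found" sub-code, meaning the bind DN did not resolve to an account, which is consistent with the stored LdapAdminUserDN in the standalone-teiid.xml above beginning with a literal `\"` rather than `CN=`. The regular expressions are assumptions about the line format, not anything from the Teiid logger.

```python
"""Decode the Active Directory sub-code inside an LDAP 'error code 49' bind
failure as it appears in Teiid server.log lines (TEIID30020 / IJ000453).

Added illustration, not Teiid or JBoss code. The sample lines are constructed
copies of the log format shown in the thread; the sub-code table is the
documented AD meaning of the 'data NNN' field on AcceptSecurityContext errors.
"""
import re

# AD sub-codes returned alongside LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN does not resolve to an account)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Assumed shape of the bracketed LDAP error as Java's JNDI provider formats it.
LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9a-fA-F]+)"
)
# JNDI name of the connection factory that failed, as quoted in the message.
JNDI = re.compile(r"Unable to get managed connection for (?P<jndi>\S+?)'")


def diagnose(line):
    """Describe the bind failure in one log line, or return None if none."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    data = m.group("data").lower()
    j = JNDI.search(line)
    if code == 49:
        cause = AD_BIND_SUBCODES.get(data, "unknown AD sub-code")
    else:
        cause = f"LDAP result {code}"
    return {
        "jndi": j.group("jndi") if j else None,
        "ldap_code": code,
        "ad_data": data,
        "cause": cause,
    }


def first_failure(lines):
    """First diagnosable bind failure in a sequence of log lines."""
    for line in lines:
        d = diagnose(line)
        if d:
            return d
    return None


# Constructed log lines in the format the thread shows (ids and times made up).
SAMPLE_LOG = [
    "17:02:08,868 WARN  [org.teiid.CONNECTOR] (Worker3_QueryProcessorQueue23) "
    "bDBgzW1ds+5s Connector worker process failed for atomic-request=...: "
    "org.teiid.translator.TranslatorException: TEIID60000 javax.resource."
    "ResourceException: IJ000453: Unable to get managed connection for java:/ldapDS",
    "17:02:09,005 WARN  [org.teiid.PROCESSOR] (Worker2_QueryProcessorQueue24) "
    "bDBgzW1ds+5s TEIID30020 Processing exception for request bDBgzW1ds+5s.9 "
    "'TEIID30504 local: TEIID60000 javax.resource.ResourceException: IJ000453: "
    "Unable to get managed connection for java:/ldapDS'. Originally "
    "TeiidProcessingException '[LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]' "
    "LdapCtx.java:3088.",
]

if __name__ == "__main__":
    print(first_failure(SAMPLE_LOG))
```

Reading the sub-code first saves guessing: 525 says the directory never matched the DN, so the password is irrelevant until the stored DN is exactly the one ldapsearch was given, whereas 52e would mean the DN is fine and the password is wrong.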

                              • 11. Re: ldap (active directory) VDB loaded, active but invalid.
                                rareddy

                                I advise you to first test with tools like OpenLDAP and build your URL, then use that in the above configuration. I have seen a lot of different variations with different LDAP instances.