2 Replies Latest reply on Sep 1, 2010 10:50 AM by Anonymus User Anonymus User

    Picketlink Ldap; '&' in group names

    Anonymus User Anonymus User Newbie

      Hi!

      I am trying to connect a GateIn server to an ActiveDirectory. I'm using the picketlink-idm-msad-readonly-config.xml as a basis for my configuration.

      It appears that the users and groups are correctly imported, but when I go to the "Users and Group management"-page and select the correct group, the list of members is not displayed. The pagination links, however, are.

      Turning on tracing, I am also able to see that the server performs some sort of search for the correct users, so it appears that they have been imported to the local database.

       

      The structure of the AD is something like this:

      - DC=x, DC=y, DC=z

      | -- OU=CompanyOI

      | ---- OU=IT Department

      | ------ OU=Users & Groups

      | --------- CN= John Doe

      | --------- CN= John Smith

       

      When I tried importing users and groups not in the OU=Users & Groups, the users were correctly imported and displayed in "Users and Group management" under the appropriate group.

       

      Based on my experience, I believe the '&' in Users & Groups is causing these problems.

      Is anyone else experiencing this problem, have an explanation to it or a suggestion for solving it?

        • 1. Re: Picketlink Ldap; '&' in group names
          Boleslaw Dawidowicz Master

          Could you share your config and how you plug the MSAD tree into GateIn? I did a quick check with OpenDS (it shouldn't be MSAD specific) and was able to plug in a group containing "&" simply by putting the reference inside a CDATA block in the configuration. Sub entries should also be displayed properly. Please note that if you are trying to access groups nested more than one level below the container DN that you specified in your identity type config, then you should try adding this option:

           

           

          <option>
            <name>entrySearchScope</name>
            <value>subtree</value>
          </option>
          
          
          
          1 of 1 people found this helpful
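The CDATA point from the reply above, as an added example that is not part of the original posts or of PicketLink: a small check that finds a bare `&` in an options fragment, shows that a standard XML parser rejects it, and confirms that `&amp;` and CDATA both deliver the literal `&` to the application. The helper names are hypothetical and the sample fragment is constructed from the option names and DN quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's options. The filter is wrapped in
# CDATA; the ctxDNs value carries a bare '&', which makes the file ill-formed.
SAMPLE = """<options>
  <option>
    <name>entrySearchFilter</name>
    <value><![CDATA[(&(sAMAccountName={0})(objectClass=user))]]></value>
  </option>
  <option>
    <name>ctxDNs</name>
    <value>OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com</value>
  </option>
</options>"""

CDATA = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)
# An '&' that does not start a named or numeric character reference.
BARE_AMP = re.compile(r"&(?!(?:[A-Za-z][\w.-]*|#\d+|#x[0-9A-Fa-f]+);)")

def bare_ampersands(xml_text):
    """Return 1-based line numbers of '&' outside CDATA that are not references."""
    # Blank out CDATA sections but keep newlines so line numbers stay correct.
    masked = CDATA.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), xml_text)
    return [masked.count("\n", 0, m.start()) + 1 for m in BARE_AMP.finditer(masked)]

def option_values(xml_text):
    """Parse the fragment; return {option name: [values]} as the application sees them."""
    root = ET.fromstring(xml_text)
    return {o.findtext("name"): [v.text for v in o.findall("value")]
            for o in root.iter("option")}

def fix_with_entity(xml_text):
    """Rewrite bare '&' outside CDATA as '&amp;'; CDATA sections are left untouched."""
    parts = re.split(r"(<!\[CDATA\[.*?\]\]>)", xml_text, flags=re.S)
    return "".join(p if p.startswith("<![CDATA[") else BARE_AMP.sub("&amp;", p)
                   for p in parts)

if __name__ == "__main__":
    print("bare '&' on lines:", bare_ampersands(SAMPLE))
    try:
        option_values(SAMPLE)
    except ET.ParseError as exc:
        print("parser rejects the fragment:", exc)
    print(option_values(fix_with_entity(SAMPLE)))
```

Only the XML layer needs the escaping: inside an LDAP filter value, RFC 4515 requires escaping only `*`, `(`, `)`, `\` and NUL, so the `&` in the DN is passed to the directory unchanged.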
          • 2. Re: Picketlink Ldap; '&' in group names
            Anonymus User Anonymus User Newbie

            Hi!

            Sorry for the late reply.

            Your CDATA comment got me on the right path, and I'm not sure the problem is the '&'-sign anymore.

            However, I'm still having some troubles:

             

            Here is a more correct overview of the LDAP configuration:

            |-LDAPSERVER

                |--DC=tester,DC=ww-init,DC=com

                     |--OU=Administration and Admin Groups

                     |--CN=Builtin

                     |--CN=Users

                     |--OU=WW Group

                          |--OU=IT HUB Happy

                          |--OU=IT HUB Albie

                               |--OU=Users & Groups

                                    |--CN=Person With Name             <--Person

                                    |--CN=Fredrik Peterson                <--Person

                                    |--CN=gruppe_user                      <--Group, the users of which I want to import.

                                    |--CN=John Doe                           <--Person

             

            Here is an example of the path for the user John Doe shown above:

            distinguishedName = CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com

            memberOf = CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com

            sAMAccountName = John.Doe

             

            Here is the relevant part of my idm-configuration.xml (the rest is unmodified):

            <entry>
              <key><string>/gruppeUsers/*</string></key>
              <value><string>msad_roles_type</string></value>
            </entry>

             

            Here is the relevant part of my picketlink-idm-msad-readonly configuration.xml:

            <identity-store>
                    <id>PortalLDAPStore</id>
                    <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
                    <external-config/>
                    <supported-relationship-types>
                      <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
                    </supported-relationship-types>
                    <supported-identity-object-types>
                      <identity-object-type>
                        <name>USER</name>
                        <relationships/>
                        <credentials>
                          <credential-type>PASSWORD</credential-type>
                        </credentials>
                        <attributes>
                          <attribute>
                            <name>firstName</name>
                            <mapping>givenName</mapping>
                            <type>text</type>
                            <isRequired>false</isRequired>
                            <isMultivalued>false</isMultivalued>
                            <isReadOnly>false</isReadOnly>
                          </attribute>
                          <attribute>
                            <name>lastName</name>
                            <mapping>sn</mapping>
                            <type>text</type>
                            <isRequired>false</isRequired>
                            <isMultivalued>false</isMultivalued>
                            <isReadOnly>false</isReadOnly>
                          </attribute>
                          <attribute>
                            <name>email</name>
                            <mapping>mail</mapping>
                            <type>text</type>
                            <isRequired>false</isRequired>
                            <isMultivalued>false</isMultivalued>
                            <isReadOnly>false</isReadOnly>
                            <isUnique>true</isUnique>
                          </attribute>
                        </attributes>
                        <options>
                          <option>
                            <name>idAttributeName</name>
                            <value>sAMAccountName</value>
                          </option>
                          <option>
                            <name>entrySearchFilter</name>
                            <value><![CDATA[(&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com))]]></value>
                          </option>
                          <option>
                            <name>passwordAttributeName</name>
                            <value>unicodePwd</value>
                          </option>
                          <option>
                            <name>enclosePasswordWith</name>
                            <value>"</value>
                          </option>
                          <option>
                            <name>passwordEncoding</name>
                            <value>UTF-16LE</value>
                          </option>
                          <option>
                            <name>ctxDNs</name>
                            <value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
                          </option>
                          <option>
                            <name>allowCreateEntry</name>
                            <value>true</value>
                          </option>
                          <option>
                            <name>createEntryAttributeValues</name>
                            <value>objectClass=top</value>
                            <value>objectClass=inetOrgPerson</value>
                            <value>sn= </value>
                            <value>userAccountControl=514</value>
                            <!--<value>cn= </value>-->
                          </option>
                          <option>
                            <name>passwordUpdateAttributeValues</name>
                            <value>userAccountControl=512</value>
                          </option>
                        </options>
                      </identity-object-type>
                      <identity-object-type>
                        <name>msad_roles_type</name>
                        <relationships>
                          <relationship>
                            <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                            <identity-object-type-ref>USER</identity-object-type-ref>
                          </relationship>
                          <relationship>
                            <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
                            <identity-object-type-ref>msad_roles_type</identity-object-type-ref>
                          </relationship>
                        </relationships>
                        <credentials/>
                        <attributes>
                          <attribute>
                            <name>label</name>
                            <mapping>cn</mapping>
                            <type>text</type>
                            <isRequired>false</isRequired>
                            <isMultivalued>false</isMultivalued>
                            <isReadOnly>true</isReadOnly>
                          </attribute>
                          <attribute>
                            <name>description</name>
                            <mapping>description</mapping>
                            <type>text</type>
                            <isRequired>false</isRequired>
                            <isMultivalued>false</isMultivalued>
                            <isReadOnly>false</isReadOnly>
                          </attribute>
                        </attributes>
                        <options>
                          <option>
                            <name>idAttributeName</name>
                            <value>cn</value>
                          </option>
                          <option>
                            <name>ctxDNs</name>
                            <value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
                          </option>
                          <option>
                            <name>entrySearchScope</name>
                            <value>subtree</value>
                          </option>
                          <option>
                            <name>entrySearchFilter</name>
                            <value><![CDATA[(&(sAMAccountName={0})(objectClass=group)(CN=gruppe_users))]]></value>
                          </option>
                          <option>
                            <name>allowCreateEntry</name>
                            <value>true</value>
                          </option>
                          <option>
                            <name>parentMembershipAttributeName</name>
                            <value>member</value>
                          </option>
                          <option>
                            <name>isParentMembershipAttributeDN</name>
                            <value>true</value>
                          </option>
                          <option>
                            <name>allowEmptyMemberships</name>
                            <value>true</value>
                          </option>
                          <option>
                            <name>createEntryAttributeValues</name>
                            <value>objectClass=top</value>
                            <value>objectClass=group</value>
                            <value>groupType=8</value>
                          </option>
                        </options>
                      </identity-object-type>
                   </supported-identity-object-types>
                    <options>

                       .... Connection info etc....

                    </options>
               </identity-store>

            ---------------------------------------------------

            If I go into the User Management tab in GateIn:

            All the users are imported.

            The user John Doe is registered with the following membership:

            User Name    Group Id                     Membership Type
            John.Doe     /gruppeUsers/gruppe_users    member

             

            On the Group Management tab, in the uniseveUsers/gruppe_users group, which is the correct one, it says "Empty Data".

             

            In the console I get the following error message when expanding the group:

            16:17:24,513 FINER [LDAPIdentityStoreImpl] Prepared LDAP Search ; contexts: [OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]; filter: (&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com)); filter args: [John Doe]; returning attributes: [sAMAccountName]
            16:17:24,517 FINER [JBossCacheIdentityStoreCacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheIdentityStoreCacheProviderImpl@230c586eObject found in cache: hash1338618379;namespace=PortalLDAPStore
            16:17:24,521 FINER [LDAPIdentityStoreImpl] LDAP search results found in cache. size=0
            16:17:24,525 FINER [FallbackIdentityStoreRepository] Exception occurred:

            org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN: CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com

             

             

            Any suggestions as to what might be causing this error? Any help would be very much appreciated.