-
1. Re: Picketlink Ldap; '&' in group names
bdaw Aug 12, 2010 4:58 AM (in response to bullso)
Could you share your config and how you plug the MSAD tree into GateIn? I did a quick check with OpenDS (it shouldn't be MSAD specific) and was able to plug in a group containing "&" simply by putting the reference inside a CDATA block in the configuration. Sub entries should also be displayed properly. Please note that if you are trying to access groups nested more than one level below the container DN that you specified in your identity type config, then you should try adding this option:
<option> <name>entrySearchScope</name> <value>subtree</value> </option>
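The point above is that "&" is only a problem for the XML file, not for LDAP. The following Python example is added here to illustrate that; it is not code from the thread or from PicketLink. It parses an `<option>` fragment written with a bare "&" and with the CDATA form, shows ElementTree's own `&amp;` escaping as the other valid alternative, and contrasts that with RFC 4515 filter escaping, where "&" is harmless but "(", ")", "*" and "\" in a DN must be encoded when the DN is embedded in an entrySearchFilter (which is also what prevents untrusted input from altering a filter). The DNs, option names and the `member_of_filter` helper are constructed for the example.

```python
# Added example (not from the thread): "&" in a DN is an XML problem, not an
# LDAP one; only RFC 4515 characters need escaping inside a search filter.
import xml.etree.ElementTree as ET

# Constructed sample DN, modelled on the ones discussed in the thread.
GROUP_DN = "CN=gruppe_users,OU=Users & Groups,DC=tester,DC=ww-init,DC=com"

# The same <option> written two ways: a bare "&" (not well-formed XML)
# and the CDATA form suggested in the post above.
BARE_OPTION = (
    "<option><name>ctxDNs</name>"
    "<value>OU=Users & Groups,DC=tester,DC=ww-init,DC=com</value></option>"
)
CDATA_OPTION = (
    "<option><name>ctxDNs</name>"
    "<value><![CDATA[OU=Users & Groups,DC=tester,DC=ww-init,DC=com]]></value>"
    "</option>"
)


def is_well_formed(xml_text: str) -> bool:
    """True if the fragment parses as XML; a bare '&' makes it fail."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_option_value(xml_text: str) -> str:
    """Return the <value> text of an <option> fragment as the parser sees it."""
    return ET.fromstring(xml_text).find("value").text


def option_xml(name: str, value: str) -> str:
    """Serialise an <option>. ElementTree writes '&' as '&amp;', which the
    parser turns back into '&': the other valid alternative to CDATA."""
    opt = ET.Element("option")
    ET.SubElement(opt, "name").text = name
    ET.SubElement(opt, "value").text = value
    return ET.tostring(opt, encoding="unicode")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Only '*', '(', ')', backslash and NUL are special; '&' and ',' are not.
    A DN that already carries RFC 4514 escapes such as '\\,' therefore
    gets its backslash doubled-encoded to '\\5c' here, as the RFC requires."""
    special = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def member_of_filter(id_attr: str, group_dn: str) -> str:
    """Build a filter of the shape used for entrySearchFilter, with the group
    DN escaped for filter context. '{0}' is left as the PicketLink placeholder
    that the store substitutes at search time (hypothetical helper)."""
    return "(&(%s={0})(objectClass=user)(memberOf=%s))" % (
        id_attr,
        escape_filter_value(group_dn),
    )


if __name__ == "__main__":
    print("bare '&' well-formed:", is_well_formed(BARE_OPTION))
    print("CDATA value:", parse_option_value(CDATA_OPTION))
    print("serialised:", option_xml("ctxDNs", GROUP_DN))
    print(member_of_filter("sAMAccountName", GROUP_DN))
    print(member_of_filter("sAMAccountName", "CN=Ops (EU),DC=example,DC=com"))
```

Running it shows the bare-"&" fragment rejected by the XML parser while the CDATA fragment yields the DN unchanged, and the filter built from `GROUP_DN` carries the "&" through verbatim; only a DN with parentheses (the constructed "CN=Ops (EU)") gets `\28`/`\29` substitutions.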
-
2. Re: Picketlink Ldap; '&' in group names
bullso Sep 1, 2010 10:50 AM (in response to bdaw)
Hi!
Sorry for the late reply.
Your CDATA comment got me on the right path, and I'm not sure the problem is the '&'-sign anymore.
However, I'm still having some troubles:
Here is a more correct overview of the LDAP configuration:
|-LDAPSERVER
|--DC=tester,DC=ww-init,DC=com
|--OU=Administration and Admin Groups
|--CN=Builtin
|--CN=Users
|--OU=WW Group
|--OU=IT HUB Happy
|--OU=IT HUB Albie
|--OU=Users & Groups
|--CN=Person With Name <--Person
|--CN=Fredrik Peterson <--Person
|--CN=gruppe_user <--Group, the users of which I want to import.
|--CN=John Doe <--Person
Here is an example of the path for the user John Doe shown above:
distinguishedName = CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com
memberOf = CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com
sAMAccountName = John.Doe
Here is the relevant part of my idm-configuration.xml(The rest is unmodified):
<entry>
<key><string>/gruppeUsers/*</string></key>
<value><string>msad_roles_type</string></value>
</entry>

Here is the relevant part of my picketlink-idm-msad-readonly configuration.xml:
<identity-store>
<id>PortalLDAPStore</id>
<class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
<external-config/>
<supported-relationship-types>
<relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
</supported-relationship-types>
<supported-identity-object-types>
<identity-object-type>
<name>USER</name>
<relationships/>
<credentials>
<credential-type>PASSWORD</credential-type>
</credentials>
<attributes>
<attribute>
<name>firstName</name>
<mapping>givenName</mapping>
<type>text</type>
<isRequired>false</isRequired>
<isMultivalued>false</isMultivalued>
<isReadOnly>false</isReadOnly>
</attribute>
<attribute>
<name>lastName</name>
<mapping>sn</mapping>
<type>text</type>
<isRequired>false</isRequired>
<isMultivalued>false</isMultivalued>
<isReadOnly>false</isReadOnly>
</attribute>
<attribute>
<name>email</name>
<mapping>mail</mapping>
<type>text</type>
<isRequired>false</isRequired>
<isMultivalued>false</isMultivalued>
<isReadOnly>false</isReadOnly>
<isUnique>true</isUnique>
</attribute>
</attributes>
<options>
<option>
<name>idAttributeName</name>
<value>sAMAccountName</value>
</option>
<option>
<name>entrySearchFilter</name>
<value><![CDATA[(&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com))]]></value>
</option>
<option>
<name>passwordAttributeName</name>
<value>unicodePwd</value>
</option>
<option>
<name>enclosePasswordWith</name>
<value>"</value>
</option>
<option>
<name>passwordEncoding</name>
<value>UTF-16LE</value>
</option>
<option>
<name>ctxDNs</name>
<value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
</option>
<option>
<name>allowCreateEntry</name>
<value>true</value>
</option>
<option>
<name>createEntryAttributeValues</name>
<value>objectClass=top</value>
<value>objectClass=inetOrgPerson</value>
<value>sn= </value>
<value>userAccountControl=514</value>
<!--<value>cn= </value>-->
</option>
<option>
<name>passwordUpdateAttributeValues</name>
<value>userAccountControl=512</value>
</option>
</options>
</identity-object-type>
<identity-object-type>
<name>msad_roles_type</name>
<relationships>
<relationship>
<relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
<identity-object-type-ref>USER</identity-object-type-ref>
</relationship>
<relationship>
<relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
<identity-object-type-ref>msad_roles_type</identity-object-type-ref>
</relationship>
</relationships>
<credentials/>
<attributes>
<attribute>
<name>label</name>
<mapping>cn</mapping>
<type>text</type>
<isRequired>false</isRequired>
<isMultivalued>false</isMultivalued>
<isReadOnly>true</isReadOnly>
</attribute>
<attribute>
<name>description</name>
<mapping>description</mapping>
<type>text</type>
<isRequired>false</isRequired>
<isMultivalued>false</isMultivalued>
<isReadOnly>false</isReadOnly>
</attribute>
</attributes>
<options>
<option>
<name>idAttributeName</name>
<value>cn</value>
</option>
<option>
<name>ctxDNs</name>
<value><![CDATA[OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]]></value>
</option>
<option>
<name>entrySearchScope</name>
<value>subtree</value>
</option>
<option>
<name>entrySearchFilter</name>
<value><![CDATA[(&(sAMAccountName={0})(objectClass=group)(CN=gruppe_users))]]></value>
</option>
<option>
<name>allowCreateEntry</name>
<value>true</value>
</option>
<option>
<name>parentMembershipAttributeName</name>
<value>member</value>
</option>
<option>
<name>isParentMembershipAttributeDN</name>
<value>true</value>
</option>
<option>
<name>allowEmptyMemberships</name>
<value>true</value>
</option>
<option>
<name>createEntryAttributeValues</name>
<value>objectClass=top</value>
<value>objectClass=group</value>
<value>groupType=8</value>
</option>
</options>
</identity-object-type>
</supported-identity-object-types>
<options>.... Connection info etc....
</options>
</identity-store>
If I go into the User Management tab in GateIn:
All the users are imported.
The user John Doe is registered with the following membership:
User Name   Group Id                    Membership Type
John.Doe    /gruppeUsers/gruppe_users   member

On the Group Management tab, in the uniseveUsers/gruppe_users group, which is the correct one, it says "Empty Data".
In the console I get the following error message when expanding the group:
16:17:24,513 FINER [LDAPIdentityStoreImpl] Prepared LDAP Search ; contexts: [OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com]; filter: (&(sAMAccountName={0})(objectClass=user) (memberOf=CN=gruppe_users,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com)); filter args: [John Doe]; returning attributes: [sAMAccountName]
16:17:24,517 FINER [JBossCacheIdentityStoreCacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheIdentityStoreCacheProviderImpl@230c586eObject found in cache: hash1338618379;namespace=PortalLDAPStore
16:17:24,521 FINER [LDAPIdentityStoreImpl] LDAP search results found in cache. size=0
16:17:24,525 FINER [FallbackIdentityStoreRepository] Exception occurred:org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN: CN=John Doe,OU=Users & Groups,OU=IT HUB Albie,OU=WW Group,DC=tester,DC=ww-init,DC=com
Any suggestion to what might be causing this error? Any help would be very much appreciated.