[Deploying Sakai] Active Directory Integration

Frizzell, Ryan rfrizzel at regis.edu
Wed May 5 11:21:30 PDT 2010


Hello all, 

I'm in the process of setting up a Sakai demo system with active directory integration. The error I'm running into upon attempts to authenticate is: 

2010-05-05 11:10:38,183  WARN http-8080-Processor19 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
2010-05-05 11:19:51,232 ERROR http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
LDAPException: Matched DN:



I've been browsing the mailing lists and documentation but I can't seem to determine the cause of this issue. I'm using the JLDAP provider. Here is my configuration for JLDAP; I'm building from 2.6.2: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

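	<bean id="org.sakaiproject.user.api.UserDirectoryProvider"
		class="edu.amc.sakai.user.JLDAPDirectoryProvider" init-method="init"
		destroy-method="destroy" singleton="true">
		
		<!-- Required. Host name or address of your LDAP server -->
		<property name="ldapHost">
			<value>myhost.domain.net</value>
		</property>

		<!-- Optional. LDAP connection port. Typically defaults to 
			JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
			connections are usually on 636 -->
		<!-- property name="ldapPort">
			<value>389</value>
		</property-->

		<!--  If secureConnection is true, a keystore location must be provided
			unless javax.net.ssl.trustStore system property has already been 
			set -->
		<!--property name="keystoreLocation">
			<value>/usually/set/at/startup</value>
		</property-->

		<!--  If secureConnection is true, a keystore password must be provided
			unless javax.net.ssl.trustStorePassword system property has already
			been set -->
		<!--property name="keystorePassword">
			<value>usually-set-at-startup</value>
		</property-->

		<!-- Optional. DN to which to bind for directory searches. 
			Typically only necessary if autoBind is true.
			NOTE(review): in the posted log the AD sub-code "data 525" that
			accompanies "Invalid Credentials (49)" means the DN presented to
			the bind was not found (a wrong password is reported as 52e
			instead). Verify this DN exists exactly as written (OU order,
			spelling) and, since getUser() logged "eid: null", that the login
			being authenticated actually resolves to an entry before the
			user bind is attempted. -->
		<property name="ldapUser">
			<value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
		</property>

		<!-- Optional. Password for ldapUser defined above.
			This is a cleartext credential: redact it before sharing this
			file and rotate it once it has been posted anywhere.
			The closing tag of this property previously carried a stray
			comment terminator (left over from un-commenting the block);
			that is a well-formedness error and makes the XML parser reject
			the entire file, so it has been removed here. -->
		<property name="ldapPassword">
			<value>secret</value>
		</property>

		<!-- Optional. Enables/disables secure LDAP connections.
			defaults to JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false).
			With the default, the ldapUser bind password and every password
			checked by authenticateUser() are sent unencrypted to port 389.
			For anything beyond a throwaway demo set this to true together
			with ldapPort 636 (or the StartTLS factory below) and the
			keystore settings above. -->
		<!-- property name="secureConnection">
			<value>false</value>
		</property -->

		<!-- Optional. If secureConnection is true, this socket factory
			will be assigned globally to LDAPConnections. Defaults to an
			instance of com.novell.ldap.LDAPJSSESecureSocketFactory, which
			is appropriate for SSL connections. Use 
			com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
		<!-- property name="secureSocketFactory">
			<bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
		</property -->

		<!-- Optional. Indicate if connection allocation should
			implicitly bind as ${ldapUser}. Defaults to false.
			Set to true here, so ldapUser/ldapPassword above must be valid
			for directory searches to work at all. -->
		<property name="autoBind">
			<value>true</value>
		</property> 

		<!-- Optional, but usually specified. Base DN for directory searches. -->
		<property name="basePath">
			<value>dc=mydomain,dc=net</value>
		</property>

		<!-- Optional. Indicate if connections should follow
			referrals. Defaults to  
			JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false).
			NOTE(review): with basePath at the domain root, Active Directory
			answers subtree searches with referrals to its other naming
			contexts; following them requires those hosts to resolve and be
			reachable, otherwise lookups can stall or fail. If user lookups
			misbehave, try false first. -->
		<property name="followReferrals">
			<value>true</value>
		</property>

		<!-- Optional. LDAP operation timeout in millis. Defaults 
			to JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
		<!-- property name="operationTimeout">
			<value>5000</value>
		</property -->

		<!-- Optional. User entry cache ttl in millis. Defaults
			to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL (300000)-->
		<property name="cacheTTL">
			<value>300000</value>
		</property>

		<!-- Optional. Control case-sensitivity of cache keys (User.eid values).
		     Defaults to false. (Note that this is a departure from historical
		     behavior.) AD matches login names case-insensitively, so false
		     is the consistent choice here. -->
		<property name="caseSensitiveCacheKeys">
			<value>false</value>
		</property>
		
		<!--  Optional. Control the return value of 
		      JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
		      on a global basis. Defaults to
		      JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST.  -->
		<!--  property name="authenticateWithProviderFirst">
			<value>false</value>
		</property -->
		
		<!--  Optional. Control whether or not authentication is attempted
		      on a global basis. "true" enables authentication attempts (but
		      does not automatically grant all authN attempts), "false" 
		      short-circuits that process and refuses all authN
		      attempts.  Defaults to 
		      JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION  -->
		<!--  property name="allowAuthentication">
			<value>true</value>
		</property -->
		
		<!-- Optional. Defaults to an instance of 
		edu.amc.sakai.user.SimpleLdapConnectionManager -->
		<!-- property name="ldapConnectionManager">
			<bean class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
		</property -->

		<!-- Optional. Use Connection Pooling?
			Defaults to JLDAPDirectoryProvider.DEFAULT_POOLING (false). 
			Has no effect if ldapConnectionManager has been explicitly
			assigned (unless that object honors this flag, of course). -->
		<!--  property name="pooling">
			<value>false</value>
		</property -->

		<!-- Optional. Maximum number of connections in the pool
			Defaults to JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
		<!--  property name="poolMaxConns">
			<value>10</value>
		</property -->
		
		<!-- Optional. Defaults to an instance of 
		edu.amc.sakai.user.SimpleLdapAttributeMapper -->
		<property name="ldapAttributeMapper">
			<ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
		</property>
		
		<!-- Optional. Only considered if ldapAttributeMapper is not explicitly
		assigned. That is, if you choose to use the default LdapAttributeMapper
		implementation, it is sufficient to specify attribute mappings here
		and dispense with defining a edu.amc.sakai.user.LdapAttributeMapper bean.
		This preserves forward compatibility of pre-2.5 config -->
		<!--  property name="attributeMappings">
			<map>
				<entry key="logicalAttrName">
					<value>physicalAttrName</value>
				</entry>
			</map>
		</property -->
		
		<!-- Optional. Defaults to allowing searches on any EID, including empty
		and null Strings. Enabling a validator such as the one below keeps
		well-known non-user names from ever reaching the directory. -->
		<!-- property name="eidValidator">
			<bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
				<property name="regexpFlags">
					<bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
						class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
				</property>
				<property name="eidBlacklist">
					<list>
						<value>guest</value>
						<value>nobody</value>
						<value>adversary</value>
					</list>
				</property>
			</bean>
		</property -->
		
	</bean>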
			
    <!-- An optional bean definition which can be used to customize LDAP
    attribute to Sakai User instance member mapping behaviors. This
    example describes available configuration options for SimpleLdapAttributeMapper
    (the default LdapAttributeMapper implementation). It is the mapper the
    provider bean above references through its ldapAttributeMapper property. -->
	<bean id="edu.amc.sakai.user.LdapAttributeMapper"
			class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
			init-method="init"
			singleton="true">
			
		<!-- A typical set of attribute mappings. Keys are logical
		names expected by the application. Values are physical LDAP
		attribute names. If not specified or empty, defaults to
		AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS.
		NOTE(review): only four logical names are mapped here; there is no
		"groupMembership" entry, which the EntryAttributeToUserTypeMapper
		bean below names as its logicalAttributeName. That mapper is not the
		active one, so this only matters if it is ever selected. -->
		<property name="attributeMappings">
			<map>
				<entry key="login"><value>sAMAccountName</value></entry>         
				<entry key="firstName"><value>givenName</value></entry> 
				<entry key="lastName"><value>sn</value></entry> 
				<entry key="email"><value>mail</value></entry>  
				     
			</map>
		</property>
		
		<!-- Several options for calculating Sakai user types based
		on LDAP attributes. Defaults to an instance of EmptyStringUserTypeMapper -->
		<property name="userTypeMapper">
			<!-- Select one of the following beans. Only the referenced bean
			is used; the two commented alternatives are defined further down
			for documentation purposes. -->
			<ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
			<!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
			<!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
		</property>
		
	</bean>
	
	
	<!-- /// Begin Sample UserTypeMapper Beans /// -->
	
	<!-- Will usually only need at most one of the following UserTypeMapper
	beans. Three "standard" options shown here for documentation purposes. The 
	"active" bean will be selected by a bean reference in the userTypeMapper 
	property definition above. -->
	
	<!-- EmptyStringUserTypeMapper gives all users an
	empty string as their Sakai "type". This is the bean currently
	selected by the userTypeMapper property above. -->
	<bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
		class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
		singleton="true" />
		
	<!-- EntryAttributeToUserTypeMapper calculates Sakai user
		types by simply passing attribute values through a map with
		configurable "miss" behavior. Defined here for reference only;
		it is not referenced by the userTypeMapper property above. -->
	<bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
		class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
		singleton="true">
		
		<!-- Optional. If not present or empty, behavior is
		determined by the value of returnLiteralAttributeValueIfNoMapping
		(see below). -->
		<!-- property name="attributeValueToSakaiUserTypeMap">
			<map>
				<entry key="faculty"><value>faculty</value></entry> 
				<entry key="students"><value>student</value></entry> 
			</map>
		</property -->
				
		<!-- Required. The logical name of the LDAP attribute which
		defines Sakai users' types. Value should be a key into the 
		attribute mappings associated with this LdapAttributeMapper 
		instance.
		NOTE(review): "groupMembership" is not a key in the attributeMappings
		map of the LdapAttributeMapper bean above, so a mapping for it would
		have to be added there before this mapper could be selected. -->
		<property name="logicalAttributeName">
			<value>groupMembership</value>
		</property>
				
		<!-- Optional. Defaults to false -->
		<!--  property name="returnLiteralAttributeValueIfNoMapping">
			<value>false</value>
		</property -->
				
		<!-- Optional. Only considered if returnLiteralAttributeValueIfNoMapping
			is false. Defaults to null. -->
		<!--  property name="defaultSakaiUserType">
			<null />
		</property -->
		
	</bean>
	
	<!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
		types by filtering a user entry's most-local RDN through the
		assigned map. Defined here for reference only; it is not
		referenced by the userTypeMapper property above. -->
	<bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
		class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
		singleton="true">
		
		<!-- Optional. Maps between container RDN values and Sakai user types.
			With both properties left commented out this bean applies no
			mapping at all. -->
		<!-- property name="rdnToSakaiUserTypeMap">
			<map>
				<entry key="facultyStaff"><value>faculty</value></entry> 
				<entry key="students"><value>student</value></entry> 
			</map>
		</property -->
				
		<!-- Optional. Defaults to false.  -->
		<!-- property name="returnLiteralRdnValueIfNoMapping">
			<value>false</value>
		</property -->
		
	</bean>
		
	<!-- /// End Sample UserTypeMapper Beans /// -->
	
</beans>




