[Deploying Sakai] Active Directory Integration
Frizzell, Ryan
rfrizzel at regis.edu
Wed May 5 11:21:30 PDT 2010
Hello all,
I'm in the process of setting up a Sakai demo system with active directory integration. The error I'm running into upon attempts to authenticate is:
2010-05-05 11:10:38,183 WARN http-8080-Processor19 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
2010-05-05 11:19:51,232 ERROR http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
LDAPException: Matched DN:
I've been browsing the mail lists and documentation but I can't seem to determine the cause of this issue. I'm using the JLDAP provider. Here is my configuration for JLDAP, I'm building from 2.6.2:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="org.sakaiproject.user.api.UserDirectoryProvider"
class="edu.amc.sakai.user.JLDAPDirectoryProvider" init-method="init"
destroy-method="destroy" singleton="true">
<!-- Required. Host name or address of your LDAP server -->
<property name="ldapHost">
<value>myhost.domain.net</value>
</property>
<!-- Optional. LDAP connection port. Typically defaults to
JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
connections are usually on 636 -->
<!-- property name="ldapPort">
<value>389</value>
</property-->
<!-- If secureConnection is true, a keystore location must be provided
unless javax.net.ssl.trustStore system property has already been
set -->
<!--property name="keystoreLocation">
<value>/usually/set/at/startup</value>
</property-->
<!-- If secureConnection is true, a keystore password must be provided
unless javax.net.ssl.trustStorePassword system property has already
been set -->
<!--property name="keystorePassword">
<value>usually-set-at-startup</value>
</property-->
<!-- Optional. DN to which to bind for directory searches.
Typically only necessary if autoBind is true -->
<property name="ldapUser">
<value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
</property>
<!-- Optional. Password for ldapUser defined above -->
<property name="ldapPassword">
<value>secret</value>
</property -->
<!-- Optional. Enables/disables secure LDAP connections.
defaults to JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
<!-- property name="secureConnection">
<value>false</value>
</property -->
<!-- Optional. If secureConnection is true, this socket factory
will be assigned globally to LDAPConnections. Defaults to an
instance of com.novell.ldap.LDAPJSSESecureSocketFactory, which
is appropriate for SSL connections. Use
com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
<!-- property name="secureSocketFactory">
<bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
</property -->
<!-- Optional. Indicate if connection allocation should
implicitly bind as ${ldapUser}. Defaults to false -->
<property name="autoBind">
<value>true</value>
</property>
<!-- Optional, but usually specified. Base DN for directory searches. -->
<property name="basePath">
<value>dc=mydomain,dc=net</value>
</property>
<!-- Optional. Indicate if connections should follow
referrals. Defaults to
JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
<property name="followReferrals">
<value>true</value>
</property>
<!-- Optional. LDAP operation timeout in millis. Defaults
to JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
<!-- property name="operationTimeout">
<value>5000</value>
</property -->
<!-- Optional. User entry cache ttl in millis. Defaults
to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL (300000)-->
<property name="cacheTTL">
<value>300000</value>
</property>
<!-- Optional. Control case-sensitivity of cache keys (User.eid values).
Defaults to false. (Note that this is a departure from historical
behavior.) -->
<property name="caseSensitiveCacheKeys">
<value>false</value>
</property>
<!-- Optional. Control the return value of
JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
on a global basis. Defaults to
JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST. -->
<!-- property name="authenticateWithProviderFirst">
<value>false</value>
</property -->
<!-- Optional. Control whether or not authentication is attempted
on a global basis. "true" enables authentication attempts (but
does not automatically grant all authN attempts), "false"
short-circuits that process and refuses all authN
attempts. Defaults to
JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION -->
<!-- property name="allowAuthentication">
<value>true</value>
</property -->
<!-- Optional. Defaults to an instance of
edu.amc.sakai.user.SimpleLdapConnectionManager -->
<!-- property name="ldapConnectionManager">
<bean class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
</property -->
<!-- Optional. Use Connection Pooling?
Defaults to JLDAPDirectoryProvider.DEFAULT_POOLING (false).
Has no effect if ldapConnectionManager has been explicitly
assigned (unless that object honors this flag, of course). -->
<!-- property name="pooling">
<value>false</value>
</property -->
<!-- Optional. Maxmimum number of connections in the pool
Defaults to JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
<!-- property name="poolMaxConns">
<value>10</value>
</property -->
<!-- Optional. Defaults to an instance of
edu.amc.sakai.user.SimpleLdapAttributeMapper -->
<property name="ldapAttributeMapper">
<ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
</property>
<!-- Optional. Only considered if ldapAttributeMapper is not explicitly
assigned. That is, if you choose to use the default LdapAttributeMapper
implementation, it is sufficient to specify attribute mappings here
and dispense with defining a edu.amc.sakai.user.LdapAttributeMapper bean.
This preserves forward compatibility of pre-2.5 config -->
<!-- property name="attributeMappings">
<map>
<entry key="logicalAttrName">
<value>physicalAttrName</value>
</entry>
</map>
</property -->
<!-- Optional. Defaults to allowing searches on any EID, including empty
and null Strings. -->
<!-- property name="eidValidator">
<bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
<property name="regexpFlags">
<bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
</property>
<property name="eidBlacklist">
<list>
<value>guest</value>
<value>nobody</value>
<value>adversary</value>
</list>
</property>
</bean>
</property -->
</bean>
<!-- An optional bean definition which can be used to customize LDAP
attribute to Sakai User instance member mapping behaviors. This
example describes availabel configuration options for SimpleLdapAttributeMapper
(the default LdapAttributeMapper implementation). -->
<bean id="edu.amc.sakai.user.LdapAttributeMapper"
class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
init-method="init"
singleton="true">
<!-- A typical set of attribute mappings. Keys are logical
names expected by the application. Values are physical LDAP
attribute names. If not specified or empty, defaults to
AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
<property name="attributeMappings">
<map>
<entry key="login"><value>sAMAccountName</value></entry>
<entry key="firstName"><value>givenName</value></entry>
<entry key="lastName"><value>sn</value></entry>
<entry key="email"><value>mail</value></entry>
</map>
</property>
<!-- Several options for calculating Sakai user types based
on LDAP attributes. Defaults to an instance of EmptyStringUserTypeMapper -->
<property name="userTypeMapper">
<!-- Select one of the following beans -->
<ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
<!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
<!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
</property>
</bean>
<!-- /// Begin Sample UserTypeMapper Beans /// -->
<!-- Will usually only need at most one of the following UserTypeMapper
beans. Three "standard" options shown here for documentation purposes. The
"active" bean will be selected by a bean reference in the userTypeMapper
property definition above. -->
<!-- EmptyStringUserTypeMapper assigns gives all users an
empty string as their Sakai "type" -->
<bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
singleton="true" />
<!-- EntryAttributeToUserTypeMapper calculates Sakai user
types by simply passing attribute values through a map with
configurable "miss" behavior. -->
<bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
singleton="true">
<!-- Optional. If not present or empty, behavior is
determined by the value of returnLiteralAttributeValueIfNoMapping
(see below). -->
<!-- property name="attributeValueToSakaiUserTypeMap">
<map>
<entry key="faculty"><value>faculty</value></entry>
<entry key="students"><value>student</value></entry>
</map>
</property -->
<!-- Required. The logical name of the LDAP attribute which
defines Sakai users' types. Value should be a key into the
attribute mappings associated with this LdapAttributeMapper
instance. -->
<property name="logicalAttributeName">
<value>groupMembership</value>
</property>
<!-- Optional. Defaults to false -->
<!-- property name="returnLiteralAttributeValueIfNoMapping">
<value>false</value>
</property -->
<!-- Optional. Only considered if returnLiteralAttributeValueIfNoMapping
is false. Defaults to null. -->
<!-- property name="defaultSakaiUserType">
<null />
</property -->
</bean>
<!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
types by filtering a user entry's most-local RDN through the
assigned map. -->
<bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
singleton="true">
<!-- Optional. Maps between container RDN values and Sakai user types -->
<!-- property name="rdnToSakaiUserTypeMap">
<map>
<entry key="facultyStaff"><value>faculty</value></entry>
<entry key="students"><value>student</value></entry>
</map>
</property -->
<!-- Optional. Defaults to false. -->
<!-- property name="returnLiteralRdnValueIfNoMapping">
<value>false</value>
</property -->
</bean>
<!-- /// End Sample UserTypeMapper Beans /// -->
</beans>
More information about the production
mailing list