[Deploying Sakai] Active Directory Integration

Mike De Simone michael.desimone at rsmart.com
Wed May 5 11:47:36 PDT 2010


One quick thing I can see is that the ldapPassword property has an XML syntax
error.  The --> at the end of the element is there, but the beginning of the
comment <!-- is not.  This seems like it would cause Spring to fail on
startup, and since that doesn't appear to be happening, I'm not entirely
sure this would cause your problems, but it probably isn't helping things
either :)


Thanks,

-------------------------------
Mike DeSimone
Sr. Technical Consultant
rSmart
tel: 602-490-0473
icq: 161896611


On Wed, May 5, 2010 at 11:21, Frizzell, Ryan <rfrizzel at regis.edu> wrote:

> Hello all,
>
> I'm in the process of setting up a Sakai demo system with active directory
> integration. The error I'm running into upon attempts to authenticate is:
>
> 2010-05-05 11:10:38,183  WARN http-8080-Processor19
> edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid
> credentials [userLogin = testUser]
> 2010-05-05 11:19:51,232 ERROR http-8080-Processor23
> edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment:
> AcceptSecurityContext error, data 525, v1772
> LDAPException: Matched DN:
>
>
>
> I've been browsing the mail lists and documentation but I can't seem to
> determine the cause of this issue. I'm using the JLDAP provider. Here is my
> configuration for JLDAP, I'm building from 2.6.2:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
>
> <beans>
>
>        <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
>                class="edu.amc.sakai.user.JLDAPDirectoryProvider"
> init-method="init"
>                destroy-method="destroy" singleton="true">
>
>                <!-- Required. Host name or address of your LDAP server -->
>                <property name="ldapHost">
>                        <value>myhost.domain.net</value>
>                </property>
>
>                <!-- Optional. LDAP connection port. Typically defaults to
>                        JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389).
> Secured
>                        connections are usually on 636 -->
>                <!-- property name="ldapPort">
>                        <value>389</value>
>                </property-->
>
>                <!--  If secureConnection is true, a keystore location must
> be provided
>                        unless javax.net.ssl.trustStore system property has
> already been
>                        set -->
>                <!--property name="keystoreLocation">
>                        <value>/usually/set/at/startup</value>
>                </property-->
>
>                <!--  If secureConnection is true, a keystore password must
> be provided
>                        unless javax.net.ssl.trustStorePassword system
> property has already
>                        been set -->
>                <!--property name="keystorePassword">
>                        <value>usually-set-at-startup</value>
>                </property-->
>
>                <!-- Optional. DN to which to bind for directory searches.
>                        Typically only necessary if autoBind is true -->
>                <property name="ldapUser">
>
>  <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
>                </property>
>
>                <!-- Optional. Password for ldapUser defined above -->
>                <property name="ldapPassword">
>                        <value>secret</value>
>                </property -->
>
>                <!-- Optional. Enables/disables secure LDAP connections.
>                        defaults to
> JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
>                <!-- property name="secureConnection">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. If secureConnection is true, this socket
> factory
>                        will be assigned globally to LDAPConnections.
> Defaults to an
>                        instance of
> com.novell.ldap.LDAPJSSESecureSocketFactory, which
>                        is appropriate for SSL connections. Use
>                        com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
>                <!-- property name="secureSocketFactory">
>                        <bean
> class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
>                </property -->
>
>                <!-- Optional. Indicate if connection allocation should
>                        implicitly bind as ${ldapUser}. Defaults to false
> -->
>                <property name="autoBind">
>                        <value>true</value>
>                </property>
>
>                <!-- Optional, but usually specified. Base DN for directory
> searches. -->
>                <property name="basePath">
>                        <value>dc=mydomain,dc=net</value>
>                </property>
>
>                <!-- Optional. Indicate if connections should follow
>                        referrals. Defaults to
>                        JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS
> (false)-->
>                <property name="followReferrals">
>                        <value>true</value>
>                </property>
>
>                <!-- Optional. LDAP operation timeout in millis. Defaults
>                        to
> JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
>                <!-- property name="operationTimeout">
>                        <value>5000</value>
>                </property -->
>
>                <!-- Optional. User entry cache ttl in millis. Defaults
>                        to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL
> (300000)-->
>                <property name="cacheTTL">
>                        <value>300000</value>
>                </property>
>
>                <!-- Optional. Control case-sensitivity of cache keys
> (User.eid values).
>                     Defaults to false. (Note that this is a departure from
> historical
>                     behavior.) -->
>                <property name="caseSensitiveCacheKeys">
>                        <value>false</value>
>                </property>
>
>                <!--  Optional. Control the return value of
>
>  JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
>                      on a global basis. Defaults to
>
>  JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST.  -->
>                <!--  property name="authenticateWithProviderFirst">
>                        <value>false</value>
>                </property -->
>
>                <!--  Optional. Control whether or not authentication is
> attempted
>                      on a global basis. "true" enables authentication
> attempts (but
>                      does not automatically grant all authN attempts),
> "false"
>                      short-circuits that process and refuses all authN
>                      attempts.  Defaults to
>                      JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION
>  -->
>                <!--  property name="allowAuthentication">
>                        <value>true</value>
>                </property -->
>
>                <!-- Optional. Defaults to an instance of
>                edu.amc.sakai.user.SimpleLdapConnectionManager -->
>                <!-- property name="ldapConnectionManager">
>                        <bean
> class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
>                </property -->
>
>                <!-- Optional. Use Connection Pooling?
>                        Defaults to JLDAPDirectoryProvider.DEFAULT_POOLING
> (false).
>                        Has no effect if ldapConnectionManager has been
> explicitly
>                        assigned (unless that object honors this flag, of
> course). -->
>                <!--  property name="pooling">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. Maximum number of connections in the pool
>                        Defaults to
> JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
>                <!--  property name="poolMaxConns">
>                        <value>10</value>
>                </property -->
>
>                <!-- Optional. Defaults to an instance of
>                edu.amc.sakai.user.SimpleLdapAttributeMapper -->
>                <property name="ldapAttributeMapper">
>                        <ref bean="edu.amc.sakai.user.LdapAttributeMapper"
> />
>                </property>
>
>                <!-- Optional. Only considered if ldapAttributeMapper is not
> explicitly
>                assigned. That is, if you choose to use the default
> LdapAttributeMapper
>                implementation, it is sufficient to specify attribute
> mappings here
>                and dispense with defining a
> edu.amc.sakai.user.LdapAttributeMapper bean.
>                This preserves forward compatibility of pre-2.5 config -->
>                <!--  property name="attributeMappings">
>                        <map>
>                                <entry key="logicalAttrName">
>                                        <value>physicalAttrName</value>
>                                </entry>
>                        </map>
>                </property -->
>
>                <!-- Optional. Defaults to allowing searches on any EID,
> including empty
>                and null Strings. -->
>                <!-- property name="eidValidator">
>                        <bean
> class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>                                <property name="regexpFlags">
>                                        <bean
> id="java.util.regex.Pattern.CASE_INSENSITIVE"
>
>  class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"
> />
>                                </property>
>                                <property name="eidBlacklist">
>                                        <list>
>                                                <value>guest</value>
>                                                <value>nobody</value>
>                                                <value>adversary</value>
>                                        </list>
>                                </property>
>                        </bean>
>                </property -->
>
>        </bean>
>
>    <!-- An optional bean definition which can be used to customize LDAP
>    attribute to Sakai User instance member mapping behaviors. This
>    example describes available configuration options for
> SimpleLdapAttributeMapper
>    (the default LdapAttributeMapper implementation). -->
>        <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>                        class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>                        init-method="init"
>                        singleton="true">
>
>                <!-- A typical set of attribute mappings. Keys are logical
>                names expected by the application. Values are physical LDAP
>                attribute names. If not specified or empty, defaults to
>                AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>                <property name="attributeMappings">
>                        <map>
>                                <entry
> key="login"><value>sAMAccountName</value></entry>
>                                <entry
> key="firstName"><value>givenName</value></entry>
>                                <entry
> key="lastName"><value>sn</value></entry>
>                                <entry
> key="email"><value>mail</value></entry>
>
>                        </map>
>                </property>
>
>                <!-- Several options for calculating Sakai user types based
>                on LDAP attributes. Defaults to an instance of
> EmptyStringUserTypeMapper -->
>                <property name="userTypeMapper">
>                        <!-- Select one of the following beans -->
>                        <ref
> bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
>                        <!-- ref
> bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>                        <!-- ref
> bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>                </property>
>
>        </bean>
>
>
>        <!-- /// Begin Sample UserTypeMapper Beans /// -->
>
>        <!-- Will usually only need at most one of the following
> UserTypeMapper
>        beans. Three "standard" options shown here for documentation
> purposes. The
>        "active" bean will be selected by a bean reference in the
> userTypeMapper
>        property definition above. -->
>
>        <!-- EmptyStringUserTypeMapper gives all users an
>        empty string as their Sakai "type" -->
>        <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>                class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>                singleton="true" />
>
>        <!-- EntryAttributeToUserTypeMapper calculates Sakai user
>                types by simply passing attribute values through a map with
>                configurable "miss" behavior. -->
>        <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>                class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>                singleton="true">
>
>                <!-- Optional. If not present or empty, behavior is
>                determined by the value of
> returnLiteralAttributeValueIfNoMapping
>                (see below). -->
>                <!-- property name="attributeValueToSakaiUserTypeMap">
>                        <map>
>                                <entry
> key="faculty"><value>faculty</value></entry>
>                                <entry
> key="students"><value>student</value></entry>
>                        </map>
>                </property -->
>
>                <!-- Required. The logical name of the LDAP attribute which
>                defines Sakai users' types. Value should be a key into the
>                attribute mappings associated with this LdapAttributeMapper
>                instance. -->
>                <property name="logicalAttributeName">
>                        <value>groupMembership</value>
>                </property>
>
>                <!-- Optional. Defaults to false -->
>                <!--  property
> name="returnLiteralAttributeValueIfNoMapping">
>                        <value>false</value>
>                </property -->
>
>                <!-- Optional. Only considered if
> returnLiteralAttributeValueIfNoMapping
>                        is false. Defaults to null. -->
>                <!--  property name="defaultSakaiUserType">
>                        <null />
>                </property -->
>
>        </bean>
>
>        <!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
>                types by filtering a user entry's most-local RDN through the
>                assigned map. -->
>        <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>                class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>                singleton="true">
>
>                <!-- Optional. Maps between container RDN values and Sakai
> user types -->
>                <!-- property name="rdnToSakaiUserTypeMap">
>                        <map>
>                                <entry
> key="facultyStaff"><value>faculty</value></entry>
>                                <entry
> key="students"><value>student</value></entry>
>                        </map>
>                </property -->
>
>                <!-- Optional. Defaults to false.  -->
>                <!-- property name="returnLiteralRdnValueIfNoMapping">
>                        <value>false</value>
>                </property -->
>
>        </bean>
>
>        <!-- /// End Sample UserTypeMapper Beans /// -->
>
> </beans>
>
>
>
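As an added example (not from either message in this thread), the Python below decodes the "data NNN" field of the Active Directory bind diagnostic quoted in the log above (525 means the DN or account used to bind was not found, as opposed to 52e for a wrong password) and shows how the unbalanced comment Mike points out surfaces as an XML parse error; the log text and XML fragments are constructed to match the quoted ones.

```python
import re
import xml.etree.ElementTree as ET

# Meaning of the "data NNN" field in Active Directory's bind-failure diagnostic
# ("80090308: LdapErr: ... AcceptSecurityContext error, data NNN").
AD_BIND_DATA_CODES = {
    "525": "user not found (the DN or account used to bind does not exist)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DATA_CODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_ad_bind_errors(log_text):
    """Return [(data_code, meaning), ...] for every AD bind diagnostic in log_text."""
    codes = (m.group(1).lower() for m in DATA_CODE_RE.finditer(log_text))
    return [(c, AD_BIND_DATA_CODES.get(c, "unknown data code")) for c in codes]


def xml_parse_error(xml_text):
    """Return None if xml_text is well-formed XML, otherwise the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as err:
        return str(err)


# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE_LOG = (
    "2010-05-05 11:19:51,232 ERROR http-8080-Processor23 "
    "edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]\n"
    "LDAPException: Invalid Credentials (49) Invalid Credentials\n"
    "LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: "
    "AcceptSecurityContext error, data 525, v1772\n"
)

# Constructed fragments: the closing "-->" with no opening "<!--", and the fix.
BROKEN_FRAGMENT = """<beans>
  <property name="ldapPassword">
    <value>secret</value>
  </property -->
</beans>"""
FIXED_FRAGMENT = BROKEN_FRAGMENT.replace("<property", "<!-- property", 1)

if __name__ == "__main__":
    for code, meaning in decode_ad_bind_errors(SAMPLE_LOG):
        print(f"data {code}: {meaning}")
    print("broken fragment:", xml_parse_error(BROKEN_FRAGMENT))
    print("fixed fragment:", xml_parse_error(FIXED_FRAGMENT))
```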