[Deploying Sakai] Active Directory Integration
Daniel McCallum
dmccallum at unicon.net
Wed May 5 15:22:01 PDT 2010
The stack trace is caused by bad 'auto-bind' credentials. Can you verify
that your configured ldapUser and ldapPassword values work from the
command line, e.g.:
%> ldapsearch -H ldap://<your-ldap-host> -LLL \
-D CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net \
-x -W -b <your-search-base-dn> \
'(sAMAccountName=testUser)'
- Dan
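The triage below is an added example written for this archive page; it is not code from Dan, Ryan, or the Sakai/JLDAP project. It does offline what the thread does by hand: it reads the `bind(): binding [dn = ...]` line and the AD `AcceptSecurityContext error, data NNN` sub-code out of the provider log, pulls the configured `ldapUser` DN out of jldap-beans.xml, flags a mismatch between the two, and checks that the bean file is well-formed XML (the stray `-->` on the ldapPassword property that Mike points out further down the thread makes the `</property -->` end tag invalid). The sub-code table is the standard Active Directory mapping (525 = user not found, 52e = wrong password, and so on); the sample log lines and the two bean-file snippets are constructed from the lines quoted in this thread and are labelled as such in the code.

```python
"""Triage helper for a failed JLDAP auto-bind against Active Directory.

Added example for this mailing-list page, not Sakai project code.
"""
import re
import xml.etree.ElementTree as ET

# Meaning of the hex "data NNN" sub-code that Active Directory appends to an
# "AcceptSecurityContext error" on a failed simple bind (standard AD values).
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not resolve to an account",
    "52e": "invalid credentials: the account exists but the password is wrong",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_DN_RE = re.compile(r"bind\(\): binding \[dn = (?P<dn>[^\]]+)\]")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")
# Regex rather than an XML parser so the DN can still be read from a file
# that does not parse (see well_formed below).
LDAP_USER_RE = re.compile(
    r'<property name="ldapUser">\s*<value>(?P<dn>[^<]+)</value>', re.S)


def normalize_dn(dn):
    """Canonicalise a DN for comparison: AD treats DNs case-insensitively and
    tolerates whitespace around the comma separators."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def well_formed(xml_text):
    """Return (True, '') if the Spring bean file parses, else (False, reason).
    A stray '-->' such as '</property -->' turns the end tag into an
    invalid token, so Spring would refuse the file at startup."""
    try:
        ET.fromstring(xml_text)
        return True, ""
    except ET.ParseError as exc:
        return False, str(exc)


def diagnose(log_text, beans_xml):
    """Cross-check the provider log against jldap-beans.xml."""
    ok, reason = well_formed(beans_xml)
    report = {"xml_well_formed": ok, "xml_error": reason,
              "configured_dn": None, "bound_dn": None, "dn_mismatch": False,
              "subcode": None, "meaning": None}
    m = LDAP_USER_RE.search(beans_xml)
    if m:
        report["configured_dn"] = m.group("dn").strip()
    m = BIND_DN_RE.search(log_text)
    if m:
        report["bound_dn"] = m.group("dn").strip()
    if report["configured_dn"] and report["bound_dn"]:
        report["dn_mismatch"] = (normalize_dn(report["configured_dn"])
                                 != normalize_dn(report["bound_dn"]))
    m = SUBCODE_RE.search(log_text)
    if m:
        code = m.group("code").lower()
        report["subcode"] = code
        report["meaning"] = AD_BIND_SUBCODES.get(code, "unrecognised sub-code")
    return report


# Constructed sample input, copied from the log lines quoted in the thread.
SAMPLE_LOG = """\
2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
2010-05-05 14:34:10,744 ERROR http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
"""

# Constructed bean-file fragment with the ldapUser value from the updated
# config posted in the thread (DOCTYPE omitted for brevity).
BEANS_FIXED = """<beans>
  <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
        class="edu.amc.sakai.user.JLDAPDirectoryProvider">
    <property name="ldapUser">
      <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
    </property>
    <property name="ldapPassword">
      <value>secret</value>
    </property>
  </bean>
</beans>
"""
# Same fragment with the unbalanced comment closer from the first config.
BEANS_BROKEN = BEANS_FIXED.replace("<value>secret</value>\n    </property>",
                                   "<value>secret</value>\n    </property -->")

if __name__ == "__main__":
    for label, beans in (("fixed", BEANS_FIXED), ("broken", BEANS_BROKEN)):
        print(label, diagnose(SAMPLE_LOG, beans))
```

Run against the lines quoted in this thread, the report says two things worth acting on before anything else: the DN the provider actually bound with has an `OU=Service Accounts` component while the `ldapUser` in the posted jldap-beans.xml has `OU=lms`, so the running server is not reading the file being discussed; and sub-code 525 means AD could not find the bind DN at all, which is a different failure from a wrong password (52e) and is exactly what Dan's ldapsearch check would surface.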
Frizzell, Ryan wrote:
> I added the additional debugging directives to the sakai.properties file and here's what I'm getting now when trying to login. Not quite sure what to make of this.
>
> Thanks,
>
> -Ryan
>
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUserByEid(): [eid = null]
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getCachedUserEntry(): [eid = null]
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getCachedUserEntry(): cache access [found entry = false][entry expired = false]
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - searchDirectoryForSingleEntry(): [filter = sAMAccountName=null][reusing conn = false]
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - searchDirectory(): [filter = sAMAccountName=null][reusing conn = false]
> 2010-05-05 14:34:10,644 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection()
> 2010-05-05 14:34:10,685 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - applyConstraints(): values [timeout = 5000][follow referrals = true]
> 2010-05-05 14:34:10,685 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - connect()
> 2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection(): auto-binding
> 2010-05-05 14:34:10,699 DEBUG http-8080-Processor25 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
> 2010-05-05 14:34:10,744 ERROR http-8080-Processor25 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
> LDAPException: Matched DN:
> at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
> at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
> at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
> at com.novell.ldap.LDAPConnection.bind(Unknown Source)
> at com.novell.ldap.LDAPConnection.bind(Unknown Source)
> at edu.amc.sakai.user.SimpleLdapConnectionManager.bind(SimpleLdapConnectionManager.java:123)
> at edu.amc.sakai.user.SimpleLdapConnectionManager.getConnection(SimpleLdapConnectionManager.java:92)
> at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProvider.java:898)
> at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectoryForSingleEntry(JLDAPDirectoryProvider.java:846)
> at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:768)
> at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:722)
> at edu.amc.sakai.user.JLDAPDirectoryProvider.getUser(JLDAPDirectoryProvider.java:580)
> at org.sakaiproject.user.impl.BaseUserDirectoryService.getProvidedUserByEid(BaseUserDirectoryService.java:619)
> at org.sakaiproject.user.impl.BaseUserDirectoryService.getUserId(BaseUserDirectoryService.java:597)
> at org.sakaiproject.user.cover.UserDirectoryService.getUserId(UserDirectoryService.java:303)
> at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getSiteVisit(PortalSiteHelperImpl.java:887)
> at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getMyWorkspace(PortalSiteHelperImpl.java:680)
> at org.sakaiproject.portal.charon.site.AbstractSiteViewImpl.<init>(AbstractSiteViewImpl.java:99)
> at org.sakaiproject.portal.charon.site.SubSiteViewImpl.<init>(SubSiteViewImpl.java:58)
> at org.sakaiproject.portal.charon.site.PortalSiteHelperImpl.getSitesView(PortalSiteHelperImpl.java:1117)
> at org.sakaiproject.portal.charon.SkinnableCharonPortal.includeSubSites(SkinnableCharonPortal.java:403)
> at org.sakaiproject.portal.charon.handlers.SiteHandler.doSite(SiteHandler.java:228)
> at org.sakaiproject.portal.charon.handlers.SiteHandler.doGet(SiteHandler.java:113)
> at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:768)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:616)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
> at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> at java.lang.Thread.run(Thread.java:595)
> 2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): [userLogin = testUser]
> 2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): allocating connection for login [userLogin = testUser]
> 2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection()
> 2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - applyConstraints(): values [timeout = 5000][follow referrals = true]
> 2010-05-05 14:34:36,981 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - connect()
> 2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - postConnect()
> 2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - getConnection(): auto-binding
> 2010-05-05 14:34:36,988 DEBUG http-8080-Processor23 edu.amc.sakai.user.SimpleLdapConnectionManager - bind(): binding [dn = CN=lmsDemoAuth,OU=Service Accounts,OU=test,DC=mydomain,DC=net]
> 2010-05-05 14:34:36,990 WARN http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
>
> -----Original Message-----
> From: Daniel McCallum [mailto:dmccallum at unicon.net]
> Sent: Wednesday, May 05, 2010 1:47 PM
> To: Frizzell, Ryan
> Cc: production at collab.sakaiproject.org
> Subject: Re: [Deploying Sakai] Active Directory Integration
>
> The null business is probably a red herring.
>
> Can you crank up logging to DEBUG and attach the output please?
>
> E.g. add the following to [sakai|local].properties:
>
> log.config.count=1
> log.config.1=DEBUG.edu.amc.sakai.user
>
> - Dan
>
> Frizzell, Ryan wrote:
>> Thanks for the catch on that, it seems I attached a slightly incorrect
>> version of the jldap-beans.XML. That error did cause startup issues.
>> I've resolved that issue however the error in the previous message still
>> exists.
>>
>> I've done some more digging and it sounds like, from the error, it might
>> be related to the null EID option in the XML config; however, currently it
>> is disabled. Will turning on the eidValidator in the config file and
>> setting it to verify based on some pattern stop the null searching? The
>> error looks like, even though it's been supplied a username, the LDAP
>> search is still working with a null value.
>>
>> Thanks,
>>
>> Ryan
>>
>> Here's an updated version of the jldap-beans.xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>> "http://www.springframework.org/dtd/spring-beans.dtd">
>>
>> <beans>
>>
>> <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
>>       class="edu.amc.sakai.user.JLDAPDirectoryProvider" init-method="init"
>>       destroy-method="destroy" singleton="true">
>>
>>     <!-- Required. Host name or address of your LDAP server -->
>>     <property name="ldapHost">
>>         <value>myhost.domain.net</value>
>>     </property>
>>
>>     <!-- Optional. LDAP connection port. Typically defaults to
>>          JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
>>          connections are usually on 636 -->
>>     <!-- property name="ldapPort">
>>         <value>389</value>
>>     </property-->
>>
>>     <!-- If secureConnection is true, a keystore location must be provided
>>          unless javax.net.ssl.trustStore system property has already been
>>          set -->
>>     <!--property name="keystoreLocation">
>>         <value>/usually/set/at/startup</value>
>>     </property-->
>>
>>     <!-- If secureConnection is true, a keystore password must be provided
>>          unless javax.net.ssl.trustStorePassword system property has already
>>          been set -->
>>     <!--property name="keystorePassword">
>>         <value>usually-set-at-startup</value>
>>     </property-->
>>
>>     <!-- Optional. DN to which to bind for directory searches.
>>          Typically only necessary if autoBind is true -->
>>     <property name="ldapUser">
>>         <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
>>     </property>
>>
>>     <!-- Optional. Password for ldapUser defined above -->
>>     <property name="ldapPassword">
>>         <value>secret</value>
>>     </property>
>>
>>     <!-- Optional. Enables/disables secure LDAP connections.
>>          defaults to JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
>>     <!-- property name="secureConnection">
>>         <value>false</value>
>>     </property -->
>>
>>     <!-- Optional. If secureConnection is true, this socket factory
>>          will be assigned globally to LDAPConnections. Defaults to an
>>          instance of com.novell.ldap.LDAPJSSESecureSocketFactory, which
>>          is appropriate for SSL connections. Use
>>          com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
>>     <!-- property name="secureSocketFactory">
>>         <bean class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
>>     </property -->
>>
>>     <!-- Optional. Indicate if connection allocation should
>>          implicitly bind as ${ldapUser}. Defaults to false -->
>>     <property name="autoBind">
>>         <value>true</value>
>>     </property>
>>
>>     <!-- Optional, but usually specified. Base DN for directory searches. -->
>>     <property name="basePath">
>>         <value>dc=mydomain,dc=net</value>
>>     </property>
>>
>>     <!-- Optional. Indicate if connections should follow referrals.
>>          Defaults to JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
>>     <property name="followReferrals">
>>         <value>true</value>
>>     </property>
>>
>>     <!-- Optional. LDAP operation timeout in millis. Defaults
>>          to JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
>>     <!-- property name="operationTimeout">
>>         <value>5000</value>
>>     </property -->
>>
>>     <!-- Optional. User entry cache ttl in millis. Defaults
>>          to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL (300000)-->
>>     <property name="cacheTTL">
>>         <value>300000</value>
>>     </property>
>>
>>     <!-- Optional. Control case-sensitivity of cache keys (User.eid values).
>>          Defaults to false. (Note that this is a departure from historical
>>          behavior.) -->
>>     <property name="caseSensitiveCacheKeys">
>>         <value>false</value>
>>     </property>
>>
>>     <!-- Optional. Control the return value of
>>          JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
>>          on a global basis. Defaults to
>>          JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST. -->
>>     <!-- property name="authenticateWithProviderFirst">
>>         <value>false</value>
>>     </property -->
>>
>>     <!-- Optional. Control whether or not authentication is attempted
>>          on a global basis. "true" enables authentication attempts (but
>>          does not automatically grant all authN attempts), "false"
>>          short-circuits that process and refuses all authN
>>          attempts. Defaults to
>>          JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION -->
>>     <!-- property name="allowAuthentication">
>>         <value>true</value>
>>     </property -->
>>
>>     <!-- Optional. Defaults to an instance of
>>          edu.amc.sakai.user.SimpleLdapConnectionManager -->
>>     <!-- property name="ldapConnectionManager">
>>         <bean class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
>>     </property -->
>>
>>     <!-- Optional. Use Connection Pooling?
>>          Defaults to JLDAPDirectoryProvider.DEFAULT_POOLING (false).
>>          Has no effect if ldapConnectionManager has been explicitly
>>          assigned (unless that object honors this flag, of course). -->
>>     <!-- property name="pooling">
>>         <value>false</value>
>>     </property -->
>>
>>     <!-- Optional. Maximum number of connections in the pool
>>          Defaults to JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
>>     <!-- property name="poolMaxConns">
>>         <value>10</value>
>>     </property -->
>>
>>     <!-- Optional. Defaults to an instance of
>>          edu.amc.sakai.user.SimpleLdapAttributeMapper -->
>>     <property name="ldapAttributeMapper">
>>         <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
>>     </property>
>>
>>     <!-- Optional. Only considered if ldapAttributeMapper is not explicitly
>>          assigned. That is, if you choose to use the default LdapAttributeMapper
>>          implementation, it is sufficient to specify attribute mappings here
>>          and dispense with defining a edu.amc.sakai.user.LdapAttributeMapper bean.
>>          This preserves forward compatibility of pre-2.5 config -->
>>     <!-- property name="attributeMappings">
>>         <map>
>>             <entry key="logicalAttrName">
>>                 <value>physicalAttrName</value>
>>             </entry>
>>         </map>
>>     </property -->
>>
>>     <!-- Optional. Defaults to allowing searches on any EID, including empty
>>          and null Strings. -->
>>     <!-- property name="eidValidator">
>>         <bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>>             <property name="regexpFlags">
>>                 <bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
>>                       class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
>>             </property>
>>             <property name="eidBlacklist">
>>                 <list>
>>                     <value>guest</value>
>>                     <value>nobody</value>
>>                     <value>adversary</value>
>>                 </list>
>>             </property>
>>         </bean>
>>     </property -->
>>
>> </bean>
>>
>> <!-- An optional bean definition which can be used to customize LDAP
>>      attribute to Sakai User instance member mapping behaviors. This
>>      example describes available configuration options for
>>      SimpleLdapAttributeMapper
>>      (the default LdapAttributeMapper implementation). -->
>> <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>>       class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>>       init-method="init"
>>       singleton="true">
>>
>>     <!-- A typical set of attribute mappings. Keys are logical
>>          names expected by the application. Values are physical LDAP
>>          attribute names. If not specified or empty, defaults to
>>          AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>>     <property name="attributeMappings">
>>         <map>
>>             <entry key="login"><value>sAMAccountName</value></entry>
>>             <entry key="firstName"><value>givenName</value></entry>
>>             <entry key="lastName"><value>sn</value></entry>
>>             <entry key="email"><value>mail</value></entry>
>>         </map>
>>     </property>
>>
>>     <!-- Several options for calculating Sakai user types based
>>          on LDAP attributes. Defaults to an instance of
>>          EmptyStringUserTypeMapper -->
>>     <property name="userTypeMapper">
>>         <!-- Select one of the following beans -->
>>         <ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
>>         <!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>>         <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>>     </property>
>>
>> </bean>
>>
>>
>> <!-- /// Begin Sample UserTypeMapper Beans /// -->
>>
>> <!-- Will usually only need at most one of the following UserTypeMapper
>>      beans. Three "standard" options shown here for documentation
>>      purposes. The "active" bean will be selected by a bean reference in the
>>      userTypeMapper property definition above. -->
>>
>> <!-- EmptyStringUserTypeMapper gives all users an
>>      empty string as their Sakai "type" -->
>> <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>>       class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>>       singleton="true" />
>>
>> <!-- EntryAttributeToUserTypeMapper calculates Sakai user
>>      types by simply passing attribute values through a map with
>>      configurable "miss" behavior. -->
>> <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>>       class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>>       singleton="true">
>>
>>     <!-- Optional. If not present or empty, behavior is
>>          determined by the value of returnLiteralAttributeValueIfNoMapping
>>          (see below). -->
>>     <!-- property name="attributeValueToSakaiUserTypeMap">
>>         <map>
>>             <entry key="faculty"><value>faculty</value></entry>
>>             <entry key="students"><value>student</value></entry>
>>         </map>
>>     </property -->
>>
>>     <!-- Required. The logical name of the LDAP attribute which
>>          defines Sakai users' types. Value should be a key into the
>>          attribute mappings associated with this LdapAttributeMapper
>>          instance. -->
>>     <property name="logicalAttributeName">
>>         <value>groupMembership</value>
>>     </property>
>>
>>     <!-- Optional. Defaults to false -->
>>     <!-- property name="returnLiteralAttributeValueIfNoMapping">
>>         <value>false</value>
>>     </property -->
>>
>>     <!-- Optional. Only considered if returnLiteralAttributeValueIfNoMapping
>>          is false. Defaults to null. -->
>>     <!-- property name="defaultSakaiUserType">
>>         <null />
>>     </property -->
>>
>> </bean>
>>
>> <!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
>>      types by filtering a user entry's most-local RDN through the
>>      assigned map. -->
>> <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>>       class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>>       singleton="true">
>>
>>     <!-- Optional. Maps between container RDN values and Sakai user types -->
>>     <!-- property name="rdnToSakaiUserTypeMap">
>>         <map>
>>             <entry key="facultyStaff"><value>faculty</value></entry>
>>             <entry key="students"><value>student</value></entry>
>>         </map>
>>     </property -->
>>
>>     <!-- Optional. Defaults to false. -->
>>     <!-- property name="returnLiteralRdnValueIfNoMapping">
>>         <value>false</value>
>>     </property -->
>>
>> </bean>
>>
>> <!-- /// End Sample UserTypeMapper Beans /// -->
>>
>> </beans>
>>
>> *From:* Mike De Simone [mailto:michael.desimone at rsmart.com]
>> *Sent:* Wednesday, May 05, 2010 12:48 PM
>> *To:* Frizzell, Ryan
>> *Cc:* production at collab.sakaiproject.org
>> *Subject:* Re: [Deploying Sakai] Active Directory Integration
>>
>> one quick thing I can see is the ldapPassword property has an XML syntax
>> error. the --> at the end of the element is there but the beginning of
>> the comment <!-- is not. This seems like it would cause spring to fail
>> on startup, and since that doesn't appear to be happening, I'm not
>> entirely sure this would cause your problems, but probably isn't helping
>> things either :)
>>
>> Thanks,
>>
>> -------------------------------
>> Mike DeSimone
>> Sr. Technical Consultant
>> rSmart
>> tel: 602-490-0473
>> icq: 161896611
>>
>> On Wed, May 5, 2010 at 11:21, Frizzell, Ryan <rfrizzel at regis.edu> wrote:
>>
>> Hello all,
>>
>> I'm in the process of setting up a Sakai demo system with active
>> directory integration. The error I'm running into upon attempts to
>> authenticate is:
>>
>> 2010-05-05 11:10:38,183 WARN http-8080-Processor19 edu.amc.sakai.user.JLDAPDirectoryProvider - authenticateUser(): invalid credentials [userLogin = testUser]
>> 2010-05-05 11:19:51,232 ERROR http-8080-Processor23 edu.amc.sakai.user.JLDAPDirectoryProvider - getUser() failed [eid: null]
>> LDAPException: Invalid Credentials (49) Invalid Credentials
>> LDAPException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
>> LDAPException: Matched DN:
>>
>> I've been browsing the mail lists and documentation but I can't seem to
>> determine the cause of this issue. I'm using the JLDAP provider. Here is
>> my configuration for JLDAP, I'm building from 2.6.2:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>> "http://www.springframework.org/dtd/spring-beans.dtd">
>>
>> <beans>
>>
>> <bean id="org.sakaiproject.user.api.UserDirectoryProvider"
>> class="edu.amc.sakai.user.JLDAPDirectoryProvider"
>> init-method="init"
>> destroy-method="destroy" singleton="true">
>>
>> <!-- Required. Host name or address of your LDAP server -->
>> <property name="ldapHost">
>> <value>myhost.domain.net</value>
>> </property>
>>
>> <!-- Optional. LDAP connection port. Typically defaults to
>> JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389).
>> Secured
>> connections are usually on 636 -->
>> <!-- property name="ldapPort">
>> <value>389</value>
>> </property-->
>>
>> <!-- If secureConnection is true, a keystore location
>> must be provided
>> unless javax.net.ssl.trustStore system property
>> has already been
>> set -->
>> <!--property name="keystoreLocation">
>> <value>/usually/set/at/startup</value>
>> </property-->
>>
>> <!-- If secureConnection is true, a keystore password
>> must be provided
>> unless javax.net.ssl.trustStorePassword system
>> property has already
>> been set -->
>> <!--property name="keystorePassword">
>> <value>usually-set-at-startup</value>
>> </property-->
>>
>> <!-- Optional. DN to which to bind for directory searches.
>> Typically only necessary if autoBind is true -->
>> <property name="ldapUser">
>>
>> <value>CN=lmsDemoAuth,OU=lms,OU=test,DC=mydomain,DC=net</value>
>> </property>
>>
>> <!-- Optional. Password for ldapUser defined above -->
>> <property name="ldapPassword">
>> <value>secret</value>
>> </property -->
>>
>> <!-- Optional. Enables/disables secure LDAP connections.
>> defaults to
>> JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
>> <!-- property name="secureConnection">
>> <value>false</value>
>> </property -->
>>
>> <!-- Optional. If secureConnection is true, this socket
>> factory
>> will be assigned globally to LDAPConnections.
>> Defaults to an
>> instance of
>> com.novell.ldap.LDAPJSSESecureSocketFactory, which
>> is appropriate for SSL connections. Use
>> com.novell.ldap.LDAPJSSEStartTLSFactory for TLS. -->
>> <!-- property name="secureSocketFactory">
>> <bean
>> class="com.novell.ldap.LDAPJSSESecureSocketFactory" />
>> </property -->
>>
>> <!-- Optional. Indicate if connection allocation should
>> implicitly bind as ${ldapUser}. Defaults to false -->
>> <property name="autoBind">
>> <value>true</value>
>> </property>
>>
>> <!-- Optional, but usually specified. Base DN for
>> directory searches. -->
>> <property name="basePath">
>> <value>dc=mydomain,dc=net</value>
>> </property>
>>
>> <!-- Optional. Indicate if connections should follow
>> referrals. Defaults to
>>
>> JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
>> <property name="followReferrals">
>> <value>true</value>
>> </property>
>>
>> <!-- Optional. LDAP operation timeout in millis. Defaults
>> to
>> JLDAPDirectoryProvider.DEFAULT_OPERATION_TIMEOUT_MILLIS (5000) -->
>> <!-- property name="operationTimeout">
>> <value>5000</value>
>> </property -->
>>
>> <!-- Optional. User entry cache ttl in millis. Defaults
>> to JLDAPDirectoryProvider.DEFAULT_CACHE_TTL
>> (300000)-->
>> <property name="cacheTTL">
>> <value>300000</value>
>> </property>
>>
>> <!-- Optional. Control case-sensitivity of cache keys
>> (User.eid values).
>> Defaults to false. (Note that this is a departure
>> from historical
>> behavior.) -->
>> <property name="caseSensitiveCacheKeys">
>> <value>false</value>
>> </property>
>>
>> <!-- Optional. Control the return value of
>>
>> JLDAPDirectoryProvider.authenticateWithProviderFirst(String)
>> on a global basis. Defaults to
>>
>> JLDAPDirectoryProvider.DEFAULT_AUTHENTICATE_WITH_PROVIDER_FIRST. -->
>> <!-- property name="authenticateWithProviderFirst">
>> <value>false</value>
>> </property -->
>>
>> <!-- Optional. Control whether or not authentication is
>> attempted
>> on a global basis. "true" enables authentication
>> attempts (but
>> does not automatically grant all authN attempts),
>> "false"
>> short-circuits that process and refuses all authN
>> attempts. Defaults to
>> JLDAPDirectoryProvider.DEFAULT_ALLOW_AUTHENTICATION
>> -->
>> <!-- property name="allowAuthentication">
>> <value>true</value>
>> </property -->
>>
>> <!-- Optional. Defaults to an instance of
>> edu.amc.sakai.user.SimpleLdapConnectionManager -->
>> <!-- property name="ldapConnectionManager">
>> <bean
>> class="edu.amc.sakai.user.SimpleLdapConnectionManager" />
>> </property -->
>>
>> <!-- Optional. Use Connection Pooling?
>> Defaults to
>> JLDAPDirectoryProvider.DEFAULT_POOLING (false).
>> Has no effect if ldapConnectionManager has been
>> explicitly
>> assigned (unless that object honors this flag, of
>> course). -->
>> <!-- property name="pooling">
>> <value>false</value>
>> </property -->
>>
>> <!-- Optional. Maximum number of connections in the pool
>> Defaults to
>> JLDAPDirectoryProvider.DEFAULT_POOL_MAX_CONNS (10) -->
>> <!-- property name="poolMaxConns">
>> <value>10</value>
>> </property -->
>>
>> <!-- Optional. Defaults to an instance of
>> edu.amc.sakai.user.SimpleLdapAttributeMapper -->
>> <property name="ldapAttributeMapper">
>> <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
>> </property>
>>
>> <!-- Optional. Only considered if ldapAttributeMapper is
>> not explicitly
>> assigned. That is, if you choose to use the default
>> LdapAttributeMapper
>> implementation, it is sufficient to specify attribute
>> mappings here
>> and dispense with defining a
>> edu.amc.sakai.user.LdapAttributeMapper bean.
>> This preserves forward compatibility of pre-2.5 config -->
>> <!-- property name="attributeMappings">
>> <map>
>> <entry key="logicalAttrName">
>> <value>physicalAttrName</value>
>> </entry>
>> </map>
>> </property -->
>>
>> <!-- Optional. Defaults to allowing searches on any EID,
>> including empty
>> and null Strings. -->
>> <!-- property name="eidValidator">
>> <bean
>> class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>> <property name="regexpFlags">
>> <bean
>> id="java.util.regex.Pattern.CASE_INSENSITIVE"
>>
>> class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"
>> />
>> </property>
>> <property name="eidBlacklist">
>> <list>
>> <value>guest</value>
>> <value>nobody</value>
>> <value>adversary</value>
>> </list>
>> </property>
>> </bean>
>> </property -->
>>
>> </bean>
>>
>> <!-- An optional bean definition which can be used to customize LDAP
>> attribute to Sakai User instance member mapping behaviors. This
>> example describes available configuration options for
>> SimpleLdapAttributeMapper
>> (the default LdapAttributeMapper implementation). -->
>> <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>> class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>> init-method="init"
>> singleton="true">
>>
>> <!-- A typical set of attribute mappings. Keys are logical
>> names expected by the application. Values are physical LDAP
>> attribute names. If not specified or empty, defaults to
>> AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>> <property name="attributeMappings">
>> <map>
>> <entry
>> key="login"><value>sAMAccountName</value></entry>
>> <entry
>> key="firstName"><value>givenName</value></entry>
>> <entry
>> key="lastName"><value>sn</value></entry>
>> <entry
>> key="email"><value>mail</value></entry>
>>
>> </map>
>> </property>
>>
>> <!-- Several options for calculating Sakai user types based
>> on LDAP attributes. Defaults to an instance of
>> EmptyStringUserTypeMapper -->
>> <property name="userTypeMapper">
>> <!-- Select one of the following beans -->
>> <ref
>> bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" />
>> <!-- ref
>> bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>> <!-- ref
>> bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>> </property>
>>
>> </bean>
>>
>>
>> <!-- /// Begin Sample UserTypeMapper Beans /// -->
>>
>> <!-- Will usually only need at most one of the following
>> UserTypeMapper
>> beans. Three "standard" options shown here for documentation
>> purposes. The
>> "active" bean will be selected by a bean reference in the
>> userTypeMapper
>> property definition above. -->
>>
>> <!-- EmptyStringUserTypeMapper gives all users an
>> empty string as their Sakai "type" -->
>> <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>> class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>> singleton="true" />
>>
>> <!-- EntryAttributeToUserTypeMapper calculates Sakai user
>> types by simply passing attribute values through a map with
>> configurable "miss" behavior. -->
>> <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>> class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>> singleton="true">
>>
>> <!-- Optional. If not present or empty, behavior is
>> determined by the value of
>> returnLiteralAttributeValueIfNoMapping
>> (see below). -->
>> <!-- property name="attributeValueToSakaiUserTypeMap">
>> <map>
>> <entry
>> key="faculty"><value>faculty</value></entry>
>> <entry
>> key="students"><value>student</value></entry>
>> </map>
>> </property -->
>>
>> <!-- Required. The logical name of the LDAP attribute which
>> defines Sakai users' types. Value should be a key into the
>> attribute mappings associated with this LdapAttributeMapper
>> instance. -->
>> <property name="logicalAttributeName">
>> <value>groupMembership</value>
>> </property>
>>
>> <!-- Optional. Defaults to false -->
>> <!-- property name="returnLiteralAttributeValueIfNoMapping">
>> <value>false</value>
>> </property -->
>>
>> <!-- Optional. Only considered if
>> returnLiteralAttributeValueIfNoMapping
>> is false. Defaults to null. -->
>> <!-- property name="defaultSakaiUserType">
>> <null />
>> </property -->
>>
>> </bean>
>>
>> <!-- EntryContainerRdnToUserTypeMapper calculates Sakai user
>> types by filtering a user entry's most-local RDN through the
>> assigned map. -->
>> <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>> class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>> singleton="true">
>>
>> <!-- Optional. Maps between container RDN values and
>> Sakai user types -->
>> <!-- property name="rdnToSakaiUserTypeMap">
>> <map>
>> <entry
>> key="facultyStaff"><value>faculty</value></entry>
>> <entry
>> key="students"><value>student</value></entry>
>> </map>
>> </property -->
>>
>> <!-- Optional. Defaults to false. -->
>> <!-- property name="returnLiteralRdnValueIfNoMapping">
>> <value>false</value>
>> </property -->
>>
>> </bean>
>>
>> <!-- /// End Sample UserTypeMapper Beans /// -->
>>
>> </beans>
>>
>>
>>
>> _______________________________________________
>> production mailing list
>> production at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/production
>>
>> TO UNSUBSCRIBE: send email to
>> production-unsubscribe at collab.sakaiproject.org with a subject
>> of "unsubscribe"