[Building Sakai] SAKAI LDAP configuration
Steve Swinsburg
steve.swinsburg at gmail.com
Wed Jul 9 06:05:18 PDT 2014
Ok, so using those same parameters, are you able to perform an ldapsearch on
the command line of your Sakai server for a given user?
On Wed, Jul 9, 2014 at 10:58 PM, Rashid, Amir <arashid at bu.edu> wrote:
> Hi
> The following properties are being used in the jldap-beans.xml file.
>
> Thanks,
> --Amir
>
> Amir Rashid - 617.358.2782
> Boston University - SMG ITS
>
> <property name="memoryService">
>     <ref bean="org.sakaiproject.memory.api.MemoryService"/>
> </property>
>
> <!-- Required. Host name or address of your LDAP server -->
> <property name="ldapHost">
>     <value>XX.XX.XXX</value>
> </property>
>
> <!-- Optional. LDAP connection port. Typically defaults to
>      JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
>      connections are usually on 636 -->
> <property name="ldapPort">
>     <value>389</value>
> </property>
>
> <!-- If secureConnection is true, a keystore location must be provided
>      unless javax.net.ssl.trustStore system property has already been set -->
> <!--property name="keystoreLocation">
>     <value>/usually/set/at/startup</value>
> </property-->
>
> <!-- If secureConnection is true, a keystore password must be provided
>      unless javax.net.ssl.trustStorePassword system property has already
>      been set -->
> <!--property name="keystorePassword">
>     <value>usually-set-at-startup</value>
> </property-->
>
> <!-- Optional. DN to which to bind for directory searches.
>      Typically only necessary if autoBind is true -->
> <property name="ldapUser">
>     <value>cn=XXXXXXX,OU=people,dc=XX,dc=XX,dc=XXX</value>
> </property>
>
> <!-- Optional. Password for ldapUser defined above -->
> <property name="ldapPassword">
>     <value>XXXXXXXXXX</value>
> </property>
>
> <!-- Optional. Enables/disables secure LDAP connections.
>      defaults to JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
> <property name="secureConnection">
>     <value>false</value>
> </property>
>
> <!-- Optional. Indicate if connection allocation should
>      implicitly bind as ${ldapUser}. Defaults to false -->
> <property name="autoBind">
>     <value>true</value>
> </property>
>
> <!-- Optional, but usually specified. Base DN for directory searches. -->
> <property name="basePath">
>     <value>dc=XX,dc=XX,dc=XXX</value>
> </property>
>
> <!-- Optional. Indicate if connections should follow referrals. Defaults to
>      JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
> <property name="followReferrals">
>     <value>false</value>
> </property>
>
> <property name="caseSensitiveCacheKeys">
>     <value>false</value>
> </property>
>
> <property name="ldapAttributeMapper">
>     <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
> </property>
>
> <!-- Optional. If you don't provide an eidValidator the system
>      defaults to allowing searches on any EID, including empty
>      and null Strings. -->
> <property name="eidValidator">
>     <bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
>         <property name="regexpFlags">
>             <bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
>                   class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
>         </property>
>         <property name="eidBlacklist">
>             <list>
>                 <value>null</value>
>                 <!--value>nobody</value-->
>                 <!--value>adversary</value-->
>             </list>
>         </property>
>     </bean>
> </property>
>
> <property name="searchAliases"><value>false</value></property>
>
> </bean>
>
> <!-- An optional bean definition which can be used to customize LDAP
>      attribute to Sakai User instance member mapping behaviors. This
>      example describes available configuration options for
>      SimpleLdapAttributeMapper (the default LdapAttributeMapper implementation). -->
> <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>       class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>       init-method="init"
>       singleton="true">
>
>     <!-- A typical set of attribute mappings. Keys are logical
>          names expected by the application. Values are physical LDAP
>          attribute names. If not specified or empty, defaults to
>          AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
>     <property name="attributeMappings">
>         <map>
>             <entry key="login"><value>sAMAccountName</value></entry>
>             <entry key="firstName"><value>givenName</value></entry>
>             <!--entry key="preferredFirstName"><value>preferredName</value></entry-->
>             <entry key="lastName"><value>sn</value></entry>
>             <entry key="email"><value>mail</value></entry>
>             <entry key="groupMembership"><value>groupMembership</value></entry>
>             <!--entry key="jpegPhoto"><value>jpegPhoto</value></entry -->
>         </map>
>     </property>
>
>     <!-- Several options for calculating Sakai user types based
>          on LDAP attributes. Defaults to an instance of
>          EmptyStringUserTypeMapper -->
>     <property name="userTypeMapper">
>         <!-- Select one of the following beans -->
>         <!--ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" /-->
>         <!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
>         <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>         <ref bean="edu.amc.sakai.user.StringUserTypeMapper" />
>     </property>
>
> </bean>
>
>
>
>
> From: Steve Swinsburg <steve.swinsburg at gmail.com>
> Date: Tuesday, July 8, 2014 at 11:56 PM
> To: "Rashid, Amir" <arashid at bu.edu>
> Cc: "sakai-dev at collab.sakaiproject.org" <sakai-dev at collab.sakaiproject.org>
> Subject: Re: [Building Sakai] SAKAI LDAP configuration
>
> Looks like you need to provide a username and password in the LDAP
> config to get a bind. What are your LDAP settings from jldap-beans.xml?
>
>
> On Wed, Jul 9, 2014 at 5:36 AM, Rashid, Amir <arashid at bu.edu> wrote:
>
>>
>> Hi Folks,
>>
>> I have 2.81 in production right now. I am using one of the test
>> machines to install SAKAI 10. I am trying to configure it to use LDAP the
>> same as 2.8. Included is the trace from the log file. I can intermittently
>> log in if I try it a few times. Please let me know if there are any
>> undocumented configuration changes to the LDAP configuration settings.
>>
>> I will appreciate your help in this matter.
>>
>> --Amir
>>
>> Amir Rashid - 617.358.2782
>> Boston University - SMG ITS
>>
>>
>> 2014-07-08 13:26:36,428 WARN ajp-bio-8009-exec-14 org.sakaiproject.portal.util.ErrorReporter - Bug Report bug-id: 573880ae-c5b0-42f5-8b47-534991e591a0 user: null usage-session: null time: Jul 8, 2014 13:26:36 user comment: null stack trace
>> org.sakaiproject.portal.api.PortalHandlerException: java.lang.RuntimeException: authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
>>     at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler.java:50)
>> caused by: java.lang.RuntimeException: authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
>>     at org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticatedUser(BaseUserDirectoryService.java:1668)
>> caused by: LDAPException: Operations Error (1) Operations Error
>> LDAPException: Server Message: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
>> LDAPException: Matched DN:
>>     at com.novell.ldap.LDAPResponse.getResultException(null:-1)
>>     at com.novell.ldap.LDAPResponse.chkResultCode(null:-1)
>>     at com.novell.ldap.LDAPSearchResults.next(null:-1)
>>     at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProvider.java:959)
>>     at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectoryForSingleEntry(JLDAPDirectoryProvider.java:856)
>>     at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:778)
>>     at edu.amc.sakai.user.JLDAPDirectoryProvider.lookupUserBindDn(JLDAPDirectoryProvider.java:820)
>>     at edu.amc.sakai.user.JLDAPDirectoryProvider.authenticateUser(JLDAPDirectoryProvider.java:397)
>>     at org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticatedUser(BaseUserDirectoryService.java:1668)
>>     at org.sakaiproject.user.impl.BaseUserDirectoryService.authenticate(BaseUserDirectoryService.java:1611)
>>     at org.sakaiproject.user.impl.UserAuthnComponent.authenticate(UserAuthnComponent.java:108)
>>     at org.sakaiproject.login.impl.LoginServiceComponent.authenticate(LoginServiceComponent.java:90)
>>     at org.sakaiproject.login.tool.SkinnableLogin.doPost(SkinnableLogin.java:302)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:394)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>     at org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.help(ActiveToolComponent.java:583)
>>     at org.sakaiproject.portal.charon.SkinnableCharonPortal.doLogin(SkinnableCharonPortal.java:997)
>>     at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doGet(ReLoginHandler.java:65)
>>     at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler.java:50)
>>     at org.sakaiproject.portal.charon.SkinnableCharonPortal.doPost(SkinnableCharonPortal.java:1296)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:455)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>     at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>>
>> Tool Placement:
>> No Placement
>>
>> Request:
>> : AuthType:null
>> : CharEncoding:UTF-8
>> : ContentLength:38
>> : ContentType:application/x-www-form-urlencoded
>> : ContextPath:/portal
>> : LocalAddress:smgcms1.bu.edu
>> : LocalName:smgcms1.bu.edu
>> : LocalPort:443
>> : Method:POST
>> : PathInfo:/relogin
>> : Protocol:HTTP/1.1
>> : QueryString:null
>> : RemoteAddress:168.122.33.194
>> : RemoteHost:168.122.33.194
>> : RemotePort:-1
>> : Requested URL:https://smgcms1.bu.edu/portal/relogin
>> : Scheme:https
>> : ServerName:smgcms1.bu.edu
>> : Headers:
>> : Header:host:smgcms1.bu.edu
>> : Header:connection:keep-alive
>> : Header:content-length:38
>> : Header:Cache-Control:max-age=0
>> : Header:accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>> : Header:Origin:https://smgcms1.bu.edu
>> : Header:user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
>> : Header:content-type:application/x-www-form-urlencoded
>> : Header:DNT:1
>> : Header:referer:https://smgcms1.bu.edu/portal/login
>> : Header:accept-encoding:gzip,deflate,sdch
>> : Header:accept-language:en-US,en;q=0.8
>> : Header:cookie:---censored---
>> : Parameters:
>> : Parameter:eid:0:----censored----
>> : Parameter:pw:0:----censored----
>> : Parameter:submit:0:Login
>> : Attributes:
>> : Attribute:javax.servlet.request.ssl_session:1C4C47A3FFAEEA4FAF017B65F33A916271C8B1293EB3487C9F7EEC25B8206C46
>> : Attribute:javax.servlet.request.ssl_session_id:1C4C47A3FFAEEA4FAF017B65F33A916271C8B1293EB3487C9F7EEC25B8206C46
>> : Attribute:sakai.character.encoding.done:sakai.character.encoding.done
>> : Attribute:javax.servlet.request.key_size:128
>> : Attribute:sakai.filtered:sakai.filtered
>> : Attribute:javax.servlet.request.cipher_suite:DHE-RSA-AES128-SHA
>> : Attribute:sakai.session:MyS_null{60cc469c-90b1-4a78-9bce-f06c3cc1c81a, userId='null', at=8, ts=2, cs=2, Tue Jul 08 13:24:53 EDT 2014}
>> Session:
>> : Created:1404840293523
>> : LastAccess:1404840396425
>> : CreationDateAndTime:Tuesday, July 8, 2014
>> : LastAccessDateAndTime:Tuesday, July 8, 2014
>> : MaxInactive:3600
>> : Attributes:
>> : Attribute:portalskin:neoskin
>>
>>
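Steve's suggestion to try the same bind parameters outside Sakai, carried a step further as an added example that is not part of this thread or of Sakai's own code: a small Python pre-flight checker for the JLDAPDirectoryProvider block of jldap-beans.xml that flags autoBind without a usable service account (the search in lookupUserBindDn that the trace fails in runs before the user's own bind), the cleartext simple bind that secureConnection=false implies, and property names wrapped in curly quotes (a copy-paste corruption mail clients often introduce), then builds the matching ldapsearch command. The host, DNs and bean id in the sample are constructed placeholders.

```python
"""Pre-flight checks for the JLDAPDirectoryProvider block of jldap-beans.xml.
Added example for this thread, not Sakai project code."""
import re
import xml.etree.ElementTree as ET

CURLY = "\u201c\u201d"  # typographic quotes that mail clients/editors substitute for "

# Constructed sample mirroring the posted config; every value is a placeholder.
SAMPLE_CONFIG = """<bean id="provider">
<property name="ldapHost"><value>ldap.example.invalid</value></property>
<property name="ldapPort"><value>389</value></property>
<property name=\u201cldapUser\u201d><value>cn=svc,OU=people,dc=example,dc=invalid</value></property>
<property name=\u201cldapPassword\u201d><value>placeholder</value></property>
<property name="secureConnection"><value>false</value></property>
<property name="autoBind"><value>true</value></property>
<property name="basePath"><value>dc=example,dc=invalid</value></property>
</bean>"""

def parse_props(xml_text):
    """Return ({property name: value}, [names wrapped in curly quotes])."""
    curly = sorted(set(re.findall(r"name=[%s](\w+)[%s]" % (CURLY, CURLY), xml_text)))
    clean = xml_text.translate({ord(c): '"' for c in CURLY})  # make it parseable
    props = {p.get("name"): (p.findtext("value") or "").strip()
             for p in ET.fromstring(clean).iter("property")}
    return props, curly

def check_config(xml_text):
    """Return the list of findings; an empty list means nothing was flagged."""
    props, curly = parse_props(xml_text)
    findings = ["curly quotes around property name %s" % n for n in curly]
    # The trace fails in lookupUserBindDn -> searchDirectory, the search run before
    # the user's bind; AD only serves it on a bound connection, so autoBind=true
    # needs a service account DN and password.
    if props.get("autoBind", "false").lower() == "true":
        for key in ("ldapUser", "ldapPassword"):
            if not props.get(key):
                findings.append("autoBind=true but %s is missing or empty" % key)
    # A simple bind without TLS carries the service and user passwords in clear.
    if props.get("secureConnection", "false").lower() != "true":
        findings.append("secureConnection=false: simple binds on port %s are cleartext"
                        % props.get("ldapPort", "389"))
    return findings

def ldapsearch_command(props, eid):
    """ldapsearch equivalent of the provider's user lookup; -W prompts for the
    service password so it stays out of shell history and the process list."""
    scheme = "ldaps" if props.get("secureConnection", "").lower() == "true" else "ldap"
    url = "%s://%s:%s" % (scheme, props["ldapHost"], props.get("ldapPort", "389"))
    return ["ldapsearch", "-x", "-H", url, "-D", props["ldapUser"], "-W",
            "-b", props["basePath"], "(sAMAccountName=%s)" % eid]
```

Run `check_config` over the real file's provider block before restarting Tomcat; an empty list from it plus a successful ldapsearch with the printed command isolates the Sakai side from the directory side.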