[Building Sakai] SAKAI LDAP configuration

Rashid, Amir arashid at bu.edu
Thu Jul 10 07:50:43 PDT 2014


Thanks for your suggestions. Unfortunately the suggested changes to the bean configuration did not resolve the issue for us.

Please let us know if you see anything else that will help.

--Amir


Amir Rashid - 617.358.2782
Boston University - SMG ITS


From: Ismail Naik <ismail.n at in.uaeexchange.com>
Date: Thursday, July 10, 2014 at 12:42 AM
To: "Rashid, Amir" <arashid at bu.edu>, 'Steve Swinsburg' <steve.swinsburg at gmail.com>
Cc: sakai-dev at collab.sakaiproject.org
Subject: RE: [Building Sakai] SAKAI LDAP configuration

Hi Team,

We faced the same issue; just make the changes below and try your luck.


- Comment out the eidValidator

<!-- Optional. If you don't provide an eidValidator the system
     defaults to allowing searches on any EID, including empty
     and null Strings. -->
<!-- XML comments do not nest, so the explanatory comment above stays
     outside the block being commented out, and the commented-out
     "nobody"/"adversary" values (which contain "- -") are dropped. -->
<!--
<property name="eidValidator">
    <bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
        <property name="regexpFlags">
            <bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
                  class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
        </property>
        <property name="eidBlacklist">
            <list>
                <value>null</value>
            </list>
        </property>
    </bean>
</property>
<property name="searchAliases"><value>false</value></property>
-->

- Set followReferrals to true

<property name="followReferrals">
    <value>true</value>
</property>

- Use the following keys for attributeMappings, with your own attribute names

<property name="attributeMappings">
    <map>
        <entry key="login"><value>sAMAccountName</value></entry>
        <!-- replace the attribute names below with the ones your directory uses -->
        <entry key="firstName"><value>givenName</value></entry>
        <entry key="preferredFirstName"><value>preferredName</value></entry>
        <entry key="lastName"><value>sn</value></entry>
        <entry key="email"><value>mail</value></entry>
    </map>
</property>


Thanks & Regards
Ismail N. - IT Department
XmSoftware Solutions Pvt Ltd | SKCL | CENTRAL SQUARE- 1
CIPET Road | Thiru-Vi-Ka  Industrial  Estate| Guindy | Chennai- 600032.
TEL: 044-30464899 | FAX: 044-30464861|
Ext:613
ismail.n at in.uaeexchange.com
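A note on the first of Ismail's steps, as an added example (not Sakai's code and not from anyone in this thread): the bean comment quoted above says that without an eidValidator any EID, including empty and null strings, is passed on to the directory search. The shell functions below reproduce the check that bean provides (a case-insensitive regexp blacklist, here constructed from the values in the bean, plus rejection of empty input) and add RFC 4515 escaping of the EID before it is placed in the (sAMAccountName=...) filter that the "login" mapping implies. Whether Sakai's provider escapes filter values itself is not established by this thread; the escaping is general LDAP practice, and the blacklist and function names are this example's own.

```shell
#!/bin/sh
# Added example (not Sakai code): pre-validate a login EID before it reaches the
# directory, mirroring what the RegexpBlacklistEidValidator bean in the thread
# provides (a case-insensitive regexp blacklist; the bean comment says that
# without it empty and null EIDs are searched for too), and escape the value
# for use in an LDAP search filter per RFC 4515. Blacklist and function names
# are this example's own; they are not Sakai's implementation.

# Constructed from the values in the bean: "null" is active there,
# "nobody"/"adversary" are commented out there but included here.
EID_BLACKLIST='^null$|^nobody$|^adversary$'

# validate_eid EID: exit 0 if the EID may be looked up, 1 if it must be rejected.
validate_eid() {
    eid=$1
    # Empty or whitespace-only EIDs are rejected outright.
    if [ -z "$(printf '%s' "$eid" | tr -d '[:space:]')" ]; then
        return 1
    fi
    # Blacklist match, case-insensitive (Pattern.CASE_INSENSITIVE in the bean).
    if printf '%s\n' "$eid" | grep -qiE "$EID_BLACKLIST"; then
        return 1
    fi
    return 0
}

# escape_filter_value VALUE: RFC 4515 escaping so the value cannot change the
# structure of the filter. Backslash first, then the metacharacters * ( ).
# (NUL cannot occur in a shell string, so it needs no handling here.)
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_login_filter EID: prints the filter for the "login" mapping used in the
# thread (sAMAccountName), or fails without output if the EID is rejected.
build_login_filter() {
    validate_eid "$1" || return 1
    printf '(sAMAccountName=%s)\n' "$(escape_filter_value "$1")"
}

# Demo: a normal EID, a filter-injection attempt, a blacklisted EID, an empty one.
for candidate in 'arashid' 'a*)(cn=*' 'NULL' ''; do
    if f=$(build_login_filter "$candidate"); then
        printf 'accepted  %-12s -> %s\n' "'$candidate'" "$f"
    else
        printf 'rejected  %s\n' "'$candidate'"
    fi
done
```

The injection attempt in the demo is what the escaping is for: without it, the login field `a*)(cn=*` would turn the filter into `(sAMAccountName=a*)(cn=*)`, which no longer asks the question the application meant to ask.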

From: sakai-dev-bounces at collab.sakaiproject.org On Behalf Of Rashid, Amir
Sent: 09 July 2014 18:44
To: Steve Swinsburg
Cc: sakai-dev at collab.sakaiproject.org
Subject: Re: [Building Sakai] SAKAI LDAP configuration

Yes. In fact I have a 2.8.1 instance on the same machine with the same LDAP settings that will boot up without any issues.

--Amir


Amir Rashid - 617.358.2782
Boston University - SMG ITS


From: Steve Swinsburg <steve.swinsburg at gmail.com>
Date: Wednesday, July 9, 2014 at 9:05 AM
To: "Rashid, Amir" <arashid at bu.edu>
Cc: sakai-dev at collab.sakaiproject.org
Subject: Re: [Building Sakai] SAKAI LDAP configuration

OK, so using those same parameters, are you able to perform an ldapsearch on the command line of your Sakai server for a given user?
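Steve's suggestion, worked through as an added example (this is not Sakai or project code and not from the thread): the stack trace quoted below shows authenticateUser() calling lookupUserBindDn(), which goes through getUserByEid() and searchDirectory() before any bind as the user, so the equivalent command-line check is a search bound as the service account, followed by a bind as the DN that search returned. The script uses OpenLDAP's ldapsearch; host, base DN, service DN and password are placeholders. Step 1 shows what a search on a connection that never bound looks like, which is the condition the Active Directory message in the log describes (Active Directory normally refuses such a search with result code 1, Operations Error; other directories may answer anonymously). Two caveats on the bean settings quoted in this thread: with secureConnection=false and port 389 the service-account password, the user's password and the search results all cross the network in cleartext, so use an ldaps:// URI here (and, in the bean, secureConnection=true, port 636 and a trust store via keystoreLocation/keystorePassword or the javax.net.ssl.trustStore property); and ldapsearch's -w exposes the password in the process list, so prefer -W (prompt) or -y FILE for interactive use.

```shell
#!/bin/sh
# Added example (not Sakai or project code): reproduce, with OpenLDAP's
# ldapsearch, the directory operations behind the stack trace in the thread,
# authenticateUser() -> lookupUserBindDn() -> getUserByEid() -> searchDirectory():
# a search for the EID, then a bind as the DN that search returned.
# All connection values are placeholders (assumed, not taken from the thread).
LDAP_URI=${LDAP_URI:-ldap://ldap.example.edu:389}           # ldaps://...:636 in production
BASE_DN=${BASE_DN:-dc=example,dc=edu}                        # the bean's basePath
BIND_DN=${BIND_DN:-cn=sakai-svc,OU=people,dc=example,dc=edu} # the bean's ldapUser
BIND_PW=${BIND_PW:-changeme}                                 # the bean's ldapPassword
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}   # command name; overridable with a stub for offline tests

# step1_anonymous_search EID: a search on a connection that never bound. This is
# the condition the log's Active Directory message describes; AD refuses it with
# result code 1 (Operations Error), some other directories answer anonymously.
step1_anonymous_search() {
    "$LDAPSEARCH" -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "(sAMAccountName=$1)" dn
}

# step2_lookup_user_dn EID: the bound search the provider does with autoBind=true.
# Prints the matching entry's DN; fails if the search fails or nothing matches.
step2_lookup_user_dn() {
    out=$("$LDAPSEARCH" -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
            -b "$BASE_DN" "(sAMAccountName=$1)" dn) || return 1
    # LDIF base64-encodes non-ASCII DNs as "dn:: ..."; that case is not handled here.
    dn=$(printf '%s\n' "$out" | sed -n 's/^dn: //p' | head -n 1)
    [ -n "$dn" ] || return 2
    printf '%s\n' "$dn"
}

# step3_bind_as_user DN PASSWORD: a base-scope search bound as the user, which
# succeeds only if the simple bind with that password succeeds.
step3_bind_as_user() {
    # An empty password turns a simple bind into an anonymous (unauthenticated)
    # bind that many servers accept, so never send one.
    [ -n "$2" ] || return 3
    "$LDAPSEARCH" -x -LLL -H "$LDAP_URI" -D "$1" -w "$2" \
        -b "$1" -s base '(objectClass=*)' dn >/dev/null
}

# authenticate EID PASSWORD: the full search-then-bind flow; prints the DN on success.
authenticate() {
    dn=$(step2_lookup_user_dn "$1") || return $?
    step3_bind_as_user "$dn" "$2" || return $?
    printf '%s\n' "$dn"
}

# Interactive use:  EID=arashid PW='...' sh thisscript.sh
# (for real runs prefer ldapsearch -W or -y FILE over -w, which shows the
# password in the process list)
if [ -n "${EID:-}" ] && [ -n "${PW:-}" ]; then
    echo "== unbound search (Active Directory is expected to refuse this) =="
    step1_anonymous_search "$EID" || echo "server refused: exit $?"
    echo "== bound search, then bind as the returned DN =="
    authenticate "$EID" "$PW" && echo "authenticated as $dn"
fi
```

If step 2 fails with the same "successful bind must be completed" message that the log shows, the service-account bind itself is not succeeding with these parameters; if step 2 returns the DN but step 3 fails, the user search is fine and only the user bind is at fault. Either result narrows the question the thread is asking.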

On Wed, Jul 9, 2014 at 10:58 PM, Rashid, Amir <arashid at bu.edu> wrote:
Hi
Following properties are being used in the  jldap-beans.xml file.
Thanks,
--Amir


Amir Rashid - 617.358.2782
Boston University - SMG ITS


<property name="memoryService">
    <ref bean="org.sakaiproject.memory.api.MemoryService"/>
</property>

<!-- Required. Host name or address of your LDAP server -->
<property name="ldapHost">
    <value>XX.XX.XXX</value>
</property>

<!-- Optional. LDAP connection port. Typically defaults to
     JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389). Secured
     connections are usually on 636 -->
<property name="ldapPort">
    <value>389</value>
</property>

<!-- If secureConnection is true, a keystore location must be provided
     unless javax.net.ssl.trustStore system property has already been
     set -->
<!--property name="keystoreLocation">
    <value>/usually/set/at/startup</value>
</property-->

<!-- If secureConnection is true, a keystore password must be provided
     unless javax.net.ssl.trustStorePassword system property has already
     been set -->
<!--property name="keystorePassword">
    <value>usually-set-at-startup</value>
</property-->

<!-- Optional. DN to which to bind for directory searches.
     Typically only necessary if autoBind is true -->
<property name="ldapUser">
    <value>cn=XXXXXXX,OU=people,dc=XX,dc=XX,dc=XXX</value>
</property>

<!-- Optional. Password for ldapUser defined above -->
<property name="ldapPassword">
    <value>XXXXXXXXXX</value>
</property>

<!-- Optional. Enables/disables secure LDAP connections.
     defaults to JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
<property name="secureConnection">
    <value>false</value>
</property>

<!-- Optional. Indicate if connection allocation should
     implicitly bind as ${ldapUser}. Defaults to false -->
<property name="autoBind">
    <value>true</value>
</property>

<!-- Optional, but usually specified. Base DN for directory searches. -->
<property name="basePath">
    <value>dc=XX,dc=XX,dc=XXX</value>
</property>

<!-- Optional. Indicate if connections should follow
     referrals. Defaults to
     JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
<property name="followReferrals">
    <value>false</value>
</property>

<property name="caseSensitiveCacheKeys">
    <value>false</value>
</property>

<property name="ldapAttributeMapper">
    <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
</property>

<!-- Optional. If you don't provide an eidValidator the system
     defaults to allowing searches on any EID, including empty
     and null Strings. -->
<property name="eidValidator">
    <bean class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
        <property name="regexpFlags">
            <bean id="java.util.regex.Pattern.CASE_INSENSITIVE"
                  class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" />
        </property>
        <property name="eidBlacklist">
            <list>
                <value>null</value>
                <!--value>nobody</value-->
                <!--value>adversary</value-->
            </list>
        </property>
    </bean>
</property>

<property name="searchAliases"><value>false</value></property>

</bean>

<!-- An optional bean definition which can be used to customize LDAP
     attribute to Sakai User instance member mapping behaviors. This
     example describes available configuration options for SimpleLdapAttributeMapper
     (the default LdapAttributeMapper implementation). -->
<bean id="edu.amc.sakai.user.LdapAttributeMapper"
      class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
      init-method="init"
      singleton="true">

    <!-- A typical set of attribute mappings. Keys are logical
         names expected by the application. Values are physical LDAP
         attribute names. If not specified or empty, defaults to
         AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
    <property name="attributeMappings">
        <map>
            <entry key="login"><value>sAMAccountName</value></entry>
            <entry key="firstName"><value>givenName</value></entry>
            <!--entry key="preferredFirstName"><value>preferredName</value></entry-->
            <entry key="lastName"><value>sn</value></entry>
            <entry key="email"><value>mail</value></entry>
            <entry key="groupMembership"><value>groupMembership</value></entry>
            <!--entry key="jpegPhoto"><value>jpegPhoto</value></entry  -->
        </map>
    </property>

    <!-- Several options for calculating Sakai user types based
         on LDAP attributes. Defaults to an instance of EmptyStringUserTypeMapper -->
    <property name="userTypeMapper">
        <!-- Select one of the following beans -->
        <!--ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" /-->
        <!-- ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
        <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
        <ref bean="edu.amc.sakai.user.StringUserTypeMapper" />
    </property>

</bean>






From: Steve Swinsburg <steve.swinsburg at gmail.com>
Date: Tuesday, July 8, 2014 at 11:56 PM
To: "Rashid, Amir" <arashid at bu.edu>
Cc: sakai-dev at collab.sakaiproject.org
Subject: Re: [Building Sakai] SAKAI LDAP configuration

Looks like you need to provide a username and password in the LDAP config to get a bind. What are your LDAP settings from jldap-beans.xml?

On Wed, Jul 9, 2014 at 5:36 AM, Rashid, Amir <arashid at bu.edu> wrote:

Hi Folks,

I have 2.8.1 in production right now. I am using one of the test machines to install SAKAI 10. I am trying to configure it to use LDAP the same as 2.8. Included is the trace from the log file. I can intermittently log in if I try it a few times. Please let me know if there are any undocumented configuration changes to the LDAP configuration settings.

I would appreciate your help in this matter.

--Amir


Amir Rashid - 617.358.2782
Boston University - SMG ITS


2014-07-08 13:26:36,428  WARN ajp-bio-8009-exec-14 org.sakaiproject.portal.util.ErrorReporter - Bug Report bug-id: 573880ae-c5b0-42f5-8b47-534991e591a0 user: null usage-session: null time: Jul 8, 2014 13:26:36 user comment: null stack trace
org.sakaiproject.portal.api.PortalHandlerException: java.lang.RuntimeException: authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
    at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler.java:50)
caused by: java.lang.RuntimeException: authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
    at org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticatedUser(BaseUserDirectoryService.java:1668)
caused by: LDAPException: Operations Error (1) Operations Error
LDAPException: Server Message: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
LDAPException: Matched DN:
    at com.novell.ldap.LDAPResponse.getResultException(null:-1)
    at com.novell.ldap.LDAPResponse.chkResultCode(null:-1)
    at com.novell.ldap.LDAPSearchResults.next(null:-1)
    at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProvider.java:959)
    at edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectoryForSingleEntry(JLDAPDirectoryProvider.java:856)
    at edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvider.java:778)
    at edu.amc.sakai.user.JLDAPDirectoryProvider.lookupUserBindDn(JLDAPDirectoryProvider.java:820)
    at edu.amc.sakai.user.JLDAPDirectoryProvider.authenticateUser(JLDAPDirectoryProvider.java:397)
    at org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticatedUser(BaseUserDirectoryService.java:1668)
    at org.sakaiproject.user.impl.BaseUserDirectoryService.authenticate(BaseUserDirectoryService.java:1611)
    at org.sakaiproject.user.impl.UserAuthnComponent.authenticate(UserAuthnComponent.java:108)
    at org.sakaiproject.login.impl.LoginServiceComponent.authenticate(LoginServiceComponent.java:90)
    at org.sakaiproject.login.tool.SkinnableLogin.doPost(SkinnableLogin.java:302)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:394)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
    at org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.help(ActiveToolComponent.java:583)
    at org.sakaiproject.portal.charon.SkinnableCharonPortal.doLogin(SkinnableCharonPortal.java:997)
    at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doGet(ReLoginHandler.java:65)
    at org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler.java:50)
    at org.sakaiproject.portal.charon.SkinnableCharonPortal.doPost(SkinnableCharonPortal.java:1296)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:455)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Tool Placement:
No Placement

Request:
:    AuthType:null
:    CharEncoding:UTF-8
:    ContentLength:38
:    ContentType:application/x-www-form-urlencoded
:    ContextPath:/portal
:    LocalAddress:smgcms1.bu.edu
:    LocalName:smgcms1.bu.edu
:    LocalPort:443
:    Method:POST
:    PathInfo:/relogin
:    Protocol:HTTP/1.1
:    QueryString:null
:    RemoteAddress:168.122.33.194
:    RemoteHost:168.122.33.194
:    RemotePort:-1
:    Requested URL:https://smgcms1.bu.edu/portal/relogin
:    Scheme:https
:    ServerName:smgcms1.bu.edu
:    Headers:
:        Header:host:smgcms1.bu.edu
:        Header:connection:keep-alive
:        Header:content-length:38
:        Header:Cache-Control:max-age=0
:        Header:accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
:        Header:Origin:https://smgcms1.bu.edu
:        Header:user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
:        Header:content-type:application/x-www-form-urlencoded
:        Header:DNT:1
:        Header:referer:https://smgcms1.bu.edu/portal/login
:        Header:accept-encoding:gzip,deflate,sdch
:        Header:accept-language:en-US,en;q=0.8
:        Header:cookie:---censored---
:    Parameters:
:        Parameter:eid:0:----censored----
:        Parameter:pw:0:----censored----
:        Parameter:submit:0:Login
:    Attributes:
:        Attribute:javax.servlet.request.ssl_session:1C4C47A3FFAEEA4FAF017B65F33A916271C8B1293EB3487C9F7EEC25B8206C46
:        Attribute:javax.servlet.request.ssl_session_id:1C4C47A3FFAEEA4FAF017B65F33A916271C8B1293EB3487C9F7EEC25B8206C46
:        Attribute:sakai.character.encoding.done:sakai.character.encoding.done
:        Attribute:javax.servlet.request.key_size:128
:        Attribute:sakai.filtered:sakai.filtered
:        Attribute:javax.servlet.request.cipher_suite:DHE-RSA-AES128-SHA
:        Attribute:sakai.session:MyS_null{60cc469c-90b1-4a78-9bce-f06c3cc1c81a, userId='null', at=8, ts=2, cs=2, Tue Jul 08 13:24:53 EDT 2014}
Session:
:    Created:1404840293523
:    LastAccess:1404840396425
:    CreationDateAndTime:Tuesday, July 8, 2014
:    LastAccessDateAndTime:Tuesday, July 8, 2014
:    MaxInactive:3600
:    Attributes:
:        Attribute:portalskin:neoskin
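Amir reports that logins succeed intermittently. As an added example (not Sakai code and not from anyone in the thread), the script below summarizes the authenticateUser() failures in a Sakai log by user and LDAP result code, which turns "intermittent" into a count that can be set against the number of login attempts, and separately counts the failures carrying the Active Directory message from the trace above. The log lines it runs on are constructed for this example in the bracketed format of that message; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Sakai code): count provider authentication failures in a
# Sakai log by userLogin and LDAP result code. The sample lines are constructed
# for this example in the bracketed format of the thread's authenticateUser()
# message; "..." stands in for the bug-id and session fields.

sample_log() {
    cat <<'EOF'
2014-07-08 13:26:36,428  WARN ajp-bio-8009-exec-14 org.sakaiproject.portal.util.ErrorReporter - Bug Report ... authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
2014-07-08 13:27:02,101  WARN ajp-bio-8009-exec-03 org.sakaiproject.portal.util.ErrorReporter - Bug Report ... authenticateUser(): LDAPException during authentication attempt [userLogin = arashid][result code = Operations Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]
2014-07-08 13:30:15,770  WARN ajp-bio-8009-exec-07 org.sakaiproject.portal.util.ErrorReporter - Bug Report ... authenticateUser(): LDAPException during authentication attempt [userLogin = jdoe][result code = Invalid Credentials][error message = constructed sample: wrong password]
2014-07-08 13:31:40,005  INFO ajp-bio-8009-exec-09 org.sakaiproject.user.impl.BaseUserDirectoryService - constructed sample: unrelated line
EOF
}

# summarize_ldap_failures: reads a log on stdin and prints "user|result code|count",
# one line per (user, result code) pair, sorted by user.
summarize_ldap_failures() {
    sed -n 's/.*\[userLogin = \([^]]*\)\]\[result code = \([^]]*\)\].*/\1|\2/p' \
        | sort | uniq -c \
        | sed 's/^ *\([0-9][0-9]*\) \(.*\)$/\2|\1/'
}

# count_unbound_search_errors: how many failures carry the Active Directory
# message that a search ran on a connection with no successful bind.
count_unbound_search_errors() {
    grep -c 'successful bind must be completed on the connection'
}

# Against a real log:  summarize_ldap_failures < /path/to/catalina.out
echo "failures by user and result code:"
sample_log | summarize_ldap_failures
echo "searches refused for lack of a bind: $(sample_log | count_unbound_search_errors)"
```

Run over the real log, a user who sometimes gets in and sometimes does not shows up with a count for "Operations Error" but no "Invalid Credentials" entries, which is what distinguishes the connection problem in this thread from users simply typing the wrong password.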


_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev

TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"


