[Building Sakai] SAKAI LDAP configuration
Ismail Naik
ismail.n at in.uaeexchange.com
Mon Jul 14 21:52:25 PDT 2014
Hi ,
Can you share the complete log, there is something missing. Check with your
System admin team for correct "basepath"(CN value should be user name of
ldap account holder) and "ldapuser". Refer below settings at our end is
working fine else after these setting check the jar
file(sakai-jldap-provider-2.9.3.jar) edit JLADAPDirectoryProvider.class
assign initial value to properties there also.
<!-- Required. Host name or address of your LDAP server -->
<property name="ldapHost">
<value>xxx</value>
</property>
<!-- Optional. LDAP connection port. Typically defaults
to
JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389).
Secured
connections are usually on 636 -->
<property name="ldapPort">
<value>389</value>
</property>
<!-- Optional. DN to which to bind for directory
searches.
Typically only necessary if autoBind is true
-->
<property name="ldapUser">
<value>CN=xxx,OU=xxx,DC=xxx,DC=xx</value>
</property>
<!-- Optional. Password for ldapUser defined above-->
<property name="ldapPassword">
<value>xxx</value>
</property>
<property name="autoBind">
<value>true</value>
</property>
<!-- Optional, but usually specified. Base DN for
directory searches. -->
<property name="basePath">
<value>DC=xxx,DC=xxx</value>
</property>
<!-- Optional. Indicate if connections should follow
referrals. Defaults to
JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS (false)-->
<property name="followReferrals">
<value>true</value>
</property>
Thanks & Regards
Ismail N. - IT Department
Xm Software Solutions Pvt Ltd | SKCL | CENTRAL SQUARE- 1
CIPET Road | Thiru-Vi-Ka Industrial Estate| Guindy | Chennai- 600032.
TEL: 044-30464899 | FAX: 044-30464861|
Ext:613
<mailto:ismail.n at in.uaeexchange.com> ismail.n at in.uaeexchange.com
From: Rashid, Amir [mailto:arashid at bu.edu]
Sent: 14 July 2014 23:35
To: Ismail Naik; 'Steve Swinsburg'
Cc: sakai-dev at collab.sakaiproject.org
Subject: Re: [Building Sakai] SAKAI LDAP configuration
Executing something like this with the wrong login password gives me the
same error
ldapsearch -H ldap://xx.xx.xxx:389 -LLL -D
CN=xxxxxxx,OU=people,DC=ad,DC=bu,DC=edu -x -W -b
CN=xxxxxxxx,OU=people,DC=ad,DC=bu,DC=edu '(sAMAccountName=user)'
Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece:
Is there any other configuration that needs to be in place for login
credentials except for in the jldap-bean.xml and security.properties
Thanks,
--Amir
Amir Rashid - 617.358.2782
Boston University - SMG ITS
From: <Rashid>, "Rashid, Amir" <arashid at bu.edu>
Date: Thursday, July 10, 2014 at 10:50 AM
To: Ismail Naik <ismail.n at in.uaeexchange.com>, 'Steve Swinsburg'
<steve.swinsburg at gmail.com>
Cc: "sakai-dev at collab.sakaiproject.org" <sakai-dev at collab.sakaiproject.org>
Subject: Re: [Building Sakai] SAKAI LDAP configuration
Thanks for your suggestions. Unfortunately the suggested changes to the
bean configuration did not resolve the issue for us.
Please let us know if you see anything else that will help.
--Amir
Amir Rashid - 617.358.2782
Boston University - SMG ITS
From: Ismail Naik <ismail.n at in.uaeexchange.com>
Date: Thursday, July 10, 2014 at 12:42 AM
To: "Rashid, Amir" <arashid at bu.edu>, 'Steve Swinsburg'
<steve.swinsburg at gmail.com>
Cc: "sakai-dev at collab.sakaiproject.org" <sakai-dev at collab.sakaiproject.org>
Subject: RE: [Building Sakai] SAKAI LDAP configuration
Hi Team,
We faced same issue, just do the below changes and try the luck.
. Comment out the eidValidator
<!--
<!-- Optional. If you don't provide an eidValidator the system
defaults to allowing searches on any EID, including empty
and null Strings. -->
<property name="eidValidator">
<bean
class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
<property name="regexpFlags">
<bean
id="java.util.regex.Pattern.CASE_INSENSITIVE"
class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"
/>
</property>
<property name="eidBlacklist">
<list>
<value>null</value>
<!--value>nobody</value-->
<!--value>adversary</value-->
</list>
</property>
</bean>
</property>
<property
name="searchAliases"><value>false</value></property>
-->
. Make followReferrals as true
<property name="followReferrals">
<value>true</value>
</property>
. Use the folloing keys for attributeMappings and use your values
<property name="attributeMappings">
<map>
<entry
key="login"><value>sAMAccountName</value></entry>
<entry
key="firstName"><value></value></entry>
<entry key="preferredFirstName">user
ur prefereedFirstName<value> </value></entry>
<entry key="lastName"><value> this is
okay</value></entry>
<entry
key="email"><value>mail</value></entry>
</map>
</property>
Thanks & Regards
Ismail N. - IT Department
XmSoftware Solutions Pvt Ltd | SKCL | CENTRAL SQUARE- 1
CIPET Road | Thiru-Vi-Ka Industrial Estate| Guindy | Chennai- 600032.
TEL: 044-30464899 | FAX: 044-30464861|
Ext:613
<mailto:ismail.n at in.uaeexchange.com> ismail.n at in.uaeexchange.com
From:sakai-dev-bounces at collab.sakaiproject.org
[mailto:sakai-dev-bounces at collab.sakaiproject.org] On Behalf Of Rashid, Amir
Sent: 09 July 2014 18:44
To: Steve Swinsburg
Cc: sakai-dev at collab.sakaiproject.org
Subject: Re: [Building Sakai] SAKAI LDAP configuration
Yes. Infact I have a 2.8.1 instance on the same machine with the same LDAP
setting that will boot up without any issues.
--Amir
Amir Rashid - 617.358.2782
Boston University - SMG ITS
From: Steve Swinsburg <steve.swinsburg at gmail.com>
Date: Wednesday, July 9, 2014 at 9:05 AM
To: "Rashid, Amir" <arashid at bu.edu>
Cc: "sakai-dev at collab.sakaiproject.org" <sakai-dev at collab.sakaiproject.org>
Subject: Re: [Building Sakai] SAKAI LDAP configuration
Ok so using those same parameters are you able to perform an ldapsearch on
the commandline of your Sakai server for a given user?
On Wed, Jul 9, 2014 at 10:58 PM, Rashid, Amir <arashid at bu.edu> wrote:
Hi
Following properties are being used in the jldap-beans.xml file.
Thanks,
--Amir
Amir Rashid - 617.358.2782
Boston University - SMG ITS
<property name="memoryService">
<ref
bean="org.sakaiproject.memory.api.MemoryService"/>
</property>
<!-- Required. Host name or address of your LDAP server -->
<property name="ldapHost">
<value>XX.XX.XXX</value>
</property>
<!-- Optional. LDAP connection port. Typically defaults to
JLDAPDirectoryProvider.DEFAULT_LDAP_PORT (389).
Secured
connections are usually on 636 -->
<property name="ldapPort">
<value>389</value>
</property>
<!-- If secureConnection is true, a keystore location must
be provided
unless javax.net.ssl.trustStore system property has
already been
set -->
<!--property name="keystoreLocation">
<value>/usually/set/at/startup</value>
</property-->
<!-- If secureConnection is true, a keystore password must
be provided
unless javax.net.ssl.trustStorePassword system
property has already
been set -->
<!--property name="keystorePassword">
<value>usually-set-at-startup</value>
</property-->
<!-- Optional. DN to which to bind for directory searches.
Typically only necessary if autoBind is true -->
<property name="ldapUser">
<value>cn=XXXXXXX,OU=people,dc=XX,dc=XX,dc=XXX</value>
</property>
<!-- Optional. Password for ldapUser defined above -->
<property name="ldapPassword">
<value>XXXXXXXXXX</value>
</property>
<!-- Optional. Enables/disables secure LDAP connections.
defaults to
JLDAPDirectoryProvider.DEFAULT_IS_SECURE_CONNECTION (false) -->
<property name="secureConnection">
<value>false</value>
</property>
<!-- Optional. Indicate if connection allocation should
implicitly bind as ${ldapUser}. Defaults to false
-->
<property name="autoBind">
<value>true</value>
</property>
<!-- Optional, but usually specified. Base DN for directory searches. -->
<property name="basePath">
<value>dc=XX,dc=XX,dc=XXX</value>
</property>
<!-- Optional. Indicate if connections should follow
referrals. Defaults to
JLDAPDirectoryProvider.DEFAULT_IS_FOLLOW_REFERRALS
(false)-->
<property name="followReferrals">
<value>false</value>
</property>
<property name="caseSensitiveCacheKeys">
<value>false</value>
</property>
<property name="ldapAttributeMapper">
<ref bean="edu.amc.sakai.user.LdapAttributeMapper"
/>
</property>
<!-- Optional. If you don't provide an eidValidator the system
defaults to allowing searches on any EID, including empty
and null Strings. -->
<property name="eidValidator">
<bean
class="edu.amc.sakai.user.RegexpBlacklistEidValidator">
<property name="regexpFlags">
<bean
id="java.util.regex.Pattern.CASE_INSENSITIVE"
class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"
/>
</property>
<property name="eidBlacklist">
<list>
<value>null</value>
<!--value>nobody</value-->
<!--value>adversary</value-->
</list>
</property>
</bean>
</property>
<property
name="searchAliases"><value>false</value></property>
</bean>
<!-- An optional bean definition which can be used to customize LDAP
attribute to Sakai User instance member mapping behaviors. This
example describes availabel configuration options for
SimpleLdapAttributeMapper
(the default LdapAttributeMapper implementation). -->
<bean id="edu.amc.sakai.user.LdapAttributeMapper"
class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
init-method="init"
singleton="true">
<!-- A typical set of attribute mappings. Keys are logical
names expected by the application. Values are physical LDAP
attribute names. If not specified or empty, defaults to
AttributeMappingConstants.DEFAULT_ATTR_MAPPINGS. -->
<property name="attributeMappings">
<map>
<entry
key="login"><value>sAMAccountName</value></entry>
<entry
key="firstName"><value>givenName</value></entry>
<!--entry
key="preferredFirstName"><value>preferredName</value></entry-->
<entry
key="lastName"><value>sn</value></entry>
<entry
key="email"><value>mail</value></entry>
<entry
key="groupMembership"><value>groupMembership</value></entry>
<!--entry
key="jpegPhoto"><value>jpegPhoto</value></entry -->
</map>
</property>
<!-- Several options for calculating Sakai user types based
on LDAP attributes. Defaults to an instance of
EmptyStringUserTypeMapper -->
<property name="userTypeMapper">
<!-- Select one of the following beans -->
<!--ref
bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" /-->
<!-- ref
bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" /-->
<!-- ref
bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
<ref bean="edu.amc.sakai.user.StringUserTypeMapper"
/>
</property>
</bean>
From: Steve Swinsburg <steve.swinsburg at gmail.com>
Date: Tuesday, July 8, 2014 at 11:56 PM
To: "Rashid, Amir" <arashid at bu.edu>
Cc: "sakai-dev at collab.sakaiproject.org" <sakai-dev at collab.sakaiproject.org>
Subject: Re: [Building Sakai] SAKAI LDAP configuration
Looks like you need to provide a username and password in the LDAP config to
get a bind. What are your LDAP settings from jldap-beans.xml ?
On Wed, Jul 9, 2014 at 5:36 AM, Rashid, Amir <arashid at bu.edu> wrote:
Hi Folks,
I have 2.81 in production right now. I am using one of the test machine to
install SAKAI 10. I am trying to configure it to use LDAP the same as 2.8.
Included is the trace from the log file. I can intermittently log in if I
try it a few times. Please let me know if there are any undocumented
configuration changes to the LDAP configuration settings .
I will appreciate your help in this matter.
--Amir
Amir Rashid - 617.358.2782
Boston University - SMG ITS
2014-07-08 13:26:36,428 WARN ajp-bio-8009-exec-14
org.sakaiproject.portal.util.ErrorReporter - Bug Report bug-id:
573880ae-c5b0-42f5-8b47-534991e591a0 user: null usage-session: null time:
Jul 8, 2014 13:26:36 user comment: null stack trace
org.sakaiproject.portal.api.PortalHandlerException:
java.lang.RuntimeException: authenticateUser(): LDAPException during
authentication attempt [userLogin = arashid][result code = Operations
Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece]
at
org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler
.java:50)
caused by: java.lang.RuntimeException: authenticateUser(): LDAPException
during authentication attempt [userLogin = arashid][result code = Operations
Error][error message = 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece]
at
org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticated
User(BaseUserDirectoryService.java:1668)
caused by: LDAPException: Operations Error (1) Operations Error
LDAPException: Server Message: 00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, vece
LDAPException: Matched DN:
at com.novell.ldap.LDAPResponse.getResultException(null:-1)
at com.novell.ldap.LDAPResponse.chkResultCode(null:-1)
at com.novell.ldap.LDAPSearchResults.next(null:-1)
at
edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectory(JLDAPDirectoryProv
ider.java:959)
at
edu.amc.sakai.user.JLDAPDirectoryProvider.searchDirectoryForSingleEntry(JLDA
PDirectoryProvider.java:856)
at
edu.amc.sakai.user.JLDAPDirectoryProvider.getUserByEid(JLDAPDirectoryProvide
r.java:778)
at
edu.amc.sakai.user.JLDAPDirectoryProvider.lookupUserBindDn(JLDAPDirectoryPro
vider.java:820)
at
edu.amc.sakai.user.JLDAPDirectoryProvider.authenticateUser(JLDAPDirectoryPro
vider.java:397)
at
org.sakaiproject.user.impl.BaseUserDirectoryService.getProviderAuthenticated
User(BaseUserDirectoryService.java:1668)
at
org.sakaiproject.user.impl.BaseUserDirectoryService.authenticate(BaseUserDir
ectoryService.java:1611)
at
org.sakaiproject.user.impl.UserAuthnComponent.authenticate(UserAuthnComponen
t.java:108)
at
org.sakaiproject.login.impl.LoginServiceComponent.authenticate(LoginServiceC
omponent.java:90)
at
org.sakaiproject.login.tool.SkinnableLogin.doPost(SkinnableLogin.java:302)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:303)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:208)
at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:394)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:208)
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.
java:748)
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis
patcher.java:486)
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch
er.java:378)
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher
.java:338)
at
org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.help(ActiveToolC
omponent.java:583)
at
org.sakaiproject.portal.charon.SkinnableCharonPortal.doLogin(SkinnableCharon
Portal.java:997)
at
org.sakaiproject.portal.charon.handlers.ReLoginHandler.doGet(ReLoginHandler.
java:65)
at
org.sakaiproject.portal.charon.handlers.ReLoginHandler.doPost(ReLoginHandler
.java:50)
at
org.sakaiproject.portal.charon.SkinnableCharonPortal.doPost(SkinnableCharonP
ortal.java:1296)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:303)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:208)
at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:455)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:208)
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:208)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja
va:220)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja
va:122)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase
.java:501)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171
)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102
)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
:116)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstrac
tProtocol.java:607)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:
314)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11
45)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
15)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.ja
va:61)
at java.lang.Thread.run(Thread.java:745)
Tool Placement:
No Placement
Request:
: AuthType:null
: CharEncoding:UTF-8
: ContentLength:38
: ContentType:application/x-www-form-urlencoded
: ContextPath:/portal
: LocalAddress:smgcms1.bu.edu <http://bu.edu/>
: LocalName:smgcms1.bu.edu <http://smgcms1.bu.edu/>
: LocalPort:443
: Method:POST
: PathInfo:/relogin
: Protocol:HTTP/1.1
: QueryString:null
: RemoteAddress:168.122.33.194
: RemoteHost:168.122.33.194
: RemotePort:-1
: Requested URL:https://smgcms1.bu.edu/portal/relogin
: Scheme:https
: ServerName:smgcms1.bu.edu <http://smgcms1.bu.edu/>
: Headers:
: Header:host:smgcms1.bu.edu <http://bu.edu/>
: Header:connection:keep-alive
: Header:content-length:38
: Header:Cache-Control:max-age=0
:
Header:accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/we
bp,*/*;q=0.8
: Header:Origin:https://smgcms1.bu.edu <http://smgcms1.bu.edu/>
: Header:user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
: Header:content-type:application/x-www-form-urlencoded
: Header:DNT:1
: Header:referer:https://smgcms1.bu.edu/portal/login
: Header:accept-encoding:gzip,deflate,sdch
: Header:accept-language:en-US,en;q=0.8
: Header:cookie:---censored---
: Parameters:
: Parameter:eid:0:----censored----
: Parameter:pw:0:----censored----
: Parameter:submit:0:Login
: Attributes:
:
Attribute:javax.servlet.request.ssl_session:1C4C47A3FFAEEA4FAF017B65F33A9162
71C8B1293EB3487C9F7EEC25B8206C46
:
Attribute:javax.servlet.request.ssl_session_id:1C4C47A3FFAEEA4FAF017B65F33A9
16271C8B1293EB3487C9F7EEC25B8206C46
:
Attribute:sakai.character.encoding.done:sakai.character.encoding.done
: Attribute:javax.servlet.request.key_size:128
: Attribute:sakai.filtered:sakai.filtered
: Attribute:javax.servlet.request.cipher_suite:DHE-RSA-AES128-SHA
:
Attribute:sakai.session:MyS_null{60cc469c-90b1-4a78-9bce-f06c3cc1c81a,
userId='null', at=8, ts=2, cs=2, Tue Jul 08 13:24:53 EDT 2014}
Session:
: Created:1404840293523
: LastAccess:1404840396425
: CreationDateAndTime:Tuesday, July 8, 2014
: LastAccessDateAndTime:Tuesday, July 8, 2014
: MaxInactive:3600
: Attributes:
: Attribute:portalskin:neoskin
_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org
with a subject of "unsubscribe"
Disclaimer: This communication is intended solely for the use of the
individual or entity to whom it is addressed and others authorized to
receive it. It may contain confidential or legally privileged information.
If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or action taken in reliance upon the
information is strictly prohibited and is unlawful. If you have received
this communication by error, please notify us immediately by responding to
this email before deleting it from your system. UAE Exchange cannot be held
responsible for the improper or incomplete transmission of information
contained in this communication, or for any delay in its receipt.
Warning: Internet communication cannot be guaranteed to be timely, secure,
error-free or virus-free. It is the responsibility of the recipient to
ensure that this email and its attachments, if any, are free from viruses.
UAE Exchange doesn't accept liability for any damage that may result from
viruses transmitted through this email.
Please be informed that as per UAE Exchange Information Security policy, we
will never request you to disclose your Account Number, Credit Card
Information, User ID, Personal Identification Number (PIN), Telephone
Identification Number (TIN), Password or any such information through
e-mails or phone.
Any e-mail or written communication received by you, which appears to have
been sent from UAE Exchange seeking your personal & confidential
information, should not be answered but advised to UAE Exchange at
info.sec at uaeexchange.com.
For further assistance email us at info.sec at uaeexchange.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20140715/13236ad2/attachment.html
More information about the sakai-dev
mailing list