Adding users in active directory (AD) over ssl with cq5 | Community
October 16, 2015
Solved


Hi,

I am trying to add users to AD, which is working fine without secure LDAP. The problem is when I try to set the password for the user at the time of registration in the unicodePwd attribute; this does not work. I am getting the error (WILL_NOT_PERFORM) in the logs.

I have got a certificate in my jre/security/cacerts on Fedora (I have been provided this cert by the support guys). I am not sure if it is valid and will work fine when the app interacts with AD.

While discussing the issue further with support, they are keen to give us a self-signed cert which somehow will be trusted, but I am concerned that users of the application might see errors on their browsers if it is self-signed.

Does anyone know how I can get rid of the error (WILL_NOT_PERFORM), i.e. steps I can perform to know if it all works or not, and whether my apprehension about user warnings will be true with self-signed certs?

Best answer by Sham_HC

samthadhani wrote...

Sham HC wrote...

I heavily doubt the connection is not secure. Anyhow, you can confirm it by running proxy.jar or using tcpdump. My suspicion would be that you have not imported the certificates into the default alias, or you are referring to a different trustStore. If you have a support contract, get official help, or send me the output of [1] to see if anything is unusual.

[1]

*    Command & output of how you added the certs

*    Output of the below command

ps -ef | grep java

or the CQ port number

ps -ef | grep 4502

*    snip of your custom logic in OSGi

I actually opened a Wireshark terminal and I can see that LDAP is running on port 636 and the connection is secure.

This is how I am adding the certificate:

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

This is the exception I am getting when I hit a Sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting the attribute and writing that entry with LDAP.

I am using these APIs: http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/day/ldap/LDAPConnection.java

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)

You are importing into alias cqse. In your implementation, in the loginAndCreateUserNodes method, make sure the SSLSocketFactory is using the right keystore, or alternatively import into <java_home>/jre/lib/security/cacerts.

14 replies

October 16, 2015

Sham HC wrote...

The custom code to register with Active Directory, will it be running on CQ?

yes.

Sham_HC
Level 10
October 16, 2015

The custom code to register with Active Directory, will it be running on CQ?

October 16, 2015

Sham HC wrote...

Are you using the CQ login page, or is CQ configured as SSO with a custom login page served from a different application? If the CQ login page, then can you enclose the password in double quotes and verify, since you are using unicodePwd?

Thanks Sham for your reply.

I am using the LDAP Login module but I have created a custom authentication to validate users. The problem is not w.r.t. logging in the users. I am able to successfully log the users in to the system. The problem is in registering them to Active Directory with their passwords. I can register users without a password, and if I reset their password using the AD interface I can get them to log in, but as soon as I provide the additional attribute (unicodePwd) AD throws the WILL_NOT_PERFORM error. I Googled it and the possible reason looks like a certificate issue which I haven't been able to figure out. By the way, at the time of registration I am enclosing the password within quotes and encoding it with UTF-16LE or something.

So any opinion you might have as to how I should integrate the certificate with AD?

Is there a way to bypass it altogether in the meantime, while support figures out how we can integrate it with the application? I haven't worked with AD before, so forgive me if I sound rudimentary.
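Putting the best answer's trust-store advice together with the unicodePwd rule discussed in this reply (password in double quotes, UTF-16LE), here is an added example that is not code from the thread or from CQ; it uses JNDI instead of the com.day.ldap client the poster uses, and the server URL, DNs and credentials are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdUnicodePwd {

    // AD expects unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Sets unicodePwd on an existing account (for a new account the same attribute can go
    // into the add request). AD answers WILL_NOT_PERFORM unless the connection is encrypted,
    // so only ldaps:// URLs are accepted here.
    static void setPassword(String ldapsUrl, String bindDn, String bindPassword,
                            String userDn, String newPassword) throws NamingException {
        if (!ldapsUrl.startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd needs LDAPS, got " + ldapsUrl);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        // The TLS handshake happens here; the AD CA must be in the JVM's trust store
        // (<java_home>/jre/lib/security/cacerts by default, or -Djavax.net.ssl.trustStore=...).
        DirContext ctx = new InitialDirContext(env);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
            };
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values (assumed, not from the thread).
        setPassword("ldaps://ad.example.test:636", "CN=svc-cq,OU=Service,DC=example,DC=test",
                "<bind password>", "CN=New User,OU=Users,DC=example,DC=test", "<new password>");
    }
}
```

Note that the keytool command quoted above has no -keystore argument, so it imports into ~/.keystore rather than the JRE cacerts that the CQ JVM trusts by default; pass -keystore <java_home>/jre/lib/security/cacerts or point the JVM at the other file with -Djavax.net.ssl.trustStore.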

Sham_HC
Level 10
October 16, 2015

Are you using the CQ login page, or is CQ configured as SSO with a custom login page served from a different application? If the CQ login page, then can you enclose the password in double quotes and verify, since you are using unicodePwd?