Level 4

Solved

Error When Checking for external user in LDAP

Forum|Forum|7 years ago
April 11, 2018
7 replies
4945 views

I will preface this by saying I am not super familiar with LDAP.

I am trying to pull over some users from LDAP programmatically (I'm aware of the JMX servlet, however my script also adds some profile data and assigns users to groups, which is why I'm trying to do this without turning to that).

I'm grabbing the ldap identity provider, setting up an external identity reference, and trying to get identity, but I get an error (see below) that "A value is mossing in some RDN"

I'm having a hard time making sense of this. Is it more likely to be an ldap identity provider config problem or a problem with my code?

Caused by: org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException: Error during ldap lookup.

at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.lookupFailedException(LdapIdentityProvider.java:818)

at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:212)

at org.uc.news.core.servlets.VirtualUserPostServlet.doPost(VirtualUserPostServlet.java:132)

... 116 more

Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN

at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:279)

at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:211)

at org.apache.directory.ldap.client.api.LdapNetworkConnection.lookup(LdapNetworkConnection.java:3428)

at org.apache.directory.ldap.client.api.LdapConnectionWrapper.lookup(LdapConnectionWrapper.java:497)

at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:200)

... 117 more

Here is the code that is failing:

//see if the user exists in ldap
//grab the identiy provider
ExternalIdentityProvider ldapIP = eipm.getProvider(IDP_NAME);
//set to the refernce to the users, using the id
ExternalIdentityRef eir = new ExternalIdentityRef(idString,ldapIP.getName());
//try to get the identity
ExternalIdentity externalIdentity = ldapIP.getIdentity(eir);

the idString is our internal userID

Here is the ldapIdentityProvider setup:

adminPool.lookupOnValidate	true
adminPool.maxActive	8
bind.dn	CN=cmsproxy,OU=admins,o=uc
bind.password	XXXXXXXXXXX
component.id	142
component.name	org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
group.baseDN	ou=People,o=uc
group.extraFilter
group.makeDnPath	false
group.memberAttribute	uniquemember
group.nameAttribute	cn
group.objectclass	groupOfUniqueNames
host.name	auth.uc.edu
host.noCertCheck	false
host.port	636
host.ssl	true
host.tls	false
provider.name	ldap
searchTimeout	60s
service.bundleid	90
service.factoryPid	org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
Service PID	org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.704f2089-1821-4ee0-913c-5b2f5a62f0c5
service.scope	bundle
Service Vendor	The Apache Software Foundation
user.baseDN	ou=People,o=uc
user.extraFilter
user.idAttribute	uid
user.makeDnPath	false
user.objectclass	person
userPool.lookupOnValidate	true
userPool.maxActive	8
Using Bundles	org.apache.jackrabbit.oak-auth-external (89)

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by smacdonald2008

Can you successfully pull in the data without doing it using code. That is by configuring AEM to use LDAP. We have an older community article that shows use of that -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6 to use Apache Directory Service

smacdonald2008Accepted solution

Level 10

Can you successfully pull in the data without doing it using code. That is by configuring AEM to use LDAP. We have an older community article that shows use of that -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6 to use Apache Directory Service

smacdonald2008

Level 10

Also - if you are using Java - see if you can successfully use an LDAP Java API to communicate with the LDAP service from a Java IDE. Does the code work outside of AEM?

B

BenSt10Author

Level 4

Here's the result of running Ljava.lang.String; syncUsers([Ljava.lang.String; p1, boolean p2) with [stockwbn],false :{op:"upd",uid:"stockwbn",eid:"cn=stockwbn,ou=People,o=uc;ldap"}

Seems like it's working?

I also was able to successfully connect and read users from ldap using the credentials from the ldap identity provider in eclipse using the apache directory plugin.

B

BenSt10Author

Level 4

I've gotten a littel closer on my own with this, but am still having issues.

I changed the line where I initialize the ExternalIdentityReference so that instead of just searching on a 6+2, I add more information:

ExternalIdentityRef eir = new ExternalIdentityRef("cn=" + idString + ",ou=People,o=uc",ldapIP.getName());

However, the line where I get the identity returns null, and the following error shows in the log:

11.04.2018 15:59:38.283 *WARN* [0:0:0:0:0:0:0:1 [1523476778265] POST /apps/news/users/submit HTTP/1.1] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=barnescy,ou=People,o=uc;ldap

So it seems like I make a connection and it finds the user, but doesn't know what to do with the user once it's found. Perhaps because my ldap id provider is misconfigured?

smacdonald2008

Level 10

It may be misconfigured. See if you can configure it with AEM. See the article above i referenced.

B

BenSt10Author

Level 4

You're right, the config was set to look for "person" but the actual value of the object class was "Person"