Adobe Experience Manager Sites & More

Sham HC wrote...

Are you using CQ login page OR cq configured as SSO with custom login page served from different application ?  if cq login page then can you enclose password in double quotes and verify since you are using unicodePwd. 

 

Thanks Sham for your reply.

I am using LDAP Login module but i have created a custom authentication to validate users. The problem is not w.r.t logging in the users. I am able to successfully login the users to the system. The problem is in registering them to Active Directory with their passwords. I can register users without password and if i reset their password using AD interface i can get them to login but as soon as i provide additional attribute (unicodePwd) AD throws WILL_NOT_PERFORM error. I googled it and the possible reason looks like certificate issue which i haven't been able to figure out. By the way at the time of registration i am enclosing the password within quotes and encoding them with UTF-16LE or something.

So any opinion you might have as to how should i integrate the certificate with AD?

 Is there a way to bypass it whole in the meantime support figures out we can integrate with the application. I haven't worked with AD before so forgive me if i sound rudimentary. 

Sham HC wrote...

The custom code to register with Active Directory will it be running on CQ?  

 

yes.

Sham HC wrote...

*   Is CQ using same keystore where you imported certs?

*   Are you able to run program outside cq in java envirnoment succesfully?

 

* How do i know which keystore CQ is looking at? I was working on Windows and then switched to Fedora because there is only one keystore in unix under jre/lib/security something. 

* I have not tried running the program outside CQ. Let me do it and will update. 

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

I am getting the same error from my java code not executing in cq environment . I started adding the certificate in trusted keystore and added in jre, i had two versions so added the certificate there as well but not helping. Do you by any chance know why this would be. I know it is a certificate issue because i have added the certificate everywhere i could add (on a desperate hunt :D ) but phew !! still the same. I came across an article which stated "Always happen without fail if self-signed certificate is used. :) Well, importing the Root CA cert of the self-signed certificate into the cacerts store in JDK will resolve the issue."  for the error i am facing. we are using a self signed cert i think.

Sham HC wrote...

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

 

Yes i did that but that isn't working as well. 

Sham HC wrote...

 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

 

 

I actually opened a wireshark terminal and i can see that ldap is running on 636 port and connection is secure. 

This is how i am adding the certificate

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

This is the exception i am getting when i hit a sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting attribute and writing that entry with LDAP.

I am using these API's http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/d...

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)