Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Adding users in active directory (AD) over ssl with cq5

samthadhani
Level 3
Level 3

Hi,

I am trying to add users to AD which is working fine without secure ldap. The problem is when i try to set password for the user at the time of registration in the unicodePwd attribute this does not work. I am getting error (WILL_NOT_PERFORM) in the logs.

I have got a certificate in my jre/security/cacerts on Fedora ( I have been provided this cert by support guys) I am not sure if it is valid and will work fine when app interacts with AD. 

While discussing the issue further with support, they are keen to give us a self signed cert which somehow will be trusted but i am concerned that users of the application might see errors on their browsers if it is self signed.

Does anyone know how can i get rid of the error (WILL_NOT_PERFORM) i.e. steps i can perform to know if it all works or not and if my apprehension of user warning will be true with self signed certs.

1 Accepted Solution
Sham_HC
Correct answer by
Level 10
Level 10

samthadhani wrote...

Sham HC wrote...

 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

 

 

I actually opened a wireshark terminal and i can see that ldap is running on 636 port and connection is secure. 

This is how i am adding the certificate

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

 

 

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

 

This is the exception i am getting when i hit a sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting attribute and writing that entry with LDAP.

I am using these API's http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/d...

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)

 

 

You are importing into alias cqse, In your Implementation loginAndCreateUserNodes method make sure SSLSocketFactory using right key store Or alterntively import into <java_home>/jre/lib/security/cacerts 

View solution in original post

0 Replies
Sham_HC
Level 10
Level 10

Are you using CQ login page OR cq configured as SSO with custom login page served from different application ?  if cq login page then can you enclose password in double quotes and verify since you are using unicodePwd. 

samthadhani
Level 3
Level 3

Sham HC wrote...

Are you using CQ login page OR cq configured as SSO with custom login page served from different application ?  if cq login page then can you enclose password in double quotes and verify since you are using unicodePwd. 

 

Thanks Sham for your reply.

I am using LDAP Login module but i have created a custom authentication to validate users. The problem is not w.r.t logging in the users. I am able to successfully login the users to the system. The problem is in registering them to Active Directory with their passwords. I can register users without password and if i reset their password using AD interface i can get them to login but as soon as i provide additional attribute (unicodePwd) AD throws WILL_NOT_PERFORM error. I googled it and the possible reason looks like certificate issue which i haven't been able to figure out. By the way at the time of registration i am enclosing the password within quotes and encoding them with UTF-16LE or something.

So any opinion you might have as to how should i integrate the certificate with AD?

 Is there a way to bypass it whole in the meantime support figures out we can integrate with the application. I haven't worked with AD before so forgive me if i sound rudimentary. 

Sham_HC
Level 10
Level 10

The custom code to register with Active Directory will it be running on CQ?  

samthadhani
Level 3
Level 3

Sham HC wrote...

The custom code to register with Active Directory will it be running on CQ?  

 

yes.

Sham_HC
Level 10
Level 10

*   Is CQ using same keystore where you imported certs?

*   Are you able to run program outside cq in java envirnoment succesfully?

samthadhani
Level 3
Level 3

Sham HC wrote...

*   Is CQ using same keystore where you imported certs?

*   Are you able to run program outside cq in java envirnoment succesfully?

 

* How do i know which keystore CQ is looking at? I was working on Windows and then switched to Fedora because there is only one keystore in unix under jre/lib/security something. 

* I have not tried running the program outside CQ. Let me do it and will update. 

Sham_HC
Level 10
Level 10

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

samthadhani
Level 3
Level 3

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

samthadhani
Level 3
Level 3

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

I am getting the same error from my java code not executing in cq environment . I started adding the certificate in trusted keystore and added in jre, i had two versions so added the certificate there as well but not helping. Do you by any chance know why this would be. I know it is a certificate issue because i have added the certificate everywhere i could add (on a desperate hunt 😄 ) but phew !! still the same. I came across an article which stated "Always happen without fail if self-signed certificate is used. 🙂 Well, importing the Root CA cert of the self-signed certificate into the cacerts store in JDK will resolve the issue."  for the error i am facing. we are using a self signed cert i think.

Sham_HC
Level 10
Level 10

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

samthadhani
Level 3
Level 3

Sham HC wrote...

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

 

Yes i did that but that isn't working as well. 

Sham_HC
Level 10
Level 10

samthadhani wrote...

Sham HC wrote...

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

 

Yes i did that but that isn't working as well. 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

samthadhani
Level 3
Level 3

Sham HC wrote...

 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

 

 

I actually opened a wireshark terminal and i can see that ldap is running on 636 port and connection is secure. 

This is how i am adding the certificate

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

 

 

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

 

This is the exception i am getting when i hit a sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting attribute and writing that entry with LDAP.

I am using these API's http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/d...

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)

Sham_HC
Correct answer by
Level 10
Level 10

samthadhani wrote...

Sham HC wrote...

 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

 

 

I actually opened a wireshark terminal and i can see that ldap is running on 636 port and connection is secure. 

This is how i am adding the certificate

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

 

 

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

 

This is the exception i am getting when i hit a sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting attribute and writing that entry with LDAP.

I am using these API's http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/d...

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)

 

 

You are importing into alias cqse, In your Implementation loginAndCreateUserNodes method make sure SSLSocketFactory using right key store Or alterntively import into <java_home>/jre/lib/security/cacerts