Adding users in active directory (AD) over ssl with cq5

Sham HC wrote...

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

 

Yes i did that but that isn't working as well. 

samthadhani wrote...

Sham HC wrote...

samthadhani wrote...

Sham HC wrote...

*   In start up script make sure same jre is used where you imported.  In using different jre set the system properties ( javax.net.ssl.keyStore and javax.net.ssl.trustStore) in start up script accordingly.

* Ok

 

Hi,

I got my independent program working after i got a new cert from support. I am able to add the user to Active directory with a password and since i my CQ instance is able to connect to AD via lda_login.conf so i am able to log the user in without having to reset the password for that user. Earlier for logging the user i was resetting the password from AD.

I had added that certificate in both the jre that were existing in my system hoping whichever CQ will pick it should work. I have listed the error message which i am getting.

LDAP Connection Failedcom.day.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ; DSA is unwilling to perform

I tried adding the truststore property within the bat file and system wasn't starting, so obviously something was wrong but i added these properties within the code just to make sure that somehow i am incorporating them but i am still getting the same error. My ldap file is being picked up by CQ because before it adds the user, there is a lookup operation log which seems to be working fine. I am somehow feeling that connection b/w AD and CQ is not secure but the parameter secure is set as true in login.conf file.

I would appreciate if you can give any pointers.

 

Along with secure parameter did you updated port to secure port? 

 

Yes i did that but that isn't working as well. 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

Sham HC wrote...

 

 

I heavily doubt connection is not secure. Anyhow you can confirm it by running proxy.jar Or using tcp dump.  My suspect would be you have not imported certificates into default alias Or you reffering different trustStore.   If you have support contract get official help Or send me output of [1] to see if any thing unusual. 

[1]

*    Command & output how you added certs

*    Output of below command 

ps -ef | grep java

Or cq port number 

ps -ef | grep 4502

*    snip of your custom logic in osgi

 

 

I actually opened a wireshark terminal and i can see that ldap is running on 636 port and connection is secure. 

This is how i am adding the certificate

keytool -importcert -file cmsCA.cer -trustcacerts -storepass myPassword -alias cqse

sam       4787     1  1 10:53 pts/0    00:04:20 java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true -Djava.security.auth.login.config=crx-quickstart/conf/ldap_login.conf -Dsling.run.modes=publish -jar crx-quickstart/app/cq-quickstart-5.6.1-standalone.jar start -c crx-quickstart -i launchpad -p 4503

sam      17303  4917  0 14:46 pts/1    00:00:00 grep --color=auto java

This is the exception i am getting when i hit a sling servlet in CQ which actually tries to connect to 636. I don't have much custom code except setting attribute and writing that entry with LDAP.

I am using these API's http://grepcode.com/file/repo1.maven.org/maven2/com.adobe.granite/day-commons-ldapclient/1.1.8/com/day/ldap/LDAPConnection.java

Connection Failedcom.day.ldap.LDAPException: Server down (80); Unknown error

    at com.day.ldap.LDAPConnThread.networkError(LDAPConnThread.java:624)
    at com.day.ldap.LDAPConnThread.run(LDAPConnThread.java:441)

26.05.2014 14:52:16.570 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.RegisterUser LDAP Exception in finally block {}unable to disconnect() without connecting
26.05.2014 14:52:16.705 *ERROR* [0:0:0:0:0:0:0:1 [1401072736545] GET /bin/ldapConnection HTTP/1.1] nz.co.tvnz.core.services.user.register.UserCQSync Login Exception for user {}javax.jcr.LoginException: Login Failure: all modules ignored
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:107)
    at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
    at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
    at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
    at nz.co.tvnz.core.services.user.register.UserCQSync.loginAndCreateUserNodes(UserCQSync.java:97)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doPost(RegisterUser.java:181)
    at nz.co.tvnz.core.services.user.register.RegisterUser.doGet(RegisterUser.java:118)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
    at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:139)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:146)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:356)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:168)