
[ERROR] unable to bind connection on LDAP with Windows server 2012 active directory


Level 1

Good afternoon,

Recently, I've been trying to connect AEM 6.1 with the Windows Server 2012 Active Directory using LDAP, but it always fails.

This is the error that occurred:

org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider LdapIdentityProvider initialized: LdapProviderConfig{name='ldap', hostname='softnetadc.softdev.co.id', port=389, useSSL=false, useTLS=false, noCertCheck=false, bindDN='uid=Administrator,ou=Users,dc=softdev,dc=co,dc=id', bindPassword='***', searchTimeout=60000, groupMemberAttribute='uniquemember', memberOfFilterTemplate='null', adminPoolConfig=PoolConfig{maxActiveSize=8, lookupOnValidate=true}, userPoolConfig=PoolConfig{maxActiveSize=8, lookupOnValidate=true}, userConfig=Identity{baseDN='ou=Development,dc=softdev,dc=co,dc=id', objectClasses=[Development], idAttribute='cn', extraFilter='', filterTemplate='null', makeDnPath=false}, groupConfig=Identity{baseDN='ou=Development,dc=softdev,dc=co,dc=id', objectClasses=[groupOfUniqueNames], idAttribute='uid', extraFilter='', filterTemplate='null', makeDnPath=false}}
19.08.2016 14:10:07.368 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-d17c4d3d-c641-4058-bc4f-c8f1ebce571a.config]
19.08.2016 14:10:39.668 *INFO* [sling-threadpool-3ceebce2-2cdf-47c4-b06f-9f42f07a75cf-(apache-sling-job-thread-pool)-137-com_day_cq_replication_job_publish(com/day/cq/replication/job/publish)] com.day.cq.replication.Agent.publish.queue Job for agent publish processed in 1006ms. Failed.
19.08.2016 14:10:43.266 *INFO* [qtp1028969176-3509] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
19.08.2016 14:10:43.288 *WARN* [0:0:0:0:0:0:0:1 [1471590643280] GET /libs/granite/core/content/login.html HTTP/1.1] libs.granite.core.components.login.login$jsp j_reason param value 'unknown' cannot be mapped to a valid reason message: ignoring
19.08.2016 14:10:48.310 *ERROR* [qtp1028969176-3512] org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory unable to bind connection: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
19.08.2016 14:10:48.312 *ERROR* [qtp1028969176-3512] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
    at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2021)
    at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:129)
    at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:133)
    at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:59)
    at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
    at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:123)
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:771)
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getUser(LdapIdentityProvider.java:221)
19.08.2016 14:10:48.313 *ERROR* [qtp1028969176-3512] org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule Error while authenticating 'admin_dev' with ldap
org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException: Error while connecting to the ldap server.
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:776)
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getUser(LdapIdentityProvider.java:221)
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.authenticate(LdapIdentityProvider.java:349)
    at org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule.login(ExternalLoginModule.java:221)
    at org.apache.felix.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:52)
    at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.jackrabbit.oak.core.ContentRepositoryImpl.login(ContentRepositoryImpl.java:165)
    at org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl.login(RepositoryImpl.java:280)
    at com.adobe.granite.repository.impl.CRX3RepositoryImpl.login(CRX3RepositoryImpl.java:94)
    at org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl.login(RepositoryImpl.java:219)
    at org.apache.sling.jcr.base.AbstractSlingRepository2.login(AbstractSlingRepository2.java:288)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrProviderStateFactory.createProviderState(JcrProviderStateFactory.java:121)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProvider.authenticate(JcrResourceProvider.java:267)
    at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProvider.authenticate(JcrResourceProvider.java:78)
    at org.apache.sling.resourceresolver.impl.providers.stateful.ProviderManager.authenticate(ProviderManager.java:161)
    at org.apache.sling.resourceresolver.impl.providers.stateful.ProviderManager.getOrCreateProvider(ProviderManager.java:87)
    at org.apache.sling.resourceresolver.impl.providers.stateful.ProviderManager.authenticateAll(ProviderManager.java:129)
    at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.createControl(ResourceResolverImpl.java:154)
    at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:116)
    at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:110)
    at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:257)
    at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:162)
    at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:99)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:782)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:497)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
    at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2021)
    at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:123)
    at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:771)
    ... 57 common frames omitted
19.08.2016 14:10:48.314 *INFO* [qtp1028969176-3512] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: Login Failure: all modules ignored

Is there anyone who has the same problem as me? What is the solution?

I've already tried changing the Bind DN a couple of times, but it's always the same.

I hope for your help. Thank you.

Best Regards,
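The useful part of the log above is the AD sub-code in "AcceptSecurityContext error, data 52e": it is a Win32 logon error code in hex, and it describes the account AEM binds with, not the AEM user who typed the password. The following triage helper is an added example written for this thread, not code from the post, from AEM or from Oak; the log lines it reads are constructed from the error quoted above, and the sub-code table is the standard AD mapping.

```python
import re

# Constructed sample: the bind failure from the AEM error.log quoted in the post,
# reduced to three entries (the "v2580" trailer is AD's message version tag).
SAMPLE_LOG = """\
19.08.2016 14:10:48.310 *ERROR* [qtp1028969176-3512] org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory unable to bind connection: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
19.08.2016 14:10:48.312 *ERROR* [qtp1028969176-3512] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server. org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
19.08.2016 14:10:48.314 *INFO* [qtp1028969176-3512] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: Login Failure: all modules ignored
"""

# Sub-codes AD appends to "AcceptSecurityContext error, data <hex>". They are
# Win32 logon error codes in hex (52e = 1326 = ERROR_LOGON_FAILURE) and they
# describe the account used for the *bind*, not the user who tried to log in.
AD_BIND_SUBCODES = {
    "525": ("user not found", "the bind name does not resolve to an account"),
    "52e": ("invalid credentials", "account exists but the password or the DN form is wrong"),
    "530": ("logon time restriction", "account may not log on at this time"),
    "531": ("workstation restriction", "account may not log on from this host"),
    "532": ("password expired", "reset the bind account's password"),
    "533": ("account disabled", "enable the account or use a dedicated service account"),
    "701": ("account expired", "extend or replace the bind account"),
    "773": ("must change password", "'user must change password at next logon' is set"),
    "775": ("account locked out", "too many failed binds; check for a stale stored password"),
}

AEM_LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>\w+)\* \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
AD_SUBCODE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def parse_aem_log_line(line):
    """Split one AEM error.log entry into its fields; stack-frame continuation lines give None."""
    m = AEM_LOG_LINE.match(line)
    return m.groupdict() if m else None


def triage_bind_failures(log_text):
    """Return one finding per failed bind, deduplicated by request thread and sub-code,
    so the two log entries Oak writes for a single failure are reported once."""
    seen = set()
    findings = []
    for raw in log_text.splitlines():
        entry = parse_aem_log_line(raw)
        if entry is None:
            continue
        m = AD_SUBCODE.search(entry["msg"])
        if m is None:
            continue
        code = m.group("code").lower()
        key = (entry["thread"], code)
        if key in seen:
            continue
        seen.add(key)
        meaning, hint = AD_BIND_SUBCODES.get(
            code, ("unknown sub-code", "look the hex value up as a Win32 error code"))
        findings.append({"ts": entry["ts"], "thread": entry["thread"],
                         "subcode": code, "meaning": meaning, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage_bind_failures(SAMPLE_LOG):
        print(f"{f['ts']} thread={f['thread']} data {f['subcode']}: {f['meaning']} ({f['hint']})")
```

Run against the quoted log it reports a single "invalid credentials" finding for thread qtp1028969176-3512, which is why the later "Login Failure: all modules ignored" line is a consequence rather than a separate problem: the external login module never got a working connection to the directory.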

5 Replies


Level 4

How are you running the AEM instance?  As a run-as?  Sometimes AD/LDAP will request the credential from the contacting machine to validate network access.

I also commonly use the ldp.exe tool from Microsoft to verify the connection before putting it in code.  Whatever details you work out with ldp.exe tool are generally copy/pastable into the code or configuration panel -- and is faster to test, IMHO.

You may need to see if the AD/LDAP is 389 (default, non-encrypted) or 636 (SSL-encrypted, which then will require certificate credential via -D for java runtime and/or possible certificate installation to the host machine to allow the network communication to that 636 AD/LDAP server).

Hope this helps.


Level 1

First of all, thank you for the advice; I've tried it, but I still cannot log in with LDAP and I also got a new error.

The error:

/job/publish)] com.day.cq.replication.Agent.publish.queue Job for agent publish processed in 1004ms. Failed.
29.08.2016 11:02:37.815 *INFO* [qtp258898575-2872] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
29.08.2016 11:02:38.406 *INFO* [qtp258898575-2801] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
29.08.2016 11:02:38.484 *WARN* [0:0:0:0:0:0:0:1 [1472443358480] GET /libs/granite/core/content/login.html HTTP/1.1] libs.granite.core.components.login.login$jsp j_reason param value 'unknown' cannot be mapped to a valid reason message: ignoring
29.08.2016 11:02:44.347 *INFO* [qtp258898575-2801] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: Login Failure: all modules ignored
29.08.2016 11:02:54.622 *INFO* [qtp258898575-2872] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: Login Failure: all modules ignored

How about this one?

Thank you.

Best Regards,


Level 4

Is this to say you have validated your bind and login to LDAP using the LDP.EXE?  If not, do that first.  If you cannot get native tools to login then the account is not setup correctly or the credentials you are using are not valid.

The new error only suggests you have not setup JAAS correctly.  Java Authorization and Authentication Service (JAAS) uses module definitions for authentication.  That is a completely different subject.  Please tackle one at a time.


Level 1

Dear Mr Bob,

I'm running the AEM instance on my computer locally, and I'm trying to connect to the Windows Server Active Directory at a different IP, 192.168.0.24, and the port is 389.

I have tried to ping the IP and it's fine. I can also reach the IP to share a folder and take data from a folder on that machine.

I have bound using ldp.exe inside the Windows Server Active Directory; the login details:

- user : administrator

- pass : asd@123

- domain : softdev.co.id

- IP computer : 192.168.0.24 / softnetadc.softdev.co.id

How about this one?

Thank you.

Best Regards,


Level 4

Hmmm... 192.168 is an internal, non-routable address.  Did you try running your code on the server itself?  The ldp.exe is portable to other Windows machines, did you try to run that same ldap bind with ldp.exe on your machine?

Some other suggestions:

1 - change the password to not have an @ symbol.  That is actually a reserved symbol for ftp://user:password@hostname.  I've been burned by that before....

2 - update the user 'administrator' first name and last name; looking at your original post the identifier is idAttribute='cn' which is common name "First Name Last Name" not uid which is 'administrator'.  Look at the detail in the browse LDAP after you bind with ldp.exe...
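The idAttribute point above generalises: almost every field in the LdapProviderConfig line printed in the first post follows the OpenLDAP/RFC 2256 naming model (uid= RDNs, groupOfUniqueNames, uniquemember) rather than Active Directory's. The following checker is an added example written for this thread, not code from the post, from AEM or from Oak; it parses the config line as Oak logged it and flags the settings that do not match a stock AD domain. The AD conventions it assumes (CN= user RDNs, the CN=Users container, objectClass user and group, sAMAccountName as the logon name, member as the group membership attribute) are the defaults of an out-of-the-box domain, and a customised directory may differ.

```python
import re

# Constructed sample: the LdapProviderConfig{...} line the AEM log printed in the
# first post, trimmed to the fields the checks below read (pool settings dropped).
SAMPLE_CONFIG = (
    "LdapProviderConfig{name='ldap', hostname='softnetadc.softdev.co.id', port=389, "
    "useSSL=false, useTLS=false, noCertCheck=false, "
    "bindDN='uid=Administrator,ou=Users,dc=softdev,dc=co,dc=id', bindPassword='***', "
    "searchTimeout=60000, groupMemberAttribute='uniquemember', "
    "userConfig=Identity{baseDN='ou=Development,dc=softdev,dc=co,dc=id', "
    "objectClasses=[Development], idAttribute='cn', extraFilter='', makeDnPath=false}, "
    "groupConfig=Identity{baseDN='ou=Development,dc=softdev,dc=co,dc=id', "
    "objectClasses=[groupOfUniqueNames], idAttribute='uid', extraFilter='', makeDnPath=false}}"
)

_KV = re.compile(r"(\w+)=(?:'([^']*)'|\[([^\]]*)\]|([^,}]+))")
_IDENTITY = re.compile(r"(userConfig|groupConfig)=Identity\{([^}]*)\}")
_POOL = re.compile(r"\w+=PoolConfig\{[^}]*\}")


def _parse_kv(text):
    """Turn "a='x', b=[y, z], c=1" into a dict; bracketed values become lists."""
    out = {}
    for key, quoted, listed, bare in _KV.findall(text):
        if listed:
            out[key] = [v.strip() for v in listed.split(",") if v.strip()]
        elif quoted or not bare:
            out[key] = quoted
        else:
            out[key] = bare.strip()
    return out


def parse_provider_config(line):
    """Parse one LdapProviderConfig{...} log line into a nested dict."""
    cfg = {}
    # The nested Identity{...} blocks are parsed first and removed, so their
    # keys (baseDN, idAttribute, ...) do not collide with the top-level ones.
    for section, body in _IDENTITY.findall(line):
        cfg[section] = _parse_kv(body)
    top = _POOL.sub("", _IDENTITY.sub("", line))
    cfg.update(_parse_kv(top))
    return cfg


def _classes(identity):
    return {c.lower() for c in identity.get("objectClasses", [])}


def audit_for_active_directory(cfg):
    """Return (key, message) findings for settings that will not work against a
    stock AD domain. Assumed AD defaults: CN= user RDNs, CN=Users container,
    objectClass user/group, sAMAccountName logon names, 'member' for groups."""
    findings = []
    bind_dn = cfg.get("bindDN", "")
    if bind_dn.split(",", 1)[0].lower().startswith("uid="):
        findings.append(("bind-rdn", "bindDN starts with uid=, but AD names user entries "
                         "CN=<name> and leaves uid empty; a simple bind with a DN that "
                         "does not exist fails with data 52e"))
    if "ou=users" in bind_dn.lower():
        findings.append(("bind-users-container", "bindDN uses ou=Users; the default AD "
                         "Users container is CN=Users (a container, not an OU)"))
    user = cfg.get("userConfig", {})
    if not _classes(user) & {"user", "person"}:
        findings.append(("user-objectclass", f"userConfig.objectClasses={user.get('objectClasses')} "
                         "names no AD user class; AD accounts are objectClass user"))
    if user.get("idAttribute", "").lower() == "cn":
        findings.append(("user-idattribute", "idAttribute='cn' is the display name "
                         "('First Last'); the logon name lives in sAMAccountName"))
    group = cfg.get("groupConfig", {})
    if "group" not in _classes(group):
        findings.append(("group-objectclass", f"groupConfig.objectClasses={group.get('objectClasses')}; "
                         "AD groups are objectClass group (groupOfUniqueNames is the RFC 2256 style)"))
    if cfg.get("groupMemberAttribute", "").lower() != "member":
        findings.append(("group-member-attr", "groupMemberAttribute should be 'member' for AD; "
                         "'uniquemember' belongs to groupOfUniqueNames"))
    if cfg.get("useSSL") == "false" and cfg.get("useTLS") == "false":
        findings.append(("plaintext-bind", "useSSL=false and useTLS=false: the bind password "
                         f"crosses the network in cleartext on port {cfg.get('port')}; "
                         "use LDAPS (636) or StartTLS"))
    if cfg.get("noCertCheck") == "true":
        findings.append(("cert-check-disabled", "noCertCheck=true disables server certificate "
                         "validation, so the bind password can be sent to an impostor server"))
    return findings


if __name__ == "__main__":
    for key, msg in audit_for_active_directory(parse_provider_config(SAMPLE_CONFIG)):
        print(f"[{key}] {msg}")
```

On the config from the first post this reports seven findings. For a default domain the equivalent AD-style settings would be a bindDN such as CN=Administrator,CN=Users,DC=softdev,DC=co,DC=id (AD also accepts the UPN form administrator@softdev.co.id as the simple-bind name), objectClasses=[user] with idAttribute='sAMAccountName' for users, objectClasses=[group] with groupMemberAttribute='member' for groups, and useSSL=true on port 636; the exact DN depends on where the account actually sits, which is what browsing the tree in ldp.exe after a successful bind tells you.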