I will preface this by saying I am not super familiar with LDAP.
I am trying to pull over some users from LDAP programmatically (I'm aware of the JMX servlet, however my script also adds some profile data and assigns users to groups, which is why I'm trying to do this without turning to that).
I'm grabbing the ldap identity provider, setting up an external identity reference, and trying to get the identity, but I get an error (see below) that "A value is missing in some RDN".
I'm having a hard time making sense of this. Is it more likely to be an ldap identity provider config problem or a problem with my code?
Caused by: org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException: Error during ldap lookup.
at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.lookupFailedException(LdapIdentityProvider.java:818)
at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:212)
at org.uc.news.core.servlets.VirtualUserPostServlet.doPost(VirtualUserPostServlet.java:132)
... 116 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN
at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:279)
at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:211)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.lookup(LdapNetworkConnection.java:3428)
at org.apache.directory.ldap.client.api.LdapConnectionWrapper.lookup(LdapConnectionWrapper.java:497)
at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:200)
... 117 more
Here is the code that is failing:
//see if the user exists in ldap
//grab the identity provider
ExternalIdentityProvider ldapIP = eipm.getProvider(IDP_NAME);
//set the reference to the user, using the id
ExternalIdentityRef eir = new ExternalIdentityRef(idString, ldapIP.getName());
//try to get the identity
ExternalIdentity externalIdentity = ldapIP.getIdentity(eir);
The idString is our internal userID.
Here is the ldapIdentityProvider setup:
adminPool.lookupOnValidate | true |
adminPool.maxActive | 8 |
bind.dn | CN=cmsproxy,OU=admins,o=uc |
bind.password | XXXXXXXXXXX |
component.id | 142 |
component.name | org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider |
group.baseDN | ou=People,o=uc |
group.extraFilter | |
group.makeDnPath | false |
group.memberAttribute | uniquemember |
group.nameAttribute | cn |
group.objectclass | groupOfUniqueNames |
host.name | auth.uc.edu |
host.noCertCheck | false |
host.port | 636 |
host.ssl | true |
host.tls | false |
provider.name | ldap |
searchTimeout | 60s |
service.bundleid | 90 |
service.factoryPid | org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider |
Service PID | org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.704f2089-1821-4ee0-913c-5b2f5a62f0c5 |
service.scope | bundle |
Service Vendor | The Apache Software Foundation |
user.baseDN | ou=People,o=uc |
user.extraFilter | |
user.idAttribute | uid |
user.makeDnPath | false |
user.objectclass | person |
userPool.lookupOnValidate | true |
userPool.maxActive | 8 |
Using Bundles | org.apache.jackrabbit.oak-auth-external (89) |
Can you successfully pull in the data without using code, that is, by configuring AEM to use LDAP? We have an older community article that shows use of that -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6 to use Apache Directory Servi...
Also - if you are using Java - see if you can successfully use an LDAP Java API to communicate with the LDAP service from a Java IDE. Does the code work outside of AEM?
Here's the result of running Ljava.lang.String; syncUsers([Ljava.lang.String; p1, boolean p2) with [stockwbn],false :{op:"upd",uid:"stockwbn",eid:"cn=stockwbn,ou=People,o=uc;ldap"}
Seems like it's working?
I also was able to successfully connect and read users from ldap using the credentials from the ldap identity provider in eclipse using the apache directory plugin.
I've gotten a little closer on my own with this, but am still having issues.
I changed the line where I initialize the ExternalIdentityRef so that instead of just searching on a 6+2, I add more information:
ExternalIdentityRef eir = new ExternalIdentityRef("cn=" + idString + ",ou=People,o=uc",ldapIP.getName());
However, the line where I get the identity returns null, and the following error shows in the log:
11.04.2018 15:59:38.283 *WARN* [0:0:0:0:0:0:0:1 [1523476778265] POST /apps/news/users/submit HTTP/1.1] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=barnescy,ou=People,o=uc;ldap
So it seems like I make a connection and it finds the user, but doesn't know what to do with the user once it's found. Perhaps because my ldap id provider is misconfigured?
It may be misconfigured. See if you can configure it with AEM. See the article above I referenced.
You're right, the config was set to look for "person" but the actual value of the object class was "Person".
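Pulling together the two findings of this thread (a bare uid handed to getIdentity() fails DN parsing in the first post; the objectClass case mismatch in the accepted answer), here is an added Java example. It is not code from the thread, from Oak or from Adobe. It resolves a user either through getUser(), which lets the provider search on the configured user.idAttribute, or by building an escaped DN under user.baseDN and validating it before calling getIdentity(). The class name, the USER_BASE_DN constant and the method names are assumptions; IDP_NAME and the base DN value are taken from the provider configuration shown in the first post.

```java
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.name.Rdn;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProviderManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;

/**
 * Added example (hypothetical class): resolves LDAP users through the Oak
 * external identity provider configured in this thread.
 */
public final class LdapUserResolver {

    // provider.name from the LdapIdentityProvider config in the first post
    private static final String IDP_NAME = "ldap";
    // user.baseDN from the same config (assumed to be the parent of every user entry)
    private static final String USER_BASE_DN = "ou=People,o=uc";

    private final ExternalIdentityProvider idp;

    public LdapUserResolver(ExternalIdentityProviderManager eipm) {
        ExternalIdentityProvider provider = eipm.getProvider(IDP_NAME);
        if (provider == null) {
            throw new IllegalStateException("no external identity provider registered as " + IDP_NAME);
        }
        this.idp = provider;
    }

    /**
     * Preferred path: look the user up by the value of user.idAttribute (uid here).
     * The provider builds the LDAP search filter itself, so the caller never has to
     * know the DN layout. Returns null when no entry matches.
     */
    public ExternalUser byUid(String uid) throws ExternalIdentityException {
        return idp.getUser(uid);
    }

    /**
     * DN path: this is what getIdentity() expects in its ExternalIdentityRef (the
     * syncUsers output in the thread shows the external id as a DN plus ";ldap").
     * The RDN value is escaped so a uid containing ',', '=', '+' or '"' cannot
     * change the DN, and the DN is parsed before use so a malformed value is
     * reported here instead of as the ERR_04202 LdapInvalidDnException above.
     */
    public ExternalIdentity byDn(String uid) throws ExternalIdentityException {
        String dn = "cn=" + Rdn.escapeValue(uid) + "," + USER_BASE_DN;
        try {
            new Dn(dn); // syntax check only; throws LdapInvalidDnException on a bad DN
        } catch (LdapInvalidDnException e) {
            throw new ExternalIdentityException("not a valid DN: " + dn, e);
        }
        ExternalIdentityRef ref = new ExternalIdentityRef(dn, idp.getName());
        // getIdentity() returns null both when the entry is missing and when the
        // fetched entry's objectClass values do not match user.objectclass or
        // group.objectclass (the "referenced identity is neither user or group"
        // warning in the log). Callers must handle null.
        return idp.getIdentity(ref);
    }
}
```

Usage from a servlet would be `new LdapUserResolver(eipm).byUid(idString)`, checking the result for null before reading profile properties or group references. The uid path is preferable in code that takes the user id from a request: the provider does the filter construction, and an objectclass filter is matched by the directory server, whereas the DN path compares the fetched entry's objectClass values on the client side, which is the path where the case of user.objectclass (person versus Person) mattered in this thread.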
Please go through the article below: http://www.adobeaemclub.com/configuring-ldap-in-aem-6-x/