Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Error When Checking for external user in LDAP

Avatar

Level 5

I will preface this by saying I am not super familiar with LDAP.

I am trying to pull over some users from LDAP programmatically (I'm aware of the JMX servlet, however my script also adds some profile data and assigns users to groups, which is why I'm trying to do this without turning to that).

I'm grabbing the ldap identity provider, setting up an external identity reference, and trying to get identity, but I get an error (see below) that "A value is mossing in some RDN"

I'm having a hard time making sense of this. Is it more likely to be an ldap identity provider config problem or a problem with my code?

Caused by: org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException: Error during ldap lookup.

  at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.lookupFailedException(LdapIdentityProvider.java:818)

  at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:212)

  at org.uc.news.core.servlets.VirtualUserPostServlet.doPost(VirtualUserPostServlet.java:132)

  ... 116 more

Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN

  at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:279)

  at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:211)

  at org.apache.directory.ldap.client.api.LdapNetworkConnection.lookup(LdapNetworkConnection.java:3428)

  at org.apache.directory.ldap.client.api.LdapConnectionWrapper.lookup(LdapConnectionWrapper.java:497)

  at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.getIdentity(LdapIdentityProvider.java:200)

  ... 117 more

Here is the code that is failing:

//see if the user exists in ldap

//grab the identiy provider

ExternalIdentityProvider ldapIP = eipm.getProvider(IDP_NAME);

//set to the refernce to the users, using the id

ExternalIdentityRef eir = new ExternalIdentityRef(idString,ldapIP.getName());

//try to get the identity

ExternalIdentity externalIdentity = ldapIP.getIdentity(eir);

the idString is our internal userID

Here is the ldapIdentityProvider setup:

adminPool.lookupOnValidatetrue
adminPool.maxActive8
bind.dnCN=cmsproxy,OU=admins,o=uc
bind.passwordXXXXXXXXXXX
component.id142
component.nameorg.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
group.baseDNou=People,o=uc
group.extraFilter
group.makeDnPathfalse
group.memberAttributeuniquemember
group.nameAttributecn
group.objectclassgroupOfUniqueNames
host.nameauth.uc.edu
host.noCertCheckfalse
host.port636
host.ssltrue
host.tlsfalse
provider.nameldap
searchTimeout60s
service.bundleid90
service.factoryPidorg.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
Service PIDorg.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.704f2089-1821-4ee0-913c-5b2f5a62f0c5
service.scopebundle
Service VendorThe Apache Software Foundation
user.baseDNou=People,o=uc
user.extraFilter
user.idAttributeuid
user.makeDnPathfalse
user.objectclassperson
userPool.lookupOnValidatetrue
userPool.maxActive8
Using Bundlesorg.apache.jackrabbit.oak-auth-external (89)
1 Accepted Solution

Avatar

Correct answer by
Level 10

Can you successfully pull in the data without doing it using code. That is by configuring AEM to use LDAP. We have an older community article that shows use of that -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6 to use Apache Directory Servi...

View solution in original post

7 Replies

Avatar

Correct answer by
Level 10

Can you successfully pull in the data without doing it using code. That is by configuring AEM to use LDAP. We have an older community article that shows use of that -- Adobe Experience Manager Help | Configuring Adobe Experience Manager 6 to use Apache Directory Servi...

Avatar

Level 10

Also - if you are using Java - see if you can successfully use an LDAP Java API to communicate with the LDAP service from a Java IDE. Does the code work outside of AEM?

Avatar

Level 5

Here's the result of running  Ljava.lang.String; syncUsers([Ljava.lang.String; p1, boolean p2) with [stockwbn],false :{op:"upd",uid:"stockwbn",eid:"cn=stockwbn,ou=People,o=uc;ldap"}

Seems like it's working?

I also was able to successfully connect and read users from ldap using the credentials from the ldap identity provider in eclipse using the apache directory plugin.

Avatar

Level 5

I've gotten a littel closer on my own with this, but am still having issues.

I changed the line where I initialize the ExternalIdentityReference so that instead of just searching on a 6+2, I add more information:

ExternalIdentityRef eir = new ExternalIdentityRef("cn=" + idString + ",ou=People,o=uc",ldapIP.getName());

However, the line where I get the identity returns null, and the following error shows in the log:

11.04.2018 15:59:38.283 *WARN* [0:0:0:0:0:0:0:1 [1523476778265] POST /apps/news/users/submit HTTP/1.1] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider referenced identity is neither user or group: cn=barnescy,ou=People,o=uc;ldap

So it seems like I make a connection and it finds the user, but doesn't know what to do with the user once it's found. Perhaps because my ldap id provider is  misconfigured?

Avatar

Level 10

It may be misconfigured. See if you can configure it with AEM. See the article above i referenced.

Avatar

Level 5

You're right, the config was set to look for "person" but the actual value of the object class was "Person"