Adobe Experience Manager Sites & More

Rajesh_Kamalath · 10/15/15

Hi,

I've been struggling with getting Active Directory to integrate with CQ5. I'm currently getting the bellow error message.

*DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:00.601 *WARN* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)

org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:108)
at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)     org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:76)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:762)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272)
(HttpServlet.java:820)
at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250)
at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383)
at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:360)
at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644)
at java.lang.Thread.run(Thread.java:662)
Caused by: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4882)
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378)
... 71 more
12.05.2015 02:44:00.603 *DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 02:44:12.132 *DEBUG* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:12.140 *WARN* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)
at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.apache.jackrabbit.core.security.authentication.JAASAuthContext.login(JAASAuthContext.java:60)
   at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)
at org.apache.sling.resourceresolver.impl.tree.ResourceProviderFactoryHandler.login(ResourceProviderFactoryHandler.java:164)
at org.apache.sling.resourceresolver.impl.tree.RootResourceProviderEntry.loginToRequiredFactories(RootResourceProviderEntry.java:95)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolverInternal(ResourceResolverFactoryImpl.java:95)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFac
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378) ... 71 more
12.05.2015 09:27:32.892 *DEBUG* [10.25.153.113 [1431422852627] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 09:28:14.616 *DEBUG* [10.32.144.102 [1431422894613] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
12.05.2015 09:31:14.711 *DEBUG* [10.32.144.102 [1431423074706] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
12.05.2015 09:34:14.767 *DEBUG* [10.32.144.102 [1431423254764] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com

My Configuration is below:

I have doubt about this three entries only:

1.userRoot, 2.groupRoot, 3.authDn

principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="i have placed valid host entry here "
port="389"
secure="false"
userRoot="OU=North America,DC=PEROOT,DC=com"
groupRoot="ou=cq-groups,DC=PEROOT,DC=com"
authDn="uid="valid service account id here",OU=North America,DC=PEROOT,DC=com"
authPw="Valid password here#"
groupMembershipAttribute="uniquemember"
autocreate="create"
autocreate.user.mail="profile/email"
autocreate.user.givenname="profile/givenName"
autocreate.user.sn="profile/familyName"
autocreate.group.description="profile/aboutMe"
autocreate.group.mail="profile/email"
autocreate.group.cn="profile/givenName"
autocreate.path="direct"
cache.expiration="600"
cache.maxsize="100";

- in groupRoot I have taken this entries in existing configuration (ou=cq-groups) if this one causes the issue. Kindly advice how to sortout this issue.

Thanks,

Rajesh .K

ClintLundmark · 10/15/15

Rajesh,

Not sure I understand your problem completely. The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5. (AEM 6 is configured differently). Of course make sure your HOST and USER are in proper LDAP format and match your environment.

Once configured a user can login with their AD user ID and password. It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.

java is started with this parameter:

-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf

ldap_login.conf:

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
       principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
       host="HOST.example.com"
       port="389"
       secure="false"
       authDn="cn=USER,ou=accounts,dc=example,dc=com"
       authPw="PASSWORD"
       searchTimeout="100"
       userRoot="ou=accounts,dc=example,dc=com"
       userFilter="(objectclass=person)"
       userIdAttribute="samaccountname"
       groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
       groupFilter="(objectclass=group)"
       groupMembershipAttribute="member"
       groupNameAttribute="cn"
       autocreate="create"
       autocreate.path="splitdn"
       autocreate.user.mail="profile/email"
       autocreate.user.givenname="profile/givenName"
       autocreate.user.sn="profile/familyName"
       autocreate.group.description="profile/aboutMe"
       autocreate.group.mail="profile/email"
       autocreate.group.cn="profile/givenName"
       cache.expiration="600"
       cache.maxsize="100";
};

View solution in original post

smacdonald2008 · 10/15/15

We have a community article that talks about using CQ 5.5 and Apache DS

https://helpx.adobe.com/experience-manager/using/configuring-cq-apache-directory-service.html

Looks like there is something wrong with this configuration.

Are you following documentation?

Rajesh_Kamalath · 10/15/15

Hi Mac/team,

Thanks for your input. After validate the entries in the configuration file still we are facing the authentication issue. if we need to do anything after the the ldap conf file change.

Like anyone of our usergroups i need to upload or need to sync somewhere in crx repository or anything else. could you please help this steps.

Thanks,

Rajesh.K

ClintLundmark · 10/15/15

Rajesh,

Not sure I understand your problem completely. The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5. (AEM 6 is configured differently). Of course make sure your HOST and USER are in proper LDAP format and match your environment.

Once configured a user can login with their AD user ID and password. It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.

java is started with this parameter:

-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf

ldap_login.conf:

com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
       principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
       host="HOST.example.com"
       port="389"
       secure="false"
       authDn="cn=USER,ou=accounts,dc=example,dc=com"
       authPw="PASSWORD"
       searchTimeout="100"
       userRoot="ou=accounts,dc=example,dc=com"
       userFilter="(objectclass=person)"
       userIdAttribute="samaccountname"
       groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
       groupFilter="(objectclass=group)"
       groupMembershipAttribute="member"
       groupNameAttribute="cn"
       autocreate="create"
       autocreate.path="splitdn"
       autocreate.user.mail="profile/email"
       autocreate.user.givenname="profile/givenName"
       autocreate.user.sn="profile/familyName"
       autocreate.group.description="profile/aboutMe"
       autocreate.group.mail="profile/email"
       autocreate.group.cn="profile/givenName"
       cache.expiration="600"
       cache.maxsize="100";
};

Rajesh_Kamalath · 10/15/15

Hi Team,

I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.

Thanks,

Rajesh.K

Rajesh_Kamalath · 10/15/15

Hi ClintLundmark,

I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.

Thanks,

Rajesh.K

Adobe Experience Manager Sites & More

Getting exception while Integrating Active Directory With CQ5

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe