Hi,
I've been struggling with getting Active Directory to integrate with CQ5. I'm currently getting the bellow error message.
*DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:00.601 *WARN* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)
org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:108)
at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144) org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:76)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:762)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272)
(HttpServlet.java:820)
at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250)
at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383)
at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:360)
at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644)
at java.lang.Thread.run(Thread.java:662)
Caused by: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4882)
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378)
... 71 more
12.05.2015 02:44:00.603 *DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 02:44:12.132 *DEBUG* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:12.140 *WARN* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)
at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.apache.jackrabbit.core.security.authentication.JAASAuthContext.login(JAASAuthContext.java:60)
at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)
at org.apache.sling.resourceresolver.impl.tree.ResourceProviderFactoryHandler.login(ResourceProviderFactoryHandler.java:164)
at org.apache.sling.resourceresolver.impl.tree.RootResourceProviderEntry.loginToRequiredFactories(RootResourceProviderEntry.java:95)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolverInternal(ResourceResolverFactoryImpl.java:95)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFac
at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378) ... 71 more
12.05.2015 09:27:32.892 *DEBUG* [10.25.153.113 [1431422852627] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 09:28:14.616 *DEBUG* [10.32.144.102 [1431422894613] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
12.05.2015 09:31:14.711 *DEBUG* [10.32.144.102 [1431423074706] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
12.05.2015 09:34:14.767 *DEBUG* [10.32.144.102 [1431423254764] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
My Configuration is below:
I have doubt about this three entries only:
1.userRoot, 2.groupRoot, 3.authDn
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="i have placed valid host entry here "
port="389"
secure="false"
userRoot="OU=North America,DC=PEROOT,DC=com"
groupRoot="ou=cq-groups,DC=PEROOT,DC=com"
authDn="uid="valid service account id here",OU=North America,DC=PEROOT,DC=com"
authPw="Valid password here#"
groupMembershipAttribute="uniquemember"
autocreate="create"
autocreate.user.mail="profile/email"
autocreate.user.givenname="profile/givenName"
autocreate.user.sn="profile/familyName"
autocreate.group.description="profile/aboutMe"
autocreate.group.mail="profile/email"
autocreate.group.cn="profile/givenName"
autocreate.path="direct"
cache.expiration="600"
cache.maxsize="100";
- in groupRoot I have taken this entries in existing configuration (ou=cq-groups) if this one causes the issue. Kindly advice how to sortout this issue.
Thanks,
Rajesh .K
Solved! Go to Solution.
Views
Replies
Total Likes
Rajesh,
Not sure I understand your problem completely. The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5. (AEM 6 is configured differently). Of course make sure your HOST and USER are in proper LDAP format and match your environment.
Once configured a user can login with their AD user ID and password. It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.
java is started with this parameter:
-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf
ldap_login.conf:
com.day.crx {
com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="HOST.example.com"
port="389"
secure="false"
authDn="cn=USER,ou=accounts,dc=example,dc=com"
authPw="PASSWORD"
searchTimeout="100"
userRoot="ou=accounts,dc=example,dc=com"
userFilter="(objectclass=person)"
userIdAttribute="samaccountname"
groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
groupFilter="(objectclass=group)"
groupMembershipAttribute="member"
groupNameAttribute="cn"
autocreate="create"
autocreate.path="splitdn"
autocreate.user.mail="profile/email"
autocreate.user.givenname="profile/givenName"
autocreate.user.sn="profile/familyName"
autocreate.group.description="profile/aboutMe"
autocreate.group.mail="profile/email"
autocreate.group.cn="profile/givenName"
cache.expiration="600"
cache.maxsize="100";
};
Views
Replies
Total Likes
We have a community article that talks about using CQ 5.5 and Apache DS
https://helpx.adobe.com/experience-manager/using/configuring-cq-apache-directory-service.html
Looks like there is something wrong with this configuration.
Are you following documentation?
Views
Replies
Total Likes
Hi Mac/team,
Thanks for your input. After validate the entries in the configuration file still we are facing the authentication issue. if we need to do anything after the the ldap conf file change.
Like anyone of our usergroups i need to upload or need to sync somewhere in crx repository or anything else. could you please help this steps.
Thanks,
Rajesh.K
Views
Replies
Total Likes
Rajesh,
Not sure I understand your problem completely. The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5. (AEM 6 is configured differently). Of course make sure your HOST and USER are in proper LDAP format and match your environment.
Once configured a user can login with their AD user ID and password. It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.
java is started with this parameter:
-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf
ldap_login.conf:
com.day.crx {
com.day.crx.core.CRXLoginModule sufficient;
com.day.crx.security.ldap.LDAPLoginModule required
principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
host="HOST.example.com"
port="389"
secure="false"
authDn="cn=USER,ou=accounts,dc=example,dc=com"
authPw="PASSWORD"
searchTimeout="100"
userRoot="ou=accounts,dc=example,dc=com"
userFilter="(objectclass=person)"
userIdAttribute="samaccountname"
groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
groupFilter="(objectclass=group)"
groupMembershipAttribute="member"
groupNameAttribute="cn"
autocreate="create"
autocreate.path="splitdn"
autocreate.user.mail="profile/email"
autocreate.user.givenname="profile/givenName"
autocreate.user.sn="profile/familyName"
autocreate.group.description="profile/aboutMe"
autocreate.group.mail="profile/email"
autocreate.group.cn="profile/givenName"
cache.expiration="600"
cache.maxsize="100";
};
Views
Replies
Total Likes
Hi Team,
I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.
Thanks,
Rajesh.K
Views
Replies
Total Likes
Hi ClintLundmark,
I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.
Thanks,
Rajesh.K
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies