Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Getting exception while Integrating Active Directory With CQ5

Avatar

Level 2

Hi,

I've been struggling with getting Active Directory to integrate with CQ5. I'm currently getting the bellow error message. 

*DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:00.601 *WARN* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
        at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
        at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)

 org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
        at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at com.day.crx.mount.virtual.VirtualRepository$1.call(VirtualRepository.java:108)
        at com.day.crx.mount.Util.callWithContextClassLoader(Util.java:123)
        at com.day.crx.mount.virtual.VirtualRepository.login(VirtualRepository.java:105)
        at com.day.crx.sling.server.impl.SlingRepositoryWrapper.login(SlingRepositoryWrapper.java:127)
  org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)             org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:76)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:762)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148)
        at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272)
      (HttpServlet.java:820)
        at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250)
        at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321)
        at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340)
        at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383)
        at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:360)
        at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644)
        at java.lang.Thread.run(Thread.java:662)
Caused by: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
        at com.day.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4882)        
        at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378)
        ... 71 more
12.05.2015 02:44:00.603 *DEBUG* [10.25.153.101 [1431398640377] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 02:44:12.132 *DEBUG* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPEntryResolver search below OU=North America,DC=PEROOT,DC=com with filter (&(uid=PEROOT\vkamara)(objectclass=person))
12.05.2015 02:44:12.140 *WARN* [10.25.153.101 [1431398652127] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.principals.LDAPPrincipalProvider Error finding user PEROOT\vkamara com.day.crx.security.ldap.LDAPRepositoryException: LDAP error: com.day.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials
        at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:396)
        at com.day.crx.security.ldap.LDAPLoginModule.getPrincipal(LDAPLoginModule.java:505)
        at org.apache.jackrabbit.core.security.authentication.AbstractLoginModule.login(AbstractLoginModule.java:319)
        at com.day.crx.security.ldap.LDAPLoginModule.login(LDAPLoginModule.java:234)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.apache.jackrabbit.core.security.authentication.JAASAuthContext.login(JAASAuthContext.java:60)
        at org.apache.sling.jcr.resource.internal.helper.jcr.JcrResourceProviderFactory.getResourceProviderInternal(JcrResourceProviderFactory.java:144)     
        at org.apache.sling.resourceresolver.impl.tree.ResourceProviderFactoryHandler.login(ResourceProviderFactoryHandler.java:164)
        at org.apache.sling.resourceresolver.impl.tree.RootResourceProviderEntry.loginToRequiredFactories(RootResourceProviderEntry.java:95)
        at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolverInternal(ResourceResolverFactoryImpl.java:95)
        at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFac 
        at com.day.crx.security.ldap.principals.LDAPPrincipalProvider.findUser(LDAPPrincipalProvider.java:378)        ... 71 more
12.05.2015 09:27:32.892 *DEBUG* [10.25.153.113 [1431422852627] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule login: unkown User for ID ''PEROOT\vkamara'' -> set to ignore
12.05.2015 09:28:14.616 *DEBUG* [10.32.144.102 [1431422894613] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com

12.05.2015 09:31:14.711 *DEBUG* [10.32.144.102 [1431423074706] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com
12.05.2015 09:34:14.767 *DEBUG* [10.32.144.102 [1431423254764] GET /bin/querybuilder.json?fulltext=.properties&group.path=/apps/shared/giza-configuration/config.author.qa03&p.limit=-1 HTTP/1.1] com.day.crx.security.ldap.LDAPLoginModule ignoring uid=giza-config-user,ou=wcm-users,ou=People,dc=pearson,dc=savvis,dc=net, does not belong to OU=North America,DC=PEROOT,DC=com

My Configuration is below:

I have doubt about this three entries only:

1.userRoot, 2.groupRoot, 3.authDn

principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="i have placed valid host entry here "
              port="389"
              secure="false"
              userRoot="OU=North America,DC=PEROOT,DC=com"
              groupRoot="ou=cq-groups,DC=PEROOT,DC=com"
              authDn="uid="valid service account id here",OU=North America,DC=PEROOT,DC=com"
              authPw="Valid password here#"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.mail="profile/email"
              autocreate.user.givenname="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.group.description="profile/aboutMe"
              autocreate.group.mail="profile/email"
              autocreate.group.cn="profile/givenName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="100";

 - in groupRoot I have taken this entries in existing configuration (ou=cq-groups) if this one causes the issue. Kindly advice how to sortout this issue.

Thanks,

Rajesh .K 

1 Accepted Solution

Avatar

Correct answer by
Level 3

Rajesh,

Not sure I understand your problem completely.  The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5.  (AEM 6 is configured differently).  Of course make sure your HOST and USER are in proper LDAP format and match your environment.

Once configured a user can login with their AD user ID and password.  It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.

 

java is started with this parameter:

-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf

ldap_login.conf:

com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        host="HOST.example.com"
        port="389"
        secure="false"
        authDn="cn=USER,ou=accounts,dc=example,dc=com"
        authPw="PASSWORD"
        searchTimeout="100"
        userRoot="ou=accounts,dc=example,dc=com"
        userFilter="(objectclass=person)"
        userIdAttribute="samaccountname"
        groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
        groupFilter="(objectclass=group)"
        groupMembershipAttribute="member"
        groupNameAttribute="cn"
        autocreate="create"
        autocreate.path="splitdn"
        autocreate.user.mail="profile/email"
        autocreate.user.givenname="profile/givenName"
        autocreate.user.sn="profile/familyName"
        autocreate.group.description="profile/aboutMe"
        autocreate.group.mail="profile/email"
        autocreate.group.cn="profile/givenName"
        cache.expiration="600"
        cache.maxsize="100";
};

View solution in original post

5 Replies

Avatar

Level 10

We have a community article that talks about using CQ 5.5 and Apache DS

https://helpx.adobe.com/experience-manager/using/configuring-cq-apache-directory-service.html

Looks like there is something wrong with this configuration.

Are you following documentation? 

Avatar

Level 2

Hi Mac/team,

Thanks for your input. After validate the entries in the configuration file still we are facing the authentication issue. if we need to do anything after the the ldap conf file change.

Like anyone of our usergroups i need to upload or need to sync somewhere in crx repository or anything else. could you please help this steps.

Thanks,

Rajesh.K

Avatar

Correct answer by
Level 3

Rajesh,

Not sure I understand your problem completely.  The only major difference I see is that for authDN you start with uid= instead of cn=. Here is our configuration using LDAP and AD that works well with CQ5.  (AEM 6 is configured differently).  Of course make sure your HOST and USER are in proper LDAP format and match your environment.

Once configured a user can login with their AD user ID and password.  It will create a user node in the repository as well as create all the groups they are a member of in the groupRoot ou.

 

java is started with this parameter:

-Djava.security.auth.login.config=E:\author\crx-quickstart\conf\ldap_login.conf

ldap_login.conf:

com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        host="HOST.example.com"
        port="389"
        secure="false"
        authDn="cn=USER,ou=accounts,dc=example,dc=com"
        authPw="PASSWORD"
        searchTimeout="100"
        userRoot="ou=accounts,dc=example,dc=com"
        userFilter="(objectclass=person)"
        userIdAttribute="samaccountname"
        groupRoot="ou=CQ,ou=groups,dc=example,dc=com"
        groupFilter="(objectclass=group)"
        groupMembershipAttribute="member"
        groupNameAttribute="cn"
        autocreate="create"
        autocreate.path="splitdn"
        autocreate.user.mail="profile/email"
        autocreate.user.givenname="profile/givenName"
        autocreate.user.sn="profile/familyName"
        autocreate.group.description="profile/aboutMe"
        autocreate.group.mail="profile/email"
        autocreate.group.cn="profile/givenName"
        cache.expiration="600"
        cache.maxsize="100";
};

Avatar

Level 2

Hi Team,

I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.

Thanks,

Rajesh.K

Avatar

Level 2

Hi ClintLundmark,

I was trying with this configuration in Adobe CQ (5.6.0.20130125) version. Is it write approach or anything else I need to follow.

Thanks,

Rajesh.K