from what i can read in microsoft notes, we should always use global directory if there are global users/groups, as it transparently follows the referrals and returns response as if they were in the global directory. however, i still do not understand why it was working on 4.0.4. even if many things have changed in the group members resolutions, the request on ldap server just differs in the search base and the scope. can you give me the complete dn of some of your users and groups (local and global) ? also, do you know if your users are in the global or local domain ?
thomas
On 27 Jan. 05, at 10:08, Pascal wrote:
So what happens when you change the ldap-port from 389 to 3268 is that you
query the Active Directory so-called Global Catalog (as suggested here:
http://forum.java.sun.com/thread.jspa?threadID=365198).
And then all of a sudden you can query users, groups and group-members from
Jahia 4.0.5 without any problem! (Save for this exception which is - sometimes - thrown
when querying groups (and their members) but I can't see the reason why. (see the end
of this mail for the exception trace))
However, I believe this is not entirely good news since although it fixes the issues here in
our development-environment, switching the ldap-port from 389 to 3268 might not be
acceptable for some production environments, especially when you consider the
firewall setups/policies in some companies.
Additional comments and suggestions are appreciated!
pascal
"[1/27/05 9:10:29:296 CET] 2c9def81 SystemOut O 2005-01-27 09:10:29,296 WARN usermanager.JahiaUserManagerLDAPProvider getUsers - Reconnection required
javax.naming.CommunicationException: connection closed. Root exception is
java.io.IOException: connection closed
at com.sun.jndi.ldap.LdapClient.ensureOpen(LdapClient.java:1665)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:611)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1964)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1751)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:347)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:332)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:252)
at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.getUsers(JahiaUserManagerLDAPProvider.java:1492)
at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:898)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1328)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java(Compiled Code))
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)"
----- Original Message ----- From: "Pascal" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 26, 2005 6:46 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405 upgrade
To summarize the latest status of the problem:
- listing users now works
- listing groups works but users are not shown for Active Directory groups of type "Security Group - Global".
The members for Active Directory groups of type "Security Group - Domain local" *are* shown.
In Jahia 4.0.4 the members for both group types were shown, and all our customers depend on this "feature"
(whether this is correct or not, I'm no AD-expert)
FYI: In our dev-environment the AD-server is not configured for referral
Using the 4_0_4 LDAPProvider-classes is a no-go, I'm afraid, because of too many compiler errors in Eclipse
when importing the corresponding source files in my Jahia 4.0.5 web-project
I'm going to have a look at what's being suggested over here: http://forum.java.sun.com/thread.jspa?threadID=365198
I'll keep you guys posted.
cheers pascal
----- Original Message ----- From: "Thomas Draier" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, January 25, 2005 4:38 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405 upgrade
do you mean that you still have the same error, but only when accessing
group members ? you were getting the exact same exception when listing
all users without the patch ? that is quite strange, as the same
context is used for all methods in the JahiaUserManagerLDAPProvider ..?
i don't really know how active directory organizes its data - do you
have any idea of the referrals configuration on your ad server ? it
looks like jndi cannot follow a reference on another server because of
an authentication issue. maybe you can try to change your credentials
as explained in
http://www-10.lotus.com/ldd/lsforum.nsf/0/cd28ce081e3ebc5685256e5c005ce15c?OpenDocument . also i don't know why
it was working on jahia 4.0.4 - many changes have been made on the
group members resolution, but not really on the global user/group
search . if this is the only solution i believe you can use the 4.0.4
classes for both providers.
thomas
On 25 Jan. 05, at 10:43, Pascal wrote:
Thx Thomas!
After patching the JahiaUserManagerLDAPProvider (tagged with JAHIA_4_0_5 in the CVS) and adding "users.ldap.refferal = follow" to the users.ldap.properties I was able to lookup users in Active Directory from the Jahia Administration panels.
There's still one minor issue when looking up groups that didn't occur to me until now: the Active Directory groups appear, but the lookup of users for each group (so that the user list can be displayed between brackets after each group name) fails with a similar error (see stack trace below). Adding the "groups.ldap.refferal = follow" to the groups.ldap.properties and restarting Jahia does not help.
For what it's worth: did I mention user- and group-lookup for Active Directory were OK in version 4.0.4?
thx again for your time pascal
2005-01-25 10:05:33,004 WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.PartialResultException. Root exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:90)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:148)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:350)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:223)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:186)
at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:900)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1327)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java:1008)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.routeCall(JahiaGroupManagerRoutingService.java(Compiled Code))
at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.searchGroups(JahiaGroupManagerRoutingService.java:762)
at org.jahia.data.viewhelper.principal.PrincipalViewHelper.getGroupSearchResult(PrincipalViewHelper.java:385)
at org.jahia.admin.users.ManageGroups.displayGroupList(ManageGroups.java:255)
at org.jahia.admin.users.ManageGroups.userRequestDispatcher(ManageGroups.java:144)
at org.jahia.admin.users.ManageGroups.<init>(ManageGroups.java:121)
at org.jahia.bin.JahiaAdministration.userRequestDispatcher(JahiaAdministration.java:388)
at org.jahia.bin.JahiaAdministration.service(JahiaAdministration.java:245)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
and also
2005-01-25 10:05:33,064 WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:293)
at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:98)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:251)
at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.getUsers(JahiaUserManagerLDAPProvider.java:1492)
at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:898)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1327)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java:1008)
at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.routeCall(JahiaGroupManagerRoutingService.java(Compiled Code))
at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.searchGroups(JahiaGroupManagerRoutingService.java:762)
at org.jahia.data.viewhelper.principal.PrincipalViewHelper.getGroupSearchResult(PrincipalViewHelper.java:385)
at org.jahia.admin.users.ManageGroups.displayGroupList(ManageGroups.java:255)
at org.jahia.admin.users.ManageGroups.userRequestDispatcher(ManageGroups.java:144)
at org.jahia.admin.users.ManageGroups.<init>(ManageGroups.java:121)
at org.jahia.bin.JahiaAdministration.userRequestDispatcher(JahiaAdministration.java:388)
at org.jahia.bin.JahiaAdministration.service(JahiaAdministration.java:245)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
----- Original Message ----- From: "Thomas Draier" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, January 24, 2005 7:06 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405 upgrade
hi pascal,
i've made the change on the JAHIA-4-0-BRANCH and created a patch for
this version, but you can also apply it on the JAHIA_4_0_5. strangely
the patch is already applied on JahiaGroupManagerLDAPProvider - you
only need to change JahiaUserManagerLDAPProvider. then try to set the
parameter users.ldap.refferal to "follow" instead of the default
"ignore" in your property file.
thomas
On 24 Jan. 05, at 18:43, Pascal wrote:
I'll try that, but could you point me to the correct version of the source files I should start with when applying the suggested fix?
I'm guessing these are the right versions, but I'm not sure
http://cvspub.jahia.org/cgi-bin/cvsweb.cgi/jahia/src/java/org/jahia/services/usermanager/Attic/JahiaGroupManagerLDAPProvider.java?only_with_tag=JAHIA_4_0_5
http://cvspub.jahia.org/cgi-bin/cvsweb.cgi/jahia/src/java/org/jahia/services/usermanager/Attic/JahiaUserManagerLDAPProvider.java?only_with_tag=JAHIA_4_0_5
tia pascal
----- Original Message ----- From: "Thomas Draier" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, January 24, 2005 3:29 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405 upgrade
hi,
this may be related to a referral server problem, as described in
http://www.mail-archive.com/[email protected]/msg00235.html . a patch
was provided at that time, but i think it's not in 4.0.5, only in the
cvs head - you can try to add the parameter described by anton in the
connectToPublicDir method . but the complete stack trace would be
useful for a better understanding of the problem.
thomas
On 24 Jan. 05, at 14:40, Pascal wrote:
Both in the administration and in the user rights panels for
containers, looking up users in Active Directory yields the following
errors.
Lookup of Active Directory groups works and login to the site with an
Active Directory user is no problem. The new settings in
group-router-config.xml and router-config.xml appear to be configured
correctly, including the
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory> setting to which
the problem seems related.
usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.PartialResultException. Root exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
<snip>
WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
Any help is appreciated pascal
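
A diagnostic for the behaviour discussed in this thread, added here as an example and not taken from Jahia's code: it reads one entry by DN over plain JNDI against port 389 with referrals ignored, port 389 with referrals followed, and the Global Catalog port 3268, and prints the result or the exception chain for each. The class name, the AD_BIND_PW environment variable and the command-line arguments are assumptions, and the object-scope search only approximates what lookupUserFromDN does.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdLookupCompare {
    // Read one entry by DN; return the DN found or the exception and its root cause.
    static String lookup(String url, String referral, String bindDn, String bindPw, String dn) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        env.put(Context.REFERRAL, referral); // "ignore", "follow" or "throw"
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            NamingEnumeration<SearchResult> res = ctx.search(dn, "(objectClass=*)", sc);
            // In the thread's trace the referral failure is raised from hasMore(), so keep it in the try.
            return res.hasMore() ? "found " + res.next().getNameInNamespace() : "no entry";
        } catch (NamingException e) {
            Throwable root = e.getRootCause() != null ? e.getRootCause() : e;
            return e.getClass().getSimpleName() + " / root: " + root;
        } finally {
            try { if (ctx != null) ctx.close(); } catch (NamingException ignored) { }
        }
    }
    public static void main(String[] args) {
        String pw = System.getenv("AD_BIND_PW"); // assumed variable name; keeps the password off the command line
        if (args.length != 3 || pw == null) {
            System.err.println("usage: AD_BIND_PW=... java AdLookupCompare <dc-host> <bind-dn> <dn-to-look-up>");
            return;
        }
        // Plain-text ports as in the thread; the TLS equivalents are 636 (domain) and 3269 (Global Catalog).
        String[][] cases = { {"389", "ignore"}, {"389", "follow"}, {"3268", "ignore"} };
        for (String[] c : cases) {
            String url = "ldap://" + args[0] + ":" + c[0];
            System.out.println(url + " referral=" + c[1] + " -> " + lookup(url, c[1], args[1], pw, args[2]));
        }
    }
}
```

Running it once with the DN of a member of a "Security Group - Global" and once with a member of a "Security Group - Domain local" shows which of the three configurations resolves each kind of entry.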
