just an idea - try to remove the groups.ldap.members.attribute.map from
your properties file.
On 27 Jan 05, at 16:06, Pascal wrote:
Example user DN: CN=JahiaAdministrator,CN=Users,DC=thedomain,DC=com
Example group DN: CN=AllJahiaEditors,CN=Users,DC=thedomain,DC=com
Other related info:
groups.ldap.search.name = cn=Users,DC=thedomain,DC=com
groups.ldap.dn.identifier.attribute = cn
groups.ldap.search.objectclass = group
groups.ldap.search.objectclass = group
groups.ldap.members.attribute = member
groups.ldap.groupname.attribute.map = CN
groups.ldap.members.attribute.map = member
users.ldap.uid.search.attribute = CN
users.ldap.uid.search.name = cn=Users,DC=thedomain,DC=com
users.ldap.dn.identifier.attribute = CN
users.ldap.search.objectclass = person
In our dev-environment users are in the local domain and the relevant
groups are of
the type "Distribution Group - Global"
regards
pascal
----- Original Message ----- From: "Thomas Draier"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, January 27, 2005 3:13 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405
upgrade
good news, at least we have a workaround !
from what i can read in microsoft notes, we should always use global
directory if there are global users/groups, as it transparently follows
the referrals and returns response as if they were in the global
directory. however, i still do not understand why it was working on
4.0.4. even if many things have changed in the group members
resolutions, the request on ldap server just differs in the search base
and the scope. can you give me the complete dn of some of your users
and groups (local and global) ? also, do you know if your users are
in the global or local domain ?
thomas
On 27 Jan 05, at 10:08, Pascal wrote:
So what happens when you change the ldap-port from 389 to 3268 is that
you query the Active Directory so-called Global Catalog (as suggested
here: http://forum.java.sun.com/thread.jspa?threadID=365198).
And then all of a sudden you can query users, groups and group-members
from Jahia 4.0.5 without any problem! (Save for this exception which is
- sometimes - thrown when querying groups (and their members) but I
can't see the reason why. (see the end of this mail for the exception
trace))
However, I believe this is not entirely good news since although it
fixes the issues here in our development-environment, switching the
ldap-port from 389 to 3268 might not be acceptable for some production
environments, especially when you consider the firewall setups/policies
in some companies.
Additional comments and suggestions are appreciated!
pascal
"[1/27/05 9:10:29:296 CET] 2c9def81 SystemOut O 2005-01-27 09:10:29,296 WARN usermanager.JahiaUserManagerLDAPProvider getUsers - Reconnection required
javax.naming.CommunicationException: connection closed. Root exception is java.io.IOException: connection closed
    at com.sun.jndi.ldap.LdapClient.ensureOpen(LdapClient.java:1665)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:611)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1964)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1751)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:347)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:332)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:252)
    at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.getUsers(JahiaUserManagerLDAPProvider.java:1492)
    at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:898)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1328)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java(Compiled Code))
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)"
----- Original Message ----- From: "Pascal" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 26, 2005 6:46 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405
upgrade
To summarize the latest status of the problem:
- listing users now works
- listing groups works but users are not shown for Active Directory
groups of type "Security Group - Global".
The members for Active Directory groups of type "Security Group -
Domain local" *are* shown.
In Jahia 4.0.4 the members for both group types were shown, and all
our customers depend on this "feature"
(whether this is correct or not, I'm no AD-expert)
FYI: In our dev-environment the AD-server is not configured for
referral
Using the 4_0_4 LDAPProvider-classes is a no-go, I'm afraid, because
of too many compiler errors in Eclipse
when importing the corresponding source files in my Jahia 4.0.5
web-project
I'm going to have a look at what's being suggested over here:
http://forum.java.sun.com/thread.jspa?threadID=365198
I'll keep you guys posted.
cheers
pascal
----- Original Message ----- From: "Thomas Draier"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, January 25, 2005 4:38 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405
upgrade
do you mean that you still have the same error, but only when
accessing
group members ? you were getting the exact same exception when
listing
all users without the patch ? that is quite strange, as the same
context is used for all methods in the JahiaUserManagerLDAPProvider
..?
i don't really know how active directory organize its data - do you
have any idea of the referrals configuration on your ad server ? it
looks like jndi cannot follow a reference on another server because
of
an authentication issue. maybe you can try to change your credentials
as explained in
http://www-10.lotus.com/ldd/lsforum.nsf/0/cd28ce081e3ebc5685256e5c005ce15c?OpenDocument .
also i don't know why
it was working on jahia 4.0.4 - many changes have been made on the
group members resolution, but not really on the global user/group
search . if this is the only solution i believe you can use the 4.0.4
classes for both providers.
thomas
On 25 Jan 05, at 10:43, Pascal wrote:
Thx Thomas!
After patching the JahiaUserManagerLDAPProvider (tagged with
JAHIA_4_0_5 in the CVS) and adding "users.ldap.refferal = follow"
to the users.ldap.properties I was able to lookup users in Active
Directory from the Jahia Administration panels.
There's still one minor issue when looking up groups that didn't
occur to me until now: the Active Directory groups appear, but the
lookup of users for each group (so that the user list can be
displayed between brackets after each group name) fails with a
similar error (see stack trace below). Adding the
"groups.ldap.refferal = follow" to the groups.ldap.properties and
restarting Jahia does not help.
For what it's worth: did I mention user- and group-lookup for
Active Directory were OK in version 4.0.4?
thx again for your time
pascal
2005-01-25 10:05:33,004 WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.PartialResultException. Root exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
    at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:90)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:148)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:350)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:223)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:186)
    at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:900)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1327)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java:1008)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.routeCall(JahiaGroupManagerRoutingService.java(Compiled Code))
    at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.searchGroups(JahiaGroupManagerRoutingService.java:762)
    at org.jahia.data.viewhelper.principal.PrincipalViewHelper.getGroupSearchResult(PrincipalViewHelper.java:385)
    at org.jahia.admin.users.ManageGroups.displayGroupList(ManageGroups.java:255)
    at org.jahia.admin.users.ManageGroups.userRequestDispatcher(ManageGroups.java:144)
    at org.jahia.admin.users.ManageGroups.<init>(ManageGroups.java:121)
    at org.jahia.bin.JahiaAdministration.userRequestDispatcher(JahiaAdministration.java:388)
    at org.jahia.bin.JahiaAdministration.service(JahiaAdministration.java:245)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
and also
2005-01-25 10:05:33,064 WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
    at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:293)
    at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:98)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:251)
    at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.getUsers(JahiaUserManagerLDAPProvider.java:1492)
    at org.jahia.services.usermanager.JahiaUserManagerLDAPProvider.lookupUserFromDN(JahiaUserManagerLDAPProvider.java:898)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.getGroupMembers(JahiaGroupManagerLDAPProvider.java:1327)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.ldapToJahiaGroup(JahiaGroupManagerLDAPProvider.java:1008)
    at org.jahia.services.usermanager.JahiaGroupManagerLDAPProvider.searchGroups(JahiaGroupManagerLDAPProvider.java:636)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.routeCall(JahiaGroupManagerRoutingService.java(Compiled Code))
    at org.jahia.services.usermanager.JahiaGroupManagerRoutingService.searchGroups(JahiaGroupManagerRoutingService.java:762)
    at org.jahia.data.viewhelper.principal.PrincipalViewHelper.getGroupSearchResult(PrincipalViewHelper.java:385)
    at org.jahia.admin.users.ManageGroups.displayGroupList(ManageGroups.java:255)
    at org.jahia.admin.users.ManageGroups.userRequestDispatcher(ManageGroups.java:144)
    at org.jahia.admin.users.ManageGroups.<init>(ManageGroups.java:121)
    at org.jahia.bin.JahiaAdministration.userRequestDispatcher(JahiaAdministration.java:388)
    at org.jahia.bin.JahiaAdministration.service(JahiaAdministration.java:245)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
----- Original Message ----- From: "Thomas Draier"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, January 24, 2005 7:06 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405
upgrade
hi pascal,
i've made the change on the JAHIA-4-0-BRANCH and created a patch
for
this version, but you can also apply it on the JAHIA_4_0_5.
strangely
the patch is already applied on JahiaGroupManagerLDAPProvider - you
only need to change JahiaUserManagerLDAPProvider. then try to set
the
parameter users.ldap.refferal to "follow" instead of the default
"ignore" in your property file.
thomas
On 24 Jan 05, at 18:43, Pascal wrote:
I'll try that, but could you point me to the correct version of the
sourcefiles I should start with when applying the suggested fix?
I'm guessing these are the right versions, but I'm not sure
http://cvspub.jahia.org/cgi-bin/cvsweb.cgi/jahia/src/java/org/jahia/services/usermanager/Attic/JahiaGroupManagerLDAPProvider.java?only_with_tag=JAHIA_4_0_5
http://cvspub.jahia.org/cgi-bin/cvsweb.cgi/jahia/src/java/org/jahia/services/usermanager/Attic/JahiaUserManagerLDAPProvider.java?only_with_tag=JAHIA_4_0_5
tia
pascal
----- Original Message ----- From: "Thomas Draier"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, January 24, 2005 3:29 PM
Subject: Re: lookupUserFromDN to Active Directory fails after 405
upgrade
hi,
this may be related to a referral server problem, as described in
http://www.mail-archive.com/[email protected]/msg00235.html . a
patch
was provided at that time, but i think it's not in 4.0.5, only in
the
cvs head - you can try to add the parameter described by anton in
the
connectToPublicDir method . but the complete stack trace would be
useful for a better understanding of the problem.
thomas
On 24 Jan 05, at 14:40, Pascal wrote:
Both in the administration and in the user rights panels for
containers, looking up users in Active Directory yields the
following
errors.
Lookup of Active Directory groups works and login to the site
with an
Active Directory user is no problem. The new settings in
group-router-config.xml and router-config.xml appear to be
configured
correctly, including the
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory> setting to
which
the problem seems related.
usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.PartialResultException. Root exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
<snip>
WARN usermanager.JahiaUserManagerLDAPProvider lookupUserFromDN - JNDI warning
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
Any help is appreciated
pascal
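
The two JNDI warnings quoted throughout this thread can be told apart mechanically when triaging application logs. The following is an added example, not part of the original messages and not Jahia code: the helper `triage` is hypothetical, the sample strings are constructed by trimming the warnings quoted above, and the sub-code table lists the commonly documented Active Directory values for the `data` field of LDAP error 49.

```python
import re

# Active Directory sub-codes reported in the "data" field of LDAP error 49.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
LDAP_ERR = re.compile(
    r"\[LDAP: error code (\d+)\s+-\s+.*?data\s+([0-9a-fA-F]+),", re.S)

def triage(trace):
    """Classify one JNDI warning block (hypothetical helper, not Jahia code)."""
    out = {"ldap_code": None, "ad_subcode": None, "meaning": None}
    m = LDAP_ERR.search(trace)
    if m:
        out["ldap_code"] = int(m.group(1))
        out["ad_subcode"] = m.group(2).lower()
        out["meaning"] = AD_BIND_SUBCODES.get(out["ad_subcode"], "unknown")
    # A bind rejected inside LdapReferralContext was attempted against the
    # server named in the referral, not the one in the configured URL.
    out["during_referral"] = "LdapReferralContext" in trace
    # JNDI was asked for a context without java.naming.factory.initial set.
    out["missing_factory"] = ("NoInitialContextException" in trace
                              and "java.naming.factory.initial" in trace)
    return out

# Constructed samples: text trimmed from the warnings quoted in the thread.
SAMPLE_AUTH = """javax.naming.PartialResultException. Root exception is
javax.naming.AuthenticationException: [LDAP: error code 49 -
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
error, data 52e, v893
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:90)"""
SAMPLE_NOCTX = """javax.naming.NoInitialContextException: Need to specify class
name in environment or system property, or as an applet parameter, or in
an application resource file: java.naming.factory.initial"""

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_NOCTX):
        print(triage(sample))
```

For the first sample the result pairs sub-code 52e with `during_referral`, which means the bind that was rejected was the one JNDI made while following the referral.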