LDAP realm bug


LDAP realm bug

Thomas Ford
I am trying to migrate our eXist-db v1.4.3 system to the latest 2.1.6 LTS version.   We very much need the LDAP feature to work but it does not appear to be working yet.  I've followed the instructions here:

 http://exist-db.org/exist/apps/doc/security.xml?q=security%20changes&field=all&id=D2.2.4#ldap-realm

.. modifying the url, domain, and base to match our Active Directory url, domain, and OU structure. I restarted, and the first error I got was: "An LDAP URL must be specified of the form ldap://<hostname>:<port>". I saw that there was a post related to this here: http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348

However, it did not offer any working solution and did not appear to have been resolved.   I even found the Java class where this exception is thrown:
extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java
----
if (url == null) {
    throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}
----
However, I have defined the connection url exactly as described in the documentation.  So, I am inclined to think this is a bug.  Perhaps the value of the url element is not getting assigned to the property in the java class?  Has anyone else got this working?

/db/system/security/config.xml
<security-manager>
...
<realm id="LDAP">
<authentication>
<url>ldap://myldap.domain.org:389</url>
...

Please advise,
Thanks,
Tom


Thomas W. Ford
Assistant Director of Web Application Development
National Foreign Language Center
Univ. of Maryland, College Park, MD



The information contained in this e-mail message, including attachments, is confidential and/or privileged information and is intended only for the use of the person(s) or entity to which it is addressed. Unauthorized dissemination, distribution, or copying of this information is strictly prohibited. If you received this e-mail in error, please notify the sender and delete this message and any attachments.

_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

Re: LDAP realm bug

Adam Retter

Your url element is inside your authentication element, which it should not be; please check your xml against the example in the documentation again.

On 2 Jul 2014 15:18, "Ford, Thomas" <[hidden email]> wrote:

Re: LDAP realm bug

Thomas Ford
Sorry that was incomplete.  Here is a more complete representation of the markup in: /db/system/security/config.xml
-----
<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
    <realm id="LDAP">
        <context>
            <authentication>simple</authentication>
            <url>ldap://myldap.mydomain.org:389</url>
            <domain>mydomain.org</domain>
            <search>
                <base>ou=MYORG People,dc=mydomain,dc=org</base>
                <default-username>[hidden email]</default-username>
                <default-password>mypass</default-password>
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <whitelist>
                        <principal>Domain Users</principal>
                    </whitelist>
                </group>
            </search>
        </context>
    </realm>

</security-manager>

-----

Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________
From: Adam Retter [[hidden email]]
Sent: Wednesday, July 02, 2014 10:22 AM
To: Ford, Thomas
Cc: [hidden email]
Subject: Re: [Exist-open] LDAP realm bug

Re: LDAP realm bug

Misztur, Chris
I will post my working config tomorrow.

Authentication does work; however, there were some issues with black/white lists.

I will also be on #exist-db tomorrow if you want to chat (waldo_x).

> On Jul 3, 2014, at 5:57 AM, "Ford, Thomas" <[hidden email]> wrote:

________________________________

The contents of this message may be privileged and confidential. Therefore, if this message has been received in error, please delete it without reading it. Your receipt of this message is not intended to waive any applicable privilege. Please do not disseminate this message without the permission of the author.

Please consider the environment before printing this e-mail



Re: LDAP realm bug

Misztur, Chris
In my domain, users log in as: domain\username
However, through eXist they log in as: [hidden email]

Here is my config:

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="26" last-group-id="11" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
    <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
        <context>
            <authentication>simple</authentication>
            <use-ssl>false</use-ssl>
            <!--<principal-pattern></principal-pattern>-->
            <url>ldap://domain-controller.my-domain.com:389</url>
            <domain>my-domain.com</domain>
            <search>
                <base>DC=my-domain,DC=com</base>
                <!--<default-username></default-username>-->
                <!--<default-password></default-password>-->
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <search-attribute key="memberOf">memberOf</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                    <!--<whitelist></whitelist>-->
                    <!--<blacklist></blacklist>-->
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <!--<whitelist></whitelist>-->
                    <!--<blacklist></blacklist>-->
                </group>
            </search>
            <!--<transformation></transformation>-->
        </context>
    </realm>
    <!--<events></events>-->
</security-manager>



-----Original Message-----
From: Ford, Thomas [mailto:[hidden email]]
Sent: Thursday, July 03, 2014 5:57 AM
To: Adam Retter
Cc: [hidden email]
Subject: Re: [Exist-open] LDAP realm bug

Sorry that was incomplete.  Here is a more complete representation of the markup in: /db/system/security/config.xml
-----
<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
    <realm id="LDAP">
        <context>
            <authentication>simple</authentication>
            <url>ldap://myldap.mydomain.org:389</url>
            <domain>mydomain.org</domain>
            <search>
                <base>ou=MYORG People,dc=mydomain,dc=org</base>
                <default-username>[hidden email]</default-username>
                <default-password>mypass</default-password>
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken
</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <whitelist>
                        <principal>Domain Users</principal>
                    </whitelist>
                </group>
            </search>
        </context>
    </realm>

</security-manager>

-----

Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________
From: Adam Retter [[hidden email]]
Sent: Wednesday, July 02, 2014 10:22 AM
To: Ford, Thomas
Cc: [hidden email]
Subject: Re: [Exist-open] LDAP realm bug


Your url element is inside your authentication element. Which it should not be, please check your xml against the example in the documentation again.

On 2 Jul 2014 15:18, "Ford, Thomas" <[hidden email]<mailto:[hidden email]>> wrote:
I am trying to migrate our eXist-db v1.4.3 system to the latest 2.1.6 LTS version.   We very much need the LDAP feature to work but it does not appear to be working yet.  I've followed the instructions here:

 http://exist-db.org/exist/apps/doc/security.xml?q=security%20changes&field=all&id=D2.2.4#ldap-realm

.. modifying the url, domain, and base to match our Active Directory url, domain, and OU structure.   I restarted, and the first error I got was: "An LDAP URL must be specified of the form ldap://:"  .   I saw that there was a post related to this here:  http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348

However, it did not offer any working solution and did not appear to have been resolved.   I even found the Java class where this exception is thrown:
extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java
----
if (url == null) {
throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}
----
However, I have defined the connection url exactly as described in the documentation.  So, I am inclined to think this is a bug.  Perhaps the value of the url element is not getting assigned to the property in the java class?  Has anyone else got this working?

/db/system/security/config.xml
<security-manager>
...
<realm id="LDAP">
<authentication>
<url>ldap://myldap.domain.org:389<http://myldap.domain.org:389></url>
...

Please advise,
Thanks,
Tom


Thomas W. Ford
Assistant Director of Web Application Development
National Foreign Language Center
Univ. of Maryland, College Park, MD



The information contained in this e-mail message, including attachments, is confidential and/or privileged information and is intended only for the use of the person(s) or entity to which it is addressed. Unauthorized dissemination, distribution, or copying of this information is strictly prohibited. If you received this e-mail in error, please notify the sender and delete this message and any attachments.

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Exist-open mailing list
[hidden email]<mailto:[hidden email]>
https://lists.sourceforge.net/lists/listinfo/exist-open


The information contained in this e-mail message, including attachments, is confidential and/or privileged information and is intended only for the use of the person(s) or entity to which it is addressed. Unauthorized dissemination, distribution, or copying of this information is strictly prohibited. If you received this e-mail in error, please notify the sender and delete this message and any attachments.

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

________________________________

The contents of this message may be privileged and confidential. Therefore, if this message has been received in error, please delete it without reading it. Your receipt of this message is not intended to waive any applicable privilege. Please do not disseminate this message without the permission of the author.

Please consider the environment before printing this e-mail


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
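The two things the thread has pinned down so far, Adam's point that url must be a direct child of context rather than authentication, and the shape of Chris's working config, as a pre-flight check one can run over config.xml before restarting eXist, together with the transport and stored-credential caveats a reviewer would raise against that config. This is an added example, not eXist-db code: the element names come from the configs in this thread, while the checker, its finding codes and the sample documents are constructed for the example.

```python
"""Pre-flight checks for an eXist-db 2.x LDAP realm in /db/system/security/config.xml.
Added example, not eXist-db code: element names follow the configs in this thread;
the finding codes and the sample documents are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# The shape LdapContextFactory asks for: ldap://<hostname>:<port> (ldaps:// accepted too).
LDAP_URL_RE = re.compile(r"^ldaps?://[A-Za-z0-9.-]+:\d{1,5}$")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def check_ldap_realm(xml_text):
    """Return (code, message) findings; an empty list means the structure looks
    right, not that the directory will accept the bind."""
    findings = []
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}

    realm = next((e for e in root.iter()
                  if _local(e.tag) == "realm" and e.get("id") == "LDAP"), None)
    if realm is None:
        return [("no-realm", 'no <realm id="LDAP"> element found')]

    # <url>, <domain> and <search> live inside <context>; a <url> nested in
    # <authentication> (as in the opening post) is the first thing to rule out
    # when eXist reports "An LDAP URL must be specified".
    context = _child(realm, "context")
    if context is None:
        findings.append(("no-context", "<realm> has no <context> child"))

    urls = [e for e in realm.iter() if _local(e.tag) == "url"]
    if not urls:
        findings.append(("no-url", "<url> is missing"))
    for url in urls:
        parent = _local(parents[url].tag)
        if parent != "context":
            findings.append(("url-misplaced",
                             f"<url> is a child of <{parent}>; it must be a direct child of <context>"))
        value = (url.text or "").strip()
        if not LDAP_URL_RE.match(value):
            findings.append(("url-format",
                             f"<url> {value!r} is not of the form ldap://<hostname>:<port>"))
        # A simple bind over plain ldap:// sends each user's password unencrypted.
        use_ssl = _child(context, "use-ssl") if context is not None else None
        ssl_on = use_ssl is not None and (use_ssl.text or "").strip().lower() == "true"
        if value.startswith("ldap://") and not ssl_on:
            findings.append(("cleartext-bind",
                             "ldap:// with <use-ssl> not true: simple-bind passwords cross the network in clear text"))

    # A filled-in <default-password> is a service credential stored inside the database.
    for pw in (e for e in realm.iter() if _local(e.tag) == "default-password"):
        if (pw.text or "").strip():
            findings.append(("service-credential",
                             "plaintext <default-password>: use a least-privilege lookup account "
                             "and restrict who can read /db/system/security"))
    return findings


def finding_codes(xml_text):
    return [code for code, _ in check_ldap_realm(xml_text)]


# Constructed samples: the misplaced <url> from the opening post, a config shaped
# like the working one above, and the same config moved to ldaps://.
MISPLACED_URL = """<security-manager><realm id="LDAP">
  <authentication><url>ldap://myldap.domain.org:389</url></authentication>
</realm></security-manager>"""

WORKING_PLAIN = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.0">
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>false</use-ssl>
      <url>ldap://domain-controller.my-domain.com:389</url>
      <domain>my-domain.com</domain>
      <search><base>DC=my-domain,DC=com</base></search>
    </context>
  </realm>
</security-manager>"""

HARDENED = (WORKING_PLAIN.replace("<use-ssl>false</use-ssl>", "<use-ssl>true</use-ssl>")
            .replace("ldap://domain-controller.my-domain.com:389", "ldaps://domain-controller.my-domain.com:636"))

if __name__ == "__main__":
    for name, doc in (("misplaced", MISPLACED_URL), ("working", WORKING_PLAIN), ("hardened", HARDENED)):
        print(f"{name}: {finding_codes(doc)}")
```

Run it against the live config.xml exported from /db/system/security; a clean result only says the realm is well-formed, so a bind that still fails points at the directory side (base DN, lookup account, reachability) rather than the element layout.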
Reply | Threaded
Open this post in threaded view
|

Re: LDAP realm bug

Thomas Ford
Thanks for your response. I adjusted my config slightly as follows, and restarted eXist, but got the same error message: "An LDAP URL must be specified of the form ldap://<hostname>:<port>". I have tested the ldap url independently of eXist and the url does work. I tried a few variations of this but nothing seems to work... it's always the same message. If it is indeed a config error and not a bug, it would be useful to have a more meaningful error message.


<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
    <!--<events></events>-->
    <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
        <context>
            <authentication>simple</authentication>
            <use-ssl>false</use-ssl>
            <url>ldap://ldap.mydomain.org:389</url>
            <domain>mydomain.org</domain>
            <search>
                <base>DC=mydomain,DC=org</base>
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <search-attribute key="memberOf">memberOf</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                </group>
            </search>
        </context>
    </realm>
</security-manager>



Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________________
From: Misztur, Chris [[hidden email]]
Sent: Monday, July 07, 2014 8:36 AM
To: Ford, Thomas; Adam Retter
Cc: [hidden email]
Subject: RE: [Exist-open] LDAP realm bug

In my domain users log in as such: domain\username
However through exist they login as: [hidden email]

Here is my config :

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="26" last-group-id="11" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
    <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
        <context>
            <authentication>simple</authentication>
            <use-ssl>false</use-ssl>
<!--<principal-pattern></principal-pattern>-->
            <url>ldap://domain-controller.my-domain.com:389</url>
            <domain>my-domain.com</domain>
            <search>
                <base>DC=my-domain,DC=com</base>
<!--<default-username></default-username>-->
<!--<default-password></default-password>-->
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <search-attribute key="memberOf">memberOf</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
                </group>
            </search>
<!--<transformation></transformation>-->
        </context>
    </realm>
<!--<events></events>-->
</security-manager>



-----Original Message-----
From: Ford, Thomas [mailto:[hidden email]]
Sent: Thursday, July 03, 2014 5:57 AM
To: Adam Retter
Cc: [hidden email]
Subject: Re: [Exist-open] LDAP realm bug

Sorry that was incomplete.  Here is a more complete representation of the markup in: /db/system/security/config.xml
-----
<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
    <realm id="LDAP">
        <context>
            <authentication>simple</authentication>
            <url>ldap://myldap.mydomain.org:389</url>
            <domain>mydomain.org</domain>
            <search>
                <base>ou=MYORG People,dc=mydomain,dc=org</base>
                <default-username>[hidden email]</default-username>
                <default-password>mypass</default-password>
                <account>
                    <search-filter-prefix>objectClass=user</search-filter-prefix>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
                    <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
                </account>
                <group>
                    <search-filter-prefix>objectClass=group</search-filter-prefix>
                    <search-attribute key="member">member</search-attribute>
                    <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
                    <search-attribute key="objectSid">objectSid</search-attribute>
                    <search-attribute key="name">sAMAccountName</search-attribute>
                    <search-attribute key="dn">distinguishedName</search-attribute>
                    <whitelist>
                        <principal>Domain Users</principal>
                    </whitelist>
                </group>
            </search>
        </context>
    </realm>

</security-manager>

-----

Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________
From: Adam Retter [[hidden email]]
Sent: Wednesday, July 02, 2014 10:22 AM
To: Ford, Thomas
Cc: [hidden email]
Subject: Re: [Exist-open] LDAP realm bug


Your url element is inside your authentication element, which it should not be; please check your XML against the example in the documentation again.

On 2 Jul 2014 15:18, "Ford, Thomas" <[hidden email]> wrote:
I am trying to migrate our eXist-db v1.4.3 system to the latest 2.1.6 LTS version.   We very much need the LDAP feature to work but it does not appear to be working yet.  I've followed the instructions here:

 http://exist-db.org/exist/apps/doc/security.xml?q=security%20changes&field=all&id=D2.2.4#ldap-realm

.. modifying the url, domain, and base to match our Active Directory url, domain, and OU structure.   I restarted, and the first error I got was: "An LDAP URL must be specified of the form ldap://:"  .   I saw that there was a post related to this here:  http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348

However, it did not offer any working solution and did not appear to have been resolved.   I even found the Java class where this exception is thrown:
extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java
----
if (url == null) {
throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}
----
However, I have defined the connection url exactly as described in the documentation.  So, I am inclined to think this is a bug.  Perhaps the value of the url element is not getting assigned to the property in the java class?  Has anyone else got this working?

/db/system/security/config.xml
<security-manager>
...
<realm id="LDAP">
<authentication>
<url>ldap://myldap.domain.org:389</url>
...

Please advise,
Thanks,
Tom


Thomas W. Ford
Assistant Director of Web Application Development
National Foreign Language Center
Univ. of Maryland, College Park, MD



Thomas Ford
Director of Web Application Development
National Foreign Language Center @
The University of Maryland
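The thread so far turns on one structural mistake: in the first config `<url>` sat inside `<authentication>`, whereas the later configs put it directly under `<context>`, and eXist only reports the generic "An LDAP URL must be specified" message. The following is an added example, not code from the thread or from eXist-db: a small Python checker that reads a `security-manager` document, says where a misplaced `<url>` actually ended up, validates the `ldap://host:port` shape, and warns when a `simple` bind is configured over plain `ldap://` without `<use-ssl>true</use-ssl>`. The element names follow the configs posted above; the two sample documents are constructed for the example.

```python
"""Structural check for an eXist-db LDAP realm config.

Added example: not part of eXist-db. Element names mirror the configs
posted in this thread; both sample documents below are constructed.
"""
import re
from xml.etree import ElementTree as ET

# Constructed sample: the shape from the first post, <url> nested inside
# <authentication> instead of directly under <context>.
MISNESTED = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.0">
  <realm id="LDAP">
    <authentication>
      <url>ldap://myldap.domain.org:389</url>
    </authentication>
  </realm>
</security-manager>"""

# Constructed sample: <url> where the later posts put it, under <context>.
CORRECT = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.0">
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>false</use-ssl>
      <url>ldap://ldap.mydomain.org:389</url>
      <domain>mydomain.org</domain>
      <search>
        <base>DC=mydomain,DC=org</base>
      </search>
    </context>
  </realm>
</security-manager>"""

# scheme://host:port with nothing else (no path, no trailing text)
URL_RE = re.compile(r"^(ldaps?)://([^/:\s]+):(\d{1,5})$")


def _local(tag):
    """Strip any {namespace} prefix so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem with the given local name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)


def check_ldap_realm(xml_text):
    """Return 'error: ...' / 'warning: ...' strings for the LDAP realm."""
    findings = []
    root = ET.fromstring(xml_text)
    realm = next((r for r in root.iter()
                  if _local(r.tag) == "realm" and r.get("id") == "LDAP"), None)
    if realm is None:
        return ['error: no <realm id="LDAP"> element found']

    context = _child(realm, "context")
    if context is None:
        findings.append('error: <realm id="LDAP"> has no <context> child; '
                        '<url>, <domain> and <search> belong inside it')

    url = _child(context, "url") if context is not None else None
    if url is None:
        # Locate any <url> in the realm so the message can say where it ended up.
        parent_of = {c: p for p in realm.iter() for c in p}
        stray = next((e for e in realm.iter() if _local(e.tag) == "url"), None)
        if stray is not None:
            findings.append("error: <url> found under <%s>, but it must be a direct "
                            "child of <context>" % _local(parent_of[stray].tag))
        else:
            findings.append("error: <url> is missing; add <url>ldap://host:port</url> "
                            "under <context>")
        return findings

    value = (url.text or "").strip()
    match = URL_RE.match(value)
    if not match:
        findings.append("error: <url> value %r is not of the form ldap://host:port" % value)
        return findings

    # Simple bind sends the password as-is; over ldap:// without TLS it is in clear text.
    auth = _child(context, "authentication")
    use_ssl = _child(context, "use-ssl")
    ssl_on = use_ssl is not None and (use_ssl.text or "").strip().lower() == "true"
    if (match.group(1) == "ldap" and not ssl_on
            and auth is not None and (auth.text or "").strip() == "simple"):
        findings.append("warning: simple bind over plain ldap:// sends credentials in "
                        "clear text; use ldaps:// or <use-ssl>true</use-ssl>")
    return findings


if __name__ == "__main__":
    for label, doc in (("misnested", MISNESTED), ("correct", CORRECT)):
        print(label, check_ldap_realm(doc))
```

Run against the misnested sample it reports both the missing `<context>` and that `<url>` was found under `<authentication>`; against the corrected sample it reports no errors, only the clear-text warning, which is the other thing worth fixing before pointing the realm at a production directory.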

Re: LDAP realm bug

Misztur, Chris
Can you turn on debug logging and show the failure stack?
I know that Dmitriy's changes to get this to work for me were post-2.1...


Can you try adding principal-pattern element into context element with a specific user OU?

<context>
            <principal-pattern>cn={0},OU=Users,OU=your-domain,DC=your-domain,DC=com</principal-pattern>
...

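The principal-pattern above substitutes the login name for `{0}` and the result is used as a DN. As an added example, not code from the thread or from eXist-db, here is what that substitution looks like with RFC 4514 escaping applied to the substituted value, so that a login containing a comma, a plus sign or a leading space cannot change the shape of the DN. It assumes eXist replaces `{0}` with the name as typed by the user; I have not checked the implementation, and the pattern string is the one from the post above.

```python
# Added example: render a principal-pattern into a bind DN with RFC 4514
# escaping of the substituted login name. Assumption, not verified against
# eXist's source: {0} is replaced with the login name as typed by the user.

# Characters RFC 4514 section 2.4 requires (or permits) to be escaped inside a value.
SPECIALS = ',+"\\;<>='

# Pattern quoted from the post above.
PATTERN = "cn={0},OU=Users,OU=your-domain,DC=your-domain,DC=com"


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")          # NUL must be written as a hex pair
        elif ch in SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")           # a leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")           # leading/trailing spaces are otherwise dropped
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(principal_pattern, login):
    """Substitute the escaped login name for {0} in the pattern."""
    return principal_pattern.replace("{0}", escape_dn_value(login))


if __name__ == "__main__":
    for login in ("jdoe", "Smith, John", " trailing ", "#hash"):
        print(repr(login), "->", bind_dn(PATTERN, login))
```

A plain login such as `jdoe` passes through unchanged; names with separators come out as a single `cn` value rather than extra RDNs, which is the property a directory-backed login should keep regardless of which server (AD or OpenLDAP) sits behind the realm.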

Re: LDAP realm bug

RemiKoutcherawy
In reply to this post by Thomas Ford
Hi
> [...] I saw that there was a post related to this here:  http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348
>
> However, it did not offer any working solution and did not appear to have been resolved.
I got a working solution; attached are a module and a test.

Debugging step by step in Eclipse, I realized the XML config file was
not parsed correctly.
I almost crafted a pull request in Java, but realized I cannot test
against Active Directory.
My concern was OpenLDAP, not Active Directory, and I reverted to a more
basic solution.

Inspired by
https://github.com/eXist-db/exist/blob/develop/extensions/modules/src/org/exist/xquery/modules/jndi/jndiExample.xql
I just need to activate JNDI in:
  - exist-2.1/conf.xml
  - extensions/build.properties
  - installer/conf.xml

To test, I installed openldap-2.4.39 with a basic LDAP config,
cn=me,ou=people,dc=localhost,
with a parameter.xml file to easily switch to another LDAP server.
I left the util:log-system-out calls in the attached files; they may be useful to
see how it works,
but to keep things readable I hard-coded the LDAP values here instead of
joining the parameter file.

HTH

Remi




Attachments: ldap1.xqm (4K), ldap1.xql (693 bytes)

Re: LDAP realm bug

Misztur, Chris
D,

did the bug fixes you did for my case make it into 2.1.6?


Re: LDAP realm bug

Thomas Ford
Rémi, thanks.  I may give that a try as well.

Dmitriy, regarding your fix, did it make it into 2.2RC1?  I just downloaded this latest version and configured the ldap context and got the same error as described previously.  I checked the exist.log and found this error:

2014-07-08 10:13:22,056 [AWT-EventQueue-0] ERROR (Configurator.java [configure]:244) - class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package
java.lang.SecurityException: class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package
        at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
        at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at java.lang.Class.getDeclaredFields0(Native Method)
        at java.lang.Class.privateGetDeclaredFields(Class.java:2397)
        at java.lang.Class.getDeclaredFields(Class.java:1806)
        at org.exist.config.Configurator.getConfigurationAnnotatedFields(Configurator.java:99)
        at org.exist.config.Configurator.configureByCurrent(Configurator.java:257)
        at org.exist.config.Configurator.configure(Configurator.java:242)
        at org.exist.security.realm.ldap.LdapContextFactory.<init>(LdapContextFactory.java:83)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.exist.config.Configurator.create(Configurator.java:602)
        at org.exist.config.Configurator.configureByCurrent(Configurator.java:340)
        at org.exist.config.Configurator.configure(Configurator.java:242)
        at org.exist.security.AbstractRealm.<init>(AbstractRealm.java:76)
        at org.exist.security.realm.ldap.LDAPRealm.<init>(LDAPRealm.java:81)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.exist.config.Configurator.create(Configurator.java:597)
        at org.exist.config.Configurator.create(Configurator.java:579)
        at org.exist.config.Configurator.configureByCurrent(Configurator.java:535)
        at org.exist.config.Configurator.configure(Configurator.java:242)
        at org.exist.security.internal.SecurityManagerImpl.attach(SecurityManagerImpl.java:214)
        at org.exist.storage.BrokerPool.initialize(BrokerPool.java:945)
        at org.exist.storage.BrokerPool.<init>(BrokerPool.java:722)
        at org.exist.storage.BrokerPool.configure(BrokerPool.java:248)
        at org.exist.storage.BrokerPool.configure(BrokerPool.java:224)
        at org.exist.jetty.JettyStart.run(JettyStart.java:163)
        at org.exist.launcher.Launcher$7.actionPerformed(Launcher.java:217)
        at java.awt.MenuItem.processActionEvent(MenuItem.java:669)
        at java.awt.MenuItem.processEvent(MenuItem.java:628)
        at java.awt.MenuComponent.dispatchEventImpl(MenuComponent.java:351)
        at java.awt.MenuComponent.dispatchEvent(MenuComponent.java:339)
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:738)
        at java.awt.EventQueue.access$200(EventQueue.java:103)
        at java.awt.EventQueue$3.run(EventQueue.java:694)
        at java.awt.EventQueue$3.run(EventQueue.java:692)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
        at java.awt.EventQueue$4.run(EventQueue.java:708)
        at java.awt.EventQueue$4.run(EventQueue.java:706)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:705)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:242)
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:161)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:146)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:138)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:91)


Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________________
From: Misztur, Chris [[hidden email]]
Sent: Tuesday, July 08, 2014 8:30 AM
To: Rémi Koutchérawy; Dmitriy Shabanov
Cc: [hidden email]; Ford, Thomas
Subject: Re: [Exist-open] LDAP realm bug

D,

did the bug fixes you did for my case make it into 2.1.6?

> On Jul 7, 2014, at 4:30 PM, "Rémi Koutchérawy" <[hidden email]> wrote:
>
> Hi
>> [...] I saw that there was a post related to this here:  http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348
>>
>> However, it did not offer any working solution and did not appear to have been resolved.
> I got a working solution, attached is a module and a test.
>
> Debugging step by step in Eclipse, I realized the xml config file was not parsed correctly.
> I almost crafted a pull request in Java, but realized I cannot test against ActiveDirectory.
> My concern was OpenLdap not ActiveDirectory, and I reverted to a more basic solution.
>
> Inspired by
> https://github.com/eXist-db/exist/blob/develop/extensions/modules/src/org/exist/xquery/modules/jndi/jndiExample.xql
> I just need to activate jndi in:
> - exist-2.1/conf.xml
> - extensions/build.properties
> - installer/conf.xml
>
> To test I installed openldap-2.4.39 with a basic ldap config cn=me,ou=people,dc=localhost
> with a parameter.xml file to easily switch to another ldap server.
> I left the util:log-system-out calls in the attached files, which may be useful to see how it works,
> but to keep things readable I hard-coded the ldap values here, instead of reading the parameter file.
>
> HTH
>
> Remi
>
>
> <ldap1.xqm>
> <ldap1.xql>

Thomas Ford
Director of Web Application Development
National Foreign Language Center @
The University of Maryland
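The SecurityException in the log above is the JVM's per-package signer check: when a class is defined, ClassLoader.checkCerts compares its signer certificates with those recorded for the first class of the same package in that class loader, so a signed exist.jar next to an unsigned extension jar that also contributes classes to org.exist.security.realm is rejected. The following Python check is an added example, not code from this thread or from eXist-db: it maps packages to the jars that provide them and reports packages whose jars disagree on signing. The jar names and class layout in demo() are constructed, and comparing signature-block file names is a proxy for comparing the actual certificates.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

# Signature block files the JDK recognises inside META-INF/.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signers_of(jar_path):
    """Return the signature-block file names in META-INF/ (empty for an unsigned jar).

    Coarse proxy for the certificate set the JVM records per package: an unsigned
    jar yields an empty set, jars signed under different aliases yield different
    names. Parsing the PKCS#7 blocks for the real certificates is not done here.
    """
    with zipfile.ZipFile(jar_path) as zf:
        return frozenset(
            os.path.basename(name)
            for name in zf.namelist()
            if name.upper().startswith("META-INF/")
            and name.upper().endswith(SIG_BLOCK_SUFFIXES)
        )


def packages_of(jar_path):
    """Return the Java package names that have .class files in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return {
            name.rsplit("/", 1)[0].replace("/", ".")
            for name in zf.namelist()
            if name.endswith(".class") and "/" in name
        }


def find_signer_conflicts(jar_paths):
    """Return {package: {jar_name: signers}} for every package that is split across
    jars whose signer sets differ: the situation ClassLoader.checkCerts rejects.
    Assumes one class loader sees all jars, as with eXist-db's lib/ tree.
    """
    by_package = defaultdict(dict)
    for jar in jar_paths:
        signers = signers_of(jar)
        for pkg in packages_of(jar):
            by_package[pkg][os.path.basename(jar)] = signers
    return {pkg: jars for pkg, jars in by_package.items()
            if len(set(jars.values())) > 1}


def scan_lib_dirs(dirs):
    """Collect *.jar from the given directories (e.g. ., lib/core, lib/extensions)
    and report signer conflicts; missing directories are skipped."""
    jars = [os.path.join(d, f) for d in dirs if os.path.isdir(d)
            for f in sorted(os.listdir(d)) if f.endswith(".jar")]
    return find_signer_conflicts(jars)


def _write_jar(path, class_files, signed):
    """Constructed sample jar: placeholder class bytes and, if signed, dummy
    signature files (not a real PKCS#7 block)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            zf.writestr("META-INF/EXIST.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/EXIST.RSA", b"\x30\x00")
        for cls in class_files:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Recreate the thread's failure with constructed jars: a signed core jar and an
    unsigned extension jar (hypothetical name and class layout) both contributing
    classes to org.exist.security.realm, the package named in the log."""
    with tempfile.TemporaryDirectory() as tmp:
        core = os.path.join(tmp, "exist.jar")
        ext = os.path.join(tmp, "exist-security-ldap.jar")
        _write_jar(core, ["org/exist/security/AbstractRealm.class",
                          "org/exist/security/realm/Realm.class"], signed=True)
        _write_jar(ext, ["org/exist/security/realm/TransformationContext.class",
                         "org/exist/security/realm/ldap/LDAPRealm.class"], signed=False)
        return find_signer_conflicts([core, ext])
```

Run scan_lib_dirs([".", "lib/core", "lib/extensions"]) from an EXIST_HOME to see which packages are split across signed and unsigned jars before the JVM reports it at startup.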

Re: LDAP realm bug

Dmitriy Shabanov
On Tue, Jul 8, 2014 at 6:27 PM, Ford, Thomas <[hidden email]> wrote:
Rémi, thanks.  I may give that a try as well.

Dmitriy, regarding your fix, did it make it into 2.2RC1?  I just downloaded this latest version and configured the ldap context and got the same error as described previously.  I checked the exist.log and found this error:

2014-07-08 10:13:22,056 [AWT-EventQueue-0] ERROR (Configurator.java [configure]:244) - class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package
java.lang.SecurityException: class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package

Where did you install it from?  I can say for sure only that trunk has the fix.


--
Dmitriy Shabanov


Re: LDAP realm bug

lstant
I'm having the same problem with an eXist 2.2 install which I can't upgrade to 3 at the moment.
Is there a fix? I don't see any resolution on this thread or others.

Laurence

Re: LDAP realm bug

Loren Cahlander
In reply to this post by lstant
I do not know if this is relevant, but I had a problem with LDAP before.  The jar files needed to be signed:


Edit build\scripts\jarsigner.xml

add

<target name="jnlp-sign-extensions" description="Sign all extension jar files in lib/extensions."
    depends="jnlp-prepare,jnlp-keygen">
    
    <signjar alias="${keystore.alias}" storepass="${keystore.password}"
        keystore="${keystore.file}">
        <fileset dir="lib/extensions">
            <include name="*.jar"/>
        </fileset>
    </signjar>
</target>

change

    <!-- All tasks, in the best sequence -->
    <target name="jnlp-all"
        depends="jnlp-prepare,jnlp-keygen,jnlp-sign-exist,jnlp-sign-core"
            description="Create keystore file and sign all EXIST and CORE jar files."/>

to

    <!-- All tasks, in the best sequence -->
    <target name="jnlp-all"
        depends="jnlp-prepare,jnlp-keygen,jnlp-sign-exist,jnlp-sign-core,jnlp-sign-extensions"
            description="Create keystore file and sign all EXIST and CORE jar files."/>

change

<!-- Special task for unsigning jar files -->
<target name="jnlp-unsign-all"
        description="Unsign all jar files.">
    <taskdef name="unsignjar" 
             classname="nl.ow.dilemma.ant.jar.UnsignJarTask" 
             classpath="${asocat-exist.jar}"/>
    <unsignjar>
        <fileset dir=".">
            <include name="exist*.jar"/>
            <include name="start.jar"/>
        </fileset>
        <fileset dir="lib/core">
            <include name="*.jar"/>
        </fileset>
        <fileset dir="lib/extensions">
            <include name="exist-netedit.jar"/>
        </fileset>
        <fileset dir="lib/optional">
            <include name="commons-codec-*.jar"/>
            <include name="commons-httpclient-*.jar"/>
        </fileset>
    </unsignjar>
</target>

to

<!-- Special task for unsigning jar files -->
<target name="jnlp-unsign-all"
        description="Unsign all jar files.">
    <taskdef name="unsignjar" 
             classname="nl.ow.dilemma.ant.jar.UnsignJarTask" 
             classpath="${asocat-exist.jar}"/>
    <unsignjar>
        <fileset dir=".">
            <include name="exist*.jar"/>
            <include name="start.jar"/>
        </fileset>
        <fileset dir="lib/core">
            <include name="*.jar"/>
        </fileset>
        <fileset dir="lib/extensions">
            <include name="*.jar"/>
        </fileset>
        <fileset dir="lib/optional">
            <include name="commons-codec-*.jar"/>
            <include name="commons-httpclient-*.jar"/>
        </fileset>
    </unsignjar>
</target>

run

build.bat jnlp-unsign-all
build.bat jnlp-all
                

This properly signs the jar files so that eXist-db can authenticate through LDAP.




On Jun 10, 2017, at 1:48 PM, lstant <[hidden email]> wrote:

I'm having the same problem with an eXist 2.2 install which I can't upgrade
to 3 at the moment.
Is there a fix? I don't see any resolution on this thread or others.

Laurence




Re: LDAP realm bug

lstant

Thanks for this, the resigning said it worked without error, although the dashboard splash image is now broken (will investigate).

If I try to log in now, I just get a wrong user or pass error, and the log reads:

2017-06-13 11:42:54,397 [qtp5250656-32] ERROR (XMLDBAuthenticate.java [eval]:153) - Unable to authenticate user: ls00181 @ jar:file:/C:/eXist-db-3.2/lib/extensions/exist-modules.jar!/org/exist/xquery/modules/persistentlogin/login.xql [119:24]
org.exist.security.AuthenticationException: Account [ls00181] not found
 at org.exist.security.internal.SecurityManagerImpl.authenticate(SecurityManagerImpl.java:460) ~[exist.jar:3.2.0]
 at org.exist.xquery.functions.xmldb.XMLDBAuthenticate.eval(XMLDBAuthenticate.java:151) [exist.jar:3.2.0]
 at org.exist.xquery.BasicFunction.eval(BasicFunction.java:74) [exist.jar:3.2.0]
 at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:41) [exist.jar:3.2.0]
 at (...)

It looks as though it isn't checking LDAP and just the internal authentication. The build.properties file has AD and LDAP realms enabled and I have been restarting exist after changes. Any thoughts?


Re: LDAP realm bug

lstant

My bad, it is working (if I change url to something wrong it errors before the XMLDBAuthenticate lines). It would be nice perhaps to have a log entry to say if different realms failed, at an appropriate verbosity level.

