WS7 LDAP Active Directory

I'm having an issue setting up (just searching for) users and groups in the ACL controls.

When I do a generic wild card search "*" or search for a specific user I get the following error.

ADMIN3132: Error while communicating to the LDAP server: ldap://server.domain.edu:389/dc=xxx,dc=domain,dc=edu

I was able to create the configuration, so I assume the user bind information is okay. I am also able to bind and view Active Directory information using JXplorer on the server.

Here is the information in the server.xml file.

<auth-db>
  <name>AuthDBName</name>
  <url>ldap://server.domain.edu:389/dc%3dxxx,dc%3ddomain,dc%3dedu</url>
  <property>
    <name>bindpw</name>
    <value>XXhlXTLyiXNo</value>
    <encoded>true</encoded>
  </property>
  <property>
    <name>binddn</name>
    <value>addomain\userid</value>
  </property>
</auth-db>

Any insights?

By bartmcpa at 2007-11-27 8:28:55
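The <url> in the server.xml above is the percent-encoded form of the base DN that the ADMIN3132 message prints decoded; both spell the same base. The script below is an added example, not code from this thread or from Sun Web Server 7: it parses an ldap:// URL according to RFC 4516, splits the base DN into RDNs, and builds the encoded form the way the configuration value is written (lower-case hex, spaces as %20). The host name and DN components are the placeholders quoted in the post; the OU variant anticipates the form used later in the thread.

```python
"""Parse and build the ldap:// URLs used in a WS7 <auth-db> <url> element.

Added example, not code from this thread or from Sun Web Server 7. Host names
and DN components below are the constructed placeholders quoted in the post.
"""
from urllib.parse import unquote, urlsplit

# The same base as it appears in server.xml (encoded) and in the ADMIN3132
# error message (decoded). Constructed from the values in the post.
CONFIG_URL = "ldap://server.domain.edu:389/dc%3dxxx,dc%3ddomain,dc%3dedu"
ERROR_URL = "ldap://server.domain.edu:389/dc=xxx,dc=domain,dc=edu"
OU_URL = "ldap://server.domain.edu:389/ou%3dsome%20name,dc%3dxxx,dc%3ddomain,dc%3dedu"

# Characters left as-is when encoding a DN into the URL path: RFC 3986
# unreserved characters plus the comma that separates RDNs.
_URL_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~,")


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [rdn for rdn in rdns if rdn]


def parse_ldap_url(url):
    """Return scheme, host, port and the decoded base DN of an RFC 4516 LDAP URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # Only the DN part is used here; attributes, scope and filter would follow '?'.
    dn_part = parts.path.lstrip("/").split("?", 1)[0]
    base_dn = unquote(dn_part)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "base_dn": base_dn, "rdns": split_dn(base_dn)}


def build_ldap_url(host, base_dn, port=389, scheme="ldap"):
    """Percent-encode a base DN into the URL path, lower-case hex as in the config above."""
    encoded = "".join(
        ch if ch in _URL_SAFE else "".join("%%%02x" % b for b in ch.encode("utf-8"))
        for ch in base_dn
    )
    return "%s://%s:%d/%s" % (scheme, host, port, encoded)


def same_base(url_a, url_b):
    """True when two URL spellings name the same server, port and base DN."""
    a, b = parse_ldap_url(url_a), parse_ldap_url(url_b)
    return (a["host"].lower(), a["port"], [r.lower() for r in a["rdns"]]) == \
           (b["host"].lower(), b["port"], [r.lower() for r in b["rdns"]])


if __name__ == "__main__":
    for url in (CONFIG_URL, ERROR_URL, OU_URL):
        print(url, "->", parse_ldap_url(url)["rdns"])
    print("config and error URL name the same base:", same_base(CONFIG_URL, ERROR_URL))
```

Running it shows that the encoded configuration value and the decoded value in the error message resolve to the same RDN list, so a mismatch between the two would point at a typo in server.xml rather than at the encoding itself.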
# 1
Do you mean searching through the admin? In 7.0 the admin has a limitation/bug that it doesn't observe these configuration parameters, so it can't search the MSAD server even when the server itself can authenticate against it. It should be fixed in an upcoming release.
jyria at 2007-7-12 20:19:03 > top of Java-index,Web & Directory Servers,Web Servers...
# 2

Correct.

If I try to configure an ACE to Allow "Only the following in the authentication database" and search for an ID it comes back with that error. Searching for groups has the same result.

Is there an estimate for when the next release that fixes this will be out?

Thanks

Bart

bartmcpa at 2007-7-12 20:19:03
# 3

I did some more editing today of the configuration.

I added a specific OU to the Base DN, so now the ldap url is now:

ldap://server.domain.edu:389/ou%3dsome%20name,dc%3dxxx,dc%3ddomain,dc%3dedu

The error message has gone away, but I cannot return any information from Active Directory.

I hope this helps and a fix will be released soon. Any ETA for the fix would be helpful, so I know how to proceed with this current project.

Also, is this a specific issue with Active Directory or a general LDAP issue with WS7?

Thanks,

Bart

bartmcpa at 2007-7-12 20:19:03
# 4

I updated the web server to WS 7 Update 1 and still cannot get a good response from Active Directory. Not sure if the AD fixes listed in the release notes are what was referred to a couple of posts earlier, but I'm not closer to getting AD authentication working in WS 7.

I know my AD information is good, because I can get results returned back to the server using ldapsearch -h adserver.domain.edu -p 389 -b "dc=addomain,dc=domain,dc=edu" -D "myID" "(cn=myID)"

from a command prompt. The LDAP setup screen also complains if I use a wrong password.

I'd really like to make this work, so I don't have to buy a 3rd party product (RSA Cleartrust) to secure static content pages/folders.

This is the log information seen when I try to test an ACL that uses the AD LDAP setup.

[25/Jun/2007:15:34:17] fine (10335): acl user: match on user = (anyone)

[25/Jun/2007:15:34:17] config (10335): digest authentication request on a non-digestauth capable database.

[25/Jun/2007:15:34:17] security (10335): [NSACL4330] HTTP5094: while trying to get attribute "user"

This is what is seen in the logs when I try to search for a specific user when creating an ACL.

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, ntrans-j2ee reports: mapped uri "/admingui/newACE" in context "/admingui" to resource "AdminGUIServlet"

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: context=[StandardEngine[com.sun.web-1].StandardHost[admin-server].StandardContext[/admingui]] contextPath=[/admingui] wrapper=[StandardEngine[com.sun.web-1].StandardHost[admin-server].StandardContext[/admingui].StandardWrapper[AdminGUIServlet]] servletPath=[/admingui] pathInfo=[/newACE]

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Security checking request POST /admingui/admingui/newACE

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: We have cached auth type FORM for principal webadmin

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports:Matched constraint 'SecurityConstraint[admingui]' against POST /admingui/newACE

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports:Matched constraint 'SecurityConstraint[admingui]' against POST /admingui/newACE

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Calling hasUserDataPermission()

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports:User data constraint has no restrictions

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Calling authenticate()

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Already authenticated 'webadmin'

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Calling accessControl()

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports:Checking roles webadmin

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Successfully passed all security constraints

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: servletPath=/jsp/newACE.jsp, pathInfo=null, queryString=null, name=null

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: Path Based Forward

[25/Jun/2007:15:42:22] fine (10401): for host 555.555.2.64 trying to POST /admingui/admingui/newACE, service-j2ee reports: JspEngine --> [/jsp/newACE.jsp] ServletPath: [/jsp/newACE.jsp] PathInfo: [null] RealPath: [/usr/local/webserver7/lib/webapps/admingui/jsp/newACE.jsp] RequestURI: [/admingui/jsp/newACE.jsp] QueryString: [null] RequestParams: [ newACE.newACEPS.addRemoveGroups.RemoveAllButton.DisabledHiddenField=true newACE.newACEPS.groupAttribute=name newACE.newACEPS.read.jato_boolean=false newACE.newACEPS.list.jato_boolean=false newACE.newACEPS.execute.DisabledHiddenField=true newACE.newACEPS.addRemoveGroups.AvailableTextField= jato.pageSession= newACE.newACEPS.info.jato_boolean=false newACE.newACEPS.addRemoveGroups.AddAllButton.TitleEnabledHiddenField= newACE.newACEPS.list.ValueDisabledHiddenField=false newACE.newACEPS.addRemoveUsers.AddButton.DisabledHiddenField=false config.security.acl.newACE.emptyUSrGrpList=Please enter a comma separated list of user IDs or group names config.security.acl.newACE.noUSrGrpSelected=There are no users or groups selected. 
newACE.newACEPS.read.ValueDisabledHiddenField=false newACE.newACEPS.rights=all newACE.newACEPS.addRemoveUsers.AddAllButton.TitleEnabledHiddenField= newACE.newACEPS.execute.jato_boolean=false newACE.newACEPS.delete.ValueDisabledHiddenField=false newACE.newACEPS.addRemoveGroups.RemoveButton.DisabledHiddenField=true newACE.newACEPS.groupSearchString=* jato.defaultCommand=defaultCommandChild newACE.newACEPS.addRemoveUsers.AddAllButton.DisabledHiddenField=true newACE.newACEPS.addRemoveGroups.RemoveAllButton.TitleDisabledHiddenField=(disabled) newACE.newACEPS.write.DisabledHiddenField=true newACE.newACEPS.dns.ValueDisabledHiddenField= newACE.newACEPS.write.jato_boolean=false newACE.newACEPS.addRemoveGroups.SelectedTextField= helplink=gbomu.html newACE.newACEPS.addRemoveUsers.RemoveButton.DisabledHiddenField=true newACE.newACEPS.addRemoveUsers.RemoveAllButton.TitleDisabledHiddenField=(disabled) newACE.newACEPS.execute.ValueDisabledHiddenField=false newACE.newACEPS.ip.ValueDisabledHiddenField= newACE.newACEPS.userSearchString=*myID* newACE.newACEPS.addRemoveGroups.RemoveAllButton.TitleEnabledHiddenField= newACE.newACEPS.addRemoveUsers.AddAllButton.TitleDisabledHiddenField=(disabled) newACE.newACEPS.users=auth newACE.hidden-db-type=ldap newACE.newACEPS.ip.DisabledHiddenField=true newACE.newACEPS.info.DisabledHiddenField=true newACE.newACEPS.action=allow newACE.newACEPS.write.ValueDisabledHiddenField=false newACE.newACEPS.userSearchAttribute=uid newACE.newACEPS.addRemoveUsers.RemoveAllButton.TitleEnabledHiddenField= newACE.newACEPS.addRemoveUsers.RemoveAllButton.DisabledHiddenField=true newACE.newACEPS.delete.jato_boolean=false newACE.newACEPS.delete.DisabledHiddenField=true newACE.newACEPS.list.DisabledHiddenField=true newACE.newACEPS.addRemoveUsers.SelectedTextField= newACE.newACEPS.dns.DisabledHiddenField=true newACE.newACEPS.host=anyplace newACE.newACEPS.addRemoveGroups.AvailableListBox=ignoreMe newACE.hidden-db-name=CSUNET
newACE.newACEPS.info.ValueDisabledHiddenField=false newACE.newACEPS.userSearchButton=Search newACE.newACEPS.addRemoveGroups.AddButton.DisabledHiddenField=true newACE.newACEPS.addRemoveUsers.AvailableListBox=ignoreMe newACE.newACEPS.addRemoveGroups.AddAllButton.TitleDisabledHiddenField=(disabled) newACE.newACEPS.read.DisabledHiddenField=true newACE.hidden-row-id=1 newACE.newACEPS.addRemoveUsers.AvailableTextField= newACE.newACEPS.continue=true newACE.newACEPS.addRemoveGroups.AddAllButton.DisabledHiddenField=true newACE.newACEPS.continue.jato_boolean=false ]

Thanks for looking and helping!

bartmcpa at 2007-7-12 20:19:03
# 5
Although the admin may not work, Sun Java System Web Server 7.0 will work with MSAD. Refer to Jyri's blog: http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
mva at 2007-7-12 20:19:03
# 6
Thanks for the insight! I am now able to map samaccountname to the uid. "Search Filter" isn't the most intuitive name for the action performed by the field. :)
bartmcpa at 2007-7-12 20:19:03
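The reply above maps the login name to samaccountname through the search filter. The script below is an added example, not code from this thread or from Sun Web Server 7: it builds that lookup filter with the RFC 4515 escaping a login value needs before it is placed in a filter, and runs filters over a few constructed directory entries with a minimal evaluator, so the difference between a literal login and the "*myID*" wildcard seen in the admin log above is visible. The entries, attribute values and the "sAMAccountName" attribute name used for the mapping are constructed for the example.

```python
"""Map a login name to sAMAccountName in an AD search filter, with escaping.

Added example, not code from this thread or from Sun Web Server 7. The entries
below are constructed stand-ins for AD search results; the evaluator supports
only the filter subset needed here (&, |, ! and attr=value with '*' wildcards).
"""
import re

SAMPLE_ENTRIES = [  # constructed sample data
    {"sAMAccountName": "myID", "cn": "My Id", "objectClass": ["user"]},
    {"sAMAccountName": "myID2", "cn": "Other Id", "objectClass": ["user"]},
    {"sAMAccountName": "svc-backup", "cn": "Backup Service", "objectClass": ["user"]},
    {"sAMAccountName": "webadmins", "cn": "Web Admins", "objectClass": ["group"]},
]

# RFC 4515 assertion-value escapes: these characters would otherwise change
# the structure of the filter or act as wildcards.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login, attribute="sAMAccountName"):
    """Filter that selects exactly one user account for the given login name."""
    return "(&(objectClass=user)(%s=%s))" % (attribute, escape_filter_value(login))


def _assertion_regex(assertion):
    """Anchored, case-insensitive regex for an assertion value; a bare '*' is a wildcard."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            # '\XX' hex escape: the decoded character is matched literally
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def _parse(text, pos=0):
    """Recursive-descent parse of '(&...)', '(|...)', '(!...)' and '(attr=value)'."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, text))
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s at %d" % (op, pos))
        return (op, children), pos + 1
    end = text.index(")", pos)  # an escaped ')' is '\29', so this is the real close
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def _matches(node, entry):
    """Evaluate a parsed filter node against one entry (attribute names case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    stored = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    stored = stored if isinstance(stored, list) else [stored]
    regex = _assertion_regex(value)
    return any(regex.match(v) for v in stored)


def search(entries, filter_text):
    """Return the sAMAccountName of every entry the filter selects, in order."""
    node, end = _parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["sAMAccountName"] for e in entries if _matches(node, e)]


if __name__ == "__main__":
    print(user_filter("myID"), "->", search(SAMPLE_ENTRIES, user_filter("myID")))
    print("escaped '*'  ->", search(SAMPLE_ENTRIES, user_filter("*")))
    print("raw '*myID*' ->", search(SAMPLE_ENTRIES, "(sAMAccountName=*myID*)"))
```

The escaped form of a login selects at most one account, whereas the raw "*myID*" string from the admin's search box selects every account containing that substring; a lookup that feeds a user-supplied login into the filter should always go through escape_filter_value.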
# 7

As a workaround, you can also use the Admin GUI "Customize the ACE" feature (the link will be there for each ACE entry in the "Access Control Entries" table in the ACL dialog). The "Customize the ACE" dialog will let you specify the users/groups manually, e.g.:

(user = "<user1>,<user2>" or group="<grp1>,<grp2>")

Hope this helps.

Thanks,

Amit

amit-suna at 2007-7-12 20:19:03