Liferay and export users into LDAP - ldap

I would like to enable the export of the users from Liferay into my OpenLDAP server.
So I enabled the checkbox on the configuration page and I set the parameters in the LDAP export.
Now, when I try to create a user in Liferay I get:
Login is temporarily unavailable.
Any suggestions?
This is the backtrace in the Java console:
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - object class: value #1 invalid per syntax]; remaining name 'cn=myname,dc=myTest,dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
    at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:397)
    at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:354)
    at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:596)
    at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:183)
    at javax.naming.InitialContext.bind(InitialContext.java:404)
    at com.liferay.portal.security.ldap.PortalLDAPExporterImpl.addUser(PortalLDAPExporterImpl.java:360)
    at com.liferay.portal.security.ldap.PortalLDAPExporterImpl.exportToLDAP(PortalLDAPExporterImpl.java:252)
    at com.liferay.portal.security.ldap.PortalLDAPExporterUtil.exportToLDAP(PortalLDAPExporterUtil.java:62)
    at com.liferay.portal.model.UserListener.exportToLDAP(UserListener.java:96)
    at com.liferay.portal.model.UserListener.onAfterUpdate(UserListener.java:72)
    ... 91 more

Either you have wrong configuration, or you're stuck on a Liferay - LDAP bug.
Here's the list of unresolved issues.
Please provide us an English error message next time, because all I see in your screenshot is... an error message.

If you're using Liferay 6.1 Community there are a few unresolved LDAP related bugs in that version. I faced a number of problems and ultimately it worked by:
1. Disabling LDAP export in the LDAP wizard.
2. Creating a custom hook which is triggered at user login, creation or any other change to the user object. The hook programmatically, through the Java JNDI lookup library, exports users into the external AD through LDAP. You can find the hook related code here: http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/
Feel free to ask if anyone's got any questions.
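Result code 21 in the trace in the question is invalidAttributeSyntax (RFC 4511): the directory rejected one of the objectClass values it was handed before the entry was ever stored, so checking the export mapping against the classes the server actually defines is the first thing to do. The following added example is my own code, not Liferay's or OpenLDAP's: it parses the JNDI message and replays the two schema checks an add request goes through against a constructed mini-schema. The schema contents, attribute names and the exact diagnostic wording are assumptions.

```python
import re

# Constructed minimal schema in the style of OpenLDAP's core/inetorgperson definitions:
# object class name -> attributes that class REQUIRES (MUST). Not a real schema dump.
SCHEMA = {
    "top": set(),
    "person": {"sn", "cn"},
    "organizationalPerson": set(),
    "inetOrgPerson": set(),
}

# LDAP result codes from RFC 4511 that an add operation can fail with at schema checking
SUCCESS = 0
INVALID_ATTRIBUTE_SYNTAX = 21
OBJECT_CLASS_VIOLATION = 65

# Shape of the message JNDI builds from the server's result code and diagnostic text
JNDI_ERROR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<diag>[^\]]*)\]"
    r"(?:; remaining name '(?P<dn>[^']*)')?"
)


def parse_jndi_error(message):
    """Pull the result code, diagnostic text and DN out of a JNDI LDAP exception message."""
    m = JNDI_ERROR_RE.search(message)
    if m is None:
        return None
    return {"code": int(m.group("code")), "diag": m.group("diag").strip(), "dn": m.group("dn")}


def validate_add(entry, schema=SCHEMA):
    """Run the schema checks a directory server applies to an add request.

    entry maps attribute names to lists of values. Returns (result_code, diagnostic),
    phrased in the style of the trace above so the output can be compared with it.
    """
    classes = entry.get("objectClass", [])
    if not classes:
        return OBJECT_CLASS_VIOLATION, "no objectClass attribute provided"
    # An objectClass value that names no defined class fails the attribute's syntax check:
    # that is the 'value #N invalid per syntax' diagnostic with result code 21.
    for i, oc in enumerate(classes):
        if oc not in schema:
            return INVALID_ATTRIBUTE_SYNTAX, "objectClass: value #%d invalid per syntax" % i
    # Every MUST attribute of every listed class has to be present and non-empty.
    for oc in classes:
        for attr in sorted(schema[oc]):
            if not entry.get(attr):
                return OBJECT_CLASS_VIOLATION, "object class '%s' requires attribute '%s'" % (oc, attr)
    return SUCCESS, ""


if __name__ == "__main__":
    # Constructed entry with a misspelled second objectClass value, as a mapping typo would produce
    exported = {"objectClass": ["top", "inetOrgPersn"], "cn": ["myname"], "sn": ["myname"]}
    print(validate_add(exported))
```

Value #1 in the diagnostic is a zero-based index into the objectClass values in the order they were sent, so it points straight at the offending value in the export mapping.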

Related

Authorization by ActivePivot

When I try to navigate at http://localhost:8080/content/rest/v4/files/ui/version?recursive=-1&metadata=false I have an error 404 (file not found).
While debugging I can see ActivePivot tries to determine whether my account is granted access to /ui/version.
It happens based on hibernate query:
SELECT DISTINCT ent FROM AuditableCSEntry ent JOIN FETCH ent.startAction startAct WHERE path=:path AND ent.endAction IS NULL
So I suspect the authorization should be configured. But I could not find any mention of that. Has anyone heard about configuration steps for AP authorization?
http://localhost:8080/content/rest/v4/files/ targets the endpoint listing files stored in the Content Service.
The file ui/version is a file used by ActiveUI to detect how it is set up. It is initialized by ActiveUI itself, upon the first connection of an admin user.
This initialization process is described in the online documentation.
Basically, having an admin user connect to your ActiveUI application should be enough.

AEM 6.3 Page Properties tabs are broken for author user

I am having an issue only in the Prod AEM 6.3 author instance. We have our application extending wcm core v1.
When a user is logged in as a content-author and opens page properties, only the Basic, Advanced and Thumbnail tabs are accessible.
Selecting other tabs like Cloud Services, Personalization, Permissions or Live Copy does not open the tab; rather it stays on the already opened tab.
This is happening only in my production author instance. When I delete my local repository, start a fresh vanilla instance and deploy my code, this issue is not happening.
At a certain point, our production author broke. Couldn't conclude it is code, since the same code works fine in a vanilla instance.
Has anyone faced a similar issue? Is there any lead to troubleshoot this issue? All tabs work when logged in as admin. Fails only as author.
Looks like this issue is faced by a few others. So posting my finding as an answer as well.
This was indeed a permission issue. The OTB Author group did not have permission to /etc/cloudservices. So opening page properties was throwing an error:
11.09.2018 10:24:48.597 ERROR [199.243.161.18 [1536675888296] GET /mnt/overlay/wcm/core/content/sites/properties.html HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Uncaught SlingException java.lang.NullPointerException: null at org.apache.jsp.libs.cq.cloudserviceconfigs.components.configurations.configurations_jsp
I was stuck since I didn't know the exact path. Trial and error, figured out the missing path and granted permission to resolve.
Bonus interesting permission issue: the Author group does not have permission to /config/ nodes.
So the RTE plugins were not loading for us because the path was like this:
After a lot of digging, found this issue. The fix was to rename /config/ to /configuration/ and add the property configPath=configuration to the parent node.

I installed WSO2 AM(API Manager) 1.10.0 and used the user-mgt.xml from working AM 1.9.0, but now I cannot login to carbon admin UI

I installed WSO2 AM(API Manager) 1.10.0 and used the user-mgt.xml from working AM 1.9.0, but now I cannot login to carbon admin UI.
API Manager is configured with LDAP read only primary user store.
Additionally API Manager is configured to work with default H2. But I think this is not a reason.
If I configure API Manager with a standard user store (without any changes to user-mgt.xml, i.e. without adding readOnlyLdap config and removing default JDBC UserStoreManager), login to admin-dashboard works OK.
I got the warning message from wso2carbon.log:
TID: [-1234] [] [2016-07-03 05:55:54,731] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2016-07-03 05:55:54,730+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
I made the changes as suggested per I am unable to login to admin-dashboard application in WSO2 API manager, unfortunately that solution did not work for me.
Basically I installed a brand new WSO2 AM 1.10.0 with default settings, and all works fine, until I changed user-mgt.xml to enable LDAP; then I cannot log in to the carbon/admin UI anymore. So LDAP does not work out of the box with WSO2 AM 1.10.0? I followed the instructions related to LDAP set up, but it just did not work.
The strange thing is, LDAP works with AM 1.9.0. So is there any difference in setting up LDAP between version 1.10.0 and 1.9.0?
UPDATE:
For the moment, I gave up integrating LDAP with WSO2 AM 1.10.0. I moved to SAML2. But I keep the question open in case someone has worked this out with a solution, or this might help others. Thanks.
What is the value of the GetAllRolesOfUserEnabled property under AuthorizationManager in user-mgt.xml?
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
That property is not part of the 1.9 config and in 1.10 the default config has this set to false and we were seeing similar login issues. Setting this to true resolved this issue for us.
Joe
I can provide the following hints.
Since you haven't mentioned master-datasources.xml, I doubt the following. Do you have an external userstore database used in 1.9.0? If so, have you pointed 1.10.0 to the same database?
The log doesn't clearly say whether it failed due to an authentication or an authorization error. To find this out, you need to enable debug logs for the package org.wso2.carbon.user.core. This can be done in the repository/conf/log4j.properties file and needs a restart. Then, when your next login attempt fails, it will show you more details.
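The property Joe points at is easy to miss in a user-mgt.xml carried over from an older release, and it only bites once the user store is LDAP. As an added example (my own code, not WSO2's), the script below parses a user-mgt.xml fragment constructed from the snippet in Joe's answer, flags a read-only LDAP user store combined with GetAllRolesOfUserEnabled unset or false, and writes out a corrected copy. The user store class and connection URL in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the AuthorizationManager snippet in the answer above.
# Only the elements the check needs are present; a real user-mgt.xml carries much more.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
    </UserStoreManager>
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
      <Property name="GetAllRolesOfUserEnabled">false</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
"""

ROLES_PROPERTY = "GetAllRolesOfUserEnabled"


def authorization_properties(xml_text):
    """Return {name: value} for every <Property> under <AuthorizationManager>."""
    root = ET.fromstring(xml_text)
    props = {}
    for manager in root.iter("AuthorizationManager"):
        for prop in manager.findall("Property"):
            props[prop.get("name")] = (prop.text or "").strip()
    return props


def user_store_classes(xml_text):
    """Class names of all configured user store managers (primary and secondary)."""
    root = ET.fromstring(xml_text)
    return [usm.get("class", "") for usm in root.iter("UserStoreManager")]


def check_user_mgt(xml_text):
    """Return a list of findings; empty means the combination from the thread is absent."""
    uses_ldap = any("ldap" in cls.lower() for cls in user_store_classes(xml_text))
    value = authorization_properties(xml_text).get(ROLES_PROPERTY, "")
    findings = []
    if uses_ldap and value.lower() != "true":
        findings.append(
            "AuthorizationManager/%s is %s while an LDAP user store is configured; "
            "the thread above reports admin login failing until it is set to true"
            % (ROLES_PROPERTY, value or "unset")
        )
    return findings


def set_authorization_property(xml_text, name, value):
    """Return the XML with the named AuthorizationManager property set (added if missing)."""
    root = ET.fromstring(xml_text)
    for manager in root.iter("AuthorizationManager"):
        for prop in manager.findall("Property"):
            if prop.get("name") == name:
                prop.text = value
                break
        else:
            ET.SubElement(manager, "Property", name=name).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_user_mgt(SAMPLE_USER_MGT):
        print("FINDING:", finding)
    print(set_authorization_property(SAMPLE_USER_MGT, ROLES_PROPERTY, "true"))
```

Run against the real file with `check_user_mgt(open("repository/conf/user-mgt.xml").read())`; the rewrite function is there so the corrected configuration can be diffed against the original before it is deployed.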

SquidGuard Patch (LDAP parsing error)

I have been trying to deal with LDAP for my Kerberos authentication. I have successfully run Kerberos authentication for Squid and SquidGuard using LDAP (AD). It's working well aside from the user filter function.
squidGuard.log shows the error:
Added LDAP source: internal%5csquidusertest
I have bumped into this article: http://gotoanswer.stanford.edu/?q=SquidGuard+-+Ldap+doesnt+filter+users
But the hyperlink is no longer working, as when you try going to the main login page it won't give you the ability to register (the page is not loading).
I wonder if someone has the copy of that patch.
Thanks in advance.
As I check the compiled package for Debian Wheezy, I can see that the squidguard package already includes the patch. It might be something in the configuration of my squidguard file.
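The log line in the question shows the user name arriving as internal%5csquidusertest: %5c is the percent-encoding of a backslash, so a filter built from the raw string looks up a literal that no account matches. I do not have the patch linked above, so the following is an added example of my own (not SquidGuard's code) showing the normalisation I would expect such a fix to need: percent-decode the source, split off the DOMAIN\ prefix, and escape the user part per RFC 4515 before it is embedded in an LDAP search filter, so a decoded value can never change the filter's structure. The filter template and the sAMAccountName attribute are assumptions.

```python
from urllib.parse import unquote

# RFC 4515 escaping for a value embedded in an LDAP search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a user-supplied value so it can only ever match as a literal string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_source(raw_source):
    """Percent-decode a source name as logged and split it into (domain, user).

    'internal%5csquidusertest' -> ('internal', 'squidusertest'); a bare user name
    comes back with domain None.
    """
    decoded = unquote(raw_source)
    domain, sep, user = decoded.partition("\\")
    if not sep:
        return None, decoded
    return domain, user


def build_user_filter(raw_source, template="(&(objectClass=user)(sAMAccountName=%s))"):
    """Filter that finds the AD account behind a logged source (template is assumed)."""
    _, user = normalize_source(raw_source)
    return template % ldap_filter_escape(user)


def raw_versus_decoded(raw_source):
    """Side by side: what a lookup on the raw string searches for versus the decoded user."""
    raw = "(sAMAccountName=%s)" % ldap_filter_escape(raw_source)
    decoded = "(sAMAccountName=%s)" % ldap_filter_escape(normalize_source(raw_source)[1])
    return raw, decoded


if __name__ == "__main__":
    # Constructed input copied from the squidGuard.log line in the question
    print(raw_versus_decoded("internal%5csquidusertest"))
    print(build_user_filter("internal%5cj.doe%2A"))
```

raw_versus_decoded makes the mismatch visible: the raw form searches for the 24-character literal including the three characters %5c, while the decoded form searches for the account name the directory actually holds.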

JAAS - isUserInRole returns false for all roles in Tomcat

Here is the issue:
The JAAS realm connects to the database fine, the user name and password match, the session is authenticated. HOWEVER, none of the roles seem to be getting into the Principal. Tomcat's isUserInRole returns false for every role, and Tomcat security doesn't see them either.
Here is the realm configuration in the Server.xml
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="TomcatTimedLogin"
userClassName="com.tagish.auth.TypedPrincipal"
roleClassNames="org.ovasp.java.jaas.RolePrincipal" />
Here is the login.config
TomcatTimedLogin
{
org.owasp.java.jaas.TomcatTimedLogin required
useDS=true
dsJNDI="jdbc/resourceName"
dbDriver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
dbURL="jdbc:sqlserver://server\\DBSERVER;databaseName=DBName"
dbUser="username"
dbPassword="password"
debug=true
loginTable="loginTable"
clippingLevel="3"
interval="10"
loginQuery="SELECT UserID,Password FROM Users WHERE LogonUserName=? AND RetirementDate is null"
rolesQuery="SELECT Role.RoleDescription FROM User_Role,Role WHERE User_Role.UserID=? AND User_Role.RoleID=Role.RoleID";
};
And in catalina.properties I refer to the configuration like this
java.security.auth.login.config=file:///C:/config/login.config
When I start the application I do get the following message in the debug output; not sure why, as all classes should be accessible by the server:
SEVERE: Class org.ovasp.java.jaas.RolePrincipal not found! Class not added.
Any help would be appreciated. I have already read post after post and tutorial after tutorial, and those who do have this problem, don't have solution posted.
Btw, I am using Tomcat 5.5, not my choice, legacy code, you know how it is! I am also using the OWASP login module (OWASPJaasLoginModule.jar). This jar file is located in the server/lib directory.
Okay... I solved it myself... again, VERY STUPID! If this was my code I would be mad at myself, but it is not, and after 4 days of screwing around with this app, I am close to fed up. The problem was that the CLASS is not
org.ovasp.java.jaas.RolePrincipal
it's
org.owasp.java.jaas.RolePrincipal
STUPID!!!
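The SEVERE line in the question already named the cause: a principal class the realm cannot load is dropped, so no role ever reaches the Subject and every isUserInRole check fails closed. As an added example (my own code, not Tomcat's or OWASP's), the script below cross-checks the JAASRealm attributes from server.xml against the startup log and against the login module's package in login.config, and suggests the near-miss class name when the packages differ by a character or two. The three inputs are constructed from the thread; nothing is read from disk.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the server.xml, login.config and log line in the question
SERVER_XML_FRAGMENT = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="TomcatTimedLogin"
       userClassName="com.tagish.auth.TypedPrincipal"
       roleClassNames="org.ovasp.java.jaas.RolePrincipal" />
</Engine></Service></Server>"""

LOGIN_CONFIG = """TomcatTimedLogin
{
  org.owasp.java.jaas.TomcatTimedLogin required
  useDS=true
  dsJNDI="jdbc/resourceName";
};
"""

CATALINA_LOG = [
    "SEVERE: Class org.ovasp.java.jaas.RolePrincipal not found! Class not added.",
    "INFO: Server startup in 4213 ms",
]

NOT_FOUND_RE = re.compile(r"Class (\S+) not found! Class not added\.")
# "<class> required|requisite|sufficient|optional" is how a JAAS config names a login module
MODULE_RE = re.compile(r"^\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b", re.M)


def realm_principal_classes(server_xml):
    """Map each principal class named on a JAASRealm to the attribute that names it."""
    root = ET.fromstring(server_xml)
    classes = {}
    for realm in root.iter("Realm"):
        if not realm.get("className", "").endswith("JAASRealm"):
            continue
        for attr in ("userClassName", "roleClassNames"):
            for cls in (realm.get(attr) or "").split(","):
                if cls.strip():
                    classes[cls.strip()] = attr
    return classes


def login_module_classes(login_config):
    """Login module class names declared in a JAAS configuration file."""
    return [cls for cls, _flag in MODULE_RE.findall(login_config)]


def classes_not_loaded(log_lines):
    """Classes the realm reported as dropped at startup."""
    found = set()
    for line in log_lines:
        m = NOT_FOUND_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def unloadable_principal_classes(server_xml, log_lines):
    """Realm principal classes that the log says were never loaded, keyed by attribute."""
    missing = classes_not_loaded(log_lines)
    return {cls: attr for cls, attr in realm_principal_classes(server_xml).items() if cls in missing}


def package_mismatch_hints(server_xml, login_config, threshold=0.9):
    """(attribute, configured class, suggested class) where the principal's package is a
    near miss of a login module's package, which is the pattern behind the typo above."""
    hints = []
    module_packages = {mod.rpartition(".")[0] for mod in login_module_classes(login_config)}
    for cls, attr in realm_principal_classes(server_xml).items():
        pkg = cls.rpartition(".")[0]
        for mod_pkg in sorted(module_packages):
            if pkg != mod_pkg and difflib.SequenceMatcher(None, pkg, mod_pkg).ratio() >= threshold:
                hints.append((attr, cls, mod_pkg + cls[len(pkg):]))
    return hints


if __name__ == "__main__":
    print(unloadable_principal_classes(SERVER_XML_FRAGMENT, CATALINA_LOG))
    print(package_mismatch_hints(SERVER_XML_FRAGMENT, LOGIN_CONFIG))
```

The point of the log check is that Tomcat does not fail startup on a bad roleClassNames value; it only logs it, so a deployment that authenticates users but authorizes none of them looks healthy unless that one SEVERE line is caught.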