Discussion:
[Exist-open] LDAP realm bug
Ford, Thomas
2014-07-02 14:17:24 UTC
I am trying to migrate our eXist-db v1.4.3 system to the latest 2.1.6 LTS version. We very much need the LDAP feature to work but it does not appear to be working yet. I've followed the instructions here:

http://exist-db.org/exist/apps/doc/security.xml?q=security%20changes&field=all&id=D2.2.4#ldap-realm

.. modifying the url, domain, and base to match our Active Directory url, domain, and OU structure. I restarted, and the first error I got was: "An LDAP URL must be specified of the form ldap://<hostname>:<port>". I saw that there was a post related to this here: http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348

However, it did not offer any working solution and did not appear to have been resolved. I even found the Java class where this exception is thrown:
extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java
----
if (url == null) {
    throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
}
----
However, I have defined the connection url exactly as described in the documentation. So, I am inclined to think this is a bug. Perhaps the value of the url element is not getting assigned to the property in the java class? Has anyone else got this working?

/db/system/security/config.xml
<security-manager>
...
<realm id="LDAP">
<authentication>
<url>ldap://myldap.domain.org:389</url>
...

Please advise,
Thanks,
Tom


Thomas W. Ford
Assistant Director of Web Application Development
National Foreign Language Center
Univ. of Maryland, College Park, MD



The information contained in this e-mail message, including attachments, is confidential and/or privileged information and is intended only for the use of the person(s) or entity to which it is addressed. Unauthorized dissemination, distribution, or copying of this information is strictly prohibited. If you received this e-mail in error, please notify the sender and delete this message and any attachments.
Adam Retter
2014-07-02 14:22:24 UTC
Your url element is inside your authentication element, which it should not be; please check your xml against the example in the documentation again.
Ford, Thomas
2014-07-03 10:56:39 UTC
Sorry that was incomplete. Here is a more complete representation of the markup in: /db/system/security/config.xml
-----
<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
  <authentication-entry-point>/authentication/login</authentication-entry-point>
  <!--<events></events>-->
  <realm id="LDAP">
    <context>
      <authentication>simple</authentication>
      <url>ldap://myldap.mydomain.org:389</url>
      <domain>mydomain.org</domain>
      <search>
        <base>ou=MYORG People,dc=mydomain,dc=org</base>
        <default-username>***@nflc.org</default-username>
        <default-password>mypass</default-password>
        <account>
          <search-filter-prefix>objectClass=user</search-filter-prefix>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
        </account>
        <group>
          <search-filter-prefix>objectClass=group</search-filter-prefix>
          <search-attribute key="member">member</search-attribute>
          <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
          <search-attribute key="objectSid">objectSid</search-attribute>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <search-attribute key="dn">distinguishedName</search-attribute>
          <whitelist>
            <principal>Domain Users</principal>
          </whitelist>
        </group>
      </search>
    </context>
  </realm>
</security-manager>

-----

Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
Misztur, Chris
2014-07-06 14:53:08 UTC
I will post my working config tomorrow.

Authentication does work; however, there were some issues with black/white lists.

I will also be on #exist-db tomorrow if you want to chat (waldo_x).


________________________________

The contents of this message may be privileged and confidential. Therefore, if this message has been received in error, please delete it without reading it. Your receipt of this message is not intended to waive any applicable privilege. Please do not disseminate this message without the permission of the author.

Please consider the environment before printing this e-mail
Misztur, Chris
2014-07-07 12:36:09 UTC
In my domain, users log in as: domain\username
However, through eXist they log in as: ***@my-domain.com

Here is my config:

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="26" last-group-id="11" version="2.0">
  <authentication-entry-point>/authentication/login</authentication-entry-point>
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>false</use-ssl>
      <!--<principal-pattern></principal-pattern>-->
      <url>ldap://domain-controller.my-domain.com:389</url>
      <domain>my-domain.com</domain>
      <search>
        <base>DC=my-domain,DC=com</base>
        <!--<default-username></default-username>-->
        <!--<default-password></default-password>-->
        <account>
          <search-filter-prefix>objectClass=user</search-filter-prefix>
          <search-attribute key="objectSid">objectSid</search-attribute>
          <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <search-attribute key="dn">distinguishedName</search-attribute>
          <search-attribute key="memberOf">memberOf</search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
          <!--<whitelist></whitelist>-->
          <!--<blacklist></blacklist>-->
        </account>
        <group>
          <search-filter-prefix>objectClass=group</search-filter-prefix>
          <search-attribute key="member">member</search-attribute>
          <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
          <search-attribute key="objectSid">objectSid</search-attribute>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <search-attribute key="dn">distinguishedName</search-attribute>
          <!--<whitelist></whitelist>-->
          <!--<blacklist></blacklist>-->
        </group>
      </search>
      <!--<transformation></transformation>-->
    </context>
  </realm>
  <!--<events></events>-->
</security-manager>



Ford, Thomas
2014-07-07 14:03:19 UTC
Thanks for your response. I adjusted my config slightly as follows, and restarted eXist, but got the same error message: "An LDAP URL must be specified of the form ldap://<hostname>:<port>". I have tested the LDAP URL independently of eXist and the URL does work. I tried a few variations of this but nothing seems to work; it's always the same message. If it is indeed a config error and not a bug, it would be useful to have a more meaningful error message.


<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
  <authentication-entry-point>/authentication/login</authentication-entry-point>
  <!--<events></events>-->
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>false</use-ssl>
      <url>ldap://ldap.mydomain.org:389</url>
      <domain>mydomain.org</domain>
      <search>
        <base>DC=mydomain,DC=org</base>
        <account>
          <search-filter-prefix>objectClass=user</search-filter-prefix>
          <search-attribute key="objectSid">objectSid</search-attribute>
          <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <search-attribute key="dn">distinguishedName</search-attribute>
          <search-attribute key="memberOf">memberOf</search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
          <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
        </account>
        <group>
          <search-filter-prefix>objectClass=group</search-filter-prefix>
          <search-attribute key="member">member</search-attribute>
          <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
          <search-attribute key="objectSid">objectSid</search-attribute>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <search-attribute key="dn">distinguishedName</search-attribute>
        </group>
      </search>
    </context>
  </realm>
</security-manager>



Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
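The config check below gives the kind of meaningful error message asked for in this thread before the realm is loaded. It is an added example, not eXist-db's own code: the element names come from the configs posted above, but the rules (where <url> must sit, the URL shape, stray whitespace inside attribute names, a clear-text <default-password>) and their wording are the script's own, and both sample configs are constructed.

```python
"""Check the LDAP realm of an eXist-db security-manager config.xml for the
mistakes seen in this thread. Added example, not eXist-db's own code: element
names are eXist's, the rules and messages are this script's own."""
import re
import xml.etree.ElementTree as ET

EXIST_NS = "http://exist-db.org/Configuration"
# ldap:// or ldaps://, a hostname or IPv4 literal, optional port (IPv6 literals not handled).
LDAP_URL = re.compile(r"^ldaps?://[A-Za-z0-9.-]+(:\d{1,5})?$")
# Elements whose text is handed to the directory as a DN, filter or attribute name.
ATTRIBUTE_ELEMENTS = {"base", "search-filter-prefix", "search-attribute", "metadata-search-attribute"}


def local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def check_ldap_realm(xml_text):
    """Return a list of (severity, message) tuples; an empty list means no findings."""
    findings = []
    root = ET.fromstring(xml_text)
    if local(root.tag) != "security-manager":
        return [("error", "root element is not <security-manager>")]
    if not root.tag.startswith("{%s}" % EXIST_NS):
        findings.append(("warn", "default namespace is not %s" % EXIST_NS))
    realm = next((r for r in root if local(r.tag) == "realm" and r.get("id") == "LDAP"), None)
    if realm is None:
        return findings + [("error", 'no <realm id="LDAP"> element')]
    parents = {c: p for p in realm.iter() for c in p}  # child -> parent
    urls = [e for e in realm.iter() if local(e.tag) == "url"]
    context_urls = [u for u in urls if local(parents[u].tag) == "context"]
    for u in urls:
        if u not in context_urls:
            # The mistake from the first post: <url> wrapped in <authentication>.
            findings.append(("error", "<url> is nested under <%s>; it must be a direct child of"
                             " <realm>/<context>, otherwise eXist reports 'An LDAP URL must be"
                             " specified of the form ldap://<hostname>:<port>'" % local(parents[u].tag)))
    if not context_urls:
        findings.append(("error", "no <url> element under <context>"))
    for u in context_urls:
        value = (u.text or "").strip()
        if not LDAP_URL.match(value):
            findings.append(("error", "<url> '%s' is not of the form ldap(s)://host[:port]" % value))
        elif value.startswith("ldap://"):
            findings.append(("warn", "ldap:// with simple bind sends every login password to the"
                             " directory unencrypted; prefer ldaps:// unless the network is trusted"))
    for e in realm.iter():
        name, text = local(e.tag), e.text or ""
        if name in ATTRIBUTE_ELEMENTS and text != text.strip():
            # A line break inside the element, as in the posted primaryGroupToken line.
            findings.append(("warn", "<%s> value %r has surrounding whitespace; eXist may pass it"
                             " to the directory verbatim" % (name, text)))
        if name == "default-password" and text.strip():
            findings.append(("warn", "<default-password> keeps the service-account password in clear"
                             " text in /db/system/security/config.xml; restrict read access to it"))
    return findings


def severities(xml_text):
    """Sorted severities only, for a quick pass/fail gate."""
    return sorted(sev for sev, _ in check_ldap_realm(xml_text))


# Constructed sample: the shape from the first post, <url> inside <authentication>.
BROKEN_CONFIG = """<security-manager>
  <realm id="LDAP">
    <authentication>
      <url>ldap://myldap.domain.org:389</url>
    </authentication>
  </realm>
</security-manager>"""

# Constructed sample: <url> directly under <context>, as in the working config, but over ldaps.
FIXED_CONFIG = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.0">
  <authentication-entry-point>/authentication/login</authentication-entry-point>
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <url>ldaps://domain-controller.my-domain.com:636</url>
      <domain>my-domain.com</domain>
      <search>
        <base>DC=my-domain,DC=com</base>
        <account>
          <search-filter-prefix>objectClass=user</search-filter-prefix>
          <search-attribute key="name">sAMAccountName</search-attribute>
        </account>
        <group>
          <search-filter-prefix>objectClass=group</search-filter-prefix>
          <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
        </group>
      </search>
    </context>
  </realm>
</security-manager>"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print("==", label)
        for sev, msg in check_ldap_realm(cfg) or [("ok", "no findings")]:
            print("%-5s %s" % (sev, msg))
```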
________________________________________
From: Misztur, Chris [***@macleanfogg.com]
Sent: Monday, July 07, 2014 8:36 AM
To: Ford, Thomas; Adam Retter
Cc: exist-***@lists.sourceforge.net
Subject: RE: [Exist-open] LDAP realm bug

In my domain users log in as such: domain\username
However through exist they login as: ***@my-domain.com

Here is my config :

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="26" last-group-id="11" version="2.0">
<authentication-entry-point>/authentication/login</authentication-entry-point>
<realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
<context>
<authentication>simple</authentication>
<use-ssl>false</use-ssl>
<!--<principal-pattern></principal-pattern>-->
<url>ldap://domain-controller.my-domain.com:389</url>
<domain>my-domain.com</domain>
<search>
<base>DC=my-domain,DC=com</base>
<!--<default-username></default-username>-->
<!--<default-password></default-password>-->
<account>
<search-filter-prefix>objectClass=user</search-filter-prefix>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<search-attribute key="memberOf">memberOf</search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
</account>
<group>
<search-filter-prefix>objectClass=group</search-filter-prefix>
<search-attribute key="member">member</search-attribute>
<search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
</group>
</search>
<!--<transformation></transformation>-->
</context>
</realm>
<!--<events></events>-->
</security-manager>



-----Original Message-----
From: Ford, Thomas [mailto:***@nflc.umd.edu]
Sent: Thursday, July 03, 2014 5:57 AM
To: Adam Retter
Cc: exist-***@lists.sourceforge.net
Subject: Re: [Exist-open] LDAP realm bug

Sorry that was incomplete. Here is a more complete representation of the markup in: /db/system/security/config.xml
-----
<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
<authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
<realm id="LDAP">
<context>
<authentication>simple</authentication>
<url>ldap://myldap.mydomain.org:389</url>
<domain>mydomain.org</domain>
<search>
<base>ou=MYORG People,dc=mydomain,dc=org</base>
<default-username>***@nflc.org</default-username>
<default-password>mypass</default-password>
<account>
<search-filter-prefix>objectClass=user</search-filter-prefix>
<search-attribute key="name">sAMAccountName</search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
</account>
<group>
<search-filter-prefix>objectClass=group</search-filter-prefix>
<search-attribute key="member">member</search-attribute>
<search-attribute key="primaryGroupToken">primaryGroupToken
</search-attribute>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<whitelist>
<principal>Domain Users</principal>
</whitelist>
</group>
</search>
</context>
</realm>

</security-manager>

-----

Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________
From: Adam Retter [***@exist-db.org]
Sent: Wednesday, July 02, 2014 10:22 AM
To: Ford, Thomas
Cc: exist-***@lists.sourceforge.net
Subject: Re: [Exist-open] LDAP realm bug


Your url element is inside your authentication element, which it should not be. Please check your xml against the example in the documentation again.

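As an added example, not code from this thread or from eXist-db: a small Python check for the structural mistakes discussed in this exchange, meant to be run against a copy of config.xml before restarting eXist. The BROKEN sample has the shape of the first post (url nested under authentication), the FIXED sample follows the July 3 layout. The element names are the ones used in the configs above; the function names, the URL regex, the message texts and the svc-exist@mydomain.org service account are assumptions of this example.

```python
"""Structural checks for the LDAP realm in eXist-db's /db/system/security/config.xml.

Added example, not from this thread or from eXist-db. Only the element names used
in the configs posted on the list are assumed (realm, context, authentication,
url, use-ssl, search/base, principal-pattern, default-password); everything else
here (function names, regex, messages, sample account) is this example's own.
"""
import re
import xml.etree.ElementTree as ET

# The error quoted in the thread asks for ldap://<hostname>:<port>.
URL_RE = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with local name `name`, namespaced or not."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def check_ldap_realm(xml_text):
    """Return a list of findings; entries starting with 'warning:' are not fatal."""
    findings = []
    root = ET.fromstring(xml_text)
    realms = [e for e in root.iter() if _local(e.tag) == "realm" and e.get("id") == "LDAP"]
    if not realms:
        return ['no <realm id="LDAP"> element found']
    realm = realms[0]

    # The mistake from the first post: <url> nested inside <authentication>.
    auth_block = _child(realm, "authentication")
    if auth_block is not None and _child(auth_block, "url") is not None:
        findings.append("<url> is nested inside <authentication>; it must be a direct child of <context>")

    ctx = _child(realm, "context")
    if ctx is None:
        findings.append("<context> missing under <realm>")
        return findings

    url = _text(_child(ctx, "url"))
    if not url:
        findings.append("<context>/<url> missing: LdapContextFactory throws "
                        "'An LDAP URL must be specified of the form ldap://<hostname>:<port>'")
    elif not URL_RE.match(url):
        findings.append("<url> %r is not of the form ldap://<hostname>:<port>" % url)

    method = _text(_child(ctx, "authentication")).lower()
    if not method or "://" in method:
        findings.append("<context>/<authentication> must name a bind method such as 'simple', not a URL")

    search = _child(ctx, "search")
    if search is None or not _text(_child(search, "base")):
        findings.append("<search>/<base> missing: account and group searches have no starting point")

    pattern = _text(_child(ctx, "principal-pattern"))
    if pattern and "{0}" not in pattern:
        findings.append("<principal-pattern> has no {0} placeholder for the user name")

    # Security caveats rather than structural errors.
    if method == "simple" and url.startswith("ldap://") and _text(_child(ctx, "use-ssl")).lower() != "true":
        findings.append("warning: simple bind over ldap:// with use-ssl not set to true "
                        "sends the bind password in clear text")
    if search is not None and _text(_child(search, "default-password")):
        findings.append("warning: <default-password> stores a service-account password in clear "
                        "text inside the database; restrict who can read /db/system/security")
    return findings


# Constructed samples: the first mirrors the layout of the opening post,
# the second the July 3 layout (service account name is made up).
BROKEN = """<security-manager>
  <realm id="LDAP">
    <authentication>
      <url>ldap://myldap.domain.org:389</url>
    </authentication>
  </realm>
</security-manager>"""

FIXED = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.0">
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>false</use-ssl>
      <url>ldap://myldap.mydomain.org:389</url>
      <domain>mydomain.org</domain>
      <search>
        <base>DC=mydomain,DC=org</base>
        <default-username>svc-exist@mydomain.org</default-username>
        <default-password>mypass</default-password>
      </search>
    </context>
  </realm>
</security-manager>"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else FIXED
    for finding in check_ldap_realm(text):
        print(finding)
```

Run it with the path of an exported config.xml as the only argument; with no argument it checks the FIXED sample and prints the two warnings. The two warnings are the points a reviewer would raise about the configs in this thread regardless of the url bug: a simple bind over plain ldap:// puts the bind password on the wire, and the default-password element keeps a service-account password in the database collection.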
Misztur, Chris
2014-07-07 19:44:06 UTC
Permalink
Can you turn on debug logging and show the failure stack?
I know that Dmitriy's changes to get this to work for me were post 2.1...


Can you try adding principal-pattern element into context element with a specific user OU?

<context>
<principal-pattern>cn={0},OU=Users,OU=your-domain,DC=your-domain,DC=com</principal-pattern>
...



-----Original Message-----
From: Ford, Thomas [mailto:***@nflc.umd.edu]
Sent: Monday, July 07, 2014 9:03 AM
To: Misztur, Chris; Adam Retter
Cc: exist-***@lists.sourceforge.net
Subject: RE: [Exist-open] LDAP realm bug

Thanks for your response. I adjusted my config slightly as follows.. and restarted exist, but got the same error message: "An LDAP URL must be specified of the form ldap://:" . I have tested the ldap url independently of eXist and the url does work. I tried a few variations of this but nothing seems to work... it's always the same message. If it is indeed a config error and not a bug, it would be useful to have a more meaningful error message.


<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="12" last-group-id="14" version="2.0">
<authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
<realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
<context>
<authentication>simple</authentication>
<use-ssl>false</use-ssl>
<url>ldap://ldap.mydomain.org:389</url>
<domain>mydomain.org</domain>
<search>
<base>DC=mydomain,DC=org</base>
<account>
<search-filter-prefix>objectClass=user</search-filter-prefix>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<search-attribute key="memberOf">memberOf</search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
</account>
<group>
<search-filter-prefix>objectClass=group</search-filter-prefix>
<search-attribute key="member">member</search-attribute>
<search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
</group>
</search>
</context>
</realm>
</security-manager>



Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
________________________________________
From: Misztur, Chris [***@macleanfogg.com]
Sent: Monday, July 07, 2014 8:36 AM
To: Ford, Thomas; Adam Retter
Cc: exist-***@lists.sourceforge.net
Subject: RE: [Exist-open] LDAP realm bug

In my domain, users log in as domain\username. However, through eXist they log in as ***@my-domain.com

Here is my config :

<security-manager xmlns="http://exist-db.org/Configuration" last-account-id="26" last-group-id="11" version="2.0">
<authentication-entry-point>/authentication/login</authentication-entry-point>
<realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
<context>
<authentication>simple</authentication>
<use-ssl>false</use-ssl>
<!--<principal-pattern></principal-pattern>-->
<url>ldap://domain-controller.my-domain.com:389</url>
<domain>my-domain.com</domain>
<search>
<base>DC=my-domain,DC=com</base>
<!--<default-username></default-username>-->
<!--<default-password></default-password>-->
<account>
<search-filter-prefix>objectClass=user</search-filter-prefix>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<search-attribute key="memberOf">memberOf</search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
<metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
</account>
<group>
<search-filter-prefix>objectClass=group</search-filter-prefix>
<search-attribute key="member">member</search-attribute>
<search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
<search-attribute key="objectSid">objectSid</search-attribute>
<search-attribute key="name">sAMAccountName</search-attribute>
<search-attribute key="dn">distinguishedName</search-attribute>
<!--<whitelist></whitelist>-->
<!--<blacklist></blacklist>-->
</group>
</search>
<!--<transformation></transformation>-->
</context>
</realm>
<!--<events></events>-->
</security-manager>



Rémi Koutchérawy
2014-07-07 21:27:47 UTC
Permalink
Hi
> [...] I saw that there was a post related to this here: http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348
>
> However, it did not offer any working solution and did not appear to have been resolved.
I got a working solution, attached is a module and a test.

Debugging step by step in Eclipse, I realized the xml config file was
not parsed correctly.
I almost crafted a pull request in Java, but realized I cannot test
against ActiveDirectory.
My concern was OpenLdap not ActiveDirectory, and I reverted to a more
basic solution.

Inspired from
https://github.com/eXist-db/exist/blob/develop/extensions/modules/src/org/exist/xquery/modules/jndi/jndiExample.xql
I just need to activate jndi in :
- exist-2.1/conf.xml
- extensions/build.properties
- installer/conf.xml

To test I installed openldap-2.4.39 with a basic ldap config
cn=me,ou=people,dc=localhost
With a parameter.xml file to easily switch to another ldap server.
I left the util:log-system-out calls in the attached files; they may be useful to
see how it works, but to keep things readable I hard-coded the ldap values here
instead of attaching the parameter file.

HTH

Remi
Misztur, Chris
2014-07-08 12:30:12 UTC
Permalink
D,

did the bug fixes you did for my case make it into 2.1.6?

> On Jul 7, 2014, at 4:30 PM, "Rémi Koutchérawy" <***@gmail.com> wrote:
>
> Hi
>> [...] I saw that there was a post related to this here: http://exist.2174344.n4.nabble.com/Help-to-configure-LDAP-td4663342.html#a4663348
>>
>> However, it did not offer any working solution and did not appear to have been resolved.
> I got a working solution, attached is a module and a test.
>
> Debugging step by step in Eclipse, I realized the xml config file was not parsed correctly.
> I almost crafted a pull request in Java, but realized I cannot test against ActiveDirectory.
> My concern was OpenLdap not ActiveDirectory, and I reverted to a more basic solution.
>
> Inspired from
> https://github.com/eXist-db/exist/blob/develop/extensions/modules/src/org/exist/xquery/modules/jndi/jndiExample.xql
> I just need to activate jndi in :
> - exist-2.1/conf.xml
> - extensions/build.properties
> - installer/conf.xml
>
> To test I installed openldap-2.4.39 with a basic ldap config cn=me,ou=people,dc=localhost
> With a parameter.xml file to easily switch to another ldap server.
> I left the util:log-system-out calls in the attached files; they may be useful to see how it works,
> but to keep things readable I hard-coded the ldap values here instead of attaching the parameter file.
>
> HTH
>
> Remi
>
>
> <ldap1.xqm>
> <ldap1.xql>
Ford, Thomas
2014-07-08 14:27:47 UTC
Permalink
Rémi, thanks. I may give that a try as well.

Dmitriy, regarding your fix, did it make it into 2.2RC1? I just downloaded this latest version and configured the ldap context and got the same error as described previously. I checked the exist.log and found this error:

2014-07-08 10:13:22,056 [AWT-EventQueue-0] ERROR (Configurator.java [configure]:244) - class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package
java.lang.SecurityException: class "org.exist.security.realm.TransformationContext"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:952)
at java.lang.ClassLoader.preDefineClass(ClassLoader.java:666)
at java.lang.ClassLoader.defineClass(ClassLoader.java:794)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at java.lang.Class.getDeclaredFields0(Native Method)
at java.lang.Class.privateGetDeclaredFields(Class.java:2397)
at java.lang.Class.getDeclaredFields(Class.java:1806)
at org.exist.config.Configurator.getConfigurationAnnotatedFields(Configurator.java:99)
at org.exist.config.Configurator.configureByCurrent(Configurator.java:257)
at org.exist.config.Configurator.configure(Configurator.java:242)
at org.exist.security.realm.ldap.LdapContextFactory.<init>(LdapContextFactory.java:83)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.exist.config.Configurator.create(Configurator.java:602)
at org.exist.config.Configurator.configureByCurrent(Configurator.java:340)
at org.exist.config.Configurator.configure(Configurator.java:242)
at org.exist.security.AbstractRealm.<init>(AbstractRealm.java:76)
at org.exist.security.realm.ldap.LDAPRealm.<init>(LDAPRealm.java:81)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.exist.config.Configurator.create(Configurator.java:597)
at org.exist.config.Configurator.create(Configurator.java:579)
at org.exist.config.Configurator.configureByCurrent(Configurator.java:535)
at org.exist.config.Configurator.configure(Configurator.java:242)
at org.exist.security.internal.SecurityManagerImpl.attach(SecurityManagerImpl.java:214)
at org.exist.storage.BrokerPool.initialize(BrokerPool.java:945)
at org.exist.storage.BrokerPool.<init>(BrokerPool.java:722)
at org.exist.storage.BrokerPool.configure(BrokerPool.java:248)
at org.exist.storage.BrokerPool.configure(BrokerPool.java:224)
at org.exist.jetty.JettyStart.run(JettyStart.java:163)
at org.exist.launcher.Launcher$7.actionPerformed(Launcher.java:217)
at java.awt.MenuItem.processActionEvent(MenuItem.java:669)
at java.awt.MenuItem.processEvent(MenuItem.java:628)
at java.awt.MenuComponent.dispatchEventImpl(MenuComponent.java:351)
at java.awt.MenuComponent.dispatchEvent(MenuComponent.java:339)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:738)
at java.awt.EventQueue.access$200(EventQueue.java:103)
at java.awt.EventQueue$3.run(EventQueue.java:694)
at java.awt.EventQueue$3.run(EventQueue.java:692)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:708)
at java.awt.EventQueue$4.run(EventQueue.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:705)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:242)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:161)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:146)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:138)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:91)


Thomas W. Ford
Assistant Director of Web Application Development
Ext# 5-9731
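An added diagnostic for the SecurityException in the log above (my code, not eXist-db's and not from anyone on this thread). The JVM refuses to define a class when another class of the same package has already been loaded from a jar with a different signer, or from an unsigned jar; Loren Cahlander's later reply in this thread fixes exactly that by signing every jar in lib/extensions. The script lists packages whose classes are spread over jars that do not agree on a signer. It identifies a jar's signer by the name of its signature block, which jarsigner derives from the keystore alias; it does not compare certificates (use jarsigner -verify -verbose -certs for that), and it treats a whole jar as having one signer, whereas the JVM checks per entry. The sample jars are built in memory with dummy signature blocks, and the jar and class names in them are placeholders, not a claim about which eXist jar ships which class.

```python
"""Report Java packages whose classes are spread over jars with different signers.

Added diagnostic, not code from this thread or from eXist-db. Signer identity is a
heuristic (signature block name, i.e. the jarsigner alias), and the sample jars are
constructed in memory; class and jar names in them are placeholders.
"""
import io
import zipfile
from collections import defaultdict

SIGNATURE_BLOCKS = (".RSA", ".DSA", ".EC")


def signer_id(zf):
    """'unsigned', or 'signed:<ALIASES>' taken from META-INF signature block names."""
    aliases = sorted({n.rsplit("/", 1)[-1].rsplit(".", 1)[0].upper()
                      for n in zf.namelist()
                      if n.upper().startswith("META-INF/") and n.upper().endswith(SIGNATURE_BLOCKS)})
    return "signed:" + ",".join(aliases) if aliases else "unsigned"


def packages_in(zf):
    """Dotted package names that have at least one .class entry in the jar."""
    return {n.rsplit("/", 1)[0].replace("/", ".")
            for n in zf.namelist() if n.endswith(".class") and "/" in n}


def find_signer_conflicts(jars):
    """jars: iterable of (label, path or file object).
    Returns {package: {label: signer}} for every package whose jars disagree on the signer."""
    by_package = defaultdict(dict)
    for label, src in jars:
        if hasattr(src, "seek"):
            src.seek(0)
        with zipfile.ZipFile(src) as zf:
            sid = signer_id(zf)
            for pkg in packages_in(zf):
                by_package[pkg][label] = sid
    return {pkg: owners for pkg, owners in by_package.items() if len(set(owners.values())) > 1}


def make_jar(class_entries, alias):
    """Build an in-memory jar; alias='' leaves it unsigned. Constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic, nothing more
        if alias:
            zf.writestr("META-INF/%s.SF" % alias, "Signature-Version: 1.0\n")
            zf.writestr("META-INF/%s.RSA" % alias, b"dummy-signature-block")
    return buf


# Constructed scenario shaped like the log above: the core jar is signed, the
# LDAP extension jar is not, and both contribute classes to org.exist.security.realm.
SAMPLE_JARS = [
    ("exist.jar", make_jar(["org/exist/security/realm/CoreRealmClass.class"], "EXIST")),
    ("exist-security-ldap.jar", make_jar(["org/exist/security/realm/ldap/LDAPRealm.class",
                                          "org/exist/security/realm/TransformationContext.class"], "")),
    ("exist-optional.jar", make_jar(["org/exist/xquery/modules/SomeModule.class"], "EXIST")),
]


if __name__ == "__main__":
    import glob
    import sys
    # e.g. python jar_signers.py exist.jar lib/core/*.jar lib/extensions/*.jar
    paths = [p for arg in sys.argv[1:] for p in glob.glob(arg)]
    jars = [(p, p) for p in paths] or SAMPLE_JARS
    for pkg, owners in sorted(find_signer_conflicts(jars).items()):
        print(pkg)
        for label, sid in sorted(owners.items()):
            print("  %-40s %s" % (label, sid))
```

Run from the eXist install directory with the jar globs as arguments; a conflict line naming org.exist.security.realm with one jar unsigned is the situation the stack trace describes. Either signing the extension jars too, or unsigning everything (the jnlp-unsign-all target), makes the package consistent again; the point is that every jar contributing to a package must agree.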
Dmitriy Shabanov
2014-07-08 15:17:41 UTC
Permalink
On Tue, Jul 8, 2014 at 6:27 PM, Ford, Thomas <***@nflc.umd.edu> wrote:

> Rémi, thanks. I may give that a try as well.
>
> Dmitriy, regarding your fix, did it make it into 2.2RC1? I just
> downloaded this latest version and configured the ldap context and got the
> same error as described previously. I checked the exist.log and found this
> error:
>
> 2014-07-08 10:13:22,056 [AWT-EventQueue-0] ERROR (Configurator.java
> [configure]:244) - class "org.exist.security.realm.TransformationContext"'s
> signer information does not match signer information of other classes in
> the same package
> java.lang.SecurityException: class
> "org.exist.security.realm.TransformationContext"'s signer information does
> not match signer information of other classes in the same package
>

Where did you install it? I can say for sure only that trunk has the fix.


--
Dmitriy Shabanov
lstant
2017-06-10 18:02:20 UTC
Permalink
I'm having the same problem with an eXist 2.2 install which I can't upgrade
to 3 at the moment.
Is there a fix? I don't see any resolution on this thread or others.

Laurence



--
View this message in context: http://exist.2174344.n4.nabble.com/LDAP-realm-bug-tp4664932p4672302.html
Sent from the exist-open mailing list archive at Nabble.com.
lstant
2017-06-10 17:48:04 UTC
Permalink
I'm having the same problem with an eXist 2.2 install which I can't upgrade
to 3 at the moment.
Is there a fix? I don't see any resolution on this thread or others.

Laurence



--
View this message in context: http://exist.2174344.n4.nabble.com/LDAP-realm-bug-tp4664932p4672301.html
Sent from the exist-open mailing list archive at Nabble.com.
Loren Cahlander
2017-06-11 19:42:02 UTC
Permalink
I do not know if this is relevant, but I had a problem with LDAP before. The jar files needed to be signed:


Edit build\scripts\jarsigner.xml

add

  <target name="jnlp-sign-extensions" description="Sign all extension jar files in lib/extensions."
          depends="jnlp-prepare,jnlp-keygen">
    <signjar alias="${keystore.alias}" storepass="${keystore.password}"
             keystore="${keystore.file}">
      <fileset dir="lib/extensions">
        <include name="*.jar"/>
      </fileset>
    </signjar>
  </target>

change

  <!-- All tasks, in the best sequence -->
  <target name="jnlp-all"
          depends="jnlp-prepare,jnlp-keygen,jnlp-sign-exist,jnlp-sign-core"
          description="Create keystore file and sign all EXIST and CORE jar files."/>

to

  <!-- All tasks, in the best sequence -->
  <target name="jnlp-all"
          depends="jnlp-prepare,jnlp-keygen,jnlp-sign-exist,jnlp-sign-core,jnlp-sign-extensions"
          description="Create keystore file and sign all EXIST and CORE jar files."/>

change

  <!-- Special task for unsigning jar files -->
  <target name="jnlp-unsign-all"
          description="Unsign all jar files.">
    <taskdef name="unsignjar"
             classname="nl.ow.dilemma.ant.jar.UnsignJarTask"
             classpath="${asocat-exist.jar}"/>
    <unsignjar>
      <fileset dir=".">
        <include name="exist*.jar"/>
        <include name="start.jar"/>
      </fileset>
      <fileset dir="lib/core">
        <include name="*.jar"/>
      </fileset>
      <fileset dir="lib/extensions">
        <include name="exist-netedit.jar"/>
      </fileset>
      <fileset dir="lib/optional">
        <include name="commons-codec-*.jar"/>
        <include name="commons-httpclient-*.jar"/>
      </fileset>
    </unsignjar>
  </target>

to

  <!-- Special task for unsigning jar files -->
  <target name="jnlp-unsign-all"
          description="Unsign all jar files.">
    <taskdef name="unsignjar"
             classname="nl.ow.dilemma.ant.jar.UnsignJarTask"
             classpath="${asocat-exist.jar}"/>
    <unsignjar>
      <fileset dir=".">
        <include name="exist*.jar"/>
        <include name="start.jar"/>
      </fileset>
      <fileset dir="lib/core">
        <include name="*.jar"/>
      </fileset>
      <fileset dir="lib/extensions">
        <include name="*.jar"/>
      </fileset>
      <fileset dir="lib/optional">
        <include name="commons-codec-*.jar"/>
        <include name="commons-httpclient-*.jar"/>
      </fileset>
    </unsignjar>
  </target>

run

  build.bat jnlp-unsign-all
  build.bat jnlp-all

This properly signs the jar files so that eXist-db can authenticate through LDAP.

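A check for the condition behind the "signer information does not match" SecurityException quoted earlier in the thread, as an added example (Python, not eXist-db code): it flags Java packages whose classes are spread across a signed jar and an unsigned one, which is what happens when exist.jar is signed but a jar in lib/extensions is not. The jar names and class placements in the sample are constructed; "signed" here means a META-INF/*.SF file is present, not that the signature verifies.

```python
import io
import zipfile
from collections import defaultdict

# Added example, not part of eXist-db. The JVM refuses to define a class in a
# package that already holds classes with different signers, so a package
# split between a signed jar and an unsigned jar fails at load time. This
# finds such splits. Presence of META-INF/*.SF is the (structural) signed test.

def is_signed(jar_bytes):
    """True if the jar carries a META-INF/*.SF signature file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith(".SF")
                   for n in zf.namelist())

def packages_in(jar_bytes):
    """Dotted names of every Java package that has a .class entry in the jar."""
    pkgs = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for n in zf.namelist():
            if n.endswith(".class") and "/" in n:
                pkgs.add(n.rsplit("/", 1)[0].replace("/", "."))
    return pkgs

def find_split_packages(jars):
    """jars: {jar name: raw bytes}. Returns {package: {"signed": [...],
    "unsigned": [...]}} for packages present in both kinds of jar."""
    seen = defaultdict(lambda: {"signed": [], "unsigned": []})
    for name, data in jars.items():
        key = "signed" if is_signed(data) else "unsigned"
        for pkg in packages_in(data):
            seen[pkg][key].append(name)
    return {p: v for p, v in seen.items() if v["signed"] and v["unsigned"]}

def make_jar(entries, signed):
    """Build a constructed in-memory jar; class bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            zf.writestr("META-INF/EXIST.SF", "Signature-Version: 1.0\n")
        for e in entries:
            zf.writestr(e, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed sample (jar names and placements assumed): exist.jar signed,
# an LDAP extension jar unsigned, both contributing to org.exist.security.realm.
SAMPLE_JARS = {
    "exist.jar": make_jar(["org/exist/security/realm/TransformationContext.class"], True),
    "extension-ldap.jar": make_jar(["org/exist/security/realm/ldap/LdapContextFactory.class",
                                    "org/exist/security/realm/PlaceholderRealmHelper.class"], False),
}
```

Run `find_split_packages` over the bytes of the real jars under an eXist install to see which packages are split before re-signing.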
l***@surrey.ac.uk
2017-06-13 10:51:20 UTC
Permalink
Thanks for this. The re-signing reported success without errors, although the dashboard splash image is now broken (will investigate).

If I try to log in now, I just get a wrong user or password error, and the log reads:



2017-06-13 11:42:54,397 [qtp5250656-32] ERROR (XMLDBAuthenticate.java [eval]:153) - Unable to authenticate user: ls00181 @ jar:file:/C:/eXist-db-3.2/lib/extensions/exist-modules.jar!/org/exist/xquery/modules/persistentlogin/login.xql [119:24]
org.exist.security.AuthenticationException: Account [ls00181] not found
at org.exist.security.internal.SecurityManagerImpl.authenticate(SecurityManagerImpl.java:460) ~[exist.jar:3.2.0]
at org.exist.xquery.functions.xmldb.XMLDBAuthenticate.eval(XMLDBAuthenticate.java:151) [exist.jar:3.2.0]
at org.exist.xquery.BasicFunction.eval(BasicFunction.java:74) [exist.jar:3.2.0]
at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:41) [exist.jar:3.2.0]
at (...)



It looks as though it isn't checking LDAP, just the internal authentication. The build.properties file has the AD and LDAP realms enabled and I have been restarting eXist after changes. Any thoughts?

l***@surrey.ac.uk
2017-06-13 10:58:20 UTC
Permalink
My bad, it is working (if I change the url to something wrong, it errors before the XMLDBAuthenticate lines). It would be nice perhaps to have a log entry saying whether the different realms failed, at an appropriate verbosity level.