Forums

Home » Liferay Portal » English » 6. Portal Framework

RSS (Opens New Window)

Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Lekan Omotayo
LDAP Integration: Failed login
February 3, 2011 9:23 AM
Answer

Lekan Omotayo

Rank: New Member

Posts: 11

Join Date: February 2, 2011

Recent Posts

Hi All,

I am new to LifeRAY. I am trying to setup LifeRay authentication using LDAP (Microsoft Active Directory).

See my settings below:
Authentication Search Filter = (sAMAccountName=@screen_name@)
Screen Name = sAMAccountName
Password = userPassword
Email Address = mail
Full Name = name
First Name = givenName
Last Name = sn
Job Title = title
Group = department

I checked the import enabled button as well as the Import on Startup Enabled button. I also checked the export enabled button.


However, whenever I try to login with an LDAP user, it throws the error below:

 1
 217:12:35,657 ERROR PollerServlet:279 - Invalid credentials for company id 1 and user id La7TCzEn94Q=
 317:12:35,657  WARN PortalImpl:3112 - Current URL /poller/send generates exception: null
 417:12:47,782 ERROR UserImpl:109 - com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 10402
 5com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 10402
 6    at com.liferay.portal.service.persistence.ContactPersistenceImpl.findByPrimaryKey(ContactPersistenceImpl.java:292)
 7    at com.liferay.portal.service.impl.ContactLocalServiceImpl.getContact(ContactLocalServiceImpl.java:40)
 8
 9    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
10    at $Proxy17.getContact(Unknown Source)
11    at com.liferay.portal.service.ContactLocalServiceUtil.getContact(ContactLocalServiceUtil.java:83)
12    at com.liferay.portal.model.impl.UserImpl.getContact(UserImpl.java:104)
13    at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:923)
14
15
1617:12:47,798 ERROR PortalLDAPUtil:966 - Error updating user with screen name firstname.lastname and email address user@email.com
17java.lang.NullPointerException
18    at java.util.Calendar.setTime(Calendar.java:1037)
19    at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:927)
20    at com.liferay.portal.security.auth.LDAPAuth.authenticate(LDAPAuth.java:204)
21    at com.liferay.portal.security.auth.LDAPAuth.authenticateByScreenName(LDAPAuth.java:95)
22    at com.liferay.portal.security.auth.AuthPipeline._authenticate(AuthPipeline.java:153)
23    at com.liferay.portal.security.auth.AuthPipeline.authenticateByScreenName(AuthPipeline.java:56)
24    at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:2549)
25
26    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
27    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
28    at $Proxy71.authenticateByScreenName(Unknown Source)
29    at com.liferay.portal.service.UserLocalServiceUtil.authenticateByScreenName(UserLocalServiceUtil.java:173)
30    at com.liferay.portlet.login.util.LoginUtil.login(LoginUtil.java:163)
31    at com.liferay.portlet.login.action.LoginAction.login(LoginAction.java:145)
32
33
34    at java.lang.Thread.run(Thread.java:595)
3517:12:47,891 ERROR PortalLDAPUtil:255 - javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
36]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Company Users,DC=CompanyDomain,DC=com'
37javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
38]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Compnay Users,DC=CompnayDomain,DC=com'
39    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3002)
40    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2940)
41    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2746)
42    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1446)
Flag
Juan Gonzalez
RE: LDAP Integration: Failed login
February 3, 2011 9:51 AM
Answer

Juan Gonzalez

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1235

Join Date: October 28, 2008

Recent Posts

Lekan Omotayo:

at java.lang.Thread.run(Thread.java:595)
17:12:47,891 ERROR PortalLDAPUtil:255 - javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Company Users,DC=CompanyDomain,DC=com'
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Compnay Users,DC=CompnayDomain,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3002)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2940)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1446)


Just see the logs properly. The user hasn't got permissions to access that DN in LDAP.

And perhaps you should set the authentication field by screen name.
Flag
Lekan Omotayo
RE: LDAP Integration: Failed login
February 4, 2011 12:10 AM
Answer

Lekan Omotayo

Rank: New Member

Posts: 11

Join Date: February 2, 2011

Recent Posts

Juan Gonzalez P:
Lekan Omotayo:

at java.lang.Thread.run(Thread.java:595)
17:12:47,891 ERROR PortalLDAPUtil:255 - javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Company Users,DC=CompanyDomain,DC=com'
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'CN=Firstname Lastname,OU=Unit,OU=Compnay Users,DC=CompnayDomain,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3002)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2940)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1446)


Just see the logs properly. The user hasn't got permissions to access that DN in LDAP.

And perhaps you should set the authentication field by screen name.


I 'd already set it to authenticate by screen name.

I eventually unchecked the export enabled button and when I tried to log in, it says:

 1
 208:03:18,835 ERROR UserImpl:109 - com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 10206
 3com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 10206
 4    at com.liferay.portal.service.persistence.ContactPersistenceImpl.findByPrimaryKey(ContactPersistenceImpl.java:292)
 5    at com.liferay.portal.service.impl.ContactLocalServiceImpl.getContact(ContactLocalServiceImpl.java:40)
 6    at sun.reflect.GeneratedMethodAccessor159.invoke(Unknown Source)
 7    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 8    at java.lang.reflect.Method.invoke(Method.java:585)
 9    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
10    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
11    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
12    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
13    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
14    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
15    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
16    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
17    at $Proxy17.getContact(Unknown Source)
18    at com.liferay.portal.service.ContactLocalServiceUtil.getContact(ContactLocalServiceUtil.java:83)
19    at com.liferay.portal.model.impl.UserImpl.getContact(UserImpl.java:104)
20    at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:923)
21    at com.liferay.portal.security.auth.LDAPAuth.authenticate(LDAPAuth.java:204)
22    at com.liferay.portal.security.auth.LDAPAuth.authenticateByScreenName(LDAPAuth.java:95)
23    at com.liferay.portal.security.auth.AuthPipeline._authenticate(AuthPipeline.java:153)
24    at com.liferay.portal.security.auth.AuthPipeline.authenticateByScreenName(AuthPipeline.java:56)
25    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
26    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
27    at java.lang.Thread.run(Thread.java:595)
2808:03:18,850 ERROR PortalLDAPUtil:966 - Error updating user with screen name first.lastname and email address email@mail.com
29java.lang.NullPointerException
30    at java.util.Calendar.setTime(Calendar.java:1037)
31    at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:927)
32    at com.liferay.portal.security.auth.LDAPAuth.authenticate(LDAPAuth.java:204)
33    at com.liferay.portal.security.auth.LDAPAuth.authenticateByScreenName(LDAPAuth.java:95)
34............
Flag
Apoorva Prakash
RE: LDAP Integration: Failed login
February 7, 2011 10:40 PM
Answer

Apoorva Prakash

Rank: Liferay Master

Posts: 594

Join Date: June 15, 2010

Recent Posts

Hello Lekan Omotayo,

Check your settings in control panel, match with the following:
(However I've done this with Apache DS)...




Hope this will help...

Thanks and Regards...
Flag
ice sword
RE: LDAP Integration: Failed login
June 8, 2011 3:10 AM
Answer

ice sword

Rank: New Member

Posts: 7

Join Date: January 23, 2011

Recent Posts

Apoorva Prakash:
Hello Lekan Omotayo,

Check your settings in control panel, match with the following:
(However I've done this with Apache DS)...




Hope this will help...

Thanks and Regards...



hi Apoorva Prakash

i'm using microsoft ad for ldap server and now i can log in liferay by using a user that not exist in liferay but exist in ldap server,but i got an error when i used test to log in

09:19:15,741 ERROR [LDAPAuth:164] Failed to bind to the LDAP server javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C09030F, comment: AcceptSecurityContext error


could you help me again? thanks a lot
Flag
tinu c p
RE: LDAP Integration: Failed login
June 8, 2011 3:18 AM
Answer

tinu c p

Rank: Junior Member

Posts: 56

Join Date: January 7, 2010

Recent Posts

You not able to sign in with test user i.e not in LDAP coz in your LDAP configuration in control panel you have checked Required option untick it to be able to sign in liferay.

Thanks,
AP
Flag
Apoorva Prakash
RE: LDAP Integration: Failed login
June 8, 2011 3:50 AM
Answer

Apoorva Prakash

Rank: Liferay Master

Posts: 594

Join Date: June 15, 2010

Recent Posts

Hello Ice Sword,
As you've checked login required, the liferay is not letting you login.
Try unchecking it.

Hope this will help.
Thanks regards and happy coding...
Flag
ice sword
RE: LDAP Integration: Failed login
June 8, 2011 4:36 AM
Answer

ice sword

Rank: New Member

Posts: 7

Join Date: January 23, 2011

Recent Posts

hi Apoorva Prakash and tinu c p

this is my liferay ldap configuration

Enabled:checked
Required:checked
------------------------
Import/Export

Import Enabled:unchecked
Export Enabled:checked


i used test to sign in successfully,but i got an error:

09:19:15,741 ERROR [LDAPAuth:164] Failed to bind to the LDAP server javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C09030F, comment: AcceptSecurityContext error


and now i changed the configuration


Enabled:checked
Required:unchecked
------------------------
Import/Export

Import Enabled:unchecked
Export Enabled:checked


but i got the same error

so could you give me some suggestion? thanks a lot
Flag
Apoorva Prakash
RE: LDAP Integration: Failed login
June 8, 2011 4:47 AM
Answer

Apoorva Prakash

Rank: Liferay Master

Posts: 594

Join Date: June 15, 2010

Recent Posts

Hey buddy,
I haven't done with MS-AD, but I have small idea about this problem. I can't point problem exactly, You've to dig in further.
In DN, it accepts following
useraccountname@corp.xxx.com (where useraccountname is the login ID and XXX is the domain your AD runs in)
Two more points
1. to the extent I know, LDAP authentication is skipped if the user is omni admin.
2. your password may not be saved in plain text. It was hashed but looks like plain...
So, may be this can solve your issue.

Hope this will help.
Thanks and Regards. emoticon
Flag
ice sword
RE: LDAP Integration: Failed login
June 8, 2011 5:14 AM
Answer

ice sword

Rank: New Member

Posts: 7

Join Date: January 23, 2011

Recent Posts

hi Apoorva Prakash and tinu c p

this is my liferay ldap configuration

Enabled:checked
Required:checked
------------------------
Import/Export

Import Enabled:unchecked
Export Enabled:checked


Apoorva Prakash:
Hey buddy,
I haven't done with MS-AD, but I have small idea about this problem. I can't point problem exactly, You've to dig in further.
In DN, it accepts following
useraccountname@corp.xxx.com (where useraccountname is the login ID and XXX is the domain your AD runs in)
Two more points
1. to the extent I know, LDAP authentication is skipped if the user is omni admin.
2. your password may not be saved in plain text. It was hashed but looks like plain...
So, may be this can solve your issue.

Hope this will help.
Thanks and Regards. emoticon


hey Apoorva Prakash

if i used a user that exist in ldap server,it will sign in successfully,even if i create a new user in ldap server,i also can sign in successfully;
but if i created a new user in liferay ,it can be synchronized to ldap server automatically.when i used this user to sign in liferay,i got the error.

09:19:15,741 ERROR [LDAPAuth:164] Failed to bind to the LDAP server javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C09030F, comment: AcceptSecurityContext error


i compared the user that synchronized from liferay to the user existed in ldap server and got some differences

the user in ldap server

cn bg1
instanceType 4
nTSecurityDescriptor
objectCategory CN=Person,CN=Schema,CN=Configuration,DC=icesword,DC=cn
objectClass top
objectClass person
objectClass organizationalPerson
objectClass user
accountExpires 9223372036854775807
badPasswordTime 0
badPwdCount 0
codePage 0
countryCode 0
displayName bg1
distinguishedName CN=bg1,OU=BGS,OU=SDEP,DC=icesword,DC=cn
givenName bg1
lastLogoff 0
lastLogon 0
logonCount 0
mail bg1@lif.com
name bg1
objectGUID (non string data)
objectSid (non string data)
primaryGroupID 513
pwdLastSet 129519878289160091
sAMAccountName bg1
sAMAccountType 805306368
sn bg1
userAccountControl 512
userPrincipalName bg1@icesword.cn
uSNChanged 49307
uSNCreated 49211
whenChanged 20110608091400.0Z
whenCreated 20110608062348.0Z


the user synchronized from liferay

cn liferaynewuser
instanceType 4
nTSecurityDescriptor
objectCategory CN=Person,CN=Schema,CN=Configuration,DC=icesword,DC=cn
objectClass top
objectClass person
objectClass organizationalPerson
objectClass user
accountExpires 9223372036854775807
badPasswordTime 129520074161454830
badPwdCount 1
codePage 0
countryCode 0
distinguishedName CN=liferaynewuser,OU=SDEP,DC=icesword,DC=cn
givenName liferaynewuser
lastLogoff 0
lastLogon 0
logonCount 0
mail liferaynewuser@sdep.cn
name liferaynewuser
objectGUID (non string data)
objectSid (non string data)
primaryGroupID 513
pwdLastSet 129520016024903292
sAMAccountName $O31000-Q5BDQTD35CAV
sAMAccountType 805306368
sn liferaynewuser
userAccountControl 66080
userPassword (non string data)
userPrincipalName liferaynewuser@icesword.cn
uSNChanged 49383
uSNCreated 49348
whenChanged 20110608115507.0Z
whenCreated 20110608093759.0Z


Is it means that i have some wrong configurations in liferay to deal with when a user created in liferay and synchronized to ldap server?

thanks a lot
Flag
Apoorva Prakash
RE: LDAP Integration: Failed login
October 18, 2011 11:00 PM
Answer

Apoorva Prakash

Rank: Liferay Master

Posts: 594

Join Date: June 15, 2010

Recent Posts

Always welcome mate... emoticon
Flag