
Build Forge LDAP integration login error


Chris Devine (612) | asked Aug 04 '10, 8:31 p.m.
Hello,

I'm trying to set up LDAP integration for Build Forge 7.1.1.4. I'm getting an error when logging in with a user in the domain. Can anyone help with this?

I have entered the following details under Administration -> LDAP

LDAP Domain: DEV
Admin DN: CN=Service Account AU\, ABCD RAM WAS DM Svc,OU=AU,OU=Service Accounts,OU=ABC Security Objects,DC=dev,DC=corptst,DC=ABC,DC=com
Host: dev.corptst.abc.com:389
Bind User Account: Yes
Map Access Groups: No
Protocol: LDAP
Search Base: DC=dev,DC=corptst,DC=abc,DC=com
Unique Identifier: (sAMAccountName=%)

When I test the connection of this domain in Build Forge it connects OK.


When I try to log in to Build Forge with a user from this domain I get the following error:


Build Forge Error
Access is denied to the BuildForge console.

Error authenticating: com.buildforge.services.common.api.APIException - API: Authentication Error.

Please click here to try the same type of login again, or click here to force a form login (user ID/password).


And in the app server (we're using WebSphere) log:


00000025 SSOManager I Authenticating user 'dev/cdevine' for UI access.
00000025 LdapSession W Exception during LdapSession.findMultiple(DC=dev,DC=corptst,DC=abc,DC=com, (sAMAccountName=cdevine)) : javax.naming.CommunicationException: connection closed ; Remaining name: 'DC=dev,DC=corptst,DC=abc,DC=com'
00000025 LdapSession W Exception during LdapSession.findMultiple(DC=dev,DC=corptst,DC=abc,DC=com, (sAMAccountName=cdevine)) : javax.naming.NamingException: ; Remaining name: 'DC=dev,DC=corptst,DC=abc,DC=com'
00000025 AuthContext W Login failed - no LDAP record
00000025 SSOManager W An exception occurred authenticating user 'dev/cdevine'. The message is: 'API: Authentication Error.'.
com.buildforge.services.common.api.APIException: API: Authentication Error.
at com.buildforge.services.server.api.AuthContext.loginLdap(AuthContext.java:892)
at com.buildforge.services.server.api.AuthContext.loginBase(AuthContext.java:787)
at com.buildforge.services.server.api.AuthContext.login(AuthContext.java:687)
at com.buildforge.services.server.sso.SSOManager.authenticate(SSOManager.java:288)
at com.buildforge.services.server.web.AuthServlet.authenticate(AuthServlet.java:59)
at com.buildforge.services.server.web.AuthServlet.doPost(AuthServlet.java:161)
at com.buildforge.services.server.web.AuthServlet.service(AuthServlet.java:171)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1583)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:870)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:175)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:863)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:182)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1772)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)


I've used a command line tool called AdFind (http://www.joeware.net/freetools/tools/adfind/index.htm) on the Build Forge server to perform a search using the details above and it can find the user in samaccountname:


ADFind.exe -u "CN=Service Account AU\, ABCD RAM WAS DM Svc,OU=AU,OU=Service Accounts,OU=ABC Security Objects,DC=dev,DC=corptst,DC=abc,DC=com" -simple -up * -b DC=dev,DC=corptst,DC=abc,DC=com -f "(samaccountname=cdevine)"

Where
-u is the Userid for authentication
-up * prompts for a password for the user ID specified with -u
-simple is a simple bind
-b is the base DN to search from
-f is the filter

16 answers



Peter Birk (501145) | answered Aug 05 '10, 9:27 a.m.
JAZZ DEVELOPER

LDAP Domain: DEV
Admin DN: CN=Service Account AU\, ABCD RAM WAS DM Svc,OU=AU,OU=Service Accounts,OU=ABC Security Objects,DC=dev,DC=corptst,DC=ABC,DC=com
Host: dev.corptst.abc.com:389
Bind User Account: Yes
Map Access Groups: No
Protocol: LDAP
Search Base: DC=dev,DC=corptst,DC=abc,DC=com
Unique Identifier: (sAMAccountName=%)

00000025 SSOManager I Authenticating user 'dev/cdevine' for UI access.
00000025 LdapSession W Exception during LdapSession.findMultiple(DC=dev,DC=corptst,DC=abc,DC=com, (sAMAccountName=cdevine)) : javax.naming.CommunicationException: connection closed ; Remaining name: 'DC=dev,DC=corptst,DC=abc,DC=com'
00000025 LdapSession W Exception during LdapSession.findMultiple(DC=dev,DC=corptst,DC=abc,DC=com, (sAMAccountName=cdevine)) : javax.naming.NamingException: ; Remaining name: 'DC=dev,DC=corptst,DC=abc,DC=com'
00000025 AuthContext W Login failed - no LDAP record....

I've used a command line tool called AdFind (http://www.joeware.net/freetools/tools/adfind/index.htm) on the Build Forge server to perform a search using the details above and it can find the user in samaccountname:

ADFind.exe -u "CN=Service Account AU\, ABCD RAM WAS DM Svc,OU=AU,OU=Service Accounts,OU=ABC Security Objects,DC=dev,DC=corptst,DC=abc,DC=com" -simple -up * -b DC=dev,DC=corptst,DC=abc,DC=com -f "(samaccountname=cdevine)"

Where
-u is the Userid for authentication
-up * prompts for a password for the user ID specified with -u
-simple is a simple bind
-b is the base DN to search from
-f is the filter


Make sure every time you edit the LDAP settings you re-enter the Bind Password. The LDAP error indicates a bind issue and that is either a bad bind id/pass which appears not to be the case, or the bind password is blank which is a common issue and needs to be fixed in Build Forge. The UI should not blank out the bind password if it's already been entered. I need to check if this has been fixed already.

Also, the LDAP session is cached so you must restart Build Forge every time you change the LDAP settings. While a pain for configuration, it's a good thing for the runtime performance.

Let me know if one of these does not resolve your issue.

Regards,
Pete

Chris Devine (612) | answered Aug 05 '10, 11:23 p.m.
That worked! Thanks for your help Pete.

Mark Ireland (26115748) | answered Sep 23 '10, 10:55 a.m.
Hi,

What values do I place in the BF LDAP domain, please?
What limitations are there, please?
Any other thoughts, please?

Ta

Mark

Jeroen Hautekeete (1633) | answered Oct 28 '10, 11:35 a.m.
I'm also having problems with LDAP authentication.

I'm using RHEL stock OpenLDAP 2.3.XX as the backend, so I don't have the "memberof" overlay available ... this kind of setup works perfectly for WebSphere and Tomcat since they look up the group and then drill through via the (unique)Member attributes.
But when I perform a tcpdump on the LDAP connection, BuildForge only looks up (and finds) the user (even multiple times), and a search for the group itself is never performed.

Sergio Lorente (981711) | answered Apr 15 '11, 8:20 a.m.
Hello,

I'm trying to set up LDAP integration for Build Forge 7.1.2.1. It works OK, but the problem appears when we try to add an authorized group. I'm getting an error when logging in with a user who belongs to this group. Can anyone help with this?
We've tried it after restarting bfserver and we had the same error.

This is the Catalina output error:

Throwable occurred: com.buildforge.services.common.api.APIException: API: Authentication Error.
at com.buildforge.services.server.api.AuthContext.checkAuthorizedGroupDN(AuthContext.java:839)
at com.buildforge.services.server.api.AuthContext.loginLdap(AuthContext.java:918)
at com.buildforge.services.server.api.AuthContext.loginBase(AuthContext.java:784)
at com.buildforge.services.server.api.AuthContext.login(AuthContext.java:696)
at com.buildforge.services.server.sso.SSOManager.authenticate(SSOManager.java:294)
at com.buildforge.services.server.web.AuthServlet.authenticate(AuthServlet.java:59)
at com.buildforge.services.server.web.AuthServlet.doPost(AuthServlet.java:162)
at com.buildforge.services.server.web.AuthServlet.service(AuthServlet.java:172)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:736)


This is the Aut. group DN:
cn=desarrolloWebUsuariosRBF,ou=desarrolloweb,ou=servicios,dc=mutua,dc=es
This group uses an attribute called uniqueMember where users are defined.

A user DN:
uid=TELEMAKO,ou=personales,ou=usuarios,dc=mutua,dc=es



Others

Admin DN: uid=buildforge,ou=especiales,ou=usuarios,dc=mutua,dc=es

Bind User Account: Yes
Map Access Groups: No
Protocol: LDAP
Search Base: dc=mutua,dc=es
Authorized Group DN: cn=desarrolloWebUsuariosRBF,ou=desarrolloweb,ou=servicios,dc=mutua,dc=es
Unique Identifier: uid=%

thanks,

Sergio

Peter Birk (501145) | answered Apr 15 '11, 8:43 a.m.
JAZZ DEVELOPER
The LDAP group comparisons are case-sensitive. You must enter them exactly as the LDAP server returns them. The best way to determine this is to enable the following trace, authenticate, and then see what groups your user is a member of and use the exact group returned for the authorized DN and any other AccessGroup DNs.

Trace spec: com.buildforge.services.server.ldap.level=ALL

Regards,
Pete

Sergio Lorente (981711) | answered Apr 18 '11, 6:34 a.m.
Hi Peter,
Thanks for your response.
I declared the variable in the /server/tomcat/common/classes/logging.properties file (I hope it is the right place to declare it).
So the Catalina log responds:

Apr 18, 2011 12:16:06 PM com.buildforge.services.server.sso.SSOManager authenticate
INFO: CRRBF1414I: Authenticating user 'MUTUA/rrono0s' for UI access.
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession findMultiple
FINE: Searching for searchBase: dc=mutua,dc=es, filter: uid=rrono0s, control: javax.naming.directory.SearchControls@1cdc1cdc
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession findMultiple
FINE: Found elements? com.sun.jndi.ldap.LdapSearchEnumeration@3f163f16
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getUserDN
FINE: User login maps to DN
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession findMultiple
FINE: Searching for searchBase: dc=mutua,dc=es, filter: uid=rrono0s, control: javax.naming.directory.SearchControls@61df61df
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession findMultiple
FINE: Found elements? com.sun.jndi.ldap.LdapSearchEnumeration@77917791
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getUserDN
FINE: User login maps to DN
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUser
FINE: Group name: memberof
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Group search base:
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Group attribute filter:
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Null/empty search base or attribute filter
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUser
FINE: Groups found: null
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.api.AuthContext checkAuthorizedGroupDN
WARNING: Login failed - User 'rrono0s' is not in the Authorized Group DN for Domain 'MUTUA'
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.sso.SSOManager authenticate
WARNING: CRRBF1417I: An exception occurred authenticating user 'MUTUA/rrono0s'. The message is: 'API: Authentication Error.'.
Throwable occurred: com.buildforge.services.common.api.APIException: API: Authentication Error.
at com.buildforge.services.server.api.AuthContext.checkAuthorizedGroupDN(AuthContext.java:839)
at com.buildforge.services.server.api.AuthContext.loginLdap(AuthContext.java:918)
at com.buildforge.services.server.api.AuthContext.loginBase(AuthContext.java:784)
at com.buildforge.services.server.api.AuthContext.login(AuthContext.java:696)
at com.buildforge.services.server.sso.SSOManager.authenticate(SSOManager.java:294)
at com.buildforge.services.server.web.AuthServlet.authenticate(AuthServlet.java:59)
at com.buildforge.services.server.web.AuthServlet.doPost(AuthServlet.java:162)
at com.buildforge.services.server.web.AuthServlet.service(AuthServlet.java:172)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:736)



I don't find any trace with respect to the group. But it finds the user ()

I executed a query in JXplorer (using the Admin user declared in BF) and it finds my user in the Aut. Group (desarrolloWebUsuariosRBF): uniquemember=*rrono0s*
It lists all user groups including the authorized one.

Any suggestion?

Thanks in advance

Peter Birk (501145) | answered Apr 18 '11, 10:22 a.m.
JAZZ DEVELOPER
I don't think you have the LDAP group search base configured properly. It says it's empty. Can you display what you have for your LDAP configuration?

Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUser
FINE: Group name: memberof
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Group search base:
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Group attribute filter:
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUserDN
FINE: Null/empty search base or attribute filter
Apr 18, 2011 12:16:06 PM com.buildforge.services.server.ldap.LdapSession getGroupDNsForUser
FINE: Groups found: null

Sergio Lorente (981711) | answered Apr 18 '11, 11:15 a.m.
Yes, it is empty. I don't have Map Access Groups set to yes.

Name: Mutua
Admin DN: uid=buildforge,ou=especiales,ou=usuarios,dc=mutua,dc=es
Map Access Groups: No
Host: directorio.mutua.es:389
Password:
Verified:
Bind User Account: yes
Protocol: LDAP
Display Name: cn
Distinguished Name: dn
Group Name: memberof (default value)
Mail Name: mail
Authorized Group DN: cn=desarrolloWebUsuariosRBF,ou=desarrolloweb,ou=servicios,dc=mutua,dc=es
Search Base: dc=mutua,dc=es
Unique Identifier:
Groups Search Base: not used
Groups Unique Identifier: not used


user's DN: uid=RRONO0S,ou=personales,ou=usuarios,dc=mutua,dc=es

Greetings

Peter Birk (501145) | answered Apr 18 '11, 11:21 a.m.
JAZZ DEVELOPER
You cannot specify an "Authorized Group DN" unless you are retrieving groups from the lookup. Leave that field empty until you have the group lookup configured properly.
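The trace Sergio posted shows the two-step group lookup (the Group Name attribute on the user entry, then the Groups Search Base / Groups Unique Identifier fallback) returning "Groups found: null", after which checkAuthorizedGroupDN fails. The following is an added model of that flow over a constructed in-memory directory, not Build Forge's own code: it reproduces the null result when the group search base or filter is empty, the reverse lookup over uniqueMember that a directory without the memberof overlay needs (Jeroen's OpenLDAP case), and the byte-exact authorized-DN comparison Pete describes beside a normalized comparison. The template form `(uniqueMember=%)` with the user's DN substituted for `%`, the `ou=servicios` group search base, and the directory contents are assumptions.

```python
# Added example (not Build Forge code): model of getGroupDNsForUser ->
# getGroupDNsForUserDN -> checkAuthorizedGroupDN over a constructed directory.

# Constructed directory: entry DN -> attributes (every value is a list).
DIRECTORY = {
    "uid=RRONO0S,ou=personales,ou=usuarios,dc=mutua,dc=es": {
        "uid": ["RRONO0S"], "cn": ["Constructed User"],
    },
    "cn=desarrolloWebUsuariosRBF,ou=desarrolloweb,ou=servicios,dc=mutua,dc=es": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=RRONO0S,ou=personales,ou=usuarios,dc=mutua,dc=es"],
    },
}

def normalize_dn(dn: str) -> str:
    """Case-fold and trim around RDN separators; used only for the lenient compare."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def get_attr(entry: dict, name: str) -> list:
    """LDAP attribute names are case-insensitive; look one up that way."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def group_dns_for_user(user_dn: str, cfg: dict):
    # Step 1: the "Group Name" attribute on the user entry (AD memberOf, OpenLDAP overlay).
    groups = get_attr(DIRECTORY.get(user_dn, {}), cfg["group_name"])
    if groups:
        return list(groups)
    # Step 2: reverse lookup with "Groups Search Base" and "Groups Unique Identifier".
    base, template = cfg["groups_search_base"], cfg["groups_unique_identifier"]
    if not base or not template or "%" not in template:
        return None  # the trace's "Null/empty search base or attribute filter"
    attr = template.strip("()").partition("=")[0]  # assumed "(uniqueMember=%)" form
    found = []
    for dn, entry in DIRECTORY.items():
        if not ("," + normalize_dn(dn)).endswith("," + normalize_dn(base)):
            continue  # outside the group search base
        if any(normalize_dn(v) == normalize_dn(user_dn) for v in get_attr(entry, attr)):
            found.append(dn)
    return found or None

def check_authorized_group(user_dn: str, cfg: dict, exact: bool = True) -> bool:
    """checkAuthorizedGroupDN: an empty Authorized Group DN imposes no restriction.
    exact=True is the byte-exact comparison described in the thread."""
    wanted = cfg["authorized_group_dn"]
    if not wanted:
        return True
    groups = group_dns_for_user(user_dn, cfg) or []
    if exact:
        return wanted in groups
    return normalize_dn(wanted) in {normalize_dn(g) for g in groups}

USER_DN = "uid=RRONO0S,ou=personales,ou=usuarios,dc=mutua,dc=es"
GROUP_DN = "cn=desarrolloWebUsuariosRBF,ou=desarrolloweb,ou=servicios,dc=mutua,dc=es"
# Sergio's settings as posted: authorized group set, group lookup not configured.
CFG_AS_POSTED = {"group_name": "memberof", "groups_search_base": "",
                 "groups_unique_identifier": "", "authorized_group_dn": GROUP_DN}
# Same settings with the reverse lookup configured (assumed values).
CFG_FIXED = dict(CFG_AS_POSTED, groups_search_base="ou=servicios,dc=mutua,dc=es",
                 groups_unique_identifier="(uniqueMember=%)")

if __name__ == "__main__":
    print(group_dns_for_user(USER_DN, CFG_AS_POSTED), check_authorized_group(USER_DN, CFG_AS_POSTED))
    print(group_dns_for_user(USER_DN, CFG_FIXED), check_authorized_group(USER_DN, CFG_FIXED))
```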
