2 Replies Latest reply: Apr 10, 2013 10:42 AM by user10750497

    OpenLDAP authentication provider with CA LDAP server

    user10750497
      Hi,

      I am trying to get authentication to work using an OpenLDAP AP connecting to CA LDAP server (formerly eTrust LDAP server). I am at the point where the bind is successful, the user account is authenticated in LDAP, but I am unable to retrieve the group information.

      Here is the error for the group lookup:

      ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <[Security:090278]Error listing member groups myACID>


      This is the final error, presumably because the group lookup failed:

      ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User myACID denied
           at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
           at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
           at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
           at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)



      The CA LDAP server is pointed to a Top Secret database, so the attribute names are atypical as far as directory services objects are concerned. I've tried modifying the group and static group information to search both groups and profiles, but both fail. I've also tried omitting the static group information, and specifying dynamic group info, but that failed as well.


      Here is the search it is running:

      (&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)(objectclass=tssprofile))

      Here is the group base DN: tssadmingrp=profiles,host=ourdevsysid,o=our.org

      The group search scope is subtree. I tried unlimited, and a limit of 2 levels.

      If I execute the filtered search using a third party tool (JXplorer), I receive this error:

      javax.naming.NamingException: [LDAP: error code 80 - LDP2900E Unknown attribute, , in filter string]; remaining name 'tssadmingrp=profiles,host=ourdevsysid,o=our.org'
           at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3085)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
           at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
           at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
           at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
           at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
           at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
           at com.ca.commons.jndi.JNDIOps.rawSearch(JNDIOps.java:1192)
           at com.ca.commons.jndi.JNDIOps.rawSearchSubTree(JNDIOps.java:1039)
           at com.ca.commons.naming.DXOps.rawSearchSubTree(DXOps.java:343)
           at com.ca.commons.jndi.JNDIOps.searchSubTree(JNDIOps.java:1030)
           at com.ca.directory.jxplorer.broker.JNDIDataBroker.unthreadedSearch(JNDIDataBroker.java:772)
           at com.ca.directory.jxplorer.broker.DataBroker.doSearchQuery(DataBroker.java:485)
           at com.ca.directory.jxplorer.broker.DataBroker.processRequest(DataBroker.java:253)
           at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:376)
           at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
           at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
           at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
           at java.lang.Thread.run(Thread.java:662)

      When I execute that same search in JXplorer directly on one of the profile objects (e.g. tssprofile=@oneofourprofiles,tssadmingrp=profiles,host=a12sysid,o=tgslc.org), it runs successfully.

      Here is an old post. It seems the OP encountered the same problem I did.

      authentication provider for CA eTrust LDAP server

      Anyone work with these technologies in a past life?

      Thanks,
      Rob
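The `LDP2900E Unknown attribute` error above is the server rejecting the `memberOf` attribute that the provider's default group filter uses, not a problem with the bind or the base DN. The following is an added example (not code from the post, from WebLogic, or from CA) that does two things a practitioner would want before changing the provider's group filter: it parses an RFC 4515 search filter, lists the attribute names it references, and reports which are absent from a schema attribute list; and it builds a group-membership filter by escaping the user's DN per RFC 4515 before substituting it, so a DN containing `*`, `(`, `)` or `\` cannot change the filter's structure. The `KNOWN_ATTRIBUTES` set is a constructed list drawn only from names visible in the post (a real check would load the server's subschema), and `build_group_filter` is a hypothetical helper, not a WebLogic API.

```python
"""Validate an LDAP group-lookup filter against a directory attribute list.

Constructed example. KNOWN_ATTRIBUTES is an assumption built from the
attribute names that appear in the post, not the real server's schema.
"""
import re

KNOWN_ATTRIBUTES = {"objectclass", "tssacid", "tssprofile", "tssadmingrp", "host", "o"}

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Attribute description at the start of a simple filter item, e.g. "objectclass", "memberOf", "cn;lang-en", "2.5.4.3".
_ATTR_RE = re.compile(r"[A-Za-z0-9.;-]+")


def escape_filter_value(value: str) -> str:
    """Escape a value (for example a user DN) so it is data, not filter syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _parse(s: str, i: int) -> tuple[list[str], int]:
    """Parse one parenthesised filter starting at s[i]; return (attributes, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    attrs: list[str] = []
    if i < len(s) and s[i] in "&|!":
        # Compound filter: (&(...)(...)), (|(...)(...)), (!(...))
        i += 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            attrs.extend(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated compound filter at offset {i}")
        return attrs, i + 1
    # Simple item: a raw ')' cannot appear inside a value (it must be escaped as \29),
    # so the next ')' closes this item.
    j = s.find(")", i)
    if j < 0:
        raise ValueError(f"unterminated filter item at offset {i}")
    m = _ATTR_RE.match(s, i)
    if not m or m.end() == j:
        raise ValueError(f"malformed filter item {s[i:j]!r}")
    attrs.append(m.group(0))
    return attrs, j + 1


def filter_attributes(ldap_filter: str) -> list[str]:
    """Return every attribute description used in the filter, in order of appearance."""
    attrs, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return attrs


def unknown_attributes(ldap_filter: str, known=KNOWN_ATTRIBUTES) -> list[str]:
    """Attributes the filter uses that the directory does not declare (case-insensitive match)."""
    lowered = {k.lower() for k in known}
    return [a for a in filter_attributes(ldap_filter) if a.lower() not in lowered]


def build_group_filter(user_dn: str, member_attr: str, group_objectclass: str) -> str:
    """Hypothetical helper: membership filter with the user DN escaped before substitution."""
    return f"(&({member_attr}={escape_filter_value(user_dn)})(objectclass={group_objectclass}))"


# The filter WebLogic issued in the post (from the log, values as posted).
GROUP_FILTER = ("(&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)"
                "(objectclass=tssprofile))")

if __name__ == "__main__":
    print("attributes used:", filter_attributes(GROUP_FILTER))
    print("not in schema:", unknown_attributes(GROUP_FILTER))
    print(build_group_filter("tssacid=my*ACID,host=ourdevsysid,o=our.ORG", "member", "tssprofile"))
```

Running `unknown_attributes` on the posted filter returns `['memberOf']`, which is exactly the attribute the server refused; the same check can be rerun with each candidate membership attribute before it is saved into the provider configuration. The escaping helper is there because the provider substitutes the authenticated user's DN into the filter automatically; a directory that lets users set their own naming attribute is the case where unescaped substitution would matter.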