4 Replies. Latest reply: Jun 18, 2008 4:11 AM by 510542

    OpenLDAP and Oracle Identity Service Problem

    shadowknight
      I have followed the Oracle BPEL Process Manager Administrator Guide 10.1.3.1.0 for Configuring an Identity Service for a Third-party LDAP Server, and I have chosen OpenLDAP as a proof of concept, but I received the following error after doing the configuration and trying to search for users in BPEL.

      PCException(): err is 10555

      Caught exception while handling request: BPEL-10555

      Identity Service Configuration error.
      Identity Service Configuration file has error.
      BPEL-10555

      Identity Service Configuration error.
      Identity Service Configuration file has error.
      -------------------------------------------------------------------------------------
      Here is my sample configuration file

      <?xml version = '1.0' encoding = 'UTF-8'?>
      <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
      <configurations>
      <configuration realmName="mysoftware">
      <provider providerType="LDAP" name="openLDAP">
      <connection url="ldap://172.25.61.179:389"
      binddn="cn=Manager,dc=my-domain,dc=com"
      password="mRPrY0FPwTs=" encrypted="true">
      <pool initsize="2" maxsize="25" prefsize="10" timeout="300000"/>
      </connection>
      <userControls>
      <property name="nameattribute" value="uid"/>
      <property name="objectclass" value="inetOrgPerson"/>
      <search searchbase="ou=users,dc=mysoftware,dc=my-domain,dc=com"
      scope="subtree" maxSizeLimit="1000"
      maxTimeLimit="120000"/>
      </userControls>
      <roleControls>
      <property name="nameattribute" value="cn"/>
      <property name="objectclass" value="groupOfUniqueNames"/>
      <property name="membershipsearchscope" value="onelevel"/>
      <property name="memberattribute" value="uniqueMember"/>
      <search searchbase="ou=groups,dc=mysoftware,dc=my-domain,dc=com"
      scope="onelevel" maxSizeLimit="1000"
      maxTimeLimit="120000"/>
      </roleControls>
      </provider>
      </configuration>
      </configurations>
      </ISConfiguration>
      -------------------------------------------------------------------------------------------

      This error message is not much to go on. Does anyone have any ideas? Thanks
        • 1. Re: OpenLDAP and Oracle Identity Service Problem
          564913
          Hi,

          Did you ever solve the problem? I'm also trying to configure the identity service to go against ldap.

          My isconfig.xml is:

          <?xml version = '1.0' encoding = 'UTF-8'?>
          <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
          <configurations>
          <configuration realmName="umesimge-int.es">
          <provider providerType="LDAP" name="Active Directory" service="Identity">
          <connection url="ldap://192.168.9.182:389" binddn="CN=eai,OU=apps,DC=umesimge-int,DC=es" password="u7jZ/JCP2VUqnYt1uPZFjw==" encrypted="true">
          <pool initsize="2" maxsize="25" prefsize="10" timeout="60"/>
          </connection>
          <userControls>
          <property name="nameattribute" value="cn"/>
          <property name="objectclass" value="user"/>
          <search searchbase="CN=users,DC=umesimge-int,DC=es" scope="subtree" maxSizeLimit="1000" maxTimeLimit="120"/>
          </userControls>
          <roleControls>
          <property name="nameattribute" value="cn"/>
          <property name="objectclass" value="group"/>
          <property name="membershipsearchscope" value="onelevel"/>
          <property name="memberattribute" value="member"/>
          <search searchbase="CN=users,DC=umesimge-int,DC=es" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
          </roleControls>
          </provider>
          </configuration>
          </configurations>
          </ISConfiguration>

          And the LDAP error that I'm getting is:

          <2008-06-17 14:43:59,765> <ERROR> <oracle.bpel.services.workflow> <::> Fallo de autenticación del servicio de identidad.
          Fallo de autenticación del servicio de identidad.
          Compruebe la pila de errores y corrija la causa del error. Póngase en contacto con los Servicios de Soporte Oracle si no se puede corregir el error.

          ORABPEL-10528

          Fallo de autenticación del servicio de identidad.
          Fallo de autenticación del servicio de identidad.
          Compruebe la pila de errores y corrija la causa del error. Póngase en contacto con los Servicios de Soporte Oracle si no se puede corregir el error.

               at oracle.tip.pc.services.identity.common.LDAPUtil.getJNDIContext(LDAPUtil.java:168)
               at oracle.tip.pc.services.identity.common.AbstractLDAPProvider.getContext(AbstractLDAPProvider.java:587)
               at oracle.tip.pc.services.identity.common.AbstractLDAPProvider.lookupUserDN(AbstractLDAPProvider.java:389)
               at oracle.tip.pc.services.identity.ldap.LDAPProvider.authenticateUser(LDAPProvider.java:791)
               at oracle.tip.pc.services.identity.ldap.LDAPAuthenticationService.authenticateUser(LDAPAuthenticationService.java:86)
               at oracle.tip.pc.services.identity.ldap.LDAPIdentityService.authenticateUser(LDAPIdentityService.java:395)
               at oracle.bpel.services.workflow.verification.impl.VerificationService.authenticateUser(VerificationService.java:318)
               at oracle.bpel.services.workflow.query.impl.TaskQueryService.authenticate(TaskQueryService.java:138)
               at worklistapp.servlets.Login.handleRequest(Login.java:101)
               at worklistapp.servlets.BaseServlet.doPost(BaseServlet.java:162)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
               at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
               at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
               at java.security.AccessController.doPrivileged(Native Method)
               at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
               at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
               at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
               at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
               at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
               at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
               at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
               at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
               at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
               at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
               at java.lang.Thread.run(Thread.java:595)
          Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
               at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
               at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
               at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
               at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
               at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
               at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
               at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
               at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
               at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
               at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
               at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
               at javax.naming.InitialContext.init(InitialContext.java:223)
               at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
               at oracle.tip.pc.services.identity.common.LDAPUtil.getJNDIContext(LDAPUtil.java:159)
               ... 25 more

          It seems like my configuration is wrong. Any hints?

          Thanks in advance,
          Zaloa
          • 2. Re: OpenLDAP and Oracle Identity Service Problem
            510542
            At what point of execution are you getting this error? Is the worklist API throwing the error when you are trying to authenticate? The user must be added to the LDAP with the same credentials.

            Regards,
            M.Rajesh
            • 3. Re: OpenLDAP and Oracle Identity Service Problem
              564913
              Yes, I'm getting the error at execution time, and the user I'm using for the login is already in LDAP. That's why I don't understand the error.

              I put a sniffer on the LDAP machine and port to see what LDAP is getting, and I think the password has an = sign at the end which is making the authentication fail.

              The issue is that in this part of the config file:

              <connection url="ldap://192.168.9.182:389" binddn="eai@umesimge-int.es" password="EaRxA9dSRGM=" encrypted="true">
              <pool initsize="2" maxsize="25" prefsize="10" timeout="60"/>
              </connection>

              I tried setting encrypted to false, but when I restart SOA Suite, it changes to true and the password gets encrypted. Is there any way to deactivate this option? I want the password to be in the clear, so I know I have the right user and password.

              Thanks again!
              Zaloa
              • 4. Re: OpenLDAP and Oracle Identity Service Problem
                510542
                You can write a simple Java application to check the LDAP connectivity with the credentials provided. Also you can verify by changing the security providers for applications to use the third-party LDAP server and verify the connectivity.

                Regards,
                M.Rajesh
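The "simple Java application" M.Rajesh recommends can be a single class that performs the same JNDI simple bind the identity service performs in LDAPUtil.getJNDIContext, but with a URL, bind DN and password typed in directly, so a credential problem can be separated from an isconfig.xml problem. The class below is an added example written for this thread; it is not code from the thread, from Oracle or from any Oracle guide. The class name LdapBindCheck, the helper names and the placeholder values in the usage comment are assumptions of this example. It also decodes the "error code 49 ... data NNN" text that Active Directory returns (the sub-code meanings are AD's documented values; OpenLDAP returns code 49 without a "data" sub-code).

```java
import java.io.Console;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Stand-alone LDAP bind check (added example, not part of the thread).
 * Usage (all values are placeholders, substitute your own):
 *   java LdapBindCheck ldap://ldap.example.com:389 "cn=Manager,dc=example,dc=com"
 * The password is prompted for on the console; passing it as a third
 * argument is also accepted for non-interactive runs.
 */
public class LdapBindCheck {

    /** Active Directory sub-codes that follow "data" in an error-49 message. */
    private static final Map<String, String> AD_SUBCODES = new HashMap<String, String>();
    static {
        AD_SUBCODES.put("525", "user not found (bind DN / UPN does not resolve)");
        AD_SUBCODES.put("52e", "invalid credentials (wrong password)");
        AD_SUBCODES.put("530", "not permitted to log on at this time");
        AD_SUBCODES.put("531", "not permitted to log on at this workstation");
        AD_SUBCODES.put("532", "password expired");
        AD_SUBCODES.put("533", "account disabled");
        AD_SUBCODES.put("701", "account expired");
        AD_SUBCODES.put("773", "user must reset password");
        AD_SUBCODES.put("775", "account locked out");
    }

    /** Matches "[LDAP: error code 49 - ... data 525, ..." as emitted by JNDI. */
    private static final Pattern ERR =
        Pattern.compile("error code (\\d+)(?:.*?data ([0-9a-fA-F]+))?");

    /** Turns a JNDI/LDAP error message into a short human-readable diagnosis. */
    static String explain(String message) {
        if (message == null) return "no message";
        Matcher m = ERR.matcher(message);
        if (!m.find()) return message;
        String code = m.group(1);
        String data = m.group(2);          // null when the server sent no AD sub-code
        StringBuilder sb = new StringBuilder("LDAP result code ").append(code);
        if ("49".equals(code)) sb.append(" (invalidCredentials)");
        if (data != null) {
            String meaning = AD_SUBCODES.containsKey(data) ? AD_SUBCODES.get(data) : "unknown sub-code";
            sb.append(", AD data ").append(data).append(": ").append(meaning);
        }
        return sb.toString();
    }

    /** Attempts a simple bind; returns true on success, prints a diagnosis otherwise. */
    static boolean bind(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // fail fast if the host is unreachable
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            System.out.println("bind OK as " + bindDn);
            return true;
        } catch (AuthenticationException e) {
            System.out.println("bind REJECTED: " + explain(e.getMessage()));
        } catch (NamingException e) {
            System.out.println("connection/naming failure: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        if (args.length < 2 || args.length > 3) {
            System.err.println("usage: java LdapBindCheck <ldap-url> <bind-dn> [password]");
            System.exit(2);
        }
        String password;
        if (args.length == 3) {
            password = args[2];
        } else {
            Console console = System.console();
            if (console == null) {
                System.err.println("no console available; pass the password as the third argument");
                System.exit(2);
                return;
            }
            password = new String(console.readPassword("password for %s: ", args[1]));
        }
        System.exit(bind(args[0], args[1], password) ? 0 : 1);
    }
}
```

Run it once with the service account (the binddn from the connection element) and once with the end user that fails in the worklist login. A bind that is rejected here with the plaintext password is a directory-side problem (wrong DN, wrong password, disabled account); a bind that succeeds here but fails from BPEL points at the configuration. Two details from this thread fit that split: the sub-code in the trace quoted in reply 1 is "data 525", which Active Directory returns when it cannot resolve the bind identity at all, so the DN or UPN form is the first thing to compare against what the directory actually holds; and a bind request that, as Zaloa saw with a sniffer, carries a value ending in "=" (base64 padding, as in the stored encrypted="true" password) means the service is sending the stored value verbatim rather than the decrypted password, which this class, taking the plaintext directly, sidesteps entirely.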