Login via AD with specific group in OU via SSL plus multiple AD servers

Hi,

Probably related to http://youtrack.jetbrains.com/issue/JT-5150.

Version: 2017.1

1] default setup with dynamic binding - OK if the URL points inside the OU; users are extracted from the OU: ou=OU,dc=sub,dc=domain,dc=com
2] default setup with dynamic binding - FALSE (error attached) if the URL points at the domain root with a filter: dc=sub,dc=domain,dc=com; filter (&(sAMAccountName=%u)(objectClass=person)(memberOf=cn=svc_youtrack_group,ou=OU,dc=sub,dc=domain,dc=com))
3] default setup with dynamic binding - FALSE (no user found) if the URL points at the OU with a specific group in the filter: ou=OU,dc=sub,dc=domain,dc=com; filter (&(sAMAccountName=%u)(objectClass=person)(memberOf=cn=svc_youtrack_group,ou=OU,dc=sub,dc=domain,dc=com))

Both auth modules are via SSL (port 636); there is no way to search AD without SSL on port 389 - encryption is required.

ad2]
[2017-02-07 12:32:19,816] Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: dc.sub.domain.com:389 [Root exception is java.lang.IllegalStateException: SSLFactory is not set in current context]]
[2017-02-07 12:32:19,816]     at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
[2017-02-07 12:32:19,817]     at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
[2017-02-07 12:32:19,817]     at jetbrains.jetpass.auth.module.ldap.dnq.client.LdapClientImpl$NamingEnumerationCloseable.hasMore(LdapClientImpl.kt)
[2017-02-07 12:32:19,817]     at jetbrains.jetpass.auth.module.ldap.dnq.client.LdapClientImpl$LdapAuthenticator$authenticate$$inlined$use$lambda$1.invoke(LdapClientImpl.kt:55)
[2017-02-07 12:32:19,817]     at jetbrains.jetpass.auth.module.ldap.dnq.client.LdapClientImpl$LdapAuthenticator$authenticate$$inlined$use$lambda$1.invoke(LdapClientImpl.kt:38)
[2017-02-07 12:32:19,817]     at jetbrains.jetpass.auth.module.ldap.dnq.client.LdapClientImpl$LdapAuthenticator.withNamingExceptionHandling(LdapClientImpl.kt:158)
[2017-02-07 12:32:19,817]     ... 86 more
[2017-02-07 12:32:19,817] Caused by: javax.naming.CommunicationException: dc.sub.domain.com:389 [Root exception is java.lang.IllegalStateException: SSLFactory is not set in current context]
[2017-02-07 12:32:19,817]     at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
[2017-02-07 12:32:19,817]     at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
[2017-02-07 12:32:19,818]     at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
[2017-02-07 12:32:19,818]     at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
[2017-02-07 12:32:19,818]     ... 91 more
[2017-02-07 12:32:19,818] Caused by: java.lang.IllegalStateException: SSLFactory is not set in current context
[2017-02-07 12:32:19,818]     at jetbrains.jetpass.auth.module.ldap.dnq.client.LDAPSSLContextFactoryHolder.getDefault(LDAPSSLContextFactoryHolder.java:42)
[2017-02-07 12:32:19,818]     at sun.reflect.GeneratedMethodAccessor778.invoke(Unknown Source)
[2017-02-07 12:32:19,818]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2017-02-07 12:32:19,818]     at java.lang.reflect.Method.invoke(Method.java:498)
[2017-02-07 12:32:19,818]     at com.sun.jndi.ldap.Connection.createSocket(Connection.java:284)
[2017-02-07 12:32:19,818]     at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
[2017-02-07 12:32:19,819]     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
[2017-02-07 12:32:19,819]     at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
[2017-02-07 12:32:19,819]     at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
[2017-02-07 12:32:19,819]     at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
[2017-02-07 12:32:19,819]     at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
[2017-02-07 12:32:19,820]     at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
[2017-02-07 12:32:19,820]     at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
[2017-02-07 12:32:19,820]     ... 94 more

ad3]
[2017-02-07 12:32:48,614] 12:32:48,613 WARN  [apClientImpl$LdapAuthenticator] No user was found by query [(&(sAMAccountName=username)(objectClass=person)(memberOf=cn=svc_youtrack_group))]
[2017-02-07 12:34:33,146] 12:34:33,142 WARN  [apClientImpl$LdapAuthenticator] No user was found by query [(&(sAMAccountName=username)(objectClass=person)(memberOf=cn=svc_youtrack_group,ou=OU,dc=sub,dc=domain,dc=com))]


Point 2] works with LDAPExplorer, but it fails here; point 3] fails with LDAPExplorer, but there is no Java error, just a warning that no user was found.

Will those be solved in 2017.2?

And what about multiple AD servers for one auth module? Because this... can't be disabled via the GUI on the front login page:

You can also log in with your credentials for XX or YY or ZZ or etc

Thanks.
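Two things in the post above are worth checking on any LDAPS-backed login module, independent of the product bug: the `%u` placeholder in the filter is substituted with whatever the user typed, and the search at the domain root triggers referrals that the client follows over plain `ldap://` on port 389 (the `dc.sub.domain.com:389` in the stack trace). The following is an added example, not YouTrack/Hub code and not from the original post; it builds the post's filter with RFC 4515 escaping of the login name, checks that the `memberOf` value is a full DN (the first query in the ad3] log used only `cn=svc_youtrack_group`, which can never match a DN-syntax attribute), and decides whether a referral URL may be followed without downgrading from LDAPS to plaintext LDAP. The referral URL and login names are constructed sample values.

```python
"""Added example: filter hygiene and referral policy for an AD login module.

Not part of YouTrack/Hub; uses only the Python standard library.
"""
import re
from urllib.parse import urlsplit

# Filter template exactly as configured in the post; %u is the login name.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=%u)(objectClass=person)"
    "(memberOf=cn=svc_youtrack_group,ou=OU,dc=sub,dc=domain,dc=com))"
)

# Characters that RFC 4515 section 3 requires to be hex-escaped in a
# filter assertion value: NUL, parentheses, asterisk and backslash.
_FILTER_SPECIALS = "\x00()*\\"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe substitution into a filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def build_user_filter(login: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute the escaped login name for %u in the configured template."""
    return template.replace("%u", escape_filter_value(login))


def member_of_is_full_dn(value: str) -> bool:
    """memberOf holds group DNs, so the filter value must be a complete DN.

    A bare 'cn=group' matches nothing. We split on commas that are not
    backslash-escaped and require a leading cn= and at least one dc= part.
    """
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", value)]
    return parts[0].startswith("cn=") and any(p.startswith("dc=") for p in parts)


def referral_allowed(referral_url: str, original_url: str) -> bool:
    """Return True only if following the referral keeps LDAPS as LDAPS.

    AD returns referrals for searches at the domain root; a client that
    chases them over ldap:// would either fail (encryption required, as in
    the post) or silently downgrade the transport.
    """
    orig = urlsplit(original_url)
    ref = urlsplit(referral_url)
    if ref.scheme not in ("ldap", "ldaps"):
        return False
    if orig.scheme == "ldaps" and ref.scheme != "ldaps":
        return False  # plaintext downgrade: refuse to follow
    return True


if __name__ == "__main__":
    base = "ldaps://dc.sub.domain.com:636/dc=sub,dc=domain,dc=com"  # from the post
    # Constructed referral of the kind AD emits for a root-level search.
    referral = "ldap://dc.sub.domain.com/dc=sub,dc=domain,dc=com"
    print(build_user_filter("j.doe"))
    print(build_user_filter("*)(objectClass=*"))  # specials neutralised
    print(member_of_is_full_dn("cn=svc_youtrack_group"))
    print(referral_allowed(referral, base))
```

`referral_allowed` is the policy a client should apply before opening the second connection; in JNDI terms the equivalent is not following referrals at all (or only over a factory that carries the same TLS settings), which is what the stack trace shows failing when the SSL factory is absent for the referral context.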

Official comment

Hi Prohaszka, thanks for reaching out and sorry for the delay.
We believe your issues might be connected to this known issue: https://youtrack.jetbrains.com/issue/JPS-5113. It is already fixed, so you need to wait for the build with the fix to be released; please watch for updates. In the meantime we can suggest using the connection without SSL; is that possible? If it's not possible, we can provide you with a pre-release build, so please let us know.

As for your question:
> And what about multiple AD servers for one auth module? Because this... can't be disabled via the GUI on the front login page:
At the moment we don't have it in our plans, unfortunately.
