LDAP Integration Problem
We're trying to use LDAPS authentication with YouTrack Enterprise Edition. We are using Novell with the following URL.
URL: LDAPS://LDAP_SERVER:636/o=ORG_HERE
Doing that without using any of the advanced options results in an invalid DN error.
I've discovered that it works if I fill in the transform and query boxes with the following values.
Transform: cn=$login$,ou=AD,ou=HV,o=ORG_HERE
Query = (uid=$login$)
However, that transform is not going to work for all of our users. Most users will not belong to the AD ou. Some may not even belong to HV. Is there any way to just search from the organization ESB and then use the full DN for the user found?
After doing some research I'm starting to get the impression that your LDAP module cannot be used with a tree that was designed for multiple locations. Since our tree is structured in a way that supports multiple locations, there's no way I can code my full DN into the transform box since someone in another location will not have that DN. Our setup looks like this.
O = COMPANY_NAME
|
+-- ou = Location_1
|   +-- ou = Users
+-- ou = Location_2
|   +-- ou = AD
+-- ou = Location_3
    +-- ou = Users
Is there any way this can be accomplished? Is there a way to replace the default implementation? I see you guys have a query that is being used, but it's after the bind has taken place and you're using it to get user information. I'd love to use that query to actually find the user by uid and then get the full DN based off the resultset returned. That would work.
I'm guessing by the lack of a reply on the forum, support e-mail, and the issue tracker means this is not possible. I thought I would have at least received a yes or no from someone at JetBrains since we already have a license.
Hello Shane,
Sorry for the delay in answering.
Currently our main LDAP integration developer is on vacation, but he will be back in a day or two.
We'll investigate this problem and let you know.
--
Sergey Andreev
QA Engineer
JetBrains, Inc
http://www.jetbrains.com
"Develop with pleasure!"
Thanks Sergey.
Sergey,
Do you know if the primary LDAP developer is back in the office? If he is, do you have any idea when he'll get a chance to look at this?
Thanks,
Shane
I'm looking at it.
By the way, will the following work?
No, that doesn't work. It's not able to bind.
Please provide the "Test connection" result and the exception in the logs, if any. I don't get why URL: LDAPS://LDAP_SERVER:636/o=ORG_HERE with transform ORG_HERE\$login$, for example, won't work. Bind (login) is executed just fine even without any working tree provided!
Alright. Tried doing the test with the transform specified and I got the following exception in the log.
javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Unknown Source)
These settings result in:
javax.naming.AuthenticationException: [LDAP: error code 49 - NDS error: failed authentication (-669)]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Unknown Source)
Try removing "o=ORG_HERE" from the URL. The exception is still of interest.
Those were wrong.
Ok. Here are the settings I have.
URL: LDAPS://ldap_server:636/
Transform: ORG\$login$
Query: (uid=$login$)
This results in:
javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Unknown Source)
By the way, is your LDAP server somehow secured? Have you followed those instructions for LDAPS? http://confluence.jetbrains.net/display/YTD2/LDAP+Integration
Yes, I have. If I specify the full DN for my account, login works just fine. It just won't work for people in other OUs (which is almost everyone).
I still don't get why the user fails to log in even if the URL is specified without any subpaths. Login must be OK, but the search should fail. I have configured my sample installation as follows: URL: ldap://server:389/, Transform: DOMAIN\$login$, Query: <empty>. Login is successful. Maybe I should install Novell to create such a setup for it, but it will take some time.
For what it's worth, our internal LDAP component (C#) that we've created searches the subtree before it attempts to bind. If it pulls back one user, then it will grab the DN and use it to bind. I'm not sure how that would perform for organizations with large trees, but it works well for us. If we could use an implementation like that then we would be all set.
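The search-then-bind flow described in the post above, together with the "transform" DN construction from the first post, as an added example that is not YouTrack's code or the poster's C# component. The directory is a constructed in-memory stand-in for the multi-location eDirectory tree drawn earlier in the thread (names `FakeDirectory`, `Entry`, `DIRECTORY`, the sample users and their passwords are all assumptions), so the block runs offline; a real deployment would send the same subtree search and simple bind to the server. It also shows the two escaping rules a practitioner wants when a login name is spliced into a DN (RFC 4514) or a filter (RFC 4515), and why an ambiguous or empty search result must refuse the login rather than guess.

```python
"""Search-then-bind LDAP login with proper escaping (added example, not YouTrack's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515: characters that would change a filter's meaning become \\xx hex escapes."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value before splicing it into a DN."""
    out = ''.join('\\' + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith((' ', '#')):          # leading space or '#' must be escaped
        out = '\\' + out
    if out.endswith(' ') and not out.endswith('\\ '):  # trailing space too
        out = out[:-1] + '\\ '
    return out


def transform_dn(login: str, template: str) -> str:
    """Expand a YouTrack-style transform such as cn=$login$,ou=AD,ou=HV,o=ORG_HERE,
    escaping the login so it cannot smuggle in extra RDNs."""
    return template.replace('$login$', escape_dn_value(login))


@dataclass(frozen=True)
class Entry:
    dn: str
    uid: str
    password: str  # constructed sample only; a real server never exposes this


# Constructed sample of the multi-location tree from the thread (assumed users).
DIRECTORY = [
    Entry('cn=shane,ou=Users,ou=Location_1,o=COMPANY_NAME', 'shane', 'pw-one'),
    Entry('cn=dana,ou=AD,ou=Location_2,o=COMPANY_NAME', 'dana', 'pw-two'),
    Entry('cn=lee,ou=Users,ou=Location_3,o=COMPANY_NAME', 'lee', 'pw-three'),
]

_SIMPLE_FILTER = re.compile(r'^\((\w+)=(.*)\)$')


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """In-memory stand-in (assumption) for an eDirectory server: subtree search + simple bind."""

    def __init__(self, entries: List[Entry]):
        self.entries = list(entries)

    def search(self, base_dn: str, ldap_filter: str) -> List[Entry]:
        m = _SIMPLE_FILTER.match(ldap_filter)
        if not m:
            raise ValueError('unsupported filter: ' + ldap_filter)
        attr, raw = m.group(1), m.group(2)
        if attr != 'uid':
            return []
        wildcard = raw == '*'          # an unescaped '*' is a wildcard, as on a real server
        wanted = _unescape(raw)        # '\2a' becomes a literal '*' that matches no real uid
        return [e for e in self.entries
                if (e.dn == base_dn or e.dn.endswith(',' + base_dn))
                and (wildcard or e.uid == wanted)]

    def bind(self, dn: str, password: str) -> bool:
        return any(e.dn == dn and e.password == password for e in self.entries)


def search_then_bind(directory: FakeDirectory, base_dn: str,
                     login: str, password: str) -> Optional[str]:
    """Find the user anywhere under base_dn, then bind as the DN found.
    Returns the authenticated DN, or None when the login must be refused."""
    if not login or not password:  # an empty password would be an anonymous bind, never a login
        return None
    ldap_filter = '(uid=%s)' % escape_filter_value(login)
    matches = directory.search(base_dn, ldap_filter)
    if len(matches) != 1:          # zero: unknown user; more than one: ambiguous, refuse
        return None
    dn = matches[0].dn
    return dn if directory.bind(dn, password) else None


if __name__ == '__main__':
    d = FakeDirectory(DIRECTORY)
    print(search_then_bind(d, 'o=COMPANY_NAME', 'lee', 'pw-three'))  # DN under Location_3
    print(search_then_bind(d, 'o=COMPANY_NAME', '*', 'pw-one'))      # None: '*' is escaped
```

Searching from the organization root lets a user in any location's ou authenticate without a per-location transform, which is the limitation the thread is about; the single-match rule matters because a wildcard or overly broad filter that returns several entries must not pick one at random.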
Yeah, the Novell stuff is a bit different. For example, I can't keep the query empty because eDirectory doesn't understand sAMAccountName.
Right, but for my AD server bind works with DOMAIN\User.Name, without specifying full DN of logged in user.
I guess it's just a difference between eDirectory and AD. All of the examples Novell provides show the need to provide a full DN.
I can confirm that AD does not require a fully qualified DN to bind, while eDirectory does.
This is the root cause of our problems. I will try to figure something out, but not immediately.