LDAP Integration Problem

We're trying to use LDAPS authentication with YouTrack Enterprise Edition. We are using Novell with the following URL.

URL: LDAPS://LDAP_SERVER:636/o=ORG_HERE

Doing that without using any of the advanced options results in an invalid DN error.

I've discovered that it works if I fill in the transform and query boxes with the following values.

Transform: cn=$login$,ou=AD,ou=HV,o=ORG_HERE

Query = (uid=$login$)

However, that transform is not going to work for all of our users. Most users will not belong to the AD ou. Some may not even belong to HV. Is there any way to just search from the organization ESB and then use the full DN for the user found?

0
23 comments
Permanently deleted user

After doing some research I'm starting to get the impression that your LDAP module cannot be used with a tree that was designed for multiple locations. Since our tree is structured in a way that supports multiple locations, there's no way I can code my full DN into the transform box since someone in another location will not have that DN. Our setup looks like this.

    O = COMPANY_NAME
    |
    +-- ou = Location_1
    |   |
    |   +-- ou = Users
    |   +-- ou = AD
    |
    +-- ou = Location_2
    |   |
    |   +-- ou = Users
    |
    +-- ou = Location_3

Is there any way this can be accomplished? Is there a way to replace the default implementation? I see you guys have a query that is being used, but it's after the bind has taken place and you're using it to get user information. I'd love to use that query to actually find the user by uid and then get the full DN based off the resultset returned. That would work.

0
Permanently deleted user

I'm guessing from the lack of a reply on the forum, support e-mail, and the issue tracker that this is not possible. I thought I would have at least received a yes or no from someone at JetBrains since we already have a license.

0
Permanently deleted user

Hello Shane,

Sorry for the delay in answering.

Currently our main LDAP integration developer is on vacation, but he will be back in a day or two.

We'll investigate this problem and let you know.

--

Sergey Andreev

QA Engineer

JetBrains, Inc

http://www.jetbrains.com

"Develop with pleasure!"

0
Permanently deleted user

Thanks Sergey.

0
Permanently deleted user

Sergey,

Do you know if the primary LDAP developer is back in the office? If he is, do you have any idea when he'll get a chance to look at this?

Thanks,

Shane

0

I'm looking at it.

0

By the way, will the following work?

URL: LDAPS://LDAP_SERVER:636/o=ORG_HERE

Transform: cn=$login$,o=ORG_HERE

Query = (uid=$login$)

0
Permanently deleted user

No, that doesn't work. It's not able to bind.

0

Please provide the "Test connection" result and the exception in the logs, if any. I don't get why URL: LDAPS://LDAP_SERVER:636/o=ORG_HERE with transform ORG_HERE\$login$, for example, won't work. Bind (login) is executed just fine even without any working tree provided!

0
Permanently deleted user

Alright. Tried doing the test with the transform specified and I got the following exception in the log.

javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
    at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
    at java.lang.Thread.run(Unknown Source)

0
Permanently deleted user

These settings result in:

javax.naming.AuthenticationException: [LDAP: error code 49 - NDS error: failed authentication (-669)]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
    at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
    at java.lang.Thread.run(Unknown Source)

0

Try removing "o=ORG_HERE" from the URL. The exception is still an object of interest.

0

Those were wrong.

0
Permanently deleted user

Ok. Here are the settings I have.

URL: LDAPS://ldap_server:636/

Transform: ORG\$login$

Query: (uid=$login$)

This results in:

javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at jetbrains.charisma.ldap.main.LdapAuthenticationModule.ldapLogin(LdapAuthenticationModule.java:125)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.test(TestLdapSettingsDialog_HtmlTemplateComponent.java:494)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent.access$000(TestLdapSettingsDialog_HtmlTemplateComponent.java:36)
    at jetbrains.charisma.ldap.ui.TestLdapSettingsDialog_HtmlTemplateComponent$1.invoke(TestLdapSettingsDialog_HtmlTemplateComponent.java:66)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateEventHandler.handle(TemplateEventHandler.java:32)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.doNewHandleEvent(TemplateComponent.java:725)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:680)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleByEventHandlers(TemplateComponent.java:678)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateComponent.newHandleEvent(TemplateComponent.java:651)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEventImpl(TemplateActionController.java:112)
    at jetbrains.mps.webr.runtime.templateComponent.TemplateActionController.handleEvent(TemplateActionController.java:101)
    at jetbrains.mps.webr.runtime.requestProcessor.EventRequestProcessor.processRequest(EventRequestProcessor.java:71)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.processRequest(MainServlet.java:193)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doGet(MainServlet.java:88)
    at jetbrains.mps.webr.runtime.servlet.MainServlet.doPost(MainServlet.java:162)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at jetbrains.mps.webr.runtime.filter.QueryParameterFilter.doFilter(QueryParameterFilter.java:25)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:78)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
    at java.lang.Thread.run(Unknown Source)

0

By the way, is your LDAP server somehow secured? Have you followed those instructions for LDAPS? http://confluence.jetbrains.net/display/YTD2/LDAP+Integration

0
Permanently deleted user

Yes, I have. If I specify the full DN for my account, login works just fine. It just won't work for people in other OUs (which is almost everyone).

0

I still don't get why the user fails to log in even if the URL is without any subpaths specified. Login must be OK, but the search should fail. I have configured my sample installation as follows: URL: ldap://server:389/, Transform: DOMAIN\$login$, Query: <empty>. Login is successful. Maybe I should install Novell to create such a setup for it, but it will take some time.

0
Permanently deleted user

For what it's worth, our internal ldap component (C#) that we've created searches the subtree before it attempts to bind. If it pulls back one user, then it will grab the DN and use it to bind. I'm not sure how that would perform for organizations with large trees, but it works well for us. If we could use an implementation like that then we would be all set.

    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;

    // Search the whole subtree under the organization for the login name.
    // Note: username goes straight into the filter here; it should be escaped
    // per RFC 4515 first so a typed login cannot change the filter's meaning.
    SearchRequest request = new SearchRequest(
        "o=ORG",
        "(&(objectClass=Person)(uid=" + username + "))",
        SearchScope.Subtree,
        "cn", "givenName", "mail", "Description", "telephoneNumber", "sn", "uid");
    SearchResponse response = (SearchResponse)connection.SendRequest(request);

    // Refuse unless exactly one entry matched: unknown or ambiguous login.
    if (response.Entries.Count < 1)
        throw new Exception("Could not find anyone with the username - " + username);
    if (response.Entries.Count > 1)
        throw new Exception("Found too many people with the same username.");

    // The single match supplies the full DN used for the bind.
    string fullDn = response.Entries[0].DistinguishedName;

    // bind user stuff here....
    // .............
    connection.Bind(new NetworkCredential(fullDn, password));

0
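The search-then-bind flow from the post above, written out as an added example (not YouTrack's LDAP module and not the poster's C# component). It runs against a constructed in-memory tree shaped like the one drawn earlier in the thread, so DIRECTORY, subtree_search and ldap_bind are stand-ins for a real eDirectory; it also shows why the fixed transform only works for one OU, and escapes the login before building the filter, which the C# snippet does not.

```python
"""Search-then-bind for a multi-location directory, as the thread describes.

Added example, not YouTrack's LDAP module nor the C# component quoted above.
DIRECTORY, its users and passwords, subtree_search and ldap_bind are constructed
in-memory stand-ins so this runs offline; a real deployment issues the same two
operations (subtree search, then simple bind with the found DN) over LDAPS.
"""
import re

# Constructed sample tree laid out like the one drawn in the thread.
# DN -> (uid, password); o=ORG is a placeholder organization name.
DIRECTORY = {
    "cn=shane,ou=AD,ou=HV,o=ORG": ("shane", "pw-shane"),
    "cn=alice,ou=Users,ou=Location_1,o=ORG": ("alice", "pw-alice"),
    "cn=bob,ou=Users,ou=Location_2,o=ORG": ("bob", "pw-bob"),
}
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login cannot change the filter's meaning."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def uid_filter(login):
    """Same filter as the C# snippet, but with the login escaped first."""
    return "(&(objectClass=Person)(uid=%s))" % escape_filter_value(login)

def _uid_regex(ldap_filter):
    """Toy evaluator for the uid assertion: '*' is a wildcard, '\\xx' a literal."""
    assertion = re.search(r"\(uid=([^)]*)\)", ldap_filter).group(1)
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]", assertion):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def subtree_search(base_dn, ldap_filter):
    """Stand-in for SearchScope.Subtree: DNs under base_dn whose uid matches."""
    rx = _uid_regex(ldap_filter)
    return [dn for dn, (uid, _) in DIRECTORY.items()
            if dn.endswith("," + base_dn) and rx.fullmatch(uid)]

def ldap_bind(dn, password):
    """Stand-in for an eDirectory simple bind, which needs the full DN."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def login_with_transform(login, password, transform="cn=$login$,ou=AD,ou=HV,o=ORG"):
    """The fixed-transform approach from the thread: one hard-coded OU."""
    return ldap_bind(transform.replace("$login$", login), password)

def search_then_bind(login, password, base_dn="o=ORG"):
    """Find the user anywhere under base_dn, then bind with the DN found.

    Returns the bound DN, or None when the login resolves to zero or several
    entries or the password is wrong, so every ambiguous case fails closed.
    """
    matches = subtree_search(base_dn, uid_filter(login))
    if len(matches) != 1:
        return None
    return matches[0] if ldap_bind(matches[0], password) else None
```

In a real deployment the search step should run under a dedicated read-only service account with a size limit of 2, and only the bind step uses the credentials the user typed.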
Permanently deleted user

Yeah, the Novell stuff is a bit different. For example, I can't keep the query empty because eDirectory doesn't understand sAMAccountName.

0

Right, but for my AD server bind works with DOMAIN\User.Name, without specifying full DN of logged in user.

0
Permanently deleted user

I guess it's just a difference between eDirectory and AD. All of the examples Novell provides show the need to provide a full DN.

0
Permanently deleted user

I can confirm that AD does not require a fully qualified DN to bind, while eDirectory does.

0

This is the root cause of our problems. I will try to figure something out, but not immediately.

0
