Adobe Community: LDAP set up with CQ 5.5

Currently Being Moderated

LDAP set up with CQ 5.5

Mar 26, 2012 5:56 AM

These instructions: http://dev.day.com/docs/en/cq/current/core/administering/ldap_authenti cation.html#Switching On LDAP Authentication does not seem to be updated for 5.5, because the file crx-quickstart\server\etc\ldap_login.conf does not exist(even the server directory does not exist). Could any one help?

5618 Views 33 Replies Latest reply: sBurogyne, Feb 18, 2013 12:51 PM

Replies

Currently Being Moderated

1. hypnotec,

Mar 26, 2012 7:11 AM in reply to Murali Vusthipalli

Report

see the user comment at the bottom of said documentation page:

"Upgaded a 5.4 instance to 5.5 and LDAP does not work right away. You need to provide the full path to the ldap_login.conf on the start script."

|
Mark as:
Currently Being Moderated

2. Murali Vusthipalli,

Mar 26, 2012 7:24 AM in reply to hypnotec

Report

Thanks Hypnotec

|
Mark as:
Currently Being Moderated

3. Murali Vusthipalli,

Mar 26, 2012 12:53 PM in reply to Murali Vusthipalli

Report

Also, http://dev.day.com/docs/en/cq/current/core/administering/ldap_authenti cation.html#Increase the logging level for LDAP to DEBUG. I can not find the file:crx-quickstart/server/runtime/0/_crx/WEB-INF/log4j.xml to debug the LDAP issues as server folder does not exist. Could you help me with this?

|
Mark as:
Currently Being Moderated

4. hypnotec,

Mar 26, 2012 12:59 PM in reply to Murali Vusthipalli

Report

again, the documentation is outdated. log levels are managed via the system console (e.g. http://localhost:4502/system/console/configMgr). consult the logging docs: http://dev.day.com/docs/en/cq/current/deploying/configure_logging.html - i think they're reasonably up to date for instance, add a logger for the ldap package.

|
Mark as:
Currently Being Moderated

5. Murali Vusthipalli,

Mar 27, 2012 5:56 AM in reply to hypnotec

Report

Based on the documentation(pasted below), I would need to know the name of the OSGI service for LDAP logging. Could you please help with the right name for this?
specify the OSGi services for which the Logger is to log messages; for example, all of the following:
org.apache.sling
org.apache.felix
com.day

|
Mark as:
Currently Being Moderated

6. Murali Vusthipalli,

Mar 27, 2012 6:00 AM in reply to Murali Vusthipalli

Report

Is this: com.day.crx.security.ldap.LDAPLoginModule the right one?

|
Mark as:
Currently Being Moderated

7. hypnotec,

Mar 27, 2012 6:00 AM in reply to Murali Vusthipalli

Report

it is the java package name of the login module as referenced in your JAAS configuration.

|
Mark as:
Currently Being Moderated

8. Murali Vusthipalli,

Mar 27, 2012 6:06 AM in reply to hypnotec

Report

Thanks for such a quick reply, hypnotec.... really appreciate it!

|
Mark as:
Currently Being Moderated

9. hypnotec,

Mar 27, 2012 6:06 AM in reply to Murali Vusthipalli

Report

yes, or just the package name to have all classes: com.day.crx.security.ldap

|
Mark as:
Currently Being Moderated

10. Murali Vusthipalli,

Mar 27, 2012 11:52 AM in reply to hypnotec

Report

My CQ instance is not coming up after I made changes to repository.xml and ldap_login.conf. Below is the error message that it is showing in error.log. I have configured a new logger for ldap, but it does not seem to have created, is it because CQ is down? Could you please help me? Thanks so much.

Exception in error.log:
27.03.2012 14:05:48.234 *ERROR* [FelixStartLevel] org.apache.jackrabbit.core.RepositoryImpl failed to start Repository: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx
          at org.apache.jackrabbit.core.DefaultSecurityManager.init(DefaultSecurit yManager.java:178)
          at org.apache.jackrabbit.core.UserPerWorkspaceSecurityManager.init(UserP erWorkspaceSecurityManager.java:107)
          at com.day.crx.core.CRXSecurityManager.init(CRXSecurityManager.java:39)
          at org.apache.jackrabbit.core.RepositoryImpl.initSecurityManager(Reposit oryImpl.java:463)
          at org.apache.jackrabbit.core.RepositoryImpl.<init>(RepositoryImpl.java: 324)
          at com.day.crx.core.CRXRepositoryImpl.<init>(CRXRepositoryImpl.java:283)
          at com.day.crx.core.CRXRepositoryImpl.create(CRXRepositoryImpl.java:258)
          at com.day.crx.core.CRXRepositoryImpl.create(CRXRepositoryImpl.java:243)
          at com.day.crx.sling.server.impl.jmx.ManagedRepository.activate(ManagedR epository.java:164)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at org.apache.felix.scr.impl.helper.BaseMethod.invokeMethod(BaseMethod.j ava:227)
          at org.apache.felix.scr.impl.helper.BaseMethod.access$500(BaseMethod.jav a:38)
          at org.apache.felix.scr.impl.helper.BaseMethod$Resolved.invoke(BaseMetho d.java:591)
          at org.apache.felix.scr.impl.helper.BaseMethod.invoke(BaseMethod.java:47 2)
          at org.apache.felix.scr.impl.helper.ActivateMethod.invoke(ActivateMethod .java:146)
          at org.apache.felix.scr.impl.manager.ImmediateComponentManager.createImp lementationObject(ImmediateComponentManager.java:226)
          at org.apache.felix.scr.impl.manager.ImmediateComponentManager.createCom ponent(ImmediateComponentManager.java:118)
          at org.apache.felix.scr.impl.manager.DelayedComponentManager.createRealC omponent(DelayedComponentManager.java:95)
          at org.apache.felix.scr.impl.manager.AbstractComponentManager$Registered .getService(AbstractComponentManager.java:1296)
          at org.apache.felix.scr.impl.manager.DelayedComponentManager.getService( DelayedComp

|
Mark as:
Currently Being Moderated

11. Ron @ SFU,

Mar 28, 2012 2:49 PM in reply to Murali Vusthipalli

Report

Hi Murali,

The problem is probably due to a misconfiguration in your ldap_login.conf or repository.xml file. Make sure your repository.xml is a valid XML (i.e. all tags, quotes are properly closed). If you're still having problems please post your repositor.xml and ldap_login.conf.

Hope this helps.
Ron

|
Mark as:
Currently Being Moderated

12. Murali Vusthipalli,

Mar 29, 2012 5:12 AM in reply to Ron @ SFU

Report

Hi Ron,

Thanks for your reply. Here are the configuration files. When I use an active directory client tool, it works fine.

ldap_login.conf:
com.day.crx {
   com.day.crx.core.CRXLoginModule sufficient;
   com.day.crx.security.ldap.LDAPLoginModule required
                principal_provider.name="RootDSE"
                principal_provider.class="com.day.crx.security.ldap.principals.LDAPPr incipalProvider"
              host="<MYLDAPHOST>"
              port="389"
              authDn="CN=Murali,OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com"
                authPw="March1234%"
              userRoot="OU=eBT,OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com"
                userIdAttribute="sAMAccountName"
                groupRoot="CN=eBT-IWOV,OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com"
                groupMembershipAttribute="member"
                autocreate="create"
              autocreate.path="none"
              autocreate.user.cn="rep:fullname"
              autocreate.user.mail="profile/email"
              autocreate.user.sn="profile/familyName"
              autocreate.user.givenName="profile/givenName"
              autocreate.group.cn="rep:fullname";
              autocreate.group.mail="profile/email"
              cache.expiration="7200"
              cache.maxsize="200"
};

repository.xml:
<!DOCTYPE Repository PUBLIC "-//Day Management AG//DTD CRX 2.4//EN"
                            "http://www.day.com/dtd/repository-2.4.dtd">
<Repository>
    
    
    <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
        <param name="path" value="${rep.home}/repository"/>
    </FileSystem>

    
    <DataStore class="com.day.crx.core.data.ClusterDataStore"/>

    
    <Security appName="com.day.crx">
        
        
        <SecurityManager class="com.day.crx.core.CRXSecurityManager">
            
            <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserM anager">
                <param name="usersPath" value="/home/users"/>
                <param name="groupsPath" value="/home/groups"/>
                <param name="defaultDepth" value="1"/>
                <param name="autoExpandTree" value="true"/>
                <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlA ction">
                  <param name="groupPrivilegeNames" value="jcr:read"/>
                  <param name="userPrivilegeNames" value="jcr:all"/>
                </AuthorizableAction>
                
            </UserManager>

            
        </SecurityManager>

        
        <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></Ac cessManager>
        
        
    </Security>

    
    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="crx.default" maxIdleTime="5"/>
    
    <Workspace name="${wsp.name}" simpleLocking="true">
        
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${wsp.home}"/>
        </FileSystem>

        
        <PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>

        
        <SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
            <param name="path" value="${wsp.home}/index"/>
            <param name="resultFetchSize" value="50"/>
        </SearchIndex>

        
        <WorkspaceSecurity>
            <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.acl.ACLProvi der">
                <param name="omit-default-permission" value="true"/>
            </AccessControlProvider>
        </WorkspaceSecurity>

        
        <Import>
            <ProtectedItemImporter class="org.apache.jackrabbit.core.xml.AccessControlImporter"/>
            <ProtectedItemImporter class="org.apache.jackrabbit.core.security.user.UserImporter">
                <param name="importBehavior" value="besteffort"/>
            </ProtectedItemImporter>
        </Import>
    </Workspace>

    
    <Versioning rootPath="${rep.home}/version">
        
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${rep.home}/version"/>
        </FileSystem>

        
        <PersistenceManager class="com.day.crx.persistence.tar.TarPersistenceManager"/>

    </Versioning>

    
    <SearchIndex class="com.day.crx.query.lucene.LuceneHandler">
        <param name="path" value="${rep.home}/repository/index"/>
    </SearchIndex>

    
    <Cluster>
        <Journal class="com.day.crx.persistence.tar.TarJournal"/>
    </Cluster>

    
    <Modules>
        
    </Modules>
</Repository>

|
Mark as:
249 posts
Nov 24, 2010

Currently Being Moderated

13. Justin Edelson,

Mar 29, 2012 5:43 AM in reply to Murali Vusthipalli

Report

Murali-
I believe you are missing a semi-colon after cache.maxsize="200" and there's an extra semi-colon after autocreate.group.cn="rep:fullname"

The semi-colon has to go at the end of the options, not in the middle.

I'm a bit surprised that JAAS isn't complaining about this with a meaningful (or even not-so meaningful) error message.

Justin

|
Mark as:
Currently Being Moderated

14. Murali Vusthipalli,

Mar 29, 2012 7:05 AM in reply to Justin Edelson

Report

Thanks Justin. My CQ instance is up and running now. I want to sync a user from LDAP to CQ, so with reference to the document: http://dev.day.com/docs/en/cq/current/core/administering/ldap_authenti cation.html#LDAP User Synchronization, I can't locate LDAP User Synchronization option in CRX explorer. Could you please help?

|
Mark as:
Currently Being Moderated

15. Ron @ SFU,

Mar 29, 2012 9:49 AM in reply to Murali Vusthipalli

Report

Hi Murali,

The documentation is outdated for 5.5. I haven't been able to find that feature in 5.5, but if your CQ instance is properly connected to your LDAP then you should just be able to login with your LDAP credentials. Since you have autocreate="create" within your ldap_login.conf file, it should automatically create/sync that account from LDAP to CQ.

Cheers,
Ron

|
Mark as:
Currently Being Moderated

16. Murali Vusthipalli,

Mar 29, 2012 10:05 AM in reply to Ron @ SFU

Report

Ron, I tried to login using my domain id, password with many different ways(id,name,lastname, firstname), but it does not work. I have also looked at /home/users and /home/groups, it does not have any domain ids there.

|
Mark as:
Currently Being Moderated

17. Ron @ SFU,

Mar 29, 2012 10:10 AM in reply to Murali Vusthipalli

Report

Any errors in the error.log? You may need to enable debug logging for LDAP to get more info. My guess CQ can't find the user in LDAP. The problem might be your values for 'userRoot' in your ldap_login.conf. From looking at your authDn "CN=Murali,OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com", I suspect your userRoot should be ""OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com". Give that a try.

|
Mark as:
Currently Being Moderated

18. Murali Vusthipalli,

Mar 29, 2012 10:19 AM in reply to Ron @ SFU

Report

You are right. After changing the userRoot, it started working. I am able to login using domain id/pwd. But the custom LDAP log file(that I created as mentioned in this thread above) is not created under logs or any where else under crx-quickstart.

|
Mark as:
Currently Being Moderated

19. Murali Vusthipalli,

Mar 29, 2012 10:34 AM in reply to Murali Vusthipalli

Report

That is working now, Ron. The log file path should not contain ".." in the path as in (../logs/ldap.log). Once I changed that to /logs/ldap.log, it started working.

Another question: On my ldap server, I have two locations where CQ users are created. How can I configure two locations in ldap_login.conf?
For ex:
userRoot: OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com and
OU=eBT,OU=ParkRidge,OU=Users Accounts and Groups,DC=us,DC=ad,DC=com

|
Mark as:
Currently Being Moderated

20. Ron @ SFU,

Mar 29, 2012 10:57 AM in reply to Murali Vusthipalli

Report

Glad it hear it's working now. As for different userRoots, not sure if you can use a more top level userRoot (e.g. DC=us,DC=ad,DC=com) with a userFilter. You may need to check with you LDAP admin. But you may be able to just simply setup this other userRoot as a separate LDAP server. Checkout this KB article - http://dev.day.com/content/kb/home/Crx/CrxSystemAdministration/HowToMu ltipleLdapServer.html

|
Mark as:
Currently Being Moderated

21. Murali Vusthipalli,

Mar 29, 2012 11:00 AM in reply to Ron @ SFU

Report

Thank you so much for the help!!

Sure, I will refer that KB article. One more observation is that after I login for the first time using the domain id, the documentation says that it will copy the LDAP groups to CRX. It did not happen even after I login multiple times. LDAP.log file does not show any messages related to that. Could you please help?

|
Mark as:
Currently Being Moderated

22. Ron @ SFU,

Mar 29, 2012 2:48 PM in reply to Murali Vusthipalli

Report

Problem seems to be your groupRoot of "CN=eBT-IWOV,OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com". I'm assuming your group ID/name is 'eBT-IWOV'. Since the default groupNameAttribute is "cn", try setting your groupRoot to "OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com". You will need to restart CQ for the changes take affect.

|
Mark as:
Currently Being Moderated

23. Murali Vusthipalli,

Mar 30, 2012 5:28 AM in reply to Ron @ SFU

Report

I have been assigned to multiple groups on active directory and eBT-IWOV is one of them. And OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com has lot of other groups under it. I am confused on how CQ works with LDAP actually - does it pull all the groups that the logged in user belongs to under the groupRoot? or when a user logs in, will it pull up all the groups under the groupRoot?

I have already tried groupRoot as OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com, but I don't see any groups created in CQ.

|
Mark as:
Currently Being Moderated

24. Ron @ SFU,

Mar 30, 2012 9:54 AM in reply to Murali Vusthipalli

Report

From my understanding, the way CQ's LDAPUserSync work is that it will import and create the LDAP groups that is under the defined groupRoot that that user is a member of. One problem is that CQ's LDAPUserSync isn't compatible with your LDAP Schema. We had this problem initially because of the way we were storing groups in LDAP.

We were initially storing our group information in an object which has a member of locally defined attributes and stores the members of the group in multi-valued "memberUid" attributes (e.g. Murali). CQ assumes that the value of the member attribute has the form of the fully qualified name (e.g. uid=Murali,OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com). So when it searches for group members it searches for "memberUid=uid=Murali,OU=Users Accounts (UnSorted),DC=us,DC=ad,DC=com" which produces no match.

Now, we have since changed our LDAP schema to match this, however, we are still unhappy with the CQ LDAPUserSync. Problem we have discovered is that when it creates CQ groups pulled from LDAP, it creates the group with the ID using the principal-name which is the full DN in LDAP. For example, it will actually create the LDAP group of eBT-IWOV as /home/groups/C/CN/CN=eBT-IWOV,OU=eBT,OU=User and Group Accounts,DC=us,DC=ad,DC=com (if using <param name="defaultDepth" value="3"/> for the com.day.crx.core.CRXUserManagerImpl in repository.xml). This is a problem for us because it would result in a very flat group hiearchy in the repository, creating 1000's of group records under the same node of /home/groups/C/CN/.

Since CRX2.2 (CQ5.4) the UserManager API has been updated to allow for creating groups with arbitrary groupd IDs (e.g. CN valud of the LDAP group). However, we were disappointed to discover that in 5.5 the LDAPUserSync hasn't been updated yet to make use of new API. So since 5.4, we've been managing groups manually using scripts and we automate the synching vai cron job.

Within the CQ Higher Education group, I don't believe anyone uses the LDAPUserSync for group integration simply because of its limitations.

|
Mark as:
Currently Being Moderated

25. Murali Vusthipalli,

Mar 30, 2012 10:58 AM in reply to Ron @ SFU

Report

Thanks for the such an useful information, Ron. From your experience, it would be great if you suggest an ideal LDAP schema for CQ needs? Do we have to create a special CQ LDAP group and then assign all users to that. And do we need to make sure that these LDAP user ids don't belong to any other LDAP groups?

|
Mark as:
Currently Being Moderated

26. C. Vozar - CITYTECH,

Mar 31, 2012 12:42 PM in reply to Murali Vusthipalli

Report

For new Adobe CQ5.5 users I feel this thread needs a bit of clarity on LDAP integration with CQ. I wrote a blog about the topic: http://www.citytechinc.com/us/en/blog/2012/03/adobe_cq5_5_and_ldap.htm l but will elaborate here.

The changes to LDAP setup between CQ 5.4 and 5.5 are minimal (and mainly just not particularly clear) but the documentation on the support site has yet to reflect it. In CQ 5.5 (a fresh install) you will not get a /crx-quickstart/server/etc/sample_ldap_login.conf file to modify. However, it's still appropriate to use in 5.5 as JAAS configs are a standard for the JVM. Also, beware if you enable JAAS in the quickstart script that comes with 5.5, it has an order of parameters issue and JAAS configs won't parse correctly, you'll need to specify the JAAS config prior to the -jar JVM option.

In short if you are a new CQ user to 5.5 and looking for LDAP integration simply use the sample on the support site but refernce the configuration in the JVM as a command-line option rather than trying to figure out why /server/etc no longer exists.

|
Mark as:
Currently Being Moderated

27. rguggenb,

Sep 12, 2012 2:39 AM in reply to C. Vozar - CITYTECH

Report

Hi,

I'm getting the following error after a login with correct credentials (authentication works):

java.lang.IllegalArgumentException: Invalid token ''
        at org.apache.jackrabbit.api.security.authentication.token.TokenCredenti als.(TokenCredentials.java:42)
        at com.day.crx.security.token.impl.TokenAuthenticationHandler.createCred entials(TokenAuthenticationHandler.java:528)
        at com.day.crx.security.token.impl.TokenAuthenticationHandler.extractCre dentials(TokenAuthenticationHandler.java:345)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtract Credentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.e xtractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        Truncated. see log file for complete stacktrace

Any ideas on how to troubleshoot?

|
Mark as:
Currently Being Moderated

28. kstailey,

Nov 15, 2012 8:16 AM in reply to rguggenb

Report

The invalid token error followed by empty single quotes '' is coming out of jackrabbit code that checks if the token is null or an empty string.

    if (token == null || token.length() == 0) {
            throw new IllegalArgumentException("Invalid token '" + token + "'");
    }

The way it works for me:

Log in as an administrator. I use admin
Delete any LDAP created test user account so logging in will be creating the account using LDAP.
Log into the the Felix (Web) Console as admin and keep this window open for the duration of this test.
Log out of CQ but not the Felix (Web) Console. Since the console uses HTTP basic auth you can do this.
Log out all users from CQ.
Use the Felix console CRX Login Tokens display to see that there are no tokens.
Configure CQ to use LDAP and try to log in to the test account that had no CQ account created yet.
The CQ will return error 500 as jackrabbit throws "Invalid token '' "
Your account will be created anyway from the LDAP data.
Use the Felix console CRX Login Tokens display to see that there is no token for your account.
Delete the cookie from your web browser with the host name of your CQ URL and the value "login-token".
Try to login to CQ using your LDAP account again. This time you will get a login token and things will be normal.

Why doesn't the first login attempt get a CRX Login Token?

|
Mark as:
Currently Being Moderated

29. kstailey,

Nov 15, 2012 2:51 PM in reply to kstailey

Report

Also the cookie that comes back on the first LDAP login that creates the QA account has three fields and the second one is not filled in.

The details of a sample cookie from the create followed by the cookie content from the second login:

b7649c06-ad22-4115-8947-773f030f5579::crx.default
b7649c06-ad22-4115-8947-773f030f5579:cbb60011-7526-4282-b89f-b44777def323_f9c7d8a78e20d620:crx.default

The LDAP login that creates the CQ account has a cookie with an empty second colon separated field. Most likely that field would have the CRX Login Token if there was one.

|
Mark as:
Currently Being Moderated

30. kstailey,

Nov 16, 2012 7:03 AM in reply to kstailey

Report

Tokens are stored in the user's home directory jcr node tree.

There is no home directory jcr node tree for an LDAP user that has never logged in. Autocreate mode specifies that the account is created on demand including the home directory.

If the user's LDAP CN is Adams\, Alice
and LDAP sAMAccountName is A-Adams

Then on the first login, autocreate causes these nodes to be created

/home/users/Adams\, Alice/A-Adams
/home/users/Adams\, Alice/A-Adams/profile
/home/users/Adams\, Alice/A-Adams/rep:policy
/home/users/Adams\, Alice/A-Adams/rep:policy/allow

What is not created is:

/home/users/Adams\, Alice/A-Adams/.tokens

I think that the routine that creates the .tokens node is executed prior to the one that creates the parent node of .tokens (in this case /home/users/Adams\, Alice/A-Adams). The result is that it fails to create the .tokens node.

The second LDAP login works, the home directory already exists and the .tokens node is created.

|
Mark as:
Currently Being Moderated

31. vijaynagpal,

Nov 19, 2012 1:30 AM in reply to Murali Vusthipalli

Report

Same problem here. First time login does not work for LDAP user because of blank token. Are there any workarounds/config changes that will help first-time login to succeed?

|
Mark as:
Currently Being Moderated

32. kstailey,

Nov 20, 2012 8:39 AM in reply to vijaynagpal

Report

If your LDAP (AD) user name contains upper case letters you must type them in exactly as they are in LDAP (AD) in order to avoid this error.

|
Mark as:
Currently Being Moderated

33. sBurogyne,

Feb 18, 2013 12:51 PM in reply to Ron @ SFU

Report

Hello Ron,

I have a similar problem, i have doublecheck with my repository.xml, it's exactly the same as Murali posted.. and my ldap_login.conf, i actually name my config file jaas.conf, here is the content of my jaas.conf:

com.day.crx {
             com.day.crx.core.CRXLoginModule sufficient;
          com.day.crx.security.ldap.LDAPLoginModule required
               principal_provider.class="com.day.crx.security.ldap.principals.LDAPPr incipalProvider"
               host="my ldap server"
               port="389"
               secure="false"
                                         authDn="cn=dcp,ou=users,o=com"
                                         authPw="XXXXXX"
               userRoot="ou=users,o=com"
                                         userFilter="(objectclass=user)"
                                         userIdAttribute="cn"
               groupRoot="ou=groups,o=com"
               groupMembershipAttribute="member"
               autocreate="create"
                                         autocreate.user.membership="contributor"
               autocreate.user.mail="profile/email"
               autocreate.user.givenname="profile/givenName"
              autocreate.user.sn="profile/familyName"
              autocreate.path="direct"
              cache.expiration="600"
              cache.maxsize="1000";
};

I tested the config by running the following comment:

java -Djava.security.auth.login.config=c:/cq/author/crx-quickstart/etc/jaas.conf -Xmx1024M -XX:MaxPermSize=256M -jar cq5-author-p4502.jar

I have been look at it for a day now and don't seem to figure out.. I am running CQ5.5 on my localhost. Any help will be great.

Thanks,
Silka B.

|
Mark as: