4 Replies Latest reply on Sep 7, 2012 1:31 PM by TaylorBastien

    How to configure LDAP/JAAS for CRX 2.3 (Granite 12.2.2)?

    TaylorBastien

      Over the last few days, I've burnt untold hours trying to get LDAP configured with CRX 2.3 (Granite 12.2.2 - the version of CRX 2.3 that comes "ADEP"-branded and is bundled with LiveCycle ES3) with no success. Thankfully I'm ahead on my overall schedule, otherwise I'd have put my head through a wall or something. If anybody out there has successfully configured CRX 2.3 to work with LDAP through Active Directory, please tell me how. I've never configured JAAS or LDAP or Active Directory before so there may well be a simple answer to my question (here's hoping there is). It's a great opportunity for someone out there to make a very grateful developer's day.


      I've followed the instructions at the main CRX docs page (http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html) and searched the internet for other tips and tricks and nothing seems to work. At one point, I did get DEBUG-level logging to indicate that the ldap_login.config file was being loaded, but that was probably 10 attempted configurations and three clean CRX re-installs ago. I've tried setting up a proxy between CRX and the LDAP server (as indicated on the docs site linked above) and nothing ever came through from CRX.

      I'm running on a Windows machine and have tried numerous variations on the "-Djava.security.auth.login.config=C:/Adobe/CRX/crx-quickstart/conf/ldap_login.conf" Java command-line argument. Is it forward slashes or back-slashes? Relative or full path? At this point, I'd like to think I've tried every possible variation, and I can barely see straight.

      Here's my (latest) <Security/> element from repository.xml:


      <Security appName="com.day.crx">
          <!--
              security manager:
              class: FQN of class implementing the JackrabbitSecurityManager interface
          -->
          <SecurityManager class="com.day.crx.core.CRXSecurityManager">
              <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
              <UserManager class="com.day.crx.core.CRXUserManagerImpl">
                  <param name="usersPath" value="/home/users"/>
                  <param name="groupsPath" value="/home/groups"/>
                  <param name="defaultDepth" value="1"/>
              </UserManager>
          </SecurityManager>
          <!--
              access manager:
              class: FQN of class implementing the AccessManager interface
          -->
          <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager>
      </Security>

      And the contents of my ldap_login.conf file:

      com.day.crx {
          com.day.crx.core.CRXLoginModule sufficient;
          com.day.crx.security.ldap.LDAPLoginModule required
              principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
              host="<our development Active Directory LDAP server>"
              port="389"
              secure="false"
              authDn="CN=ReadOnly,DC=services,DC=4PTSolutions,DC=local"
              authPw="<somePassword>"
              userRoot="OU=MRA-Users,OU=MRA,DC=services,DC=4PTSolutions,DC=local"
              groupRoot="OU=MRA-Groups,OU=MRA,DC=services,DC=4PTSolutions,DC=local"
              userFilter="(&(objectClass=user)(objectClass=person))"
              userIdAttribute="sAMAccountName"
              groupFilter="(objectClass=group)"
              groupMembershipAttribute="uniquemember"
              autocreate="create"
              autocreate.user.membership="contributor"
              autocreate.user.mail="rep:e-mail"
              autocreate.user.givenname="rep:givenName"
              autocreate.user.sn="rep:familyName"
              autocreate.user.cn="rep:fullname"
              autocreate.group.cn="rep:fullname"
              autocreate.path="direct"
              cache.expiration="7200"
              cache.maxsize="1000";
      };

      The current exception looks like this:

      05.09.2012 20:23:30.387 *ERROR* [FelixStartLevel] org.apache.jackrabbit.core.RepositoryImpl failed to start Repository: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx javax.jcr.RepositoryException: Neither JAAS nor RepositoryConfig contained a valid configuration for com.day.crx
                at org.apache.jackrabbit.core.DefaultSecurityManager.init(DefaultSecurityManager.java:178)
                at org.apache.jackrabbit.core.UserPerWorkspaceSecurityManager.init(UserPerWorkspaceSecurityManager.java:107)
                at com.day.crx.core.CRXSecurityManager.init(CRXSecurityManager.java:39)
                at org.apache.jackrabbit.core.RepositoryImpl.initSecurityManager(RepositoryImpl.java:463)
                at org.apache.jackrabbit.core.RepositoryImpl.<init>(RepositoryImpl.java:324)
      [...]


      Thanks a lot for any help you can provide.


      Taylor

        • 1. Re: How to configure LDAP/JAAS for CRX 2.3 (Granite 12.2.2)?
          Sham HC Level 7

          The ldap_login.conf & repository.xml look fine. Could you please try running with -nofork added to the startup parameters and verify.

          • 2. Re: How to configure LDAP/JAAS for CRX 2.3 (Granite 12.2.2)?
            TaylorBastien Level 1

            Hi Sham, Thank you for responding.

            The -nofork option didn't help. I also made sure that my JVM memory settings are high enough that it doesn't automatically fork the JVM.

            Does it matter that quickstart is running in 32-bit mode?

            Is the format of the path I'm using for the ldap_login.conf file correct (i.e. full path, slashes in the right direction)? It bothers me that I can't tell whether or not the JVM is picking up my JAAS configuration.

            Thanks,

            Taylor

            • 3. Re: How to configure LDAP/JAAS for CRX 2.3 (Granite 12.2.2)?
              Sham HC Level 7

              From the error it is certain that the JVM system property is not being picked up. Try starting the instance from the command prompt following the sample [1].

              [1] java -Djava.security.auth.login.config=C:\CQ55\author\crx-quickstart\bin\ldap_login.conf -jar cq55-author-4502.jar -nofork

              1 person found this helpful
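A way to answer "is the JVM picking up my JAAS configuration?" without involving CRX at all: this stand-alone Java class is an added example (not from the thread, Adobe or CRX) that is started with the same -Djava.security.auth.login.config flag and reports whether the file loads and whether it contains a com.day.crx entry. The class name JaasConfigCheck and the masking rule (any option whose name contains "pw") are my assumptions.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/*
 * Added diagnostic, not part of CRX. Run it with exactly the flag CRX is started with, e.g.
 *   java -Djava.security.auth.login.config=C:/Adobe/CRX/crx-quickstart/conf/ldap_login.conf JaasConfigCheck
 * An optional first program argument overrides the application name (default: com.day.crx).
 */
public class JaasConfigCheck {

    /** Returns true when the JVM can load the config and it contains an entry for appName. */
    static boolean report(String appName) {
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(appName);
        } catch (SecurityException e) {
            // Thrown when the file does not exist, is unreadable, or fails to parse
            System.out.println("JAAS configuration could not be loaded: " + e.getMessage());
            return false;
        }
        if (entries == null) {
            // The state behind "Neither JAAS nor RepositoryConfig contained a valid configuration"
            System.out.println("Config loaded but has no entry named '" + appName + "'");
            return false;
        }
        for (AppConfigurationEntry entry : entries) {
            System.out.println(entry.getLoginModuleName() + "  " + entry.getControlFlag());
            for (Map.Entry<String, ?> opt : entry.getOptions().entrySet()) {
                // Never echo bind credentials: mask any option whose name contains "pw"
                String value = opt.getKey().toLowerCase().contains("pw")
                        ? "********" : String.valueOf(opt.getValue());
                System.out.println("    " + opt.getKey() + " = " + value);
            }
            if ("false".equalsIgnoreCase(String.valueOf(entry.getOptions().get("secure")))) {
                System.out.println("    note: secure=false, so the authDn/authPw bind crosses the network unprotected");
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String appName = args.length > 0 ? args[0] : "com.day.crx";
        System.exit(report(appName) ? 0 : 1);
    }
}
```

If this prints the module list but CRX still fails, the path and slashes are fine and the problem lies elsewhere (the JVM accepts forward slashes in the property value on Windows); if it reports a load failure, the flag or file is what needs fixing.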
              • 4. Re: How to configure LDAP/JAAS for CRX 2.3 (Granite 12.2.2)?
                TaylorBastien Level 1

                Thanks a lot for your help, Sham.

                I spent an hour or two with our sysadmin yesterday, and the cause has been found. I'm glad it's over but wasn't very impressed when it turned out that the hostname used in the host entry was the cause. The host name was resolvable (e.g. using ping) but only worked with JAAS after the top-level child subdomain name was removed.


                i.e. serverx.4ptsolutions.local worked

                     serverx.services.4ptsolutions.local failed


                Both names resolve to the same IP address. Only the first one worked. In fact, it worked instantly on CRX re-start.


                So, the moral is: if you're setting up LDAP and getting this exception and every single thing in your setup is correct, it could be an obscure problem with your jaas configuration that's blowing things up.


                Thanks again.