LDAP Authentication

Mathew Allbright Feb 13, 2014 03:48PM UTC

We are in the process of configuring our new BES server so that users authenticate via LDAP; however, we are getting the below in the catalina_log when trying to test that authentication is working. Needless to say, we cannot log on:

Thu Feb 13 14:57:05 GMT 2014 UserAuth : Version : 4.0.0.2
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * Creating an Authenticated Bind to LDAP.
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * *****************************************
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG START bindToLdap()...
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: ldapHost = ldaps://adminldaps.nbsnet.co.uk
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: portNum = 636
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: bindDn = "CN=serviceaccountname,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk"
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: useSSL = true
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * Bind not created: The following error occured :
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * javax.naming.CommunicationException: simple bind failed: adminldaps.nbsnet.co.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: ctx = null
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG END bindToLdap()...
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * *****************************************
# tail -f Catalina_Log
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG START bindToLdap()...
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: ldapHost = ldaps://adminldaps.nbsnet.co.uk
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: portNum = 636
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: bindDn = "CN=serviceaccountname,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk"
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: useSSL = true
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * Bind not created: The following error occured :
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * javax.naming.CommunicationException: simple bind failed: adminldaps.nbsnet.co.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG: ctx = null
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * DEBUG END bindToLdap()...
Thu Feb 13 14:57:05 GMT 2014 UserAuth : * *****************************************
Thu Feb 13 15:01:10 GMT 2014 ppwcuserauth: * User Authentication v4.0.0.0
Thu Feb 13 15:01:10 GMT 2014 ConnectionUtil.dbConnect, v3.5.0.5.
Thu Feb 13 15:01:10 GMT 2014 Fetching DBInfo details...
Thu Feb 13 15:01:10 GMT 2014 DBInfo details are ha, port, user, pass : dvbesw02, 5000, ppadmin, *****.
Thu Feb 13 15:01:10 GMT 2014 ConnectionUtil.dbConnect, dbPort is 5000
Thu Feb 13 15:01:10 GMT 2014 ConnectionUtil.dbConnect, v3.5.0.5. Connecting to Sybase database URL = jdbc:sybase:Tds:dvbesw02:5000/besdb.
Thu Feb 13 15:01:10 GMT 2014 UserAuth : Version : 4.0.0.2
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * Creating an Authenticated Bind to LDAP.
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * *****************************************
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG START bindToLdap()...
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG: ldapHost = ldaps://adminldaps.nbsnet.co.uk
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG: portNum = 636
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG: bindDn = "CN=serviceaccountname,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk"
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG: useSSL = true
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * Bind not created: The following error occured :
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * javax.naming.CommunicationException: simple bind failed: adminldaps.nbsnet.co.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG: ctx = null
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * DEBUG END bindToLdap()...
Thu Feb 13 15:01:10 GMT 2014 UserAuth : * *****************************************

Are you able to help?

Regards



David Harwood Feb 14, 2014 09:51AM UTC Interlink Software Agent
Hi Mathew,

The error from the log above is down to java being unable to validate the SSL certificate. You need to ensure that the CA is installed in the cacerts for the java running tomcat.

For BES this would generally be the one defined by JAVA_HOME (if set), or the one visible on the system path.

Regards,
David
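To act on the answer above, the following is an added shell example (it is not part of this thread and not BES product code): it finds the cacerts of the JVM that Tomcat will run under, pulls the chain that adminldaps.nbsnet.co.uk:636 actually presents, checks it the way Java's PKIX validator will, and imports only the CA, never the server's own certificate. Assumed, and not stated in the thread: a Linux host with openssl and keytool on PATH, the default cacerts password changeit, and the alias nbsnet-admin-ca, which is made up.

```shell
#!/bin/sh
# Added example, not from the thread or the BES product. Assumed: Linux host,
# openssl and keytool on PATH, cacerts password "changeit" unless STOREPASS is set.

# The JVM Tomcat will use: JAVA_HOME if set, else the java on PATH with symlinks
# followed (/usr/bin/java -> /etc/alternatives/java -> <jvm>/bin/java).
jvm_home() {
  if [ -n "${JAVA_HOME:-}" ]; then
    printf '%s\n' "$JAVA_HOME"
    return 0
  fi
  bin=$(command -v java) || return 1
  bin=$(readlink -f "$bin")
  dirname "$(dirname "$bin")"
}

# cacerts inside a JVM home: a JDK 8 keeps it under jre/lib/security, a JRE or
# JDK 9+ under lib/security. Fails if neither exists, so a wrong JAVA_HOME is
# caught before keytool writes into a store Tomcat never reads.
cacerts_path() {
  for f in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Dump the chain the LDAPS server sends into chain-0.pem (server cert),
# chain-1.pem ... (CAs, highest number = last CA the server sent). Prints the
# file names; the root is often not sent at all, in which case the issuing CA
# must come from the directory team rather than from the wire.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/ { f = "chain-" n++ ".pem" }
           f { print > f }
           /-----END CERTIFICATE-----/ { close(f); f = "" }'
  ls chain-*.pem 2>/dev/null
}

# The fingerprint that must match what the directory team publishes before
# anything is imported: the wire alone cannot tell you the CA is the right one.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Pre-flight the check Java will do: does chain-0.pem validate up to the
# candidate anchor? -partial_chain lets an intermediate act as the anchor,
# which is also how Java treats any certificate entry in cacerts.
verify_chain() {
  anchor=$1; n=$2; untrusted=""; i=1
  while [ "$i" -lt $((n - 1)) ]; do
    untrusted="$untrusted -untrusted chain-$i.pem"; i=$((i + 1))
  done
  # shellcheck disable=SC2086
  openssl verify -partial_chain -CAfile "$anchor" $untrusted chain-0.pem
}

# Import one CA certificate after taking a rollback copy of the store.
import_ca() {
  store=$1; cafile=$2; alias=$3
  cp "$store" "$store.bak.$(date +%Y%m%d%H%M%S)"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$cafile" -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Usage: fix_ldaps_trust adminldaps.nbsnet.co.uk 636 nbsnet-admin-ca
# Runs in a subshell so the cd into the scratch directory does not leak.
fix_ldaps_trust() (
  host=$1; port=$2; alias=$3
  home=$(jvm_home) || { echo "no java found; set JAVA_HOME" >&2; exit 1; }
  store=$(cacerts_path "$home") || { echo "no cacerts under $home" >&2; exit 1; }
  work=$(mktemp -d) && cd "$work" || exit 1
  n=$(fetch_chain "$host" "$port" | wc -l)
  [ "$n" -ge 2 ] || { echo "server sent $n cert(s); get the issuing CA out of band" >&2; exit 1; }
  anchor="chain-$((n - 1)).pem"
  echo "candidate anchor: $(ca_fingerprint "$anchor")"
  echo "compare that fingerprint with the directory team's published value before continuing"
  verify_chain "$anchor" "$n" || exit 1
  import_ca "$store" "$anchor" "$alias" || exit 1
  keytool -list -keystore "$store" -storepass "${STOREPASS:-changeit}" -alias "$alias"
)
```

Two things to keep in mind when using it: the fix is to trust the CA, not to switch the Java client to a trust-all TrustManager or to import the server's leaf certificate (that stops working at the next renewal and teaches nothing about who issued it); and a JVM upgrade replaces cacerts, so either re-run the import after upgrades or point Tomcat at a separate truststore with -Djavax.net.ssl.trustStore in its JVM options.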
Mathew Allbright Feb 14, 2014 11:00AM UTC
Hi

I have added the CA to our keystore (cacerts) and this is working OK. However, although I can now authenticate via LDAP, I get the following message in the BSD:

User not assigned to a group. You could not be logged in because you are not assigned to a group.

As I was a new user, BES has created me as a user but I've not been assigned to the required group (BESadmin).

Also, I have populated the following parameters in the ppUserAuth.cfg as follows:

ShouldCreateUser=true
ShouldUpdateUserGroups=true

I'll attach the Catalina_Log and ppUserAuth.cfg for info.

Any ideas?

A quick response would be much appreciated as looking to nail this today!

Many thanks
David Harwood Feb 17, 2014 11:10AM UTC Interlink Software Agent
Hi Mathew,

After investigating this issue it seems that this is a bug with the BES LDAP integration. The issue is that BES is expecting the group name to consist of just BESadmin, but instead it’s got the full LDAP name:

CN=BESAdmin,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk

This is incorrect behaviour as the full LDAP name should then resolve down to the group name. To resolve the issue you need to upgrade the UserAuth class. An FTP link to download version 4.0.0.5 of the UserAuth class and install notes are below:

http://ftp.interlinksoftware.com/interlink/BES/LDAP/UserAuth_4.0.0.5.zip

To install:
1. Backup one of the existing versions from the two following locations just in case – both files should be the same
• $PPHOME/eScape/webapps/axis/WEB-INF/classes/userauthmanager
• $PPHOME/eScape/webapps/escapex/WEB-INF/classes/userauthmanager
2. Upload the new version to the following locations:
a) $PPHOME/eScape/webapps/axis/WEB-INF/classes/userauthmanager
b) $PPHOME/eScape/webapps/escapex/WEB-INF/classes/userauthmanager
3. A restart of the webclient via $PPHOME/bin/ppwcStop and ppwcStart is required for the changes to be picked up
4. For the configuration file ppUserAuth.cfg, the following changes are needed:
a) Add a new entry of : GroupSearchAttribute=memberOf
b) Change TheBESGroupAttribute to an attribute in the group e.g. TheBESGroupAttribute=name
5. Save the config, and login using the USER context should now work correctly.

Regards,
David
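The point of the answer above is that a memberOf value is a full DN, and what BES needs is the group's name. As an added example (not the UserAuth class, whose code is not on this page), this shell snippet shows the two ways of getting from one to the other: a local parse of the first RDN that respects RFC 4514 escaping, and the proper resolution, a base-scope ldapsearch on the DN for the attribute TheBESGroupAttribute=name points at. It also does the case-insensitive comparison that lets BESadmin match BESAdmin, and escapes the login name before it goes into a search filter. Assumed, and not stated in the thread: OpenLDAP's ldapsearch on PATH, sAMAccountName as the user lookup attribute, and a password file at a made-up path rather than a password on the command line.

```shell
#!/bin/sh
# Added example, not the BES UserAuth class. Assumptions (not in the thread):
# OpenLDAP ldapsearch on PATH, AD-style sAMAccountName logins, and the service
# account password in the file named by BIND_PW_FILE so it never shows in ps.
LDAP_URL=${LDAP_URL:-ldaps://adminldaps.nbsnet.co.uk:636}
BIND_DN=${BIND_DN:-"CN=serviceaccountname,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk"}
BASE_DN=${BASE_DN:-DC=admin,DC=nbsnet,DC=co,DC=uk}
BIND_PW_FILE=${BIND_PW_FILE:-/etc/bes/ldap.pw}   # hypothetical path

# Value of the first RDN: "CN=BESAdmin,OU=BES,...,DC=uk" -> "BESAdmin".
# Walks the string one character at a time so an RFC 4514 escaped comma
# ("CN=Admins\, BES,...") stays inside the value instead of truncating it.
# Hex escapes such as \2C are not decoded here.
rdn_value() {
  rest=${1#*=}                 # drop the attribute type and "="
  out=""
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}      # first character of $rest
    rest=${rest#?}
    case $c in
      \\) c=${rest%"${rest#?}"}; rest=${rest#?} ;;   # escaped: take next char literally
      ,)  break ;;
    esac
    out="$out$c"
  done
  printf '%s\n' "$out"
}

# RFC 4515 escaping for a value placed inside a search filter, so a login name
# such as "*" or "x)(memberOf=*" cannot widen the query.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# memberOf DNs of a user: what GroupSearchAttribute=memberOf makes BES read.
user_member_of() {
  ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$BASE_DN" "(sAMAccountName=$(ldap_filter_escape "$1"))" memberOf \
    | sed -n 's/^memberOf: //p'
}

# The resolution the answer describes: a base-scope read of the group entry
# for the attribute that TheBESGroupAttribute=name points at.
group_name_via_ldap() {
  ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$1" -s base '(objectClass=*)' name | sed -n 's/^name: //p'
}

# True if one of the DNs in $1 (newline separated) names the group $2.
# Case-insensitive, as AD names are; the thread itself writes the group as
# both BESadmin and BESAdmin.
in_group() {
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  old_ifs=$IFS
  IFS='
'
  for dn in $1; do
    got=$(rdn_value "$dn" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$want" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# Usage against the directory (not run here):
#   in_group "$(user_member_of mallbright)" BESadmin && echo "allowed"
#   group_name_via_ldap "CN=BESAdmin,OU=BES,OU=Application Servers,OU=Servers,DC=admin,DC=nbsnet,DC=co,DC=uk"
```

The local parse is enough to confirm what the log shows (the DN's CN is BESAdmin), but the ldapsearch path is the one that matches the configured attribute and survives a group whose CN and name differ; whichever is used, the comparison must be made against the resolved name, and the login name must be escaped before it is interpolated into the filter.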
