LDAP login issues in dotcms 2.5.1


Bart Plasmans

Mar 12, 2014, 7:56:56 AM
to dot...@googlegroups.com
Hi,

We are having issues when enabling LDAP on dotCMS 2.5.1.

This is our configuration of the portal-ext.properties file, which worked in previous versions:

# LDAP (LDAP Servers)
# once a user is authenticated, LDAP will query the user and pull a list
# of groups that the user belongs to 
# These groups will be created in the CMS on the fly and the CMS user will
# be associated with them.
auth.pipeline.pre=com.dotcms.enterprise.LDAPProxy
auth.impl.ldap.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory

# Set SSL if you are using LDAPS  or leave blank
auth.impl.ldap.security.authentication=

# set path to keystore with root server cert imported or leave blank 
auth.impl.ldap.security.keystore.path=
auth.impl.ldap.host=172.17.1.1
auth.impl.ldap.port=389

# should be full dn of user
auth.impl.ldap.userid=xxxxxx
auth.impl.ldap.password=xxxxxx
auth.impl.ldap.domainlookup=OU=Users,OU=ISAAC,DC=isaac,DC=local
auth.impl.build.groups=true
auth.impl.ldap.build.group.name.filter=^ldap_dotCMS_(.*)

# Prefix the dotcms should strip from group name.  Leave blank to not strip any prefix.
auth.impl.ldap.build.group.name.filter.strip=ldap_dotCMS_

# If you set this to false, any user created from LDAP will not be able to log into the dotCMS if LDAP is not available.
auth.impl.ldap.syncPassword=true
# The following attributes can be used to match up dotCMS user properties to LDAP Attributes.  Uncomment all attributes.
# If you leave the attribute blank then it will not be synced from LDAP. 
# NOTE:  YOU CANNOT HAVE A GROUP NAME WITH A "=" IN IT 
auth.impl.ldap.attrib.user=mail
auth.impl.ldap.attrib.firstName=givenName
auth.impl.ldap.attrib.middleName=middleName
auth.impl.ldap.attrib.lastName=sn
auth.impl.ldap.attrib.nickName=
auth.impl.ldap.attrib.email=mail
auth.impl.ldap.attrib.gender=
auth.impl.ldap.attrib.group=memberOf


When we try to login we get the following error in the log:

[12/03/14 09:11:27:761 CET]  INFO enterprise.LDAPImpl: User bart.p...@isaac.nl logged in
[12/03/14 09:11:27:817 CET]  INFO enterprise.LDAPImpl: User bart.p...@isaac.nl logged in
[12/03/14 09:11:28:045 CET]  INFO enterprise.LDAPImpl: User bart.p...@isaac.nl logged in
[12/03/14 09:11:28:075 CET]  WARN util.JDBCExceptionReporter: SQL Error: 0, SQLState: 23505
[12/03/14 09:11:28:075 CET] ERROR util.JDBCExceptionReporter: ERROR: duplicate key value violates unique constraint "users_cms_roles_parent1"
  Detail: Key (role_id, user_id)=(742c9eb3-8651-4df4-b1dc-00c8c64aee4f, dotcms.org.2836) already exists.
[12/03/14 09:11:28:076 CET] ERROR impl.SessionImpl: Could not synchronize database state with session
[12/03/14 09:11:28:076 CET] ERROR enterprise.LDAPImpl: Unable to add user dotcms.org.2836 to LDAP User role
com.dotmarketing.exception.DotHibernateException: Unable to save Object to Hibernate Session
        at com.dotmarketing.db.HibernateUtil.save(HibernateUtil.java:453)
        at com.dotmarketing.business.RoleFactoryImpl.addRoleToUser(RoleFactoryImpl.java:236)
        at com.dotmarketing.business.RoleAPIImpl.addRoleToUser(RoleAPIImpl.java:178)
        at com.dotcms.enterprise.BaseAuthenticator.b(SourceFile:277)
        at com.dotcms.enterprise.BaseAuthenticator.a(SourceFile:170)
        at com.dotcms.enterprise.BaseAuthenticator.authenticateByEmailAddress(SourceFile:115)
        at com.dotcms.enterprise.LDAPProxy.authenticateByEmailAddress(SourceFile:24)
        at com.dotcms.enterprise.AuthPipelineImpl.a(SourceFile:103)
        at com.dotcms.enterprise.AuthPipelineImpl.a(SourceFile:45)
        at com.dotcms.enterprise.AuthPipeProxy.authenticateByEmailAddress(SourceFile:13)
        at com.liferay.portal.ejb.UserManagerImpl._authenticate(UserManagerImpl.java:654)
        at com.liferay.portal.ejb.UserManagerImpl.authenticateByEmailAddress(UserManagerImpl.java:101)
        at com.liferay.portal.ejb.UserManagerUtil.authenticateByEmailAddress(UserManagerUtil.java:70)
        at com.liferay.portal.action.LoginAction._login(LoginAction.java:195)
        at com.liferay.portal.action.LoginAction.execute(LoginAction.java:100)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
        at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:157)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:275)
        at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:501)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.liferay.filters.secure.SecureFilter.doFilter(SecureFilter.java:135)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.dotmarketing.cms.urlmap.filters.URLMapFilter.doFilter(URLMapFilter.java:85)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.dotmarketing.filters.TimeMachineFilter.doFilter(TimeMachineFilter.java:162)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at nl.isaac.dotcms.duurzamereten.filter.RequestStoringFilter.doFilter(RequestStoringFilter.java:25)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at nl.isaac.dotcms.mobilesite.filter.MobileUserAgentRedirectFilter.doFilter(MobileUserAgentRedirectFilter.java:78)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at nl.isaac.dotcms.plugin.configuration.filter.RequestStoringFilter.doFilter(RequestStoringFilter.java:37)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.dotmarketing.filters.CharsetEncodingFilter.doFilter(CharsetEncodingFilter.java:146)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:662)
Caused by: net.sf.hibernate.exception.ConstraintViolationException: could not insert: [com.dotmarketing.business.UsersRoles#13555e5d-5182-4125-8d60-0c6f649f1d5c]
        at net.sf.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:62)
        at net.sf.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:29)
        at net.sf.hibernate.persister.AbstractEntityPersister.convert(AbstractEntityPersister.java:1331)
        at net.sf.hibernate.persister.EntityPersister.insert(EntityPersister.java:472)
        at net.sf.hibernate.persister.EntityPersister.insert(EntityPersister.java:436)
        at net.sf.hibernate.impl.ScheduledInsertion.execute(ScheduledInsertion.java:37)
        at net.sf.hibernate.impl.SessionImpl.execute(SessionImpl.java:2449)
        at net.sf.hibernate.impl.SessionImpl.executeAll(SessionImpl.java:2435)
        at net.sf.hibernate.impl.SessionImpl.execute(SessionImpl.java:2392)
        at net.sf.hibernate.impl.SessionImpl.flush(SessionImpl.java:2261)
        at com.dotmarketing.db.HibernateUtil.save(HibernateUtil.java:451)
        ... 73 more
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "users_cms_roles_parent1"
  Detail: Key (role_id, user_id)=(742c9eb3-8651-4df4-b1dc-00c8c64aee4f, dotcms.org.2836) already exists.
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeUpdate(AbstractJdbc2Statement.java:334)
        at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:102)
        at net.sf.hibernate.impl.NonBatchingBatcher.addToBatch(NonBatchingBatcher.java:22)
        at net.sf.hibernate.persister.EntityPersister.insert(EntityPersister.java:462)
        ... 80 more
[12/03/14 09:11:28:819 CET]  INFO business.DotGuavaCacheAdministratorImpl: ***   Building Cache : logmappercache, size:10, toDisk:false,Concurrency:32
[12/03/14 09:11:32:813 CET] ERROR business.HostAPIImpl: User dotcms.org.default does not have permission to host:www.severinus.nl
[12/03/14 09:11:34:099 CET] ERROR business.HostAPIImpl: User dotcms.org.default does not have permission to host:www.severinus.nl
(END)

It says I don't have any permissions to the host I'm trying to log in to, but if we remove the plugin, I can log in just fine.
Can anyone help us out here?

Greetings,
Bart Plasmans
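
The log above carries the whole story in four lines: SQLState 23505 (PostgreSQL unique violation), the constraint name, the (role_id, user_id) pair that already existed, and the LDAPImpl message naming the role it was trying to add. The following is an added example, not dotCMS code, that pulls those fields out of a pasted dotCMS log so the affected user and role can be read off without scrolling through the stack trace; the sample input is the log quoted in this post, trimmed to the relevant lines, and the regular expressions are assumptions about the message formats seen here.

```python
import re
from typing import Optional

# Sample input: the log lines quoted in the post above, trimmed to the ones
# that matter for triage (the Hibernate/Tomcat stack frames are left out).
SAMPLE_LOG = """\
[12/03/14 09:11:27:761 CET]  INFO enterprise.LDAPImpl: User bart.p...@isaac.nl logged in
[12/03/14 09:11:28:075 CET]  WARN util.JDBCExceptionReporter: SQL Error: 0, SQLState: 23505
[12/03/14 09:11:28:075 CET] ERROR util.JDBCExceptionReporter: ERROR: duplicate key value violates unique constraint "users_cms_roles_parent1"
  Detail: Key (role_id, user_id)=(742c9eb3-8651-4df4-b1dc-00c8c64aee4f, dotcms.org.2836) already exists.
[12/03/14 09:11:28:076 CET] ERROR impl.SessionImpl: Could not synchronize database state with session
[12/03/14 09:11:28:076 CET] ERROR enterprise.LDAPImpl: Unable to add user dotcms.org.2836 to LDAP User role
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "users_cms_roles_parent1"
  Detail: Key (role_id, user_id)=(742c9eb3-8651-4df4-b1dc-00c8c64aee4f, dotcms.org.2836) already exists.
[12/03/14 09:11:32:813 CET] ERROR business.HostAPIImpl: User dotcms.org.default does not have permission to host:www.severinus.nl
"""

# Patterns are assumptions derived from the message formats in the post.
SQLSTATE_RE = re.compile(r"SQLState: (?P<state>\d{5})")
DUP_KEY_RE = re.compile(r'duplicate key value violates unique constraint "(?P<constraint>[^"]+)"')
KEY_DETAIL_RE = re.compile(r"Key \((?P<cols>[^)]+)\)=\((?P<vals>[^)]+)\) already exists")
ROLE_FAIL_RE = re.compile(r"ERROR enterprise\.LDAPImpl: Unable to add user (?P<user>\S+) to (?P<role>.+) role$")
HOST_PERM_RE = re.compile(r"ERROR business\.HostAPIImpl: User (?P<user>\S+) does not have permission to host:(?P<host>\S+)")


def triage_ldap_login(log_text: str) -> dict:
    """Extract the fields needed to explain a failed LDAP login from a dotCMS log."""
    result = {
        "sqlstates": [],               # every SQLState reported by JDBCExceptionReporter
        "duplicate_key": None,         # {"constraint": ..., "role_id": ..., "user_id": ...}
        "role_failures": [],           # [(user_id, role_name), ...] from LDAPImpl
        "host_permission_denied": [],  # [(user_id, host), ...] from HostAPIImpl
    }
    for line in log_text.splitlines():
        m = SQLSTATE_RE.search(line)
        if m:
            result["sqlstates"].append(m.group("state"))

        # The same PostgreSQL error is logged twice (reporter + "Caused by"),
        # so only the first occurrence is recorded.
        m = DUP_KEY_RE.search(line)
        if m and result["duplicate_key"] is None:
            result["duplicate_key"] = {"constraint": m.group("constraint")}

        m = KEY_DETAIL_RE.search(line)
        if m and result["duplicate_key"] is not None and "user_id" not in result["duplicate_key"]:
            cols = [c.strip() for c in m.group("cols").split(",")]
            vals = [v.strip() for v in m.group("vals").split(",")]
            result["duplicate_key"].update(dict(zip(cols, vals)))

        m = ROLE_FAIL_RE.search(line)
        if m:
            result["role_failures"].append((m.group("user"), m.group("role")))

        m = HOST_PERM_RE.search(line)
        if m:
            result["host_permission_denied"].append((m.group("user"), m.group("host")))
    return result


def affected_user(result: dict) -> Optional[str]:
    """Return the user id when the duplicate key and the LDAPImpl failure agree on it."""
    dup = result["duplicate_key"]
    if not dup or "user_id" not in dup:
        return None
    for user, _role in result["role_failures"]:
        if user == dup["user_id"]:
            return user
    return None


def summarize(result: dict) -> str:
    """One-line reading of the triage for a ticket or chat reply."""
    dup = result["duplicate_key"]
    user = affected_user(result)
    if dup and user:
        roles = ", ".join(role for u, role in result["role_failures"] if u == user)
        return (f"user {user} already holds role {dup.get('role_id')} "
                f"(constraint {dup['constraint']}); adding '{roles}' again failed")
    return "no duplicate role assignment found"


if __name__ == "__main__":
    print(summarize(triage_ldap_login(SAMPLE_LOG)))
```

The later HostAPIImpl lines name a different user id (dotcms.org.default) than the one whose role assignment failed, which is worth keeping in the summary: it shows the request continued after the login pipeline threw, so the "no permission to host" error is a consequence of the earlier failure rather than a separate permissions problem.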


Jason Tesser

Mar 12, 2014, 7:59:05 AM
to dot...@googlegroups.com
I think you have a local user in dotCMS that is NOT an LDAP user, but he matches the userID of the user coming from LDAP.

Bart Plasmans

Mar 12, 2014, 8:19:25 AM
to dot...@googlegroups.com
Hi Jason,

There is one user with my email address, and it has the roles "LDAP user" and "CMS Administrator"; that's the way it's supposed to be set up, correct?

Bart

Jason Tesser

Mar 12, 2014, 8:24:37 AM
to dot...@googlegroups.com
Yes, for some reason it is not deleting your roles when you log in via LDAP. Make sure you do NOT have LDAP User in LDAP itself.
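
Jason's reply points at a name collision: "LDAP User" is a role dotCMS already has, so an LDAP group whose name maps to it (or, per the note in the properties file, a group name containing "=") would run into the unique constraint seen in the log. The following is an added example, not dotCMS code, for auditing a user's memberOf values before enabling LDAP. It assumes dotCMS takes the group name from the CN of each memberOf DN, keeps only the names matching auth.impl.ldap.build.group.name.filter, and then removes auth.impl.ldap.build.group.name.filter.strip; the filter and prefix values are the ones from the properties file in the first post, the memberOf values are constructed for the example, and the set of existing role names is limited to the two named in this thread.

```python
import re

# Values taken from the portal-ext.properties quoted in the first post.
GROUP_NAME_FILTER = r"^ldap_dotCMS_(.*)"
GROUP_NAME_STRIP = "ldap_dotCMS_"

# Assumption: role names that already exist in dotCMS. Only the two roles
# named in this thread are listed; a real audit would load the full role list.
EXISTING_ROLE_NAMES = {"LDAP User", "CMS Administrator"}

# Constructed sample memberOf values for one user, modelled on the
# OU=...,DC=isaac,DC=local naming in the post.
SAMPLE_MEMBER_OF = [
    "CN=ldap_dotCMS_Editors,OU=Groups,DC=isaac,DC=local",
    "CN=ldap_dotCMS_LDAP User,OU=Groups,DC=isaac,DC=local",    # collides with built-in role
    "CN=ldap_dotCMS_Region\\=EU,OU=Groups,DC=isaac,DC=local",  # '=' in the group name
    "CN=Domain Users,CN=Users,DC=isaac,DC=local",              # does not match the filter
]


def first_rdn_value(dn: str) -> str:
    """Return the value of the first RDN of a DN (the CN of a group entry).

    Handles RFC 4514 backslash escapes such as "\\," and "\\=" so that a comma
    or equals sign inside the group name does not cut the value short.
    """
    i = dn.find("=")
    if i < 0:
        return dn
    value, i = [], i + 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep the next one literally
            value.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the first RDN
            break
        value.append(ch)
        i += 1
    return "".join(value)


def derive_role_names(member_of, name_filter=GROUP_NAME_FILTER, strip=GROUP_NAME_STRIP):
    """Map memberOf DNs to the role names dotCMS would create (assumed mapping)."""
    pattern = re.compile(name_filter)
    roles = []
    for dn in member_of:
        cn = first_rdn_value(dn)
        if not pattern.search(cn):
            continue                          # group is not intended for dotCMS
        name = cn[len(strip):] if strip and cn.startswith(strip) else cn
        roles.append(name)
    return roles


def audit_roles(roles, existing=EXISTING_ROLE_NAMES):
    """Report derived role names that would break the sync: '=' or an existing name."""
    problems = []
    for name in roles:
        if "=" in name:
            problems.append((name, "contains '='"))
        if name in existing:
            problems.append((name, "collides with an existing dotCMS role"))
    return problems


if __name__ == "__main__":
    names = derive_role_names(SAMPLE_MEMBER_OF)
    print("roles to be created:", names)
    for name, why in audit_roles(names):
        print(f"  rename LDAP group for '{name}': {why}")
```

Running the audit against each LDAP user who will log in (with the real list of dotCMS role names in place of the two-entry set) before turning on auth.pipeline.pre gives a rename list instead of a duplicate-key error at first login.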

Bart Plasmans

Mar 12, 2014, 8:36:08 AM
to dot...@googlegroups.com
Thank you, Jason. I'm going to check our LDAP users to see if it's in there.