LDAP help needed.


graf....@mayo.edu

Jul 29, 2015, 3:50:35 PM7/29/15
to i2b2 Install Help
I am attempting to enable LDAP authentication for i2b2 signon for one user id, my own. These are my settings:

authentication_method    LDAP
connection_url           ldap://mfadldap.mfad.mfroot.org:389
search_base              dc=mfad,dc=mfroot,dc=org
distinguished_name       CN=M094076,OU=Users,OU=MCR,DC=mfad,DC=mfroot,DC=org
security_authentication  simple

This is the error I am getting back:
11:36:07,944 ERROR [edu.harvard.i2b2.pm.delegate.ServicesHandler] (Thread-277) [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
11:36:07,944 ERROR [stderr] (Thread-277) java.lang.Exception: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

52e = invalid credentials


I have run the values by my LDAP administrator and he says they look good.
If I supply the same values to an LDAP explorer tool I make a good connection.
Why is i2b2 unable to make a connection? How can I further isolate the error?

I eventually want to set the LDAP authentication up on the Hive Global Params.
What value do I set the parameter distinguished_name to? The documentation doesn't explain the difference between "cuser", "dn", or "uid".

Riyaz Moosa

Jul 29, 2015, 10:56:54 PM7/29/15
to i2b2 Install Help, graf....@mayo.edu
We had to make a few changes in the SecurityAuthenticationLDAP.java file, apart from the settings below on the PM table, for LDAP to work. I have attached a customized copy we are using. You might want to check that out.

Riyaz
SecurityAuthenticationLDAP.java

TJ Colvin

Aug 5, 2015, 4:18:35 PM8/5/15
to i2b2 Install Help
i2b2 builds a principalName value that it submits to the LDAP server for authentication:

principalName = dn + username + "," + searchBase

Think of distinguished_name as a prefix for your username, and search_base as the suffix. Based on your values, it looks like:

distinguished_name = 'CN='
search_base = 'OU=Users,OU=MCR,DC=mfad,DC=mfroot,DC=org'


graf....@mayo.edu

Aug 6, 2015, 11:36:18 AM8/6/15
to i2b2 Install Help

Thanks to Riyaz and TJ for their suggestions and help! I think I finally got LDAP working.

  • My first problem was not knowing how the principalName was built from the supplied parameters. TJ was correct:
    principalName = distinguished_name + username + "," + search_base

    Setting my values to the following was the solution. The i2b2 documentation doesn't even show 'CN=' as an option for distinguished_name.
    distinguished_name = 'CN='
    search_base = 'OU=Users,OU=MCR,DC=mfad,DC=mfroot,DC=org'
  • My second problem was enabling LDAP authentication on a global basis rather than on a per-person basis. The documentation is again misleading. It shows you using the ADMIN web client and adding those values under "Manage Hive" - "Global Params". Using the GUI, the values get stored in the PM_GLOBAL_PARAMS table. Unfortunately the user authentication code looks for those values in the PM_HIVE_PARAMS table. I had to manually insert all the LDAP parameters into the PM_HIVE_PARAMS table; once that was done, LDAP worked correctly on a global basis.
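As an added example (not code from the thread, from i2b2, or from Riyaz's attached file), the script below reproduces the principalName construction TJ described and the final post confirmed, lints the three PM parameters before they go into PM_HIVE_PARAMS, and decodes the Active Directory "data NNN" sub-code from the error line quoted in the first post. Two things it adds that the thread does not spell out: the sub-code table is general AD behaviour (not from the thread), and because i2b2 concatenates the raw username into the bind DN, a username containing RFC 4514 special characters such as "," or "=" would change the shape of the DN, so the linter rejects such usernames. All function names and the constructed sample values are my own.

```python
"""Reproduce i2b2's LDAP principalName construction and lint the PM parameters.

Added example; the DN formula is the one described in the thread, the AD
sub-code table and the RFC 4514 special-character check are general knowledge.
"""
import re

# Active Directory sub-codes that follow LDAP result 49 (invalidCredentials) as
# "AcceptSecurityContext error, data NNN". Well-known values, not from the thread.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or the bind DN does not exist)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Characters that must be escaped inside an RDN value (RFC 4514). A username
# containing any of them would alter the DN that i2b2 builds by concatenation.
DN_SPECIALS = set(',+"\\<>;=')


def decode_ad_error(log_line):
    """Extract the 'data NNN' sub-code from an AD bind failure and explain it."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]{3})", log_line)
    if not m:
        return None
    code = m.group(1)
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def build_principal_name(distinguished_name, username, search_base):
    """principalName = distinguished_name + username + "," + search_base."""
    return distinguished_name + username + "," + search_base


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. Deliberately naive (no escape
    handling); sufficient for linting static configuration values."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def lint_ldap_params(distinguished_name, search_base, username):
    """Return a list of problems with the PM LDAP parameters; empty means OK."""
    problems = []
    # distinguished_name is a prefix such as 'CN=' or 'uid=', never a full DN.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=", distinguished_name):
        problems.append("distinguished_name must be a bare attribute prefix "
                        "such as 'CN=' or 'uid=', not a full DN")
    # search_base must itself be a DN (the container holding the user objects).
    base_rdns = None
    try:
        base_rdns = parse_dn(search_base)
    except ValueError as exc:
        problems.append(f"search_base is not a DN: {exc}")
    # The username is spliced into the DN verbatim, so refuse DN metacharacters.
    bad = sorted(DN_SPECIALS.intersection(username))
    if bad or username != username.strip():
        problems.append(f"username contains DN-special characters {bad} or "
                        "surrounding spaces and would alter the bind DN")
    if not problems:
        rdns = parse_dn(build_principal_name(distinguished_name, username, search_base))
        if rdns[0][1] != username or rdns[1:] != base_rdns:
            problems.append("built DN is not '<prefix><username>,<search_base>'")
    return problems


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's before/after settings.
    base = "OU=Users,OU=MCR,DC=mfad,DC=mfroot,DC=org"
    print(build_principal_name("CN=", "M094076", base))
    print(lint_ldap_params("CN=M094076," + base, "dc=mfad,dc=mfroot,dc=org", "M094076"))
    print(lint_ldap_params("CN=", base, "M094076"))
    print(decode_ad_error("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                          "comment: AcceptSecurityContext error, data 52e, v1db1 ]"))
```

Run it with the first post's original settings and the linter reports that distinguished_name is a full DN rather than a prefix; with the corrected settings it returns no problems and the built DN is exactly the user's entry. Note that the linter cannot tell whether search_base is the right container: with 'CN=' and the domain root as search_base, the built DN would be well-formed but point at a nonexistent entry, which is why the fix also moved search_base to the OU holding the user objects.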




