[pwm-general] pwm Active Directory Integration


Shay

Apr 30, 2010, 6:25:46 PM
to pwm-general
Hello,

I am attempting to set up pwm for the first time against an Active
Directory. I've followed the Admin Guide and am struggling with the
proper LDAP syntax for ldapProxyDN, pwmAdmin.queryMatch, and
ldapContextlessLoginRoot. I realize I'm probably missing something
very basic that you experts hopefully will be able to identify. The
AD structure looks something like this:

DC=system,DC=mycompany,DC=com
OU=OUParentName01
OU=OUParentName02
CN=MyName

DN=CN=MyName,OU=OUParentName02,OU=OUParentName01,DC=system,DC=mycompany,DC=com

For my ldapProxyDN I've put the following in pwmServlet.properties:
ldapProxyDN=cn=Clinitraq User
Administrator,cn=Users,o=system.mycompany.com

I'm fairly confident that this is the wrong syntax. After starting
Tomcat6 on Ubuntu 9.10, I receive "The PWM configuration is missing or
invalid. Check the error log." The Tomcat log output is as follows:

Apr 30, 2010 9:57:04 PM org.apache.catalina.core.StandardContext
listenerStop
SEVERE: Exception sending context destroyed event to listener instance
of class password.pwm.EventManager
java.lang.NullPointerException

Any guidance you're able to provide would be much appreciated!

Best,
Shay

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pwm-general?hl=en.

Jason Rivard

Apr 30, 2010, 6:29:55 PM
to pwm-g...@googlegroups.com
First off, thanks for reposting... I accidentally marked your first
post as spam and was horrified to discover there is no undo...

For admin DN it's easier to use the UPN format, which I think would be like:

MyN...@system.mycompany.com

It's always painful to figure out user DNs in AD; for me anyway.

To catch pwm errors, you need to make sure pwm log level is set to
"TRACE" in the log4jconfig.xml and then look at tomcat's catalina.out
log file.
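The two identifier forms discussed above (an AD-style distinguished name versus the user@domain UPN form) are easy to get wrong by hand, and the first attempt in this thread uses an `o=` suffix that AD does not use. The following Python is an added example, not code from pwm or from anyone in this thread: it parses RFC 4514 DNs with escape handling, derives the domain's naming context from its DNS name, reports why a DN will not match the directory, and classifies a candidate ldapProxyDN value as UPN, DN or invalid. The proxy account name `pwmproxy` and the hypothetical `classify_proxy_identity` helper are constructed for the example; the sample DNs are the ones posted above. It checks syntax only and never contacts a server; a real bind against the domain controller is still the final test.

```python
# Added example, not pwm project code or any poster's code. Works offline on
# constructed inputs; 'pwmproxy' and the helper names below are assumptions.
import re

# Attribute types Active Directory uses in its own DNs. The 'o=' seen in the
# first attempt above is an X.500/eDirectory naming habit, not an AD one.
AD_DN_TYPES = {"cn", "ou", "dc"}

# UPN: <logon name>@<DNS domain>, the bind form suggested in the reply above.
# The suffix is not required to equal the DNS domain (AD allows alternate UPN
# suffixes), so only the shape is checked here.
UPN_RE = re.compile(r"^[^@\s,=]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_dn(dn):
    """Split an RFC 4514 DN into a list of (type, value) pairs.

    Backslash escapes are honoured, so 'CN=Smith\\, John' yields the single
    value 'Smith, John' instead of two RDNs. Types are lower-cased; values
    keep the case the administrator typed.
    """
    rdns, current, escaping = [], [], False
    for ch in dn:
        if escaping:
            current.append(ch)
            escaping = False
        elif ch == "\\":
            escaping = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaping:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(current))

    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        attr_type, value = attr_type.strip().lower(), value.strip()
        if not attr_type or not value:
            raise ValueError("empty type or value in RDN %r" % rdn)
        parsed.append((attr_type, value))
    return parsed


def domain_to_base_dn(domain):
    """'system.mycompany.com' -> 'DC=system,DC=mycompany,DC=com'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("DC=%s" % label for label in labels)


def check_ad_dn(dn, domain):
    """Return the reasons a DN will not resolve in this AD domain ([] = OK)."""
    problems = []
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return ["unparseable DN: %s" % exc]
    for attr_type, _ in rdns:
        if attr_type not in AD_DN_TYPES:
            problems.append("'%s=' is not an AD container type" % attr_type)
    suffix = ",".join("DC=%s" % v.lower() for t, v in rdns if t == "dc")
    expected = domain_to_base_dn(domain)
    if suffix != expected:
        problems.append("DN does not end in the naming context %s" % expected)
    return problems


def classify_proxy_identity(identity, domain):
    """'upn', 'dn' or 'invalid' for a candidate ldapProxyDN value."""
    if UPN_RE.match(identity):
        return "upn"
    return "dn" if not check_ad_dn(identity, domain) else "invalid"


if __name__ == "__main__":
    DOMAIN = "system.mycompany.com"
    for candidate in (
        # the first attempt from the thread
        "cn=Clinitraq User Administrator,cn=Users,o=system.mycompany.com",
        # the user DN from the thread
        "CN=MyName,OU=OUParentName02,OU=OUParentName01,DC=system,DC=mycompany,DC=com",
        # a constructed UPN for a dedicated proxy account
        "pwmproxy@system.mycompany.com",
    ):
        kind = classify_proxy_identity(candidate, DOMAIN)
        detail = check_ad_dn(candidate, DOMAIN) if kind != "upn" else []
        print(kind, candidate, detail)
```

Running it prints `invalid` for the `o=` form with both reasons (unknown container type, no `DC=` suffix matching the domain), `dn` for the posted user DN, and `upn` for the constructed proxy name.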

Brett Bernstein

Apr 30, 2010, 7:16:12 PM
to pwm-g...@googlegroups.com
Jason, I'm glad to hear I didn't do anything to offend the group... (at
least as of yet).

I've made the changes specified to log4jconfig.xml in:

/var/lib/tomcat6/webapps/pwm/WEB-INF/log4jconfig.xml
/usr/share/tomcat6/webapps/servlet/web/WEB-INF/log4jconfig.xml
As well as the pwm.war file.

The output in catalina.log looks fairly harmless I think:
Apr 30, 2010 11:10:00 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Apr 30, 2010 11:10:00 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Apr 30, 2010 11:10:07 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Apr 30, 2010 11:10:07 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 484 ms
Apr 30, 2010 11:10:07 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Apr 30, 2010 11:10:07 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
Apr 30, 2010 11:10:07 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive pwm.war
Apr 30, 2010 11:10:08 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Apr 30, 2010 11:10:08 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 843 ms

Any thoughts?

Thx

Jason Rivard

Apr 30, 2010, 11:07:49 PM
to pwm-general
A pwm startup (even when not in trace mode) should generate a lot of
log entries; here it is generating none, only Tomcat's own log events
are showing up. Tomcat does not appear to be deploying pwm properly.
Try checking other log files for clues.

Also, are you using an OS-supplied tomcat instance? If so it may be
configured in a way unhelpful for deploying tomcat. Try running from
a fresh download from tomcat.apache.org.

Shay

May 1, 2010, 7:24:58 PM
to pwm-general
So I'm on Ubuntu 9.10 and I was using the tomcat 6.x supplied through
the server distribution. After uninstalling the OS supplied tomcat
and reinstalling as you recommended, this resolved the accessibility
issues. Now back to understanding how to use the UPN DN format for
accessing AD.

Thank you again for your guidance!

Shay

May 4, 2010, 11:00:57 PM
to pwm-general
I'm almost there. I'm able to query the AD and I've updated the
schema with the extended attributes contained within the eDirectory
schema LDIF file. I ended up making the changes manually through the
use of AD's Schema plugin schmmgmt. I'm struggling a bit with regards
to implementing the eDirectory rights LDIF file though. Does anyone
know how I can manually implement the user rights in AD? If so, I
will document the pwm configuration process for AD and make it
available to the community.

Again, thanks for any input you're able to provide.

-Shay

Jason Rivard

May 5, 2010, 9:52:08 PM
to pwm-general
Brett,

You won't be able to apply the eDirectory rights LDIF, it is specific
to eDirectory. AD rights are handled differently. I have tested and
had success in a lab environment with AD after manually creating
schema and configuring rights, but it's been a while and I don't have a
record of what I did...

The project could really use some information on AD rights and schema, so
if you can share anything you produce, it would be appreciated!

-Jason