OpenAM 12 and Active Directory groups


OpenAM 12 and Active Directory groups

Tony Harris

In OpenAM 10, if I had an AD structure for groups of

ou=payable,ou=finance,ou=groups,dc=sso,dc=local

I could, if I wished, define the following attributes against the group configuration on the Datastore:

LDAP Groups Container Naming Attribute: ou
LDAP Groups Container Value: payable,ou=finance,ou=groups

And the groups tab under Subjects would show just the groups in that area, but under OpenAM 12 I get an empty list and do not see anything obvious in the debug files. No matter what debug level I set, I do not seem to be able to get the logs to contain the LDAP query either.

Tony

***** Email confidentiality *****

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited.

***** Email monitoring *****

Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training.

***** Email security *****

In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email.

Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof.

This email has been scanned for viruses by the Symantec Email Security.cloud service.

Advanced Computer Software Group Limited
Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK
Registered in England under number 5965280

Please consider the environment: Think before you print!

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: OpenAM 12 and Active Directory groups

Bernhard Thalmayr
Most likely the user data store cannot be initialized due to the new
HeartBeatConnectionFactory, which uses an anonymous search request
against the Root DSE.

You may check OpenAM IdRepo debug logs ...

-Bernhard

On 08/04/16 at 17:31, Tony Harris wrote:



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: OpenAM 12 and Active Directory groups

Tony Harris
Thanks, I do not see any errors that include heartbeat in the message or stack trace. I do see the following, and I can find a few instances of the same message being mentioned in the mailing list, but none with any resolution.


amIdm:04/11/2016 10:08:31:499 AM BST: Thread[default task-56,5,main]
IdRepoPluginsCache.getIdRepoPlugins for OrgName: dc=openam,dc=forgerock,dc=org Op: Operation: service Type: IdType: realm
DJLDAPv3Repo:04/11/2016 10:08:31:499 AM BST: Thread[default task-56,5,main]
getAssignedServices invoked
DJLDAPv3Repo:04/11/2016 10:08:31:499 AM BST: Thread[default task-56,5,main]
Assigned services returned: []
amIdm:04/11/2016 10:08:31:500 AM BST: Thread[default task-56,5,main]
IdCachedServicesImpl.getAttributes(): DN: id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org found all attributes in Cache.
amIdm:04/11/2016 10:08:31:500 AM BST: Thread[default task-56,5,main]
AMIdentity.getAttributes all: attrs={telephoneNumber=[], mail=[], iplanet-am-user-alias-list=[], employeeNumber=[], roles=[], sn=[amAdmin], postalAddress=[], givenName=[amAdmin], dn=[uid=amAdmin,ou=people,dc=openam,dc=forgerock,dc=org], iplanet-am-user-success-url=[], inetuserstatus=[Active], cn=[amAdmin], sunIdentityMSISDNNumber=[], iplanet-am-user-failure-url=[]}
amIdm:04/11/2016 10:08:31:502 AM BST: Thread[default task-56,5,main]
IdRepoPluginsCache.getIdRepoPlugins for OrgName: dc=openam,dc=forgerock,dc=org Op: Operation: read Type: IdType: group
DJLDAPv3Repo:04/11/2016 10:08:31:502 AM BST: Thread[default task-56,5,main]
search invoked with type: IdType: group pattern: * avPairs: null maxTime: 5 maxResults: 100 returnAttrs: null returnAllAttrs: false filterOp: 0 recursive: false
DJLDAPv3Repo:04/11/2016 10:08:31:528 AM BST: Thread[default task-56,5,main]
ERROR: Unexpected error occurred during search
org.forgerock.opendj.ldap.EntryNotFoundException: No Such Entry: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=sso,DC=local'

at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:225)
at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:246)
at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.search(DJLDAPv3Repo.java:1126)
at com.sun.identity.idm.server.IdServicesImpl.search(IdServicesImpl.java:1528)
at com.sun.identity.idm.server.IdCachedServicesImpl.search(IdCachedServicesImpl.java:640)
at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:298)
at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:196)
at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:248)
at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:192)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
at org.apache.jsp.console.idm.Entities_jsp._jspService(Entities_jsp.java:129)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:82)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:192)
at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:160)
at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:161)
at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:116)
at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:229)
at com.sun.identity.console.idm.EntitiesViewBean.handleBtnSearchRequest(EntitiesViewBean.java:373)
at sun.reflect.GeneratedMethodAccessor33.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

amIdm:04/11/2016 10:08:31:529 AM BST: Thread[default task-56,5,main]
IdRepoPluginsCache.getIdRepoPlugins orgName: dc=openam,dc=forgerock,dc=org
DJLDAPv3Repo:04/11/2016 10:08:31:529 AM BST: Thread[default task-56,5,main]
getSupportedTypes invoked


Tony

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: 11 April 2016 07:39
To: [hidden email]
Subject: Re: [OpenAM] OpenAM 12 and Active Directory groups


Re: OpenAM 12 and Active Directory groups

Peter Major
The groups container value will be taken literally, so the search will
end up under ou=payable\,ou=finance\,ou=groups,<base DN>. You could
capture the LDAP traffic with Wireshark to verify, but I'm pretty sure
that's your problem.

cheers,
Peter

On 2016-04-08 at 16:31, Tony Harris wrote:


Re: OpenAM 12 and Active Directory groups

Tony Harris
Wireshark has given me an interesting insight into the search string being sent.

If I enter payable,ou=finance,ou=groups into the LDAP Groups Container Value field in the datastore page, then the search string issued by OpenAM escapes the , and = symbols, giving

ou=payable\,ou\=finance\,ou\=groups,dc=sso,dc=local

This results in the error

noSuchObject (0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of ..

being returned from AD.

Using an LDAP browser, the same search string without the escaping does not cause the issue. Any ideas, please?

Tony




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Peter Major
Sent: 11 April 2016 10:17
To: Users
Subject: Re: [OpenAM] OpenAM 12 and Active Directory groups


Re: OpenAM 12 and Active Directory groups

Tony Harris
Found a workaround!

Instead of entering payable,ou=finance,ou=groups into the LDAP Groups Container Value field, I enter

ou=payable,ou=finance,ou

into the LDAP Groups Container Naming Attribute field and just

groups

into the LDAP Groups Container Value field, and I get what I want, at least in the groups page.

Tony

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Tony Harris
Sent: 11 April 2016 11:04
To: Users
Subject: Re: [OpenAM] OpenAM 12 and Active Directory groups

Wireshark has given me an interesting insight to the search string being sent.

If I enter payable,ou=finance,ou=groups into the LDAP Groups Container Value:  field in the datastore page then the search string issued by OpenAM escapes the , and = symbol

Giving

ou=payable\,ou\=finance\,ou\=groups,dc=sso,dc=local

This results in the error

noSuchObject (0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of ..

being returned from AD.

Using an LDAP browser the same search string without the escaping does not cause the issue, any ideas please.

Tony




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Peter Major
Sent: 11 April 2016 10:17
To: Users
Subject: Re: [OpenAM] OpenAM 12 and Active Directory groups

The groups container value will be taken literally so, the search will end up under ou=payable\,ou=finance\,ou=groups,<base DN>. You could capture the LDAP traffic with wireshark to verify, but pretty sure that's your problem.

cheers,
Peter

2016. 04. 08. 16:31 keltezéssel, Tony Harris írta:

> In OpenAM 10 if I had AD structure for groups of
>
> ou=payable,ou=finance,ou=groups,dc=sso,dc=local
>
> I could if I wished define the following attributes against the group
> configuration on the Datastore
>
> LDAP Groups Container Naming Attribute: ou
>
> LDAP Groups Container Value: payable,ou=finance,ou=groups
>
> And the groups tab under subjects would show just the groups in that
> area, but under OpenAM 12 I get an empty list and do not see anything
> obvious in the debug files.  No matter what debug level I set I do not
> seem to be able to get the logs to contain the ldap query either.
>
> Tony
>
> ***** Email confidentiality *****
>
> This message is private and confidential. If you have received this
> message in error, please notify us and remove it from your system. The
> dissemination, copying or distribution of this message, or related
> files, by anyone other than the intended recipient is strictly prohibited.
>
> Any views or opinions expressed are solely those of the author and do
> not necessarily represent those of Advanced Computer Software Group Limited.
>
> ***** Email monitoring *****
>
> Advanced Computer Software Group Limited may monitor email traffic
> data and also the content of email for the purposes of security and
> staff training.
>
> ***** Email security *****
>
> In keeping with good computing practice, the recipient of this email
> should ensure that it is virus-free. Advanced Computer Software Group
> Limited does not accept responsibility for any virus that may be
> transferred by way of this email.
>
> Email may be susceptible to data corruption, interception and/or
> unauthorised amendment. Advanced Computer Software Group Limited does
> not accept liability for any such corruption, interception or
> amendment or any consequences thereof.
>
> This email has been scanned for viruses by the Symantec Email
> Security.cloud service.
>
> Advanced Computer Software Group Limited
>
> Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire,
> SL3 9LL, UK
>
> Registered in England under number 5965280
>
>
> ----------------------------------------------------------------------
> --
>
> Please consider the environment: Think before you print!
>
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>
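To make the behaviour discussed in this thread concrete, here is an added example (not OpenAM code) that models how the two datastore fields are joined into the groups container DN, reproduces the escaped DN from the Wireshark capture, and shows why the final workaround yields a proper nested DN. Escaping follows RFC 4514 plus the '=' the capture showed; that OpenAM escapes exactly this set, and that the naming attribute field is concatenated without validation, are assumptions drawn only from the messages above. It also includes a small configuration check a defender could run before saving such a value.

```python
"""Model of how OpenAM's groups container DN is assembled (added example).

The value field is escaped as ONE literal RDN value, so a path typed into it
becomes a single, non-existent RDN and AD answers noSuchObject.
"""
import re

# RFC 4514 section 2.4 specials, plus '=' which the capture in the thread
# showed being escaped as well (assumption: this is the full set OpenAM uses).
_SPECIAL = set('"+,;<>\\=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it is a single literal RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def container_dn(naming_attr: str, container_value: str, base_dn: str) -> str:
    """Assemble <attr>=<escaped value>,<base>: the value is taken literally."""
    return f"{naming_attr}={escape_rdn_value(container_value)},{base_dn}"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas (ignores '+' multi-valued RDNs)."""
    return re.split(r'(?<!\\),', dn)


def check_container_value(container_value: str) -> list:
    """Warn when a value will be searched as one RDN instead of a nested path."""
    warnings = []
    if ',' in container_value or '=' in container_value:
        warnings.append("value contains ',' or '='; it will be escaped and used as a "
                        "single RDN value, not a path (expect noSuchObject from AD)")
    return warnings


BASE_DN = "dc=sso,dc=local"  # base DN from the thread
# Configuration from the original post: the path typed into the value field.
BROKEN = container_dn("ou", "payable,ou=finance,ou=groups", BASE_DN)
# Workaround from the last message: the path moved into the naming attribute field.
WORKING = container_dn("ou=payable,ou=finance,ou", "groups", BASE_DN)

if __name__ == "__main__":
    for label, dn in (("broken", BROKEN), ("working", WORKING)):
        print(f"{label}: {dn}  ->  {len(split_rdns(dn))} RDNs")
    print(check_container_value("payable,ou=finance,ou=groups"))
```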