Connection with multidirectory

Hello

We try to connect 2 Active Directory for our Nuxeo.

We use a file “default-multi-ldap-users-directory-bundle.xml” in which we indicate the two directories.
But server send an error “Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field”

Here our “default-multi-ldap-users-directory-bundle.xml” :

<component name="org.nuxeo.ecm.directory.ldap.storage.users">
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
  <require>org.nuxeo.ecm.directory.multi.MultiDirectoryFactory</require>
  <require>org.nuxeo.ecm.directory.sql.storage</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
    <server name="serverSO">
      <ldapUrl>ldap://adxxx:389</ldapUrl>
      <bindDn>CN=xxx</bindDn>
      <bindPassword>xxx</bindPassword>
    </server>
    <server name="serverPP">
      <ldapUrl>ldap://xxx:389</ldapUrl>
      <bindDn>CN=xxx</bindDn>
      <bindPassword>xxx</bindPassword>
    </server>
  </extension>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">

    <directory name="ldapUserDirectorySO">
      <server>serverSO</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>dc=xxx</searchBaseDn>
      <searchClass>person</searchClass>
      <searchScope>subtree</searchScope>
      <substringMatchType>subany</substringMatchType>
      <readOnly>true</readOnly>
      <cacheTimeout>3600</cacheTimeout>
      <cacheMaxSize>2000</cacheMaxSize>
      <missingIdFieldCase>lower</missingIdFieldCase>
      <querySizeLimit>200</querySizeLimit>
      <queryTimeLimit>0</queryTimeLimit>
      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">sAMAccountName</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">company</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>
      <references>
        <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" />
      </references>
    </directory>

    <directory name="ldapUserDirectoryPP">
      <server>serverPP</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>OU=xxx</searchBaseDn>
      <searchClass>person</searchClass>
      <searchScope>subtree</searchScope>
      <substringMatchType>subany</substringMatchType>
      <readOnly>true</readOnly>
      <cacheTimeout>3600</cacheTimeout>
      <cacheMaxSize>2000</cacheMaxSize>
      <missingIdFieldCase>lower</missingIdFieldCase>
      <querySizeLimit>200</querySizeLimit>
      <queryTimeLimit>0</queryTimeLimit>
      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">sAMAccountName</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">company</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>    
      <references>
        <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" />
      </references>
    </directory>

  </extension>

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectories">
        <subDirectory name="ldapUserDirectorySO" />
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
  </extension>
</component>

And here the error :

ERROR [org.nuxeo.ecm.platform.login.NuxeoLoginModule] Authentication failed: Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field, 'ldapUserDirectorySO' and 'ldapUserDirectoryPP'
org.nuxeo.ecm.directory.DirectoryException: Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field, 'ldapUserDirectorySO' and 'ldapUserDirectoryPP'
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.recomputeSourceInfos(MultiDirectorySession.java:276)
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.init(MultiDirectorySession.java:174)
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.authenticate(MultiDirectorySession.java:388)
        at org.nuxeo.ecm.platform.usermanager.UserManagerImpl.checkUsernamePassword(UserManagerImpl.java:382)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.validateUserIdentity(NuxeoLoginModule.java:321)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.getPrincipal(NuxeoLoginModule.java:210)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.login(NuxeoLoginModule.java:261)
        at org.nuxeo.runtime.api.LoginModuleWrapper.login(LoginModuleWrapper.java:77)
        at sun.reflect.GeneratedMethodAccessor56.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doAuthenticate(NuxeoAuthenticationFilter.java:233)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:484)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:345)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:79)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.nuxeo.ecm.platform.web.common.encoding.NuxeoEncodingFilter.doFilter(NuxeoEncodingFilter.java:59)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)

1 votes

2 answers

3157 views

ANSWER

Copy URL

ANSWERS

In your multi directory configuration, you put both LDAP directories in the same `source` hence their entries are expected to be mergeable (each entry of the multi is expected to be compound with attributes coming from matching entries in both subdirectories). For this type of configuration to work, only one of the subdirectories is expected to provide the authentication field.

<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
        <directory name="userDirectory">
          <schema>user</schema>
          <idField>username</idField>
          <passwordField>password</passwordField>
          <source name="ldapUserDirectories">
            <subDirectory name="ldapUserDirectorySO" />
            <subDirectory name="ldapUserDirectoryPP" />
          </source>
        </directory>
     </extension>

If you want to stack the entries rather than combining them into single entries you should put the subdirectories into separate sources:

<extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
        <directory name="userDirectory">
          <schema>user</schema>
          <idField>username</idField>
          <passwordField>password</passwordField>
          <source name="ldapUserDirectorySO">
            <subDirectory name="ldapUserDirectorySO" />
           </source>
           <source name="ldapUserDirectoryPP">
            <subDirectory name="ldapUserDirectoryPP" />
          </source>
        </directory>
     </extension>

More details in the [documentation](http://doc.nuxeo.com/display/NXDOC/Directories+and+Vocabularies#DirectoriesandVocabularies-Multi-directories).

In your multi directory configuration, you put both LDAP directories in the same source hence their entries are expected to be mergeable (each entry of the multi is expected to be compound with attributes coming from matching entries in both subdirectories). For this type of configuration to work, only one of the subdirectories is expected to provide the authentication field.

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectories">
        <subDirectory name="ldapUserDirectorySO" />
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
 </extension>

If you want to stack the entries rather than combining them into single entries you should put the subdirectories into separate sources:

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectorySO">
        <subDirectory name="ldapUserDirectorySO" />
       </source>
       <source name="ldapUserDirectoryPP">
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
 </extension>

Authentication Required

Connection with multidirectory

Invite people to answer

What's new in Quandora?