Connection with multidirectory

Hello

We try to connect 2 Active Directory for our Nuxeo.

We use a file “default-multi-ldap-users-directory-bundle.xml” in which we indicate the two directories.
But server send an error “Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field”

Here our “default-multi-ldap-users-directory-bundle.xml” :

<component name="org.nuxeo.ecm.directory.ldap.storage.users">
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
  <require>org.nuxeo.ecm.directory.multi.MultiDirectoryFactory</require>
  <require>org.nuxeo.ecm.directory.sql.storage</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
    <server name="serverSO">
      <ldapUrl>ldap://adxxx:389</ldapUrl>
      <bindDn>CN=xxx</bindDn>
      <bindPassword>xxx</bindPassword>
    </server>
    <server name="serverPP">
      <ldapUrl>ldap://xxx:389</ldapUrl>
      <bindDn>CN=xxx</bindDn>
      <bindPassword>xxx</bindPassword>
    </server>
  </extension>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">

    <directory name="ldapUserDirectorySO">
      <server>serverSO</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>dc=xxx</searchBaseDn>
      <searchClass>person</searchClass>
      <searchScope>subtree</searchScope>
      <substringMatchType>subany</substringMatchType>
      <readOnly>true</readOnly>
      <cacheTimeout>3600</cacheTimeout>
      <cacheMaxSize>2000</cacheMaxSize>
      <missingIdFieldCase>lower</missingIdFieldCase>
      <querySizeLimit>200</querySizeLimit>
      <queryTimeLimit>0</queryTimeLimit>
      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">sAMAccountName</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">company</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>
      <references>
        <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" />
      </references>
    </directory>

    <directory name="ldapUserDirectoryPP">
      <server>serverPP</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>OU=xxx</searchBaseDn>
      <searchClass>person</searchClass>
      <searchScope>subtree</searchScope>
      <substringMatchType>subany</substringMatchType>
      <readOnly>true</readOnly>
      <cacheTimeout>3600</cacheTimeout>
      <cacheMaxSize>2000</cacheMaxSize>
      <missingIdFieldCase>lower</missingIdFieldCase>
      <querySizeLimit>200</querySizeLimit>
      <queryTimeLimit>0</queryTimeLimit>
      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">sAMAccountName</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">company</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>    
      <references>
        <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" />
      </references>
    </directory>

  </extension>

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectories">
        <subDirectory name="ldapUserDirectorySO" />
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
  </extension>
</component>

And here the error :

ERROR [org.nuxeo.ecm.platform.login.NuxeoLoginModule] Authentication failed: Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field, 'ldapUserDirectorySO' and 'ldapUserDirectoryPP'
org.nuxeo.ecm.directory.DirectoryException: Directory 'userDirectory' source 'ldapUserDirectories' has two subdirectories with a password field, 'ldapUserDirectorySO' and 'ldapUserDirectoryPP'
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.recomputeSourceInfos(MultiDirectorySession.java:276)
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.init(MultiDirectorySession.java:174)
        at org.nuxeo.ecm.directory.multi.MultiDirectorySession.authenticate(MultiDirectorySession.java:388)
        at org.nuxeo.ecm.platform.usermanager.UserManagerImpl.checkUsernamePassword(UserManagerImpl.java:382)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.validateUserIdentity(NuxeoLoginModule.java:321)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.getPrincipal(NuxeoLoginModule.java:210)
        at org.nuxeo.ecm.platform.login.NuxeoLoginModule.login(NuxeoLoginModule.java:261)
        at org.nuxeo.runtime.api.LoginModuleWrapper.login(LoginModuleWrapper.java:77)
        at sun.reflect.GeneratedMethodAccessor56.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doAuthenticate(NuxeoAuthenticationFilter.java:233)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:484)
        at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:345)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:79)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.nuxeo.ecm.platform.web.common.encoding.NuxeoEncodingFilter.doFilter(NuxeoEncodingFilter.java:59)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)
1 votes

2 answers

1534 views

ANSWER



In your multi directory configuration, you put both LDAP directories in the same source hence their entries are expected to be mergeable (each entry of the multi is expected to be compound with attributes coming from matching entries in both subdirectories). For this type of configuration to work, only one of the subdirectories is expected to provide the authentication field.

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectories">
        <subDirectory name="ldapUserDirectorySO" />
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
 </extension>

If you want to stack the entries rather than combining them into single entries you should put the subdirectories into separate sources:

  <extension target="org.nuxeo.ecm.directory.multi.MultiDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <source name="ldapUserDirectorySO">
        <subDirectory name="ldapUserDirectorySO" />
       </source>
       <source name="ldapUserDirectoryPP">
        <subDirectory name="ldapUserDirectoryPP" />
      </source>
    </directory>
 </extension>

More details in the documentation.

4 votes



MANY THANKS !!! It works :D
12/18/2012


What about if i want to merge them what should i do because i have the same problem? I want to merge the local user with ldap user.

0 votes