WSO2 : connecting to ldap fails

Question

I am following the WSO2 guide for Active Directory on WSO2 Identity manager (standalone version). I am trying to connect my WSO2 Server with the company LDAP. I set the admin username/password to an existing user, set the connection properties (from apache directory studio i can access the active directory), I set the query for fetching users but I got this error:

13.6.2017 13:24:12[2017-06-13 11:24:12,318] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:99)
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:42)
13.6.2017 13:24:12  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
13.6.2017 13:24:12  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
13.6.2017 13:24:12  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
13.6.2017 13:24:12  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
13.6.2017 13:24:12  at java.lang.Thread.run(Thread.java:745)
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Error while trying to login to data receiver :/10.42.210.146:9711
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:47)
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:93)
13.6.2017 13:24:12  ... 6 more
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: wrong userName or password
13.6.2017 13:24:12  at sun.reflect.GeneratedConstructorAccessor207.newInstance(Unknown Source)
13.6.2017 13:24:12  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
13.6.2017 13:24:12  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:162)
13.6.2017 13:24:12  at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:42)
13.6.2017 13:24:12  ... 7 more

I have this configuration set up:

<UserManager>
    <Realm>
        <Configuration>
            <AddAdmin>false</AddAdmin>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>it\wso2system</UserName>
                <Password>mypassword</Password>
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName>
            <!-- By default users in this role sees the registry root -->
            <Property name="isCascadeDeleteEnabled">true</Property>
            <Property name="initializeNewClaimManager">true</Property>
            <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
        </Configuration>

and the AD-Connection:

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
        <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
        <Property name="ConnectionURL">ldap://activedirectory.local:389</Property>
        <Property name="ConnectionName">it\wso2system</Property>
        <Property name="ConnectionPassword">mypassword</Property>
        <Property name="AnonymousBind">false</Property>
        <Property name="UserSearchBase">...my working search query from directory studio ...</Property>
        <Property name="UserEntryObjectClass">user</Property>
        <Property name="UserNameAttribute">cn</Property>
        <Property name="UserNameSearchFilter">(&amp;(objectCategory=Person)(sAMAccountName=*))</Property>
        <Property name="UserNameListFilter">(objectClass=user)</Property>
        <Property name="DisplayNameAttribute"/>
        <Property name="ReadGroups">false</Property>
        <Property name="WriteGroups">false</Property>
        <Property name="GroupSearchBase">ou=system</Property>
        <Property name="GroupEntryObjectClass">group</Property>
        <Property name="GroupNameAttribute">cn</Property>
        <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
        <Property name="GroupNameListFilter">(objectcategory=group)</Property>
        <Property name="MembershipAttribute">member</Property>
        <Property name="MemberOfAttribute">memberOf</Property>
        <Property name="BackLinksEnabled">true</Property>
        <Property name="Referral">follow</Property>
        <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
        <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
        <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
        <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
        <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
        <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
        <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
        <Property name="SCIMEnabled">false</Property>
        <Property name="IsBulkImportSupported">true</Property>
        <Property name="EmptyRolesAllowed">true</Property>
        <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
        <Property name="MultiAttributeSeparator">,</Property>
        <Property name="isADLDSRole">false</Property>
        <Property name="userAccountControl">512</Property>
        <Property name="MaxUserNameListLength">100</Property>
        <Property name="MaxRoleNameListLength">100</Property>
        <Property name="kdcEnabled">false</Property>
        <Property name="defaultRealmName">WSO2.ORG</Property>
        <Property name="UserRolesCacheEnabled">true</Property>
        <Property name="ConnectionPoolingEnabled">false</Property>
        <Property name="LDAPConnectionTimeout">5000</Property>
        <Property name="ReadTimeout"/>
        <Property name="RetryAttempts"/>
    </UserStoreManager>

Have I missed some configuration file? Using the standard dabase configuration worked before, after switching I get the above mentioned error PLUS i cannot log into wso2 (neither store, apim oder carbon).

We have no roles defined in AD, we only want to authenticate the WSO2 users.

Any help appreciated :)

score 0 · Answer 1 · answered Jun 20 '17 at 17:46

My first piece of advice would be to just add your LDAP by means of the carbon, adding a secondary user store. Here is some documentation on it, for the IDs 5.3.0. If you want to go down that path you should first put the original admin log in back. (So you can at least log into carbon.) and putting back the JDBC store.

<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
   <AdminUser>
     <UserName>admin</UserName>
     <Password>admin</Password>
    </AdminUser>

If you do go down the secondary user store, it will automatically create an XML file of the user store under the /repository/deployment/server/userstores.

Here is an example of the user store file.

<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
   <Property name="ConnectionURL">ldap://domain.com:389</Property>
   <Property name="ConnectionName">CN=user,OU=work,DC=domain,DC=com</Property>
   <Property encrypted="true" name="ConnectionPassword">cantseethat</Property>
   <Property name="UserSearchBase">OU=Unit,DC=domain,DC=com</Property>
   <Property name="UserNameAttribute">cn</Property>
   <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(cn=?))</Property>
   <Property name="UserNameListFilter">(objectClass=person)</Property>
   <Property name="UserDNPattern"/>
   <Property name="DisplayNameAttribute">name</Property>
   <Property name="Disabled">false</Property>
   <Property name="ReadGroups">true</Property>
   <Property name="GroupSearchBase">OU=R,DC=domain,DC=com</Property>
   <Property name="GroupNameAttribute">cn</Property>
   <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
   <Property name="GroupNameListFilter">(objectClass=group)</Property>
   <Property name="RoleDNPattern"/>
   <Property name="MembershipAttribute">member</Property>
   <Property name="MemberOfAttribute">memberOf</Property>
   <Property name="BackLinksEnabled">false</Property>
   <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
   <Property name="SCIMEnabled">false</Property>
   <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
   <Property name="MultiAttributeSeparator">,</Property>
   <Property name="MaxUserNameListLength">100</Property>
   <Property name="MaxRoleNameListLength">100</Property>
   <Property name="UserRolesCacheEnabled">true</Property>
   <Property name="ConnectionPoolingEnabled">false</Property>
   <Property name="LDAPConnectionTimeout">5000</Property>
   <Property name="ReadTimeout">5000</Property>
   <Property name="RetryAttempts">0</Property>
   <Property name="CountRetrieverClass"/>
   <Property name="java.naming.ldap.attributes.binary"> </Property>
   <Property name="DomainName">Domain</Property>
   <Property name="Description">LDAP User Store</Property>
</UserStoreManager>

Other Stuff

Disable the Embedded LDAP under /repository/conf/identity/embedded-ldap.xml

<EmbeddedLDAP>
    <Property name="enable">false</Property>

"If you are using LDAPS (secure) to connect to the Active Directory, you need to import its public certificate to the client-truststore.jks of the WSO2 product you are configuring." Oracle: Import Cert can also import using carbon under keystore.

Sorry I can't be more helpful.

gorefest · Accepted Answer · 2017-06-26T10:38:56.677

The solution to this problem is somewhat tricky, but here we go:

After a couple of tries, I decided to set up the AD connection as a secondary user store using LDAP Readonly Connector. I fell into a NullPointerException.

I got myself the sourcecode of the wso2am and started debugging. The server tries to open the certificate chain in order to get the public key for encrypting the password. This chain was not returend properly

TID: [-1234] [] [2017-06-20 12:18:21,318] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} -  Exception occurred while trying
to invoke service method addUserStore {org.apache.axis2.rpc.receivers.RPCMessageReceiver}
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
        at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
        at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
        at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
        at org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:4
5)
        at org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
        at org.wso2.carbon.identity.user.store.configuration.stub.UserStoreConfigAdminServiceStub.addUserStore(UserStoreConfigAdminServ
iceStub.java:889)
        at org.wso2.carbon.identity.user.store.configuration.ui.client.UserStoreConfigAdminServiceClient.addUserStore(UserStoreConfigAd
minServiceClient.java:95)
        at org.apache.jsp.userstore_005fconfig.userstore_002dconfig_002dfinish_002dajaxprocessor_jsp._jspService(userstore_002dconfig_0
02dfinish_002dajaxprocessor_jsp.java:198)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
        at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.initializeKeyStore(SecondaryUserStoreConfigurationUtil.java:82)
        at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.encryptPlainText(SecondaryUserStoreConfigurationUtil.java:125)
        at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addProperties(UserStoreConfigAdminService.java:569)
        at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.writeUserMgtXMLFile(UserStoreConfigAdminService.java:812)
        at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addUserStore(UserStoreConfigAdminService.java:270)
        ... 76 more

To solve the problem I extracted the code and put it into a standalone program which can be found on our github site.

I figured out, that the chain was not sufficiently packed into the keystore. To create a working keystore I followed Non's answer to this stackoverflow.

I got

my server certificate (PEM)
go daddy bundle certificate including root (PEM)
go daddy secure server certificate (PEM)
the certiface key (keyfile from the CSR)

To understand these three certs you may look here

Following above mentioned post answer I did

> cat server.crt bundle-g2-g1.crt gdig2.crt >combined.crt
> openssl pkcs12 -export -chain -in server.crt -inkey server.key -out keystore.p12 -name wso2carbon -CAfile combined.crt
> keytool -importkeystore -destkeystore wso2carbon.jks -srckeystore keystore.p12 -alias wso2carbon

The created keystore passed my test program successfully. The installed wso2 instance successfully saved my AD connection and did not create any SSL problems.

PS: I also got the keystore here from operations in PKCS12 format. One CANNOT convert it into a jks keystore, the bloody keytool DROPS the chain!

WSO2 : connecting to ldap fails

2 Answers2

Other Stuff