1

I try to use a ldap-server, which is a Microsoft Active Directory. These "tree" has following structure: 

com/ 
name/ 
corp/ 
ger/
Workers/

(over 1000 entries) and under Workers, there are entries starting with: 

CN=Mustermann,\Max  
CN=... 
CN=....

and so on...

the framework which I use is cuba-studio. I had to declare following properties: 

cuba.web.requirePasswordForNewUsers = false
cuba.web.ldap.enabled = true
cuba.web.ldap.urls = ldap://corpldap.name.com:3268
cuba.web.ldap.base = OU=Workers,DC=ger,DC=corp,DC=name,DC=com
cuba.web.ldap.user = CN=Mustermann Max,OU=Workers,DC=ger,DC=corp,DC=name,DC=com
cuba.web.ldap.password = PASSWORD
cuba.web.standardAuthenticationUsers = admin
cuba.web.ldap.userLoginField = sAMAccountName

but, when I try to use this, I get following exception: 

com.haulmont.cuba.security.global.InternalAuthenticationException: Exception is thrown by login provider
            at com.haulmont.cuba.web.security.ConnectionImpl.loginInternal(ConnectionImpl.java:225) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.security.ConnectionImpl.login(ConnectionImpl.java:89) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.app.loginwindow.AppLoginWindow.doLogin(AppLoginWindow.java:342) [cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.app.loginwindow.AppLoginWindow.doLogin(AppLoginWindow.java:311) [cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.app.loginwindow.AppLoginWindow.login(AppLoginWindow.java:257) [cuba-web-6.8.8.jar:6.8.8]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_151]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_151]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
            at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
            at com.haulmont.cuba.gui.xml.DeclarativeAction.actionPerform(DeclarativeAction.java:92) [cuba-gui-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.gui.components.WebButton.performAction(WebButton.java:44) [cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.gui.components.WebButton.lambda$new$61446b05$1(WebButton.java:36) [cuba-web-6.8.8.jar:6.8.8]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_151]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_151]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
            at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
            at com.vaadin.event.ListenerMethod.receiveEvent(ListenerMethod.java:510) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.event.EventRouter.fireEvent(EventRouter.java:200) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.event.EventRouter.fireEvent(EventRouter.java:163) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.AbstractClientConnector.fireEvent(AbstractClientConnector.java:1037) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.ui.Button.fireClick(Button.java:377) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.haulmont.cuba.web.toolkit.ui.CubaButton.fireClick(CubaButton.java:54) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.vaadin.ui.Button$1.click(Button.java:54) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_151]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_151]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
            at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
            at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:158) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:119) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.communication.ServerRpcHandler.handleInvocation(ServerRpcHandler.java:444) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:409) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:274) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:90) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:41) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1435) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:361) ~[vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
            at com.haulmont.cuba.web.sys.CubaApplicationServlet.serviceAppRequest(CubaApplicationServlet.java:300) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.sys.CubaApplicationServlet.service(CubaApplicationServlet.java:191) ~[cuba-web-6.8.8.jar:6.8.8]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) ~[servlet-api.jar:na]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.23]
            at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-websocket.jar:8.5.23]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.23]
            at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
            at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
            at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:107) ~[cuba-web-6.8.8.jar:6.8.8]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:8.5.23]
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[catalina.jar:8.5.23]
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) ~[catalina.jar:8.5.23]
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[catalina.jar:8.5.23]
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[catalina.jar:8.5.23]
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[catalina.jar:8.5.23]
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) ~[tomcat-coyote.jar:8.5.23]
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:8.5.23]
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-coyote.jar:8.5.23]
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) ~[tomcat-coyote.jar:8.5.23]
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:8.5.23]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_151]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_151]
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.5.23]
            at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_151]
    Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:578) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1441) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1426) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1359) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at com.haulmont.cuba.web.security.ldap.LdapLoginProvider.authenticateInLdap(LdapLoginProvider.java:131) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.security.ldap.LdapLoginProvider.login(LdapLoginProvider.java:82) ~[cuba-web-6.8.8.jar:6.8.8]
            at com.haulmont.cuba.web.security.ConnectionImpl.loginInternal(ConnectionImpl.java:209) ~[cuba-web-6.8.8.jar:6.8.8]
            ... 65 common frames omitted
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
            at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_151]
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_151]
            at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_151]
            at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_151]
            at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_151]
            at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[na:1.8.0_151]
            at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:343) ~[spring-ldap-core-2.3.1.RELEASE.jar:2.3.1.RELEASE]
            ... 77 common frames omitted

Also I found out, that the exception shall be something with "invalid credentials"

https://confluence.atlassian.com/stashkb/ldap-error-code-49-317195698.html

Also I startet to login with client, using DN= ger\mustermann and it worked.

Does anybody have an idea, how to fix it?

Schaumkuesschen
  • 139
  • 4
  • 18
  • Prove your settings and credentials are correct. Use ADExplorer and try to bind to this server and submit any queries. –  Jun 01 '18 at 17:45
  • I could make a connection with Apache Directory Activity – Schaumkuesschen Jun 01 '18 at 18:34
  • https://stackoverflow.com/q/31411665/1531971 Looks like a credential issue. If binding with something like ADExplorer works, then make sure that properties file isn't munging strings. –  Jun 01 '18 at 18:44

1 Answers1

1

Have you created the same user in your CUBA application? In Basic LDAP integration, LDAP server is used only to store passwords. At the same time, access rights of the user should be defined somehow. That is why you have to create the user with the same login in your CUBA application.

Rostislav Iskandarov
  • 11
  • 1