WSO2 : connecting to ldap fails - active-directory

I am following the WSO2 guide for Active Directory on WSO2 Identity Manager (standalone version). I am trying to connect my WSO2 server with the company LDAP. I set the admin username/password to an existing user, set the connection properties (from Apache Directory Studio I can access the Active Directory), and set the query for fetching users, but I got this error:
13.6.2017 13:24:12[2017-06-13 11:24:12,318] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:99)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:42)
13.6.2017 13:24:12 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
13.6.2017 13:24:12 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
13.6.2017 13:24:12 at java.lang.Thread.run(Thread.java:745)
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Error while trying to login to data receiver :/10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:47)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:93)
13.6.2017 13:24:12 ... 6 more
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: wrong userName or password
13.6.2017 13:24:12 at sun.reflect.GeneratedConstructorAccessor207.newInstance(Unknown Source)
13.6.2017 13:24:12 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
13.6.2017 13:24:12 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:162)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:42)
13.6.2017 13:24:12 ... 7 more
I have this configuration set up:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>false</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>it\wso2system</UserName>
<Password>mypassword</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
and the AD connection:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://activedirectory.local:389</Property>
<Property name="ConnectionName">it\wso2system</Property>
<Property name="ConnectionPassword">mypassword</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">...my working search query from directory studio ...</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectCategory=Person)(sAMAccountName=*))</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">false</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
Have I missed some configuration file? Using the standard database configuration worked before; after switching I get the above mentioned error PLUS I cannot log into WSO2 (neither store, apim nor carbon).
We have no roles defined in AD, we only want to authenticate the WSO2 users.
Any help appreciated :)

My first piece of advice would be to just add your LDAP by means of the carbon console, adding it as a secondary user store. Here is some documentation on it, for the IDs 5.3.0. If you want to go down that path you should first put the original admin login back (so you can at least log into carbon) and put back the JDBC store.
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
If you do go down the secondary user store route, it will automatically create an XML file of the user store under /repository/deployment/server/userstores.
Here is an example of the user store file.
<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://domain.com:389</Property>
<Property name="ConnectionName">CN=user,OU=work,DC=domain,DC=com</Property>
<Property encrypted="true" name="ConnectionPassword">cantseethat</Property>
<Property name="UserSearchBase">OU=Unit,DC=domain,DC=com</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute">name</Property>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">OU=R,DC=domain,DC=com</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="CountRetrieverClass"/>
<Property name="java.naming.ldap.attributes.binary"> </Property>
<Property name="DomainName">Domain</Property>
<Property name="Description">LDAP User Store</Property>
</UserStoreManager>
Other Stuff
Disable the Embedded LDAP under /repository/conf/identity/embedded-ldap.xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
"If you are using LDAPS (secure) to connect to the Active Directory, you need to import its public certificate to the client-truststore.jks of the WSO2 product you are configuring." Oracle: Import Cert
You can also import it using carbon, under keystore.
Sorry I can't be more helpful.

The solution to this problem is somewhat tricky, but here we go:
After a couple of tries, I decided to set up the AD connection as a secondary user store using the LDAP Readonly Connector. I fell into a NullPointerException.
I got myself the source code of wso2am and started debugging. The server tries to open the certificate chain in order to get the public key for encrypting the password. This chain was not returned properly:
TID: [-1234] [] [2017-06-20 12:18:21,318] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying
to invoke service method addUserStore {org.apache.axis2.rpc.receivers.RPCMessageReceiver}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
at org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:45)
at org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.user.store.configuration.stub.UserStoreConfigAdminServiceStub.addUserStore(UserStoreConfigAdminServiceStub.java:889)
at org.wso2.carbon.identity.user.store.configuration.ui.client.UserStoreConfigAdminServiceClient.addUserStore(UserStoreConfigAdminServiceClient.java:95)
at org.apache.jsp.userstore_005fconfig.userstore_002dconfig_002dfinish_002dajaxprocessor_jsp._jspService(userstore_002dconfig_002dfinish_002dajaxprocessor_jsp.java:198)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.initializeKeyStore(SecondaryUserStoreConfigurationUtil.java:82)
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.encryptPlainText(SecondaryUserStoreConfigurationUtil.java:125)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addProperties(UserStoreConfigAdminService.java:569)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.writeUserMgtXMLFile(UserStoreConfigAdminService.java:812)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addUserStore(UserStoreConfigAdminService.java:270)
... 76 more
To solve the problem I extracted the code and put it into a standalone program which can be found on our github site.
I figured out that the chain was not sufficiently packed into the keystore. To create a working keystore I followed Non's answer to this Stack Overflow post.
I got
my server certificate (PEM)
go daddy bundle certificate including root (PEM)
go daddy secure server certificate (PEM)
the certificate key (keyfile from the CSR)
To understand these three certs you may look here
Following the above-mentioned post's answer I did:
> cat server.crt bundle-g2-g1.crt gdig2.crt >combined.crt
> openssl pkcs12 -export -chain -in server.crt -inkey server.key -out keystore.p12 -name wso2carbon -CAfile combined.crt
> keytool -importkeystore -destkeystore wso2carbon.jks -srckeystore keystore.p12 -alias wso2carbon
The created keystore passed my test program successfully. The installed wso2 instance successfully saved my AD connection and did not create any SSL problems.
PS: I also got the keystore here from operations in PKCS12 format. One CANNOT convert it into a jks keystore, the bloody keytool DROPS the chain!
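The chain-building steps from this answer, reproduced as an added example (not the answerer's code) against a constructed root -> intermediate -> server test PKI, followed by the check a practitioner wants before handing the keystore to WSO2: that the PKCS12 and the JKS really carry all three certificates and not just the leaf. The subject names, file names and the store password are assumptions; wso2carbon is the alias the answer uses.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires openssl and keytool.
set -eu

# Build a throwaway test PKI in directory $1 (constructed test data, 30-day certs).
make_test_pki() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$1/leaf.ext"
    # Self-signed root (stands in for the GoDaddy root)
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=Test Root CA" \
        -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
        -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
    # Intermediate signed by the root (stands in for the GoDaddy G2 issuer)
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=Test Intermediate CA" \
        -keyout "$1/intermediate.key" -out "$1/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/intermediate.crt" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=wso2.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.crt" -CAkey "$1/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}

# The answer's three steps, run inside directory $1 with store password $2.
# combined.crt must reach a self-signed root: "openssl pkcs12 -chain" fails
# outright when it cannot build the chain, rather than writing a short one.
build_keystore() {
    cat "$1/server.crt" "$1/intermediate.crt" "$1/root.crt" > "$1/combined.crt"
    openssl pkcs12 -export -chain -in "$1/server.crt" -inkey "$1/server.key" \
        -CAfile "$1/combined.crt" -name wso2carbon -passout "pass:$2" -out "$1/keystore.p12"
    keytool -importkeystore -srckeystore "$1/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$1/wso2carbon.jks" -deststoretype JKS -deststorepass "$2" \
        -srcalias wso2carbon -destalias wso2carbon -noprompt 2>/dev/null
}

# Number of certificates stored in PKCS12 file $1 (password $2).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Chain length keytool reports for alias $2 in keystore $1 (password $3).
# A value of 1 means only the leaf made it in: the incomplete chain this answer describes.
chain_length() {
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# Run the whole procedure when invoked with --run and print both counts (expected: 3 and 3).
if [ "${1:-}" = "--run" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    build_keystore "$work" wso2carbon
    echo "certificates in keystore.p12:   $(p12_cert_count "$work/keystore.p12" wso2carbon)"
    echo "chain length in wso2carbon.jks: $(chain_length "$work/wso2carbon.jks" wso2carbon wso2carbon)"
    rm -rf "$work"
fi
```

Run the same chain_length check against any PKCS12 you receive from operations before converting it; if it already reports 1, the chain was missing at the source and no conversion will restore it.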

Related

WSO2 (IdM) cannot add user in Active Directory as primary user store

Environment:
wso2 5.3.0 installed on
Windows 7 sp1
jdk_1.8.0_151 with external primary user store on
AD (Windows server 2016 Active Directory)
Action:
wso2 starts normally
wsoadmin user is available in AD
wso2 binds via ldaps to AD
logging into the wso2 management menu on win 7 client as administrator ok
all existing AD users show up in the wso2 users list view (only those with an email address)
If I want to add a new user "wsotest" an error is thrown:
ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -
Error while adding the user to the Active Directory for user :
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException:
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment:
Error in attribute conversion operation, data 0, v3839 ];
remaining name 'cn=wsotest'
user-mgt.xml:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>False</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
<Password>admin</Password><!-- keep default; real pw is already set in AD -->
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">wso.ad.org</Property>
<Property name="Disabled">false</Property>
<Property name="kdcEnabled">true</Property>
<Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property>
<Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="ConnectionPassword">*******</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(sAMAccountName=?))</Property>
<Property name="UserNameListFilter">(&(objectClass=user)(sAMAccountName=*))</Property>
<!-- -->
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<!-- -->
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
embedded-ldap.xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
Any recommendations?
Found the solution:
add this property to the UserStoreManager within user-mgt.xml
<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>
Thus the CN will be properly constructed. Obviously you have to adapt the structure and content of this DN string according to your AD LDAP.
It took me quite some time to find this, since WSO2's manual is a bit misleading regarding UserDNPattern:
The pattern for the user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LDAP, defining a "UserDNPattern" provides more impact on performance as the LDAP does not have to travel through the entire tree to find users.
Sounds like an option, but seems to be necessary.

c3p0 connection refill in tomcat

2016-05-16 09:49:20,505 [http-bio-8080-exec-6] WARN [com.mchange.v2.c3p0.impl.DefaultConnectionTester] - SQL State '08007' of Exception tested by statusOnException() implies that the database is invalid, and the pool should refill itself with fresh Connections.
at com.mchange.v2.c3p0.impl.NewProxyConnection.commit(NewProxyConnection.java:803)
2016-05-16 09:49:20,506 [http-bio-8080-exec-6] WARN [com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - A ConnectionTest has failed, reporting that all previously acquired Connections are likely invalid. The pool will be reset.
at com.mchange.v2.c3p0.impl.NewProxyConnection.commit(NewProxyConnection.java:803)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeUpdate(NewProxyPreparedStatement.java:105)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeUpdate(NewProxyPreparedStatement.java:105)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeUpdate(NewProxyPreparedStatement.java:105)
When an Exception occurs on a Connection during a c3p0 Connection test, c3p0 examines the SQL State of the Exception to evaluate whether that means that only the Connection is invalid, or if all Connections in the pool are likely to be invalid given the condition signaled. If the SQL state suggests all Connections are likely to be invalid, c3p0 will reset the pool, close()ing and discarding the Connections it has previously acquired and replacing them with fresh Connections.
You don't need to do anything about this, as long as it is rare or occasional. c3p0 is trying to recover from a database outage as early and as quickly as possible. It is proactively replacing its Connections rather than waiting for each one individually to fail a test and then get replaced.
If this is happening a lot, then there is a problem either with your database or with how Connection tests are getting performed. But that's worth tracking down only if it happens a lot.
It's my OCD, I want to fix every warning, so I am trying to change the properties.
This is my old version:
<property name="minPoolSize"><value>5</value>
</property>
<property name="maxPoolSize">
<value>30</value>
</property>
<property name="initialPoolSize">
<value>10</value>
</property>
<property name="maxIdleTime">
<value>60</value>
</property>
<property name="acquireIncrement">
<value>5</value>
</property>
<property name="maxStatements">
<value>0</value>
</property>
<property name="idleConnectionTestPeriod">
<value>60</value>
</property> -->
<property name="acquireRetryAttempts">
<value>30</value>
</property>
<property name="breakAfterAcquireFailure">
<value>true</value>
</property>
<property name="preferredTestQuery" value="SELECT 1"/>
false
New version:
<property name="idleConnectionTestPeriod" value="${c3p0.idleConnectionTestPeriod}" />
<property name="initialPoolSize" value="${c3p0.initialPoolSize}" />
<property name="maxIdleTime" value="${c3p0.maxIdleTime}" />
<property name="maxPoolSize" value="${c3p0.maxPoolSize}" />
<property name="maxStatements" value="${c3p0.maxStatements}" />
<property name="maxStatementsPerConnection" value="${c3p0.maxStatementsPerConnection}" />
<property name="minPoolSize" value="${c3p0.minPoolSize}" />

Unknown host exception when configuring HikariCP with MS sql driver

Here is my Hikari datasource configuration:
<bean id="hikariConfig" class="com.zaxxer.hikari.HikariConfig">
<property name="jdbcUrl" value="jdbc:sqlserver://" />
<property name="initializationFailFast" value="false"/>
<property name="poolName" value="springHikariCP" />
<property name="username" value="nexgen"/>
<property name="password" value="nexgen"/>
<property name="connectionTimeout" value="1000"/>
<property name="connectionTestQuery" value="USE NexGen;SELECT TOP 1 * FROM Transactions"/>
<property name="dataSourceProperties">
<props>
<prop key="serverName">"DEVWORX01\DEV2014"</prop>
<prop key="databaseName">NexGen</prop>
<prop key="user">nexgen</prop>
<prop key="password">nexgen</prop>
</props>
</property>
</bean>
Here is the stack trace:
java.sql.SQLTransientConnectionException: springHikariCP - Connection is not available, request timed out after 1003ms.
at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:195)
at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:147)
at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:83)
at com.pevco.persist.reports.ReportsDaoImpl.setDataSource(ReportsDaoImpl.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.springframework.beans.BeanWrapperImpl$BeanPropertyHandler.setValue(BeanWrapperImpl.java:346)
at org.springframework.beans.AbstractNestablePropertyAccessor.setPropertyValue(AbstractNestablePropertyAccessor.java:454)
at org.springframework.beans.AbstractNestablePropertyAccessor.setPropertyValue(AbstractNestablePropertyAccessor.java:280)
at org.springframework.beans.AbstractPropertyAccessor.setPropertyValues(AbstractPropertyAccessor.java:95)
at org.springframework.beans.AbstractPropertyAccessor.setPropertyValues(AbstractPropertyAccessor.java:75)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1514)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1226)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:543)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:305)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:301)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:196)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:772)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:835)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:537)
at org.springframework.test.context.support.AbstractGenericContextLoader.loadContext(AbstractGenericContextLoader.java:125)
at org.springframework.test.context.support.AbstractGenericContextLoader.loadContext(AbstractGenericContextLoader.java:60)
at org.springframework.test.context.support.AbstractDelegatingSmartContextLoader.delegateLoading(AbstractDelegatingSmartContextLoader.java:109)
at org.springframework.test.context.support.AbstractDelegatingSmartContextLoader.loadContext(AbstractDelegatingSmartContextLoader.java:261)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:98)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:116)
at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:83)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.injectDependencies(DependencyInjectionTestExecutionListener.java:117)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.prepareTestInstance(DependencyInjectionTestExecutionListener.java:83)
at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:228)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.createTest(SpringJUnit4ClassRunner.java:230)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner$1.runReflectiveCall(SpringJUnit4ClassRunner.java:289)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.methodBlock(SpringJUnit4ClassRunner.java:291)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:249)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:89)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:193)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The connection to the host "DEVWORX01, named instance DEV2014" failed. Error: "java.net.UnknownHostException: "DEVWORX01". Verify the server and instance names and check that no firewall is blocking UDP traffic to port 1434. For SQL Server 2005 or later, verify that the SQL Server Browser Service is running on the host.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:190)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getInstancePort(SQLServerConnection.java:3589)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.primaryPermissionCheck(SQLServerConnection.java:1225)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:972)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:95)
at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:101)
at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:314)
at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:171)
at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:436)
at com.zaxxer.hikari.pool.HikariPool.access$500(HikariPool.java:65)
at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:567)
at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:560)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The connection to the host "DEVWORX01, named instance DEV2014" failed. Error: "java.net.UnknownHostException: "DEVWORX01". Verify the server and instance names and check that no firewall is blocking UDP traffic to port 1434. For SQL Server 2005 or later, verify that the SQL Server Browser Service is running on the host.
The above line is what I have been focusing on. I've tried using just the IP address instead of the server name.
I've tried using dataSourceClassName with same result:
<property name="dataSourceClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDataSource" />
All with the same result. I am able to connect using a different datasource. I am also able to connect using sqlcmd.
I've looked at the many already existing SO questions, and it appears my configuration should work.
implementing hikaricp with microsoft sql server
How to set up datasource with Spring for HikariCP?
As well as the hikariCP documentation.
I can't see anything wrong with the setup. Why am I getting the unknown host exception? Another set of eyes would be greatly appreciated.
Get rid of the jdbcUrl. Also, there are quotes around your hostname/instance, there probably shouldn't be. You can also separate the instance from the host in the configuration as below:
<bean id="hikariConfig" class="com.zaxxer.hikari.HikariConfig">
<property name="initializationFailFast" value="false"/>
<property name="poolName" value="springHikariCP" />
<property name="username" value="nexgen"/>
<property name="password" value="nexgen"/>
<property name="connectionTimeout" value="1000"/>
<property name="connectionTestQuery" value="SELECT 1"/>
<property name="dataSourceClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDataSource" />
<property name="dataSourceProperties">
<props>
<prop key="serverName">DEVWORX01</prop>
<prop key="instanceName">DEV2014</prop>
<prop key="databaseName">NexGen</prop>
<prop key="user">nexgen</prop>
<prop key="password">nexgen</prop>
</props>
</property>
</bean>

How to add a new user to an external userstore (AD) in WSO2 Identity Server 4.5?

I'm trying to add users to backend AD.
However, if I specify the password, I always get 'Password does not meet the system requirements. Please try again.' (I can add a user to AD with the same password on the AD server.)
Then I tried 'Ask password from user' and not specifying a password. Creation failed with the following message:
Could not add user test.com/testadd. Error is: Credential not valid. Credential must be a non null string with following format, null
While I'm sure the AD certificate is added to all keystores I can find.
So what can I do next?
Here is my user-mgt.xml:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<!-- .... -->
<!-- I didn't change this part -->
</UserStoreManager>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">test.com</Property>
<Property name="DomainName">test.com</Property>
<Property name="kdcEnabled">false</Property>
<Property name="ConnectionURL">ldaps://10.20.112.213:636</Property>
<Property name="ConnectionName">CN=Adaccount,CN=Users,DC=test,DC=com</Property>
<Property name="ConnectionPassword">password#123</Property>
<Property name="UserSearchBase">CN=Users,DC=test,DC=com</Property>
<Property name="UserEntryObjectClass">person</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">CN=Users,DC=test,DC=com</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">memberOf</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="isADLDSRole">false</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
I guess there can be an issue with the regex pattern of the password. According to your configuration, the regex pattern is not defined in the config. Maybe WSO2IS uses some default pattern. Please try to configure them and see... I could see the following in the default user-mgt.xml file. Try to configure them and check.
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
<Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
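As an added diagnostic for the error in this question (example code, not WSO2's own), here is a Python checker that reads the regex properties of one UserStoreManager in user-mgt.xml, falls back to the defaults quoted in the answer when, as in the question's config, none are set, and reports why a username or password is refused. The XML is a constructed, trimmed copy of the AD store above; because the page does not show how WSO2 unescapes the Java-form values, the JavaScript-form patterns are the ones applied.

```python
import re
import xml.etree.ElementTree as ET

# Defaults quoted in the answer above; they apply when the UserStoreManager
# in user-mgt.xml does not set the property (the questioner's situation).
DEFAULT_PATTERNS = {
    "PasswordJavaScriptRegEx": r"^[\S]{5,30}$",
    "UsernameJavaScriptRegEx": r"^[\S]{3,30}$",
}

AD_STORE = "org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"

# Constructed sample: a trimmed copy of the AD user store from the question,
# with '&' escaped as XML requires and, deliberately, no regex properties.
SAMPLE_USER_MGT_XML = """<UserManager><Realm>
<UserStoreManager class="%s">
<Property name="ConnectionURL">ldaps://10.20.112.213:636</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property>
</UserStoreManager>
</Realm></UserManager>""" % AD_STORE


def effective_patterns(user_mgt_xml, store_class):
    """Regex properties in force for one UserStoreManager: configured values
    where present, otherwise the defaults quoted in the answer."""
    patterns = dict(DEFAULT_PATTERNS)
    for usm in ET.fromstring(user_mgt_xml).iter("UserStoreManager"):
        if usm.get("class") != store_class:
            continue
        for prop in usm.findall("Property"):
            if prop.get("name") in DEFAULT_PATTERNS:
                patterns[prop.get("name")] = prop.text or ""
    return patterns


def check_credential(value, pattern):
    """(accepted, reason) for a candidate value under a JavaScript-form regex."""
    if re.fullmatch(pattern, value):
        return True, "accepted"
    if re.search(r"\s", value):
        return False, "contains whitespace, rejected by " + pattern
    return False, "does not match " + pattern


def check_new_user(user_mgt_xml, store_class, username, password):
    """Pre-check a user-add request the way the pattern properties would."""
    pats = effective_patterns(user_mgt_xml, store_class)
    return {
        "username": check_credential(username, pats["UsernameJavaScriptRegEx"]),
        "password": check_credential(password, pats["PasswordJavaScriptRegEx"]),
    }
```

A password that AD itself accepts can still fail here because of a space or a length outside 5 to 30 characters, which is what the "does not meet the system requirements" message reports.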

WSO2 ESB sending events to BAM with LDAP authentication

I'd like to know if somebody has successfully got ESB connecting to a BAM that uses LDAP for authentication, and how. In other words: what are the necessary permissions to publish events to a BAM server?
We've installed ESB 4.6.0 and BAM 2.2.0, and both of them are configured to use LDAP (it's an Active Directory) for user management.
We've followed this documentation as much as possible (it has some outdated/wrong instructions though): http://docs.wso2.org/wiki/display/ESB450/Configuring+External+User+Stores
Since ESB sends events to BAM, there is a BAM Profile created that needs a valid user and password to connect to the BAM server. Therefore we've created specific users for that. Those users were configured to belong to the admin group by adding them to the default admin role (the one specified in the user-mgt.xml file shown below), but the connection between ESB and BAM fails with:
TID: [0] [BAM] [2013-05-07 12:50:58,802] INFO {org.wso2.carbon.databridge.core.DataBridge} - wso2_dev_server connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [0] [BAM] [2013-05-07 12:50:58,847] ERROR {org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - wrong userName or password {org.wso2.carbon.databridge.core.internal.authentication.Authenticator}
while direct login into the Management Console (same credentials) works:
TID: [0] [BAM] [2013-05-07 14:10:48,570] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'wso2_dev_server#carbon.super [-1234]' logged in at [2013-05-07 14:10:48,570+1200] from IP address 172.26.34.38 {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
To make it even funnier, communication between ESB and BAM works if I use MY credentials instead.
Thanks in advance.
This is our user-mgt.xml file:
<UserManager>
<Realm>
<Configuration>
<AdminRole>wso2_admin</AdminRole>
<AdminUser>
<UserName>gherrera</UserName>
<Password></Password>
</AdminUser>
<EveryOneRoleName></EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ReadOnly">true</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://activedirectoryserver:389</Property>
<Property name="ConnectionName">CN=someadminuser,OU=Service Accounts,OU=mycompany Users,DC=mycompany,DC=co,DC=nz</Property>
<Property name="ConnectionPassword">someadminuserpassword</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">DC=mycompany,DC=co,DC=nz</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">OU=mycompany Groups,DC=mycompany,DC=co,DC=nz</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="maxFailedLoginAttempt">3</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
