Our organization stores signing certificates in Active Directory. We are using anonymous bind to search for them at a base DN (e.g. OU=MY ORG,dc=mydc,dc=org). I have been trying to use the Spring LdapTemplate to look them up, but no matter what method I use, I get the cryptic InterruptedNamingException.
Assuming a cert subject of cn=mycert.myorg.com
My code looks like this:
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

// Anonymous, read-only context source pointed at the server and base DN from our config
LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl(String.format(LDAP_URL_FORMAT, ldapCertStoreParameters.getServerName(),
        ldapCertStoreParameters.getPort()));
contextSource.setBase(ldapCertStoreParameters.getBaseDn());
contextSource.setAnonymousReadOnly(true);
contextSource.afterPropertiesSet();

LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
ldapTemplate.setIgnorePartialResultException(true); // AD referrals otherwise surface as PartialResultException
ldapTemplate.afterPropertiesSet();

// The certificate selector's subject is used as the lookup name
X500Principal principal = x509CertSelector.getSubject();
Object obj = ldapTemplate.lookup(new LdapName(principal.getName()));
The X500 principal's name is the whole DN: cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org
I have also tried the search using just the cn.
We have verified that the DN exists on the server using Apache Directory Studio.
• I would suggest that you remove the call altogether or set ‘userSearchBase’ to an empty String (“”), as in the example given in the community thread below: -
Configure Spring security for Ldap connection
As in the ‘AbstractContextSource’, set the base suffix from which all operations should originate. If a base suffix is set, you will not have to (and, indeed, must not) specify the full distinguished names in any operations performed. Since you specified the full DN for the userDN/filter, you must not specify the base.
AD servers are apparently unable to handle referrals automatically, which causes a ‘PartialResultException’ to be thrown whenever a referral is encountered in a search. To avoid this, set the ‘ignorePartialResultException’ property to true. There is currently no way of manually handling these referrals in the form of ‘ReferralException’, i.e., either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly). Neither is there any simple way to get notified that a ‘PartialResultException’ has been ignored.
For more details regarding the LDAP template search for Active Directory stored certificates, kindly refer to the link below: -
https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/core/LdapTemplate.html
• Also, please refer to the documentation below on configuring the Spring Boot LDAP template with certificates stored in Active Directory: -
https://www.baeldung.com/x-509-authentication-in-spring-security
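As an added illustration (Python, not code from the question or the answer above) of why a configured base suffix and a full DN clash: the helpers below compose the name a base-relative lookup actually sends to the server, and strip the base from a full DN so the lookup can be made relative instead. The base and subject DN are the ones from the question; the normalisation rules (attribute types lower-cased, unescaped commas as separators, case-insensitive comparison) are a simplification of RFC 4514 assumed for this example.

```python
"""Why a full DN plus a configured base breaks a Spring LDAP lookup.

Added example, not from the original posts: models how a context source
with a base suffix composes the name it sends, and the fix of passing a
base-relative name instead.
"""
import re

# Values taken from the question above
BASE_DN = "OU=MY ORG,dc=mydc,dc=org"
FULL_DN = "cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org"


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash (simplified RFC 4514)."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip() for p in parts if p.strip()]


def normalize(dn):
    """Canonical form: attribute types lower-cased, whitespace around '=' and ',' dropped."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def effective_dn(base, name):
    """Name the server sees: with a base configured, every name is appended to it."""
    if not base:
        return normalize(name)
    return normalize(name) + "," + normalize(base)


def relativize(base, full_dn):
    """Strip the base suffix from a full DN; ValueError if the DN is not under the base."""
    full = split_rdns(normalize(full_dn))
    suffix = split_rdns(normalize(base))
    tail = [r.lower() for r in full[-len(suffix):]]
    if len(full) <= len(suffix) or tail != [r.lower() for r in suffix]:
        raise ValueError(f"{full_dn} is not under base {base}")
    return ",".join(full[:-len(suffix)])


if __name__ == "__main__":
    # Reproduces the symptom: the base gets appended a second time
    print("broken lookup name :", effective_dn(BASE_DN, FULL_DN))
    # The fix: look up the base-relative name
    relative = relativize(BASE_DN, FULL_DN)
    print("relative name      :", relative)
    print("correct lookup name:", effective_dn(BASE_DN, relative))
```

Run it to see the doubled suffix the question's code produces and the two equivalent fixes the answer describes: either drop the base and keep the full DN, or keep the base and look up the relative name.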
Currently we are using OpenLDAP version 2.4. From what I know, the default password storage scheme is SSHA.
But is there any way I can view it on the console? I need to send a screenshot showing that the password storage scheme of our OpenLDAP is SSHA.
UPDATE: the olcPasswordHash attribute is not specified in any of the ldif files under the cn=config folder
Depending on the configuration mode, you can check if it's set:
Using the slapd.conf file:
grep password-hash slapd.conf
Using on-line configuration (OLC):
slapcat -n 0 -a olcPasswordHash=*
The olcPasswordHash attribute is defined at the database level (like in olcDatabase={<n>}<name>,cn=config), so you won't find it directly in cn=config.ldif but in the corresponding ldif file. That's why you had better use slapcat.
A password policy may also require cleartext passwords to be hashed. The ppolicy overlay enables this behavior via the ppolicy_hash_cleartext flag (cf. slapo-ppolicy):
ppolicy_hash_cleartext : Specify that cleartext passwords present in Add and Modify requests
should be hashed before being stored in the database.
In this case, SSHA is used if no password storage scheme is explicitly set via password-hash or olcPasswordHash, so you would just check for the flag:
Using the slapd.conf file:
grep ppolicy_hash_cleartext slapd.conf
Using on-line configuration (OLC):
slapcat -n 0 -a olcPPolicyHashCleartext=*
If the attribute is not set: How do you set password-hash for OpenLDAP?
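To make the checks above repeatable, here is an added Python script (not part of the answer) that reads `slapcat -n 0` output on stdin, parses the LDIF (folded lines and base64 values included) and reports which scheme applies under the rules just described: an explicit olcPasswordHash wins wherever it appears, otherwise the SSHA default, with the ppolicy flag reported alongside. The two LDIF samples embedded in it are constructed; only the attribute names olcPasswordHash and olcPPolicyHashCleartext come from the answer.

```python
"""Determine the effective OpenLDAP password storage scheme from slapcat -n 0 output.

Added example, not from the original answer. Usage:  slapcat -n 0 | python3 check_hash.py
"""
import base64
import sys

# Constructed sample: scheme set explicitly on the database (value is base64 "{SSHA}")
SAMPLE_OLC_EXPLICIT = """dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=org
olcPasswordHash:: e1NTSEF9
"""

# Constructed sample: no olcPasswordHash, but the ppolicy overlay hashes cleartext
SAMPLE_OLC_PPOLICY = """dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=example,
 dc=org

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: TRUE
"""


def _build(lines):
    """Turn one entry's unfolded lines into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, folded continuation lines, comments."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]                     # continuation of the previous line
        elif raw == "":
            if current:
                entries.append(_build(current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries


def effective_password_scheme(ldif_text):
    """Apply the answer's rules: explicit olcPasswordHash wins, else the SSHA default."""
    explicit, ppolicy_hash = [], False
    for dn, attrs in parse_ldif(ldif_text):
        for scheme in attrs.get("olcPasswordHash", []):
            explicit.append((dn, scheme))
        if any(v.upper() == "TRUE" for v in attrs.get("olcPPolicyHashCleartext", [])):
            ppolicy_hash = True
    if explicit:
        dn, scheme = explicit[0]
        return {"scheme": scheme, "explicit": True, "set_on": dn,
                "ppolicy_hash_cleartext": ppolicy_hash}
    return {"scheme": "{SSHA}", "explicit": False, "set_on": None,
            "ppolicy_hash_cleartext": ppolicy_hash}


if __name__ == "__main__":
    print(effective_password_scheme(sys.stdin.read()))
```

The `set_on` field tells you which entry carries the attribute, which answers the poster's confusion about not finding it in cn=config.ldif itself; `ppolicy_hash_cleartext` being false with no explicit scheme means only the Password Modify extended operation path is covered by the default, so it is worth recording that in the evidence you send along with the screenshot.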
Do some of you guys have some experience with authentication in Zabbix using Lotus Domino? I'm not quite sure what to enter there. I know I made some authentication for IBM WebSphere but I can't get it working in Zabbix. Can someone give me some tutorial? Or explanations? :)
There is :
LDAP HOST : mydomino.local.address
Port : 389
Base DN : ???What is this???
Search attribute : cn;
Bind DN : ???my 'sudo'user / binduser???
Bind password : binduser.password
OK so I tried it. Also I can easily telnet "mydomino.local.address" on port 389. So there is nothing bad with the connection. Maybe Base DN. Is this something special, unique for each LDAP server like "mycompany DomainName", or can it be something universal? Also search attribute. I know cn; or uid; or mail; works in WAS.
I would be really glad if someone could just help me with this.
In Domino there are different "Base DNs". For a user search the Base DN typically is o=YourOrganizer, so if your Notes names look like CN=MartinFric/OU1=IT/O=YourCompany, then the base DN would be o=YourCompany.
Groups do NOT have a Base DN. If you search for groups, then the Base DN has to be empty.
The Bind DN depends on the configuration of your Domino. Your mail address will always work, as well as your CN name. So this might be "Martin Fric" or "martin.fric@yourcompany.com". Other variations might work as well. The bind password is the Internet password of the bind user (HTTP Password in the person document in the Domino directory).
Usually one creates a specific LDAPBind user in the directory with an Internet password so as not to expose user passwords to any external program.
The search attributes depend on what you want to achieve.
Open the Lotus Notes program directory of any installed Lotus Notes client in a CMD and type the following:
ldapsearch.exe -h mydomino.local.address -p 389 -D "Martin Fric" -w YourInternetPassword "(CN=Martin Fric)"
In this query the parameters are:
-h = LDAP HOST
-p = Port
-D = Bind DN
-w = Bind Password
"(cn=Martin Fric)" = Query that says: search in (Search attribute) cn for an entry with value "Martin Fric"
If this query succeeds and the query returns values, then the parameters for Zabbix are correct. In that case someone knowing Zabbix has to help you further in debugging that.
If this query does NOT succeed, then you need to fix your Domino -> Come back with the error message you get for help.
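An added Python example, not from the answer, that turns the Notes name used above into an LDAP DN, derives the user base DN (o=YourCompany) and the empty group base the answer describes, and builds the same ldapsearch invocation as an argument list with the filter value escaped. The host, names and password are constructed sample values; the OU1= label form and the label-less abbreviated Notes name (MartinFric/IT/YourCompany) are handled as assumed conventions.

```python
"""Domino Notes names, LDAP base DNs and a safely built ldapsearch command.

Added example, not from the original answer.
"""
import re
import subprocess

# Notes component label with optional level digits (OU1..OU4 are all 'ou')
_LABEL = re.compile(r"^(?P<type>[A-Za-z]+?)\d*=(?P<value>.*)$")


def notes_to_ldap_dn(notes_name):
    """'CN=MartinFric/OU1=IT/O=YourCompany' -> 'cn=MartinFric,ou=IT,o=YourCompany'.
    The abbreviated form without labels ('MartinFric/IT/YourCompany') is also accepted
    (assumed convention: first part is cn, last is o, anything between is ou)."""
    parts = [p for p in notes_name.split("/") if p]
    rdns = []
    if all("=" in p for p in parts):
        for p in parts:
            m = _LABEL.match(p)
            rdns.append(f"{m.group('type').lower()}={m.group('value')}")
    else:
        for i, p in enumerate(parts):
            label = "cn" if i == 0 else ("o" if i == len(parts) - 1 else "ou")
            rdns.append(f"{label}={p}")
    return ",".join(rdns)


def user_base_dn(notes_name):
    """The answer's rule for user searches: the base is the organization, e.g. o=YourCompany."""
    for rdn in notes_to_ldap_dn(notes_name).split(","):
        if rdn.startswith("o="):
            return rdn
    raise ValueError("no O= component in " + notes_name)


GROUP_BASE_DN = ""  # groups have no base DN in Domino: search with an empty base

# RFC 4515 filter escapes, applied per character so nothing is double-escaped
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so text from a login form cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(attribute, value):
    """'(cn=Martin Fric)' as in the answer, with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def ldapsearch_argv(host, port, bind_dn, bind_password, attribute, value, base_dn=""):
    """Argument list equivalent to the answer's ldapsearch.exe command (-h/-p/-D/-w),
    plus -b when a base DN applies. Passing a list to subprocess avoids shell quoting."""
    argv = ["ldapsearch", "-h", host, "-p", str(port), "-D", bind_dn, "-w", bind_password]
    if base_dn:
        argv += ["-b", base_dn]
    argv.append(search_filter(attribute, value))
    return argv


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running
    bind_user = "CN=MartinFric/OU1=IT/O=YourCompany"
    argv = ldapsearch_argv("mydomino.local.address", 389, "Martin Fric", "YourInternetPassword",
                           "cn", "Martin Fric", user_base_dn(bind_user))
    print("DN      :", notes_to_ldap_dn(bind_user))
    print("command :", argv)
    subprocess.run(argv, check=False)
```

Two points worth noting for anyone wiring this into Zabbix: the user search base and the group search base differ (o=YourCompany versus empty), so test each with its own `-b`; and `-w` puts the bind password on the command line where other local users can read it from the process list, so for interactive testing with OpenLDAP's ldapsearch prefer `-W`, which prompts instead.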
I'd like to get the preferred domain controller name/address on a Mac joined to Active Directory (MS Windows Server with Domain Controller) programmatically with C/Objective-C. The best solution for now is parsing the output of the dsconfigad -show command-line utility, where there are lines such as:
Advanced Options - Administrative
Preferred Domain controller = 192.168.XXX.XXX
I already tried the Open Directory API, as advised here, but it fails to access nodes deeper than the full domain name:
// domainNode: "/Active Directory/MYDOMAIN/mydomain.local"
NSArray *domainSubNodes = [domainNode subnodeNamesAndReturnError:&err];
[domainSubNodes count]; // count is 0
Do I need to perform some kind of authorization to access the subnodes of the domain, and how do I perform it?
Are there any POSIX/BSD functions that can obtain the domain controller name from pure C code?
Greetings,
Well I am bewildered. I have been tasked with updating a PHP script that uses the BulkAPI to upsert some data into the Opportunity entity.
This is all going well except that the Bulk API is returning this error for some clearly defined custom fields:
InvalidBatch : Field name not found : cv__Acknowledged__c
And similar.
I thought I finally found the problem when I discovered the WSDL version I was using was quite old (Partner WSDL). So I promptly regenerated the WSDL. Only problem? Enterprise, Partner, etc....all of them...do not include these fields. They're all coming from the Common Ground package and start with cv_
I even tried to find them in the object explorer in Workbench as well as the schema explorer in Force.com IDE.
So, please...lend me your experience. How can I update these values?
Thanks in advance!
Clif
Screenshots to prove I have the correct access:
EDIT -- Here is my code:
require_once 'soapclient/SforcePartnerClient.php';
require_once 'BulkApiClient.php';
// Log in through the Partner WSDL, then reuse the session for the Bulk API
$mySforceConnection = new SforcePartnerClient();
$mySoapClient = $mySforceConnection->createConnection(APP.'plugins'.DS.'salesforce_bulk_api_client'.DS.'vendors'.DS.'soapclient'.DS.'partner.wsdl.xml');
$mylogin = $mySforceConnection->login('redacted@redacted.com', 'redactedSessionredactedPassword');
$myBulkApiConnection = new BulkApiClient($mylogin->serverUrl, $mylogin->sessionId);
// Upsert job on Opportunity, keyed on Id, fed with CSV
$job = new JobInfo();
$job->setObject('Opportunity');
$job->setOperation('upsert');
$job->setContentType('CSV');
$job->setConcurrencyMode('Parallel');
$job->setExternalIdFieldName('Id');
$job = $myBulkApiConnection->createJob($job);
// $insert holds the CSV text shown further down
$batch = $myBulkApiConnection->createBatch($job, $insert);
$myBulkApiConnection->updateJobState($job->getId(), 'Closed');
// Poll with exponential back-off until the batch leaves Queued/InProgress
$times = 1;
while($batch->getState() == 'Queued' || $batch->getState() == 'InProgress')
{
    $batch = $myBulkApiConnection->getBatchInfo($job->getId(), $batch->getId());
    sleep(pow(1.5, $times++));
}
$batchResults = $myBulkApiConnection->getBatchResults($job->getId(), $batch->getId());
echo "Number of records processed: " . $batch->getNumberRecordsProcessed() . "\n";
echo "Number of records failed: " . $batch->getNumberRecordsFailed() . "\n";
echo "stateMessage: " . $batch->getStateMessage() . "\n";
if($batch->getNumberRecordsFailed() > 0 || $batch->getNumberRecordsFailed() == $batch->getNumberRecordsProcessed())
{
    echo "Failures detected. Batch results:\n".$batchResults."\nEnd batch.\n";
}
And lastly, an example of the CSV data being sent:
"Id","AccountId","Amount","CampaignId","CloseDate","Name","OwnerId","RecordTypeId","StageName","Type","cv__Acknowledged__c","cv__Payment_Type__c","ER_Acknowledgment_Type__c"
"#N/A","0018000000nH16fAAC","100.00","70180000000nktJ","2010-10-29","Gary Smith $100.00 Single Donation 10/29/2010","00580000001jWnq","01280000000F7c7AAC","Received","Individual Gift","Not Acknowledged","Credit Card","Email"
"#N/A","0018000000nH1JtAAK","30.00","70180000000nktJ","2010-12-20","Lisa Smith $30.00 Single Donation 12/20/2010","00580000001jWnq","01280000000F7c7AAC","Received","Individual Gift","Not Acknowledged","Credit Card","Email"
After 2 weeks, 4 cases, dozens of e-mails and phone calls, 3 bulletin board posts, and 1 Stackoverflow question, I finally got a solution.
The problem was quite simple in the end. (which makes all of that all the more frustrating)
As stated, the custom fields I was trying to update live in the Convio Common Ground package. Apparently our install has 2 licenses for this package. None of the licenses were assigned to my user account.
It isn't clear what is really gained/lost by not having the license other than API access. As the rest of this thread demonstrates, I was able to see and update the fields in every other way.
If you run into this, you can view the licenses on the Manage Packages page in Setup. Drill through to the package in question and it should list the users who are licensed to use it.
Thanks to SimonF's professional and timely assistance on the Developer Force bulletin boards:
http://boards.developerforce.com/t5/Perl-PHP-Python-Ruby-Development/Bulk-API-So-frustrated/m-p/232473/highlight/false#M4713
I really think this is a field level security issue. Is the field included in the opportunity layout for that user profile? Field level security picks the most restrictive option, so if you seem to have access from the setup screen but it's not included in the layout, I don't think the system will give you access.
If you're certain that your user's profile has FLS access to the fields and the assigned layouts include the fields, then I'd suggest looking into the definition of the package in question. I know the bulk API allows use of fields in managed packages normally (I've done this).
My best guess at this point is that your org has installed multiple versions of this package over time. Through component deprecation, it's possible the package author deprecated these custom fields. Take a look at two places once you've logged into salesforce:
1.) The package definition page. It should have details about what package version was used when the package was first installed and what package version you're at now.
2.) The page that has WSDL generation links. If you choose to generate the enterprise WSDL, you should be taken to a page that has dropdown elements that let you select which package version to use. Try fiddling with those to see if you can get the fields to show up.
These are just guesses. If you find more info, let me know, and I can try to provide additional guidance.