I am trying to authenticate users to an Active Directory Instance using spring security, I am getting an Partial Results Exception. I am going around in circles trying to figure this out. Below is my config.
security-app-context
<authentication-manager erase-credentials="true">
<authentication-provider>
<user-service>
<user name="admin#damien.com" authorities="ROLE_ADMINISTRATOR" password="123admin123" />
</user-service>
</authentication-provider>
<authentication-provider ref="ldapActiveDirectoryAuthProvider"/>
</authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="myDomain.com" />
<constructor-arg value="ldap://ldapurl:389/" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
Error I am getting
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0 org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
I am struggling to find examples and the documentation indicates I am working in the right direction.
This is from the logs
SpringSecurityLdapTemplate.java 213 - Searching for entry under DN '', base = 'dc=myDomain,dc=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'
and this is what I would expect that to look like on a successful attempt from some scripts that work
Searching for entry under DN 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', base = 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'
Do I need to get the DN populated? How? I have looked through the ActiveDirectoryLdapAuthenticationProvider properties and don't see a way? Also the base is off but myDomain.com is the correct domain for users e.g john.doe#myDomain.com. Has anyone come across a similar problem?
To solve this I used the default LDAP provider which enables user search base to be specified, specifying the user search base and user search filter.
<ldap-authentication-provider
user-search-base="OU=Users and Groups,DC=abc,DC=myDomain,DC=com"
user-search-filter="userPrincipalName={0}" />
A user would then be logging in with john.doe#myDomain.com but the usersearch base is more specific(abc.myDomain.com). I believe AD Spring was falling down due to this.
Related
I am trying to use a search filter for Nifi authorizer via LDAP.
The problem is that the usual search filter syntax does not seem to work.
I currently have nifi working with one of my groups, so getting LDAP to work is not the issue.
I was also able to make it work by using the complete paths to both groups, but I would like to use wildcards.
So I have my AD groups as following
prod.xxxx.be
|--PROD
|--Groups TIM application entitlements
|--(A) Nifi - Admin
|--(A) Nifi - Operator
|--(A) Nifi - User
When using the following it works, and users from both groups are populated in the users list in Nifi UI;
<property name="User Search Base">OU=PROD, DC=prod, DC=xxxx, DC=be</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(&(memberof=CN=(A) Nifi - Admin, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be)(memberof=CN=(A) Nifi - User, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be))</property>
<property name="User Identity Attribute">CN</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
But since more groups might be added, it does not seem to be very legible.
Therefore it would be great to use wildcards.
I tried many combinations I found at https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx but none seem to work for Nifi.
Examples;
(&(objectCategory=group)(cn=(A) Nifi*))
I even tried to escape the special characters;
(&(objectCategory=group)(cn=\28A\29 Nifi*))
or
(&(objectCategory=group)(cn=\28A\29 Nifi*))
Since the config file for authorizers is an XML file, but no luck.
Any advice would be greatly appreciated.
Best regards,
Kristof
We use ambari and needed to clarify the object as character data in the template:
I used Android Studio to create both an Android project, and its backend AppEngine Endpoints counterpart. I have a datastore for which I am using Objectify. The system worked great, until I added a filter to my Query (to show only specific given emails).
Query<Report> query = ofy().load().type(Report.class).filter("email", user.getEmail()).order("email").order("-when").limit(limit);
This is the POJO Datastore Entity:
#Entity
public class Report {
#Id
Long id;
String who;
#Index
Date when;
String what;
#Index
String email;
}
However, I receive such an error from the Google API Explorer when I attempt to test it:
com.google.appengine.api.datastore.DatastoreNeedIndexException: no matching index found.
The suggested index for this query is:
<datastore-index kind=\"AccessReport\" ancestor=\"false\" source=\"manual\">
<property name=\"email\" direction=\"asc\"/>
<property name=\"when\" direction=\"desc\"/>
</datastore-index>
As I understand it, I simply need to create a composite index including the specific fields email and when, with their specific sort direction.
However, most documentation that I find tell me to edit datastore-indexes.xml.
App Engine predefines a simple index on each property of an entity. An
App Engine application can define further custom indexes in an index
configuration file named datastore-indexes.xml, which is generated in
your application's /war/WEB-INF/appengine-generated directory.
Unfortunately, this file does not seem to exist anywhere in my project.
Is anyone familiar with the way to change this when working with Android Studio?
Create datastore-indexes.xml file and put it in /WEB-INF/ folder. The content will look like this:
<datastore-indexes
autoGenerate="true">
<datastore-index kind=\"AccessReport\" ancestor=\"false\" source=\"manual\">
<property name=\"email\" direction=\"asc\"/>
<property name=\"when\" direction=\"desc\"/>
</datastore-index>
</datastore-indexes>
Let say the Active Directory have Group A, B and C.
How to specified like only Group A sync to Sitecore?
Thanks for any help! :)
If you just want to get the members in a specific group, you can do this using a customFilter.
If for membership, you can add the following under your membership element in the web.config:
<add name="ad"
type="LightLDAP.SitecoreADMembershipProvider"
connectionStringName="ManagersConnString"
applicationName="sitecore"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
connectionUsername="user"
connectionPassword="12345"
attributeMapUsername="sAMAccountName"
enableSearchMethods="true"
customFilter="(memberOf=cn=test role 1,OU=CRM,DC=VM)"
/>
Just ensure that you have a connection string configured for your AD, which would be something like: <add name="ManagersConnString" connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
And ensure that your custom filter gets to the specific group you're trying to allow access for. I used LDAP Browser to navigate to my groups using a simple GUI and then copied the path.
See more in the documentation about customFilters in section 4.1.
Try to specify your group in the connection string:
<connectionStrings>
<add name="ManagersConnString"
connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
</connectionStrings>
This example is copied from the Documentation (see chapter 2.1.3). In this example, Managers is just a sample organization unit. But this is a normal LDAP connection string, so you can insert and filter there whatever you want.
I have a camel 'seda' route that contains code roughly:
JaxbDataFormat jaxb = new JaxbDataFormat(false);
jaxb.setContextPath("com.example.data.api");
from("seda:validate")
.marshal(jaxb)
.to("spring-ws:" + getDataServiceURL())
.unmarshal(jaxb)
I send an object from com.example.data.api, the JaxbDataFormat formatter sets it up as a SOAP request and passes it along wo spring-ws to actually send to my service. This works like a charm most of the time.
I say "most" because every now and then, spring-ws throws an exception like so:
org.springframework.ws.client.WebServiceTransformerException: Transformation error: Can't transform a Source of type javax.xml.transform.stax.StAXSource; nested exception is javax.xml.transform.TransformerException: Can't transform a Source of type javax.xml.transform.stax.StAXSource
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:608)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:537)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:492)
at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceive(WebServiceTemplate.java:479)
at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceive(WebServiceTemplate.java:470)
at org.apache.camel.component.spring.ws.SpringWebserviceProducer.process(SpringWebserviceProducer.java:81)
at org.apache.camel.util.AsyncProcessorConverterHelper$ProcessorToAsyncProcessorBridge.process(AsyncProcessorConverterHelper.java:61)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:73)
The core of that is this error message: "Can't transform a Source of type javax.xml.transform.stax.StAXSource".
None of that makes sense. The Jaxb marshalling will have already made sure that the object in question is an XML string (according to any debug logging I do). Furthermore, this exact code works most of the time and only occasionally will fail. It appears random.
For instance, I ran a test just a few minutes ago where I sent a message into my route and got this error. I then restarted my service and resend the exact same message... and it worked like a charm. Same code; same environment; same test -- two different results.
It's this randomness that makes this so maddening. Any ideas what I should be looking for to making sure this never happens?
The issue is not with Camel but Spring-WS. Modifying the transformerFactoryClass in WS template config would work
<bean id="baseCamelMarshallerWSTemplate" class="org.springframework.ws.client.core.WebServiceTemplate" scope="prototype">
<constructor-arg ref="messageFactory" />
<property name="messageSender">
<ref bean="httpSender"/>
</property>
<property name="checkConnectionForError" value="true"/>
**<property name="transformerFactoryClass" value="com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"/>**
</bean>
If you still face the issue, please share spring WS config and a test case
I have a sqlMapConfig.xml that has three SQLMaps defined in it.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sqlMapConfig
PUBLIC "-//ibatis.apache.org//DTD SQL Map Config 2.0//EN"
"http://ibatis.apache.org/dtd/sql-map-config-2.dtd">
<sqlMapConfig>
<!-- Statement namespaces are required for Ibator -->
<settings enhancementEnabled="true" useStatementNamespaces="true"/>
<!-- Setup the transaction manager and data source that are
appropriate for your environment
-->
<transactionManager type="JDBC">
<dataSource type="SIMPLE" >
<property name="JDBC.Driver"
value="com.mysql.jdbc.Driver"/>
<property name="JDBC.ConnectionURL"
value="jdbc:mysql://localhost:3306/sug"/>
<property name="JDBC.Username"
value="root"/>
<property name="JDBC.Password"
value="admin"/>
</dataSource>
</transactionManager>
<!-- SQL Map XML files should be listed here -->
<sqlMap resource="com/tatakelabs/dbmaps/categories_SqlMap.xml" />
<sqlMap resource="com/tatakelabs/dbmaps/pro_SqlMap.xml" />
<sqlMap resource="com/tatakelabs/dbmaps/pro_category_SqlMap.xml" />
</sqlMapConfig>
I get a runtime error - Cause: java.io.IOException: Could not find resource com/tatakelabs/dbmaps/categories_SqlMap.xml
categories_SqlMap.xml is present in that location. I tried changing the location of the map xml, but that did not help. sqlMapConfig.xml validates against the DTD. categories_SqlMap.xml also validates against the right DTD. I am at my wits end trying to figure out why it can't find the resource. The sqlMap files are generated by iBator.
This was happening because the sqlmap file location was not getting copied to target. Added a copy goal and that fixed it.
I had the same problem. It appears the problem lies with the location of the config file. Thus, its in relation of the project resource structure.
I moved the config file in the same package as the mapper classes and it worked. In this case try moving all the resources to this package and update the resource attributes to:
<sqlMap resource="categories_SqlMap.xml" />
<sqlMap resource="pro_SqlMap.xml" />
<sqlMap resource="pro_category_SqlMap.xml" />
Solved it.
I moved the xml file to where the Pojo was located and provided the path as follows:
<sqlMap resource="com/heena/ibatis/model/jsr/jsr.xml" />
And it worked.
place it ...src\java\abc.xml under the Source Packages directory.
If you are using Spring, you can use a SqlMapClientFactoryBean specifying property "mappingLocations". In this property you can specify a generic path, such as "com/tatakelabs/dbmaps/*_SqlMap.xml" or with a variable such as ${mapfiles}, that will be resolved by Spring as an array of file names. This lets you omit sqlMap element in sqlMapConfig. This technique will run with iBatis 2.3.4 on. However sql-map-config-2.dtd is also contained inside iBatis.jar, so you can experience some parsing errors, as /com/ibatis/sqlmap/engine/builder/xml/sql-map-config-2.dtd may have a bug. In this case you may want to replace it inside the jar with the one from the URL:
http://ibatis.apache.org/dtd/sql-map-config-2.dtd.