LDAP WARNING message

Topics related to the integration of LSPS with external systems.
Byron Glueck
 
Posts: 85
Joined: Thu Apr 26, 2012 8:17 pm

LDAP WARNING message

Wed Feb 13, 2013 1:00 am

Greetings,

We have successfully integrated LSPS with our Active Directory (LDAP) directory via our GlassFish v3 Java EE server.

However, we periodically receive the following WARNING in our log file when certain operations take place in the system:

[#|2013-02-12T08:40:00.204-0500|WARNING|glassfish3.1.2|javax.enterprise.system.core.security.com.sun.enterprise.security.auth.realm|_ThreadID=19;_Thread
Name=http-thread-pool-8181(2);|SEC1114: Exception in LdapRealm when
trying to locate groups for user.
java.io.IOException: Incorrect AVA format
         at sun.security.x509.AVA.readChar(AVA.java:564)
         at sun.security.x509.AVA.<init>(AVA.java:185)
         at sun.security.x509.AVA.<init>(AVA.java:145)
         at sun.security.x509.RDN.<init>(RDN.java:151)
         at sun.security.x509.X500Name.parseDN(X500Name.java:935)
         at sun.security.x509.X500Name.<init>(X500Name.java:165)
         at sun.security.x509.X500Name.<init>(X500Name.java:152)
         at
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.getGroups(LDAPRealm.java:368)

at $Proxy319.handleCommUnit(Unknown Source)
         at
com.whitestein.lsps.engine.CommunicationServiceBean.sendSync(CommunicationServiceBean.java:88)

        at $Proxy351.sendSync(Unknown Source)
         at
com.whitestein.lsps.engine.ProcessServiceBean.createModelInstance(ProcessServiceBean.java:375)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
         at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:616)
         at
org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
         at
org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
         at
com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
         at
com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
         at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
         at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
         at
com.whitestein.lsps.common.SecureAndLoggingService.logInvocation(SecureAndLoggingService.java:147)
         at
com.whitestein.lsps.common.SecureAndLoggingService.logErrorsAndInvocation(SecureAndLoggingService.java:112)
         at
com.whitestein.lsps.common.SecureAndLoggingService.secureAndLog(SecureAndLoggingService.java:77)
         at sun.reflect.GeneratedMethodAccessor110.invoke(Unknown Source)


We believe it could be related to the application's configuration file, as the error indicates that getGroups() is failing since the user is plain/common and not properly qualified, but would appreciate your assistance on this matter.

Thanks as always,

Team Modus21

Maros Bajtos
 
Posts: 145
Joined: Mon Feb 27, 2012 2:52 pm

Re: LDAP WARNING message

Wed Feb 13, 2013 1:05 am

This behavior is connected with the special "processAgent" user, which is used by LSPS
whenever it runs activities that have not been triggered by a user (e.g.
triggered by a timer).

To fix the problem, these two steps are needed:

1. Open META-INF/sun-application.xml in ear file
2. Modify the mapping for processAgent so that it looks like this:

<security-role-mapping>
    <role-name>processAgent</role-name>
    <principal-name>CN=processAgent,CN=Users,DC=exchange,DC=localdomain</principal-name>
</security-role-mapping>

It would be best if the DN looked like the DN of the real users. So
if there is an existing user in LDAP (or AD) with the DN "CN=john.smith,
CN=Development, DC=company, DC=com", the process agent user DN should be
this: "CN=processAgent, CN=Development, DC=company, DC=com"

The given user doesn't need to exist in LDAP; it's
just to satisfy GlassFish's expectation of a valid LDAP DN.

Maros Bajtos
 
Posts: 145
Joined: Mon Feb 27, 2012 2:52 pm

Re: LDAP WARNING message

Thu Feb 14, 2013 5:06 pm

So, as it turned out, there is one more step that needs to be done: the following SQL statement needs to be executed against the LSPS database.

UPDATE LSPS_PERSONS SET
LOGIN_NAME='CN=processAgent, CN=Development, DC=company, DC=com' WHERE ID =
'processAgent';

The value of LOGIN_NAME must be the same as the one specified in sun-application.xml.
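The warning in the first post comes from GlassFish's LdapRealm handing the mapped principal name to an X.500 DN parser: a DN is a comma-separated list of RDNs, each made of one or more "type=value" attribute-value assertions (AVAs), so a bare "processAgent" with no "=" cannot be parsed and getGroups() logs "Incorrect AVA format". The following Python script is an added example, not part of this thread and not LSPS or GlassFish code. It performs the same structural check ahead of deployment, extracts the principal for the processAgent role from a sun-application.xml document (element names as posted above; the sample documents are constructed here), and confirms that the value matches the LOGIN_NAME that the third post says must be stored in LSPS_PERSONS. The comparison is exact, as the post requires; the simplified DN parser (escaped commas and "+" are honoured, attribute types may be short names or OIDs) is this example's own, not the JDK's.

```python
"""Pre-deployment check for the LSPS processAgent principal mapping.

Added example (not from the forum thread, LSPS or GlassFish).  It mirrors
the structural check GlassFish's LdapRealm applies when it parses the
principal name as an X.500 DN: every RDN must consist of "type=value"
AVAs, so a bare user name such as "processAgent" is rejected.
"""
import re
import xml.etree.ElementTree as ET

# Attribute types are short names (CN, OU, DC, ...) or dotted-decimal OIDs.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


class DnFormatError(ValueError):
    """Raised when a string is not a syntactically valid LDAP/X.500 DN."""


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise DnFormatError("dangling escape at end of DN")
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) AVAs."""
    if not dn or not dn.strip():
        raise DnFormatError("empty DN")
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                # This is the case behind the SEC1114 warning in the log above.
                raise DnFormatError("Incorrect AVA format: %r" % ava.strip())
            attr_type, value = ava.split("=", 1)
            attr_type, value = attr_type.strip(), value.strip()
            if not _ATTR_TYPE.match(attr_type):
                raise DnFormatError("bad attribute type: %r" % attr_type)
            if not value:
                raise DnFormatError("empty value for attribute %r" % attr_type)
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def principal_for_role(xml_text, role_name):
    """Return the <principal-name> mapped to role_name, or None if unmapped."""
    root = ET.fromstring(xml_text)
    for mapping in root.iter("security-role-mapping"):
        role = mapping.findtext("role-name")
        if role is not None and role.strip() == role_name:
            principal = mapping.findtext("principal-name")
            return principal.strip() if principal else None
    return None


def check_process_agent(xml_text, db_login_name, role_name="processAgent"):
    """Return (ok, message).

    ok is True only when the mapped principal parses as a DN and is exactly
    the value stored in LSPS_PERSONS.LOGIN_NAME, as the thread requires.
    """
    principal = principal_for_role(xml_text, role_name)
    if principal is None:
        return False, "no <security-role-mapping> for role %r" % role_name
    try:
        rdns = parse_dn(principal)
    except DnFormatError as exc:
        return False, "principal %r is not a valid DN (%s); LdapRealm.getGroups() will warn" % (principal, exc)
    if principal != db_login_name:
        return False, "LOGIN_NAME %r in LSPS_PERSONS differs from principal %r" % (db_login_name, principal)
    return True, "OK: %d RDNs, leaf %s" % (len(rdns), "=".join(rdns[0][0]))


# Constructed sample documents (not the original poster's files): the
# mapping as it presumably was before the fix, and the corrected one.
BROKEN_XML = """<sun-application>
  <security-role-mapping>
    <role-name>processAgent</role-name>
    <principal-name>processAgent</principal-name>
  </security-role-mapping>
</sun-application>"""

FIXED_DN = "CN=processAgent, CN=Development, DC=company, DC=com"
FIXED_XML = BROKEN_XML.replace("<principal-name>processAgent</principal-name>",
                               "<principal-name>%s</principal-name>" % FIXED_DN)

if __name__ == "__main__":
    for label, doc, login in (("broken", BROKEN_XML, "processAgent"),
                              ("fixed", FIXED_XML, FIXED_DN)):
        print(label, check_process_agent(doc, login))
```

Run against the real sun-application.xml from the EAR and the LOGIN_NAME selected from LSPS_PERSONS, the check fails fast on either half of the fix described in this thread: a principal that is not a DN, or a DN that was updated in one place but not the other.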
