Hello Joget! My LDAP plugin seems to be having some issues. I've read some other users' comments and the problems seem to be similar, but I just can't see where mine is going wrong.

It's doing the whole 'locking me out' thing that others seem to get, so I have my second browser open for testing logins while staying logged in with the other. As far as I can tell, the problem seems to be that it tries to log in (to LDAP) with my currently logged-in user, instead of the user I provide in the config.

So I give it the following credentials for the LDAP; this is taken from the wf_setup table:

LDAP config
{
    "url": "ldap://ad.dneg.com:389",
    "username": "CN=joget,CN=Users,DC=ad,DC=dneg,DC=com",
    "password": "HASHEDPASSWORDSTRING",
    "rootDN": "dc=ad,dc=dneg,dc=com",
    "userBaseDN": "ou=People,dc=ad,dc=dneg,dc=com",
    "userImportSearchFilter": "(objectClass=person)",
    "user-attr-username": "name",
    "user-attr-firstName": "givenName",
    "user-attr-lastName": "sn",
    "user-attr-email": "mail",
    "user-attr-active": "",
    "user-attr-timeZone": "",
    "user-attr-employeeCode": "",
    "user-attr-role": "",
    "user-attr-reportTo": "",
    "user-attr-mappedToReportToAttr": "distinguishedName",
    "user-attr-groups": "memberOf",
    "user-attr-mappedToGroupAttr": "distinguishedName",
    "user-attr-departments": "",
    "user-attr-mappedToDepartmentAttr": "distinguishedName",
    "user-attr-grade": "",
    "user-attr-mappedToGradeAttr": "distinguishedName",
    "groupBaseDN": "ou=Groups,dc=ad,dc=dneg,dc=com",
    "groupImportSearchFilter": "(objectClass=group)",
    "group-attr-id": "cn",
    "group-attr-name": "description",
    "group-attr-description": "description",
    "group-attr-users": "member",
    "group-attr-mappedToUserAttr": "distinguishedName",
    "departmentBaseDN": "",
    "departmentImportSearchFilter": "",
    "department-attr-id": "cn",
    "department-attr-name": "description",
    "department-attr-description": "description",
    "department-attr-hod": "",
    "department-attr-users": "member",
    "department-attr-mappedToUserAttr": "distinguishedName",
    "gradeBaseDN": "",
    "gradeImportSearchFilter": "",
    "grade-attr-id": "cn",
    "grade-attr-name": "description",
    "grade-attr-description": "description",
    "grade-attr-users": "member",
    "grade-attr-mappedToUserAttr": "distinguishedName",
    "roleAdminBaseDN": "cn=tech,ou=groups,dc=ad,dc=dneg,dc=com",
    "roleAdminImportSearchFilter": "objectClass=group",
    "roleAdmin-attr-users": "member",
    "roleAdmin-attr-mappedToUserAttr": "distinguishedName",
    "resultSize": "100",
    "debugMode": "yes"
}

So with this, I expect it to try and connect with the user 'joget', which is a valid user in our LDAP system, but in the logs you see it trying to connect with a user called 'admin', and at this time I am obviously logged in with the 'admin, pw:admin' user. I've attached the error message I get from the logs at the point of hitting 'submit' on the LDAP plugin; also in that log file is the error that occurs when I try and log in with my actual LDAP login after I've loaded the LDAP plugin.

Any suggestions would be fantastic, and if you need any more information from me then don't hesitate to ask.

Thanks

Matt


3 Comments

  1. Hi Matt,

    Based on the error message in the log file

    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]

    it seems to indicate that there is an authentication problem when connecting to the LDAP server. Based on a quick Google of the error codes in the bolded bits above, there are some relevant results.

    More specifically, the error code "773 user must reset password" suggests that the user's password must be changed before logging on.

    Hope this helps!

    Best Regards
    Julian

  2. Ah, right you are! Turns out the user we created for Joget to use had an option that demanded the password be changed on each login.

    One question I do have about Joget though is why does the client demand that we provide authentication for our LDAP user? LDAP itself doesn't require a password, and we found ourselves in a situation where we didn't have a user available in LDAP with a password, and thus created the new one.

    Anyway, now I have all my LDAP users inside Joget, but still can't log in with any of those accounts, I instead get this message...

    Login restricted, license not activated for this system

    I appreciate why the trial license restricts our entire LDAP userbase, but is there some way I can allow a few of these users to be available for some testing?

    Matt

    1. Thanks for your posting. We will follow up with you accordingly.
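
As an added example, not Joget's code and not from any of the posters above, here is a small Python decoder for the Active Directory sub-status that Julian's comment 1 identifies. AD appends "AcceptSecurityContext error, data NNN" to LDAP result code 49 (invalidCredentials), and that hex value is what separates a genuinely wrong password (52e) from an account-state problem such as 773 (password must be reset), which fails even when the password is correct, exactly the situation Matt ran into. The sample log lines are constructed for the example; the first is copied from the log line quoted in comment 1, and the function and constant names are the example's own.

```python
"""Decode Active Directory bind failures from LDAP error-code-49 messages.

Added example (not Joget's code, not from the original post). It parses the
"AcceptSecurityContext error, data NNN" sub-status that AD appends to LDAP
result code 49 (invalidCredentials) and maps it to the well-known meanings.
The sample log lines at the bottom are constructed for the example.
"""
import re
from collections import Counter

# Well-known AD sub-status codes returned with LDAP result 49. The hex value
# after "data" is what distinguishes a wrong password from an account-state
# problem that fails even with the *correct* password.
AD_SUBSTATUS = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Sub-statuses where the supplied password may well be correct: the bind is
# refused because of the account's state, not the credential. 525 is left
# out because it means the bind DN could not be resolved at all.
ACCOUNT_STATE_CODES = {"530", "531", "532", "533", "701", "773", "775"}

_RESULT_RE = re.compile(r"LDAP: error code (\d+)")
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def parse_ad_bind_error(message):
    """Describe an AD bind failure, or return None if the line is not one.

    Keys: result_code (int), data (lower-case hex str), meaning (str),
    credential_problem (bool, True only for 52e) and
    account_state_problem (bool, True for the ACCOUNT_STATE_CODES).
    """
    m_result = _RESULT_RE.search(message)
    m_data = _DATA_RE.search(message)
    if not m_result or not m_data:
        return None
    data = m_data.group(1).lower()
    return {
        "result_code": int(m_result.group(1)),
        "data": data,
        "meaning": AD_SUBSTATUS.get(data, "unknown sub-status"),
        "credential_problem": data == "52e",
        "account_state_problem": data in ACCOUNT_STATE_CODES,
    }


def summarize_bind_failures(log_lines):
    """Count AD bind failures per meaning across a batch of log lines.

    Useful when triaging: a burst of 52e is a credential problem (or a
    guessing attempt); a burst of 775 is the lockout that follows it.
    """
    counts = Counter()
    for line in log_lines:
        parsed = parse_ad_bind_error(line)
        if parsed is not None:
            counts[parsed["meaning"]] += 1
    return counts


# Constructed sample log lines. The first is the message quoted in comment 1;
# the others are invented to exercise the remaining branches.
SAMPLE_LOG = [
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 773, v1db1]",
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 52e, v1db1]",
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 775, v1db1]",
    "INFO  Scheduled LDAP user import finished, 412 users",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ad_bind_error(line))
    print(summarize_bind_failures(SAMPLE_LOG))
```

Run against the line from comment 1, the decoder reports data 773 with `account_state_problem` set and `credential_problem` clear, which is the cue to look at the bind account's "user must change password at next logon" flag (or at expiry, disablement or lockout for the neighbouring codes) before touching the password in the plugin config. Note that the sub-status is only present when binding against Active Directory; other directories return a bare result 49.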