Active IQ Unified Manager Discussions
Is it possible to connect WFA to a virtual directory services instance that is not an MS AD implementation? My customer is no longer allowing direct connections to AD servers, and I need to bind to a secure LDAP implementation provided by a third party vendor.
ldaps://<server>:<port> appears to allow the connection, but the user is not able to log in. My assumption is that normally the credentials are being passed through to AD, which allows a connection, whereas with the VDS solution the individual users are not allowed to authenticate.
Using ldaps://<server>:<port> I get the following error:
(domain/user/server/port info manually removed)
2014-11-18 15:39:20,253 INFO [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) Looking up user ‘<DOMAIN>\<USER> in LDAP servers
2014-11-18 15:39:20,269 INFO [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting LDAP context for server 'ldaps://<LDAP_SERVER>:<PORT>'
2014-11-18 15:39:20,706 INFO [com.netapp.wfa.ldap.LdapWrapper] (http-executor-threads - 100) Getting default naming context
2014-11-18 15:39:20,738 ERROR [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 100) null: java.lang.NullPointerException
at com.netapp.wfa.ldap.LdapWrapper.getDefaultNamingContext(LdapWrapper.java:198) [ldap-login-module-0.5.jar:]
at com.netapp.wfa.ldap.LdapWrapper.findUserInLdap(LdapWrapper.java:105) [ldap-login-module-0.5.jar:]
at com.netapp.wfa.ldap.LdapLoginModule.validatePassword(LdapLoginModule.java:67) [ldap-login-module-0.5.jar:]
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]
at sun.reflect.GeneratedMethodAccessor331.invoke(Unknown Source) [:1.7.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_25]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_25]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:416) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:518) [jbossweb-7.0.13.Final.jar:]
at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)
at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:801)
at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)
at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:842)
at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Thank you,
Scott
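The trace above ends in LdapWrapper.getDefaultNamingContext with a NullPointerException right after "Getting default naming context". The script below is an added illustration, not WFA code, and it assumes that the module reads the root DSE attribute defaultNamingContext, which Active Directory publishes but a generic RFC 4512 directory does not; it shows how to tell the two kinds of server apart from their root DSE before pointing WFA at one. The root DSE dicts are constructed samples, and no real server is contacted.

```python
# Added illustration (not WFA code). Assumption: LdapWrapper.getDefaultNamingContext
# reads the root DSE attribute "defaultNamingContext". Active Directory publishes it;
# a generic LDAP server (RFC 4512) publishes only "namingContexts". The dicts below
# are constructed root DSE responses, shaped like the output of
#   ldapsearch -x -H ldaps://<server>:<port> -s base -b "" "*" "+"
from typing import Dict, List, Optional

RootDSE = Dict[str, List[str]]

AD_ROOT_DSE: RootDSE = {  # constructed: what an AD domain controller returns
    "defaultNamingContext": ["DC=example,DC=com"],
    "namingContexts": ["DC=example,DC=com", "CN=Configuration,DC=example,DC=com"],
    "supportedLDAPVersion": ["3", "2"],
}

VDS_ROOT_DSE: RootDSE = {  # constructed: third-party virtual directory, no AD extension
    "namingContexts": ["o=example"],
    "supportedLDAPVersion": ["3"],
}


def ad_only_base_dn(root_dse: RootDSE) -> str:
    """Strict lookup assumed for the AD-only module: raises KeyError on a
    non-AD server, the Python analogue of the NPE in the log."""
    return root_dse["defaultNamingContext"][0]


def strict_lookup_fails(root_dse: RootDSE) -> bool:
    """True when the AD-only lookup blows up against this root DSE."""
    try:
        ad_only_base_dn(root_dse)
    except KeyError:
        return True
    return False


def classify_directory(root_dse: RootDSE) -> str:
    """'active-directory' if the AD-specific attribute is present, else 'generic-ldap'."""
    return "active-directory" if root_dse.get("defaultNamingContext") else "generic-ldap"


def resolve_base_dn(root_dse: RootDSE) -> Optional[str]:
    """Tolerant lookup a directory-agnostic module would do: prefer
    defaultNamingContext, else the first standard namingContexts entry.
    None means the server published neither and the base must be configured."""
    for attr in ("defaultNamingContext", "namingContexts"):
        values = root_dse.get(attr)
        if values:
            return values[0]
    return None
```

Running the same root DSE query against the customer's VDS and checking for defaultNamingContext gives a quick, non-invasive answer to whether the login module can ever get past this step.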
Your requirement is valid, but WFA as of 3.0 can't work with any directory server other than Microsoft Active Directory. I'll try to see if I can manage a workaround.
It may be available in a future release.
sinhaa
Thank you,
I would like to pose this as an RFE. We worked with the customer and built the POC, showed it and pushed it into production, using AD LDAP. Then they started blocking access to AD LDAP connections before a new set of jobs were added, and effectively set us back. So while we met all the requirements at the time, with the change I have no other options currently.
EDIT: My apologies, I am still on WFA version 2.1 and had not even read the 3.0 release notes; it would have answered my question!
Thank you for your time!
Scott
Also, FWIW... WFA 4.0 (build 3858982) does not support LDAP either. What's the deal with removing LDAP support? OCUM7 supports it too!
No, it's not true. WFA 4.0 completely supports Active Directory LDAP login.
What problem are you facing?
sinhaa
Nowhere in my post did I write anything about Active Directory. I only , and this thread is titled WFA using non AD LDAP, so why are you even mentioning AD? I wonder if @sinhaa found a workaround?
Active Directory also works on LDAP protocol.
WFA as of 4.0 doesn't support other directory servers like OpenLDAP.
Workaround: I had tried when this post was originally submitted (~2 years back) without success. Let me try again.
sinhaa