Error while integrating AD to openIDM using generic LDAP connector

This topic has 4 replies, 2 voices, and was last updated 4 years, 8 months ago.

  • #15553
     Nwz
    Participant

    Hi,

    I am trying to integrate AD with OpenIDM using the generic LDAP connector. I have used the provisioner.openicf-adldap.json provided in the samples/provisioner folder. Even though the details configured are correct, I am getting the error below. Also please find below the contents of the provisioner file. A response will be greatly appreciated.

    Error logs

    Using boot properties at /opt/openidm/conf/boot/boot.properties
    -> Jan 27, 2017 8:56:05 PM org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService$1 handleResult
    SEVERE: Connection error for SystemIdentifier{ uri='system/adldap/'}
    org.identityconnectors.framework.common.exceptions.InvalidCredentialException: 172.16.10.156:636; socket closed

    Jan 27, 2017 8:56:05 PM org.slf4j.impl.JDK14LoggerAdapter fillCallerData
    FINE: Enter: validate() Method: validate
    Jan 27, 2017 8:56:05 PM org.slf4j.impl.JDK14LoggerAdapter fillCallerData
    FINE: Return: null Method: validate
    Jan 27, 2017 8:56:05 PM org.slf4j.impl.JDK14LoggerAdapter fillCallerData
    FINE: Enter: test() Method: test
    Jan 27, 2017 8:56:05 PM org.identityconnectors.framework.impl.api.local.operations.ConnectorOperationalContext getPool
    INFO: Creating new pool: ConnectorKey( bundleName=org.forgerock.openicf.connectors.ldap-connector bundleVersion=1.4.1.0 connectorName=org.identityconnectors.ldap.LdapConnector ) Method: getPool2
    Jan 27, 2017 8:56:05 PM org.slf4j.impl.JDK14LoggerAdapter fillCallerData
    FINE: Exception: Method: test
    org.identityconnectors.framework.common.exceptions.InvalidCredentialException: 172.16.10.156:636; socket closed
    at org.identityconnectors.ldap.LdapConnection$AuthenticationResultType$4.propagate(LdapConnection.java:537)
    at org.identityconnectors.ldap.LdapConnection$AuthenticationResult.propagate(LdapConnection.java:560)
    at org.identityconnectors.ldap.LdapConnection.connect(LdapConnection.java:197)
    at org.identityconnectors.ldap.LdapConnection.getInitialContext(LdapConnection.java:182)

    Provisioner file

    {
      "name" : "adldap",
      "connectorRef" : {
        "connectorHostRef" : "#LOCAL",
        "connectorName" : "org.identityconnectors.ldap.LdapConnector",
        "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
        "bundleVersion" : "1.4.1.0"
      },
      "configurationProperties" : {
        "host" : "172.16.10.156",
        "port" : "636",
        "ssl" : false,
        "principal" : "CN=Administrator,OU=Users,DC=GSOC,DC=LAB,DC=COM",
        "credentials" : {
          "$crypto" : {
            "type" : "x-simple-encryption",
            "value" : {
              "cipher" : "AES/CBC/PKCS5Padding",
              "data" : "cGG1J3OcDBdu1UdKUOBFlw==",
              "iv" : "TMhIeMx477SSdsSK0CbR4g==",
              "key" : "openidm-sym-default"
            }
          }
        },
        "baseContexts" : [
          "OU=Users,OU=IDaaS,DC=GSOC,DC=LAB,DC=COM"
        ],
        "baseContextsToSynchronize" : [
          "OU=Users,OU=IDaaS,DC=GSOC,DC=LAB,DC=COM"
        ],
        "accountSearchFilter" : null,
        "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
        "groupSearchFilter" : null,
        "groupSynchronizationFilter" : "(&(!(cn=Domain Users)))",
        "passwordAttributeToSynchronize" : "userPassword",
        "synchronizePasswords" : false,
        "vlvSortAttribute" : "uid",
        "passwordAttribute" : "unicodePwd",
        "groupMemberAttribute" : "member",
        "uidAttribute" : "objectGUID",
        "changeNumberAttribute" : "changeNumber",
        "accountUserNameAttributes" : [
          "sAMAccountName"
        ],
        "passwordHashAlgorithm" : "WIN-AD",
        "removeLogEntryObjectClassFromFilter" : true,
        "modifiersNamesToFilterOut" : [ ],
        "passwordDecryptionKey" : null,
        "changeLogBlockSize" : 100,
        "attributesToSynchronize" : [ ],
        "passwordDecryptionInitializationVector" : null,
        "filterWithOrInsteadOfAnd" : false,
        "objectClassesToSynchronize" : [
          "user"
        ],
        "useBlocks" : true,
        "maintainPosixGroupMembership" : false,
        "failover" : [ ],
        "referralsHandling" : "ignore",
        "readSchema" : false,
        "accountObjectClasses" : [
          "user"

    #15560

    I think you should log in with the Windows domain name, not the user DN. So change your principal to something like "administrator" or "DOMAIN\administrator".

    #15561

    Giving the configuration a second look, "ssl" : false seems quite suspicious as well. You are connecting to port 636, which should be SSL.
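The two mismatches raised in the replies above (a DN-style principal, and "ssl" : false on the LDAPS port 636) can be caught before OpenIDM is even started by linting the provisioner file. This is an added example, not code from the thread or from OpenIDM; the host and principal values in the embedded sample are constructed placeholders, and the rules it applies are the ones discussed in this thread plus the AD requirement that unicodePwd is only writable over an encrypted connection.

```python
import json
import re

# Added example, not from the thread or from OpenIDM: a pre-flight check over a
# generic-LDAP provisioner file for AD, applying the points raised in the replies.
LDAPS_PORT, LDAP_PORT = 636, 389
# "CN=...,OU=...,DC=..." style principal; AD simple bind expects DOMAIN\user,
# user@domain or a bare sAMAccountName instead.
DN_RE = re.compile(r"^\s*\w+=[^,]+(,\w+=[^,]+)+\s*$")


def check_provisioner(doc):
    """Return a list of findings for doc (the parsed provisioner JSON)."""
    props = doc.get("configurationProperties", {})
    findings = []
    port = int(props.get("port", LDAP_PORT))  # the sample file stores "636" as a string
    ssl = bool(props.get("ssl", False))
    if port == LDAPS_PORT and not ssl:
        findings.append('port 636 is LDAPS but "ssl" is false: set "ssl": true')
    if port == LDAP_PORT and ssl:
        findings.append('"ssl" is true on port 389 (cleartext LDAP port): use port 636')
    if not ssl:
        findings.append('"ssl" is false: the bind password crosses the network in cleartext')
    if not ssl and props.get("passwordAttribute") == "unicodePwd":
        findings.append("AD only accepts unicodePwd changes over an encrypted connection")
    principal = props.get("principal", "")
    if DN_RE.match(principal):
        findings.append(f'principal "{principal}" is a DN; use DOMAIN\\user or user@domain for AD')
    return findings


def check_provisioner_file(path):
    """Load a provisioner.openicf-*.json file from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_provisioner(json.load(fh))


# Constructed fragment mirroring the thread's file; host and principal are placeholders.
SAMPLE = json.loads("""{
  "name": "adldap",
  "configurationProperties": {
    "host": "ad.example.test", "port": "636", "ssl": false,
    "principal": "CN=Administrator,OU=Users,DC=EXAMPLE,DC=TEST",
    "passwordAttribute": "unicodePwd"
  }
}""")

if __name__ == "__main__":
    for finding in check_provisioner(SAMPLE):
        print("WARN:", finding)
```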

    #15568
     Nwz
    Participant

    Hi Pavel,

    Thanks for your response.

    I incorporated both of the above changes and also added the path of the trust store in the system.properties file. However, I got the error below while starting OpenIDM.

    Jan 28, 2017 12:17:51 AM org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService$1 handleResult
    SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/adldap/'} failed!
    org.identityconnectors.framework.common.exceptions.ConnectionFailedException: javax.naming.CommunicationException: simple bind failed: 172.16.10.156:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

    Any idea how to overcome this?

    #15571

    and also added the path of trust store in system.properties

    Add the certificate to $OPENIDM_HOME/security/truststore. Do not try to add a different truststore (btw. the truststore location is in boot.properties).
