Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-53003

Create a user with export users enabled to Active Directory does not work

    XMLWordPrintable

    Details

      Description

      STEPS TO REPRODUCE
      1.- Set up Active Directory. It must be accept SSL connections, so certificates must be put in place.
      If not, the same error as in the EXPECTED section appears.
      For this test, self-signed certificates can be created following these steps:
      1.1.- I used SelfSSL.exe that is distributed as part of the IIS Tools: http://support.microsoft.com/kb/840671/es
      Run the command: 

      selfssl.exe /T /K:1024 /V:365 /N:CN=liferay-20148a1.mydomain.com

      Just change the last parameter to the FQDN of your Domain controller
      1.2.- Create a certificate repository using a tool called InstallCert.
      Reference: http://infposs.blogspot.com.es/2013/06/installcert-and-java-7.html
      1.2.1.- Copy the code
      1.2.2.- Compile it

      javac InstallCert.java

      1.2.2.- Run it:

      $ java InstallCert liferay-20148a1.mydomain.com:636
Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.7.0_55.jdk/Contents/Home/jre/lib/security/cacerts...
Opening connection to liferay-20148a1.mydomain.com:636...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
	at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:183)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:813)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 16 more

Server sent 1 certificate(s):

 1 Subject CN=liferay-20148a1.mydomain.com
   Issuer  CN=liferay-20148a1.mydomain.com
   sha1    3d a0 ca 12 fe 10 39 71 cd 90 01 9d 79 ad 2e 97 be 5b a3 56 
   md5     d4 77 b1 d4 42 a8 48 5a 3c d1 d5 90 bb e1 30 98 

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: CN=liferay-20148a1.mydomain.com
  Signature Algorithm: SHA1withRSA, OID = 1.3.14.3.2.29

  Key:  Sun RSA public key, 1024 bits
  modulus: 125452588288597013163643418999188716056206137261604739300812499575923589140221750194244466293716724110218422886437334177746692388706252805266231840456035948515932274531505149642492356188122106930334016912117153700612272009704230960295024070386703807506294591941774182149106052346052002255235434950695669452293
  public exponent: 65537
  Validity: [From: Mon Jan 19 17:51:46 CET 2015,
               To: Wed Nov 27 17:51:46 CET 2024]
  Issuer: CN=liferay-20148a1.mydomain.com
  SerialNumber: [    2e632bdb 57e27292 4ac0f5a5 a374e723]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 66 46 B7 FE 81 18 DF 4C   04 D7 FF 4D FD CE 5B 11  fF.....L...M..[.
0010: DF FE 59 34 77 78 AC 52   F9 EA 39 A0 BA 1B 42 3E  ..Y4wx.R..9...B>
0020: E7 2C 8C 9A 49 7D 0A A8   EF 9B 6C 25 EE C8 43 28  .,..I.....l%..C(
0030: 95 15 43 86 28 66 49 6B   F5 D2 57 B2 87 42 12 0B  ..C.(fIk..W..B..
0040: A7 49 45 A1 0E A0 6B E0   1D E0 A0 FD B1 AF 09 59  .IE...k........Y
0050: 8F F5 E9 7D 03 E4 4F C5   55 DF 17 AF 0E 99 A6 0C  ......O.U.......
0060: 6E 47 2D 41 D7 B1 89 B2   9F FC 54 31 8E A1 F5 D3  nG-A......T1....
0070: 7E 87 C3 60 A3 3F 03 82   AA B0 FE F1 27 66 FB F2  ...`.?......'f..

]

Added certificate to keystore 'jssecacerts' using alias 'liferay-20148a1.mydomain.com-1'

      That command will create a jssecacerts file
      1.3 Reference that cert store in setenv.bat/sh for Tomcat including this parameter:

      -Djavax.net.ssl.trustStore=/your/path/to/jssecacerts

      2.- Include en portal-ext.properties:

      passwords.regexptoolkit.pattern=(?=.{8})(?:[a-zA-Z0-9]*)

      3.- Enable LDAP integration in Liferay.
      The URL should be something like: ldaps://liferay-20148a1.mydomain.com:636
      4.- Check that you can connect to the LDAP and see the users
      Mark it as enabled, import enabled, export enabled
      In the section Export > User Default Object Classes, enter: the following
      top,person,organizationalPerson,user
      5.- Create a user in Liferay

      EXPECTED
      The user is created in AD

      ACTUAL
      The user creation fails (see liferay-failure.png) and the following error appear in log files:

      17:39:07,992 ERROR [http-bio-7000-exec-8][render_portlet_jsp:131] null
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0__]; remaining name 'cn=rfv,CN=Users,DC=mydomain,DC=com' [Sanitized]
     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
     at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:420)
     at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:377)
     at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:614)
     at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:201)
     at javax.naming.InitialContext.bind(InitialContext.java:423)
     at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.addUser(LDAPUserExporterImpl.java:380)
     at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.exportUser(LDAPUserExporterImpl.java:274)
     at com.liferay.portal.ldap.listener.UserModelListener.exportToLDAP(UserModelListener.java:130)
     at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:83)
     at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:48)
     at com.liferay.portal.service.persistence.impl.BasePersistenceImpl.update(BasePersistenceImpl.java:332)
     at com.liferay.portal.service.impl.UserLocalServiceImpl.updateStatus(UserLocalServiceImpl.java:5115)
     at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:149)
     at com.liferay.portal.spring.transaction.DefaultTransactionExecutor.execute(DefaultTransactionExecutor.java:53)
     at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:55)
     at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:123)
     at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:173)

        Attachments

          Issue Links

          relates

          Bug - A problem which impairs or prevents the functions of the product. LPE-13330 Create a user with export users enabled to Active Directory does not work

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  5 years, 15 weeks, 2 days ago

                  Packages

                  Version Package
                  6.1.X EE
                  6.2.3 CE GA4
                  6.2.X EE
                  7.0.0 M4