Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.1.30 EE GA3, 7.0.0 M4
Fix Version/s: 6.1.X EE, 6.2.3 CE GA4, 6.2.X EE, 7.0.0 M4
Component/s: Application Security > LDAP, Portal Services
Branch Version/s: 6.2.x, 6.1.x
Backported to Branch: Committed
Story Points: 69
Fix Priority: 3
Git Pull Request:
STEPS TO REPRODUCE
1.- Set up Active Directory. It must accept SSL connections, so certificates must be put in place.
If not, the same error as in the EXPECTED section appears.
For this test, self-signed certificates can be created following these steps:
1.1.- I used SelfSSL.exe, which is distributed as part of the IIS Tools: http://support.microsoft.com/kb/840671/es
Run the command:
selfssl.exe /T /K:1024 /V:365 /N:CN=liferay-20148a1.mydomain.com
Just change the last parameter to the FQDN of your domain controller.
1.2.- Create a certificate repository using a tool called InstallCert.
Reference: http://infposs.blogspot.com.es/2013/06/installcert-and-java-7.html
1.2.1.- Copy the code
1.2.2.- Compile it
javac InstallCert.java
1.2.3.- Run it:
$ java InstallCert liferay-20148a1.mydomain.com:636
Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.7.0_55.jdk/Contents/Home/jre/lib/security/cacerts...
Opening connection to liferay-20148a1.mydomain.com:636...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
	at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:183)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:813)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 16 more

Server sent 1 certificate(s):

 1 Subject CN=liferay-20148a1.mydomain.com
   Issuer  CN=liferay-20148a1.mydomain.com
   sha1    3d a0 ca 12 fe 10 39 71 cd 90 01 9d 79 ad 2e 97 be 5b a3 56
   md5     d4 77 b1 d4 42 a8 48 5a 3c d1 d5 90 bb e1 30 98

Enter certificate to add to trusted keystore or 'q' to quit: [1]
[
[
  Version: V3
  Subject: CN=liferay-20148a1.mydomain.com
  Signature Algorithm: SHA1withRSA, OID = 1.3.14.3.2.29

  Key:  Sun RSA public key, 1024 bits
  modulus: 125452588288597013163643418999188716056206137261604739300812499575923589140221750194244466293716724110218422886437334177746692388706252805266231840456035948515932274531505149642492356188122106930334016912117153700612272009704230960295024070386703807506294591941774182149106052346052002255235434950695669452293
  public exponent: 65537
  Validity: [From: Mon Jan 19 17:51:46 CET 2015,
               To: Wed Nov 27 17:51:46 CET 2024]
  Issuer: CN=liferay-20148a1.mydomain.com
  SerialNumber: [    2e632bdb 57e27292 4ac0f5a5 a374e723]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 66 46 B7 FE 81 18 DF 4C   04 D7 FF 4D FD CE 5B 11  fF.....L...M..[.
0010: DF FE 59 34 77 78 AC 52   F9 EA 39 A0 BA 1B 42 3E  ..Y4wx.R..9...B>
0020: E7 2C 8C 9A 49 7D 0A A8   EF 9B 6C 25 EE C8 43 28  .,..I.....l%..C(
0030: 95 15 43 86 28 66 49 6B   F5 D2 57 B2 87 42 12 0B  ..C.(fIk..W..B..
0040: A7 49 45 A1 0E A0 6B E0   1D E0 A0 FD B1 AF 09 59  .IE...k........Y
0050: 8F F5 E9 7D 03 E4 4F C5   55 DF 17 AF 0E 99 A6 0C  ......O.U.......
0060: 6E 47 2D 41 D7 B1 89 B2   9F FC 54 31 8E A1 F5 D3  nG-A......T1....
0070: 7E 87 C3 60 A3 3F 03 82   AA B0 FE F1 27 66 FB F2  ...`.?......'f..

]

Added certificate to keystore 'jssecacerts' using alias 'liferay-20148a1.mydomain.com-1'
That command will create a jssecacerts file.
1.3.- Reference that cert store in Tomcat's setenv.bat/sh by including this parameter:
-Djavax.net.ssl.trustStore=/your/path/to/jssecacerts
2.- Include in portal-ext.properties:
passwords.regexptoolkit.pattern=(?=.{8})(?:[a-zA-Z0-9]*)
3.- Enable LDAP integration in Liferay.
The URL should be something like: ldaps://liferay-20148a1.mydomain.com:636
4.- Check that you can connect to the LDAP and see the users
Mark it as enabled, import enabled, export enabled.
In the Export > User Default Object Classes section, enter the following:
top,person,organizationalPerson,user
5.- Create a user in Liferay
EXPECTED
The user is created in AD
ACTUAL
The user creation fails (see liferay-failure.png) and the following error appears in the log files:
17:39:07,992 ERROR [http-bio-7000-exec-8][render_portlet_jsp:131] null
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0__]; remaining name 'cn=rfv,CN=Users,DC=mydomain,DC=com' [Sanitized]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
	at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:420)
	at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:377)
	at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:614)
	at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:201)
	at javax.naming.InitialContext.bind(InitialContext.java:423)
	at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.addUser(LDAPUserExporterImpl.java:380)
	at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.exportUser(LDAPUserExporterImpl.java:274)
	at com.liferay.portal.ldap.listener.UserModelListener.exportToLDAP(UserModelListener.java:130)
	at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:83)
	at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:48)
	at com.liferay.portal.service.persistence.impl.BasePersistenceImpl.update(BasePersistenceImpl.java:332)
	at com.liferay.portal.service.impl.UserLocalServiceImpl.updateStatus(UserLocalServiceImpl.java:5115)
	at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:149)
	at com.liferay.portal.spring.transaction.DefaultTransactionExecutor.execute(DefaultTransactionExecutor.java:53)
	at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:55)
	at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:123)
	at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:173)
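The useful part of the trace above is the bracketed string Active Directory returns in the LDAP result and that JNDI copies into the exception message: the LDAP result code, a Win32/NTSTATUS code in hex, the DSID, and either a "problem N (NAME)" or a "comment: ..., data NNN" tail. The following is an added example for triaging such lines; it is not Liferay code and not part of this report. The first sample is the log line from ACTUAL (the "__]" is the log sanitizer's rendering of two control bytes); the second, a failed simple bind, is a constructed line that shows the other shape AD uses, and the table of Win32 codes goes beyond the single code on this page to the bind sub-codes a practitioner meets most often.

```python
"""Decode the Active Directory diagnostic string that JNDI surfaces in a
javax.naming exception.  Added example; not Liferay code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the message from the Liferay log in this report.
SAMPLE_EXPORT_FAILURE = (
    "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
    "0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0__]; "
    "remaining name 'cn=rfv,CN=Users,DC=mydomain,DC=com' [Sanitized]"
)
# Constructed sample: the shape AD uses for a failed simple bind.
SAMPLE_BIND_FAILURE = (
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]"
)

# "[LDAP: error code <n> - <hex8>: <SvcErr|LdapErr>: DSID-<hex>, <detail>, data <hex>"
_DIAG = re.compile(
    r"\[LDAP: error code (?P<result>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), (?P<detail>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)
_PROBLEM = re.compile(r"problem (?P<num>\d+) \((?P<name>\w+)\)")
_COMMENT = re.compile(r"comment: (?P<text>.*)")
_REMAINING = re.compile(r"remaining name '(?P<dn>[^']*)'")

# LDAP result codes (RFC 4511) most often seen against AD.
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 32: "noSuchObject",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 68: "entryAlreadyExists",
}
# Win32 / NTSTATUS values AD embeds; the 0x5xx and 0x7xx entries are the
# bind sub-codes carried in "data" when the result is 49.
WIN32_CODES = {
    0x1F: "ERROR_GEN_FAILURE",
    0x57: "ERROR_INVALID_PARAMETER",
    0x525: "ERROR_NO_SUCH_USER",
    0x52D: "ERROR_PASSWORD_RESTRICTION",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
    0x80090308: "SEC_E_INVALID_TOKEN",
}


@dataclass
class AdLdapError:
    result_code: int
    result_name: str
    win32_code: int
    win32_name: str
    kind: str
    dsid: str
    problem: Optional[int]
    problem_name: Optional[str]
    comment: Optional[str]
    data_code: int
    data_name: str
    dn: Optional[str]

    def summary(self) -> str:
        """One-line triage string; zero 'data' is omitted as it carries nothing."""
        parts = [f"LDAP {self.result_code} {self.result_name}",
                 f"win32 0x{self.win32_code:X} {self.win32_name}"]
        if self.problem is not None:
            parts.append(f"problem {self.problem} {self.problem_name}")
        if self.comment:
            parts.append(self.comment)
        if self.data_code:
            parts.append(f"data 0x{self.data_code:X} {self.data_name}")
        if self.dn:
            parts.append(f"dn {self.dn}")
        return "; ".join(parts)


def decode_ad_error(text: str) -> Optional[AdLdapError]:
    """Return the decoded diagnostic, or None if the line is not an AD error."""
    m = _DIAG.search(text)
    if not m:
        return None
    win32, data = int(m["win32"], 16), int(m["data"], 16)
    prob, com, dn = _PROBLEM.match(m["detail"]), _COMMENT.match(m["detail"]), _REMAINING.search(text)
    return AdLdapError(
        result_code=int(m["result"]),
        result_name=LDAP_RESULT_CODES.get(int(m["result"]), "unknown"),
        win32_code=win32, win32_name=WIN32_CODES.get(win32, "unknown"),
        kind=m["kind"], dsid=m["dsid"],
        problem=int(prob["num"]) if prob else None,
        problem_name=prob["name"] if prob else None,
        comment=com["text"] if com else None,
        data_code=data,
        data_name=WIN32_CODES.get(data, "none" if data == 0 else "unknown"),
        dn=dn["dn"] if dn else None,
    )


if __name__ == "__main__":
    for line in (SAMPLE_EXPORT_FAILURE, SAMPLE_BIND_FAILURE):
        err = decode_ad_error(line)
        print(err.summary() if err else "not an AD diagnostic")
```

Run it over the lines grep pulls from catalina.out; the DSID identifies the spot in the directory service code that rejected the operation and is what to quote when escalating to the AD team.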
Relates to: LPE-13330 Create a user with export users enabled to Active Directory does not work (Closed)