PUBLIC - Liferay Portal Community Edition: LPS-53003

Create a user with export users enabled to Active Directory does not work

      Description

      STEPS TO REPRODUCE
      1.- Set up Active Directory. It must accept SSL connections, so certificates must be put in place.
      If not, the same error as in the EXPECTED section appears.
      For this test, self-signed certificates can be created following these steps:
      1.1.- I used SelfSSL.exe, which is distributed as part of the IIS Tools: http://support.microsoft.com/kb/840671/es
      Run the command:

      selfssl.exe /T /K:1024 /V:365 /N:CN=liferay-20148a1.mydomain.com
      

      Just change the last parameter to the FQDN of your domain controller.
      1.2.- Create a certificate repository using a tool called InstallCert.
      Reference: http://infposs.blogspot.com.es/2013/06/installcert-and-java-7.html
      1.2.1.- Copy the code
      1.2.2.- Compile it:

      javac InstallCert.java
      

      1.2.3.- Run it:

      $ java InstallCert liferay-20148a1.mydomain.com:636
      Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.7.0_55.jdk/Contents/Home/jre/lib/security/cacerts...
      Opening connection to liferay-20148a1.mydomain.com:636...
      Starting SSL handshake...
      
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
      	at InstallCert.main(InstallCert.java:87)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
      	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
      	at sun.security.validator.Validator.validate(Validator.java:260)
      	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
      	at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:183)
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:813)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
      	... 8 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
      	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
      	... 16 more
      
      Server sent 1 certificate(s):
      
       1 Subject CN=liferay-20148a1.mydomain.com
         Issuer  CN=liferay-20148a1.mydomain.com
         sha1    3d a0 ca 12 fe 10 39 71 cd 90 01 9d 79 ad 2e 97 be 5b a3 56 
         md5     d4 77 b1 d4 42 a8 48 5a 3c d1 d5 90 bb e1 30 98 
      
      Enter certificate to add to trusted keystore or 'q' to quit: [1]
      
      
      [
      [
        Version: V3
        Subject: CN=liferay-20148a1.mydomain.com
        Signature Algorithm: SHA1withRSA, OID = 1.3.14.3.2.29
      
        Key:  Sun RSA public key, 1024 bits
        modulus: 125452588288597013163643418999188716056206137261604739300812499575923589140221750194244466293716724110218422886437334177746692388706252805266231840456035948515932274531505149642492356188122106930334016912117153700612272009704230960295024070386703807506294591941774182149106052346052002255235434950695669452293
        public exponent: 65537
        Validity: [From: Mon Jan 19 17:51:46 CET 2015,
                     To: Wed Nov 27 17:51:46 CET 2024]
        Issuer: CN=liferay-20148a1.mydomain.com
        SerialNumber: [    2e632bdb 57e27292 4ac0f5a5 a374e723]
      
      Certificate Extensions: 2
      [1]: ObjectId: 2.5.29.37 Criticality=false
      ExtendedKeyUsages [
        serverAuth
      ]
      
      [2]: ObjectId: 2.5.29.15 Criticality=false
      KeyUsage [
        DigitalSignature
        Key_Encipherment
        Data_Encipherment
      ]
      
      ]
        Algorithm: [SHA1withRSA]
        Signature:
      0000: 66 46 B7 FE 81 18 DF 4C   04 D7 FF 4D FD CE 5B 11  fF.....L...M..[.
      0010: DF FE 59 34 77 78 AC 52   F9 EA 39 A0 BA 1B 42 3E  ..Y4wx.R..9...B>
      0020: E7 2C 8C 9A 49 7D 0A A8   EF 9B 6C 25 EE C8 43 28  .,..I.....l%..C(
      0030: 95 15 43 86 28 66 49 6B   F5 D2 57 B2 87 42 12 0B  ..C.(fIk..W..B..
      0040: A7 49 45 A1 0E A0 6B E0   1D E0 A0 FD B1 AF 09 59  .IE...k........Y
      0050: 8F F5 E9 7D 03 E4 4F C5   55 DF 17 AF 0E 99 A6 0C  ......O.U.......
      0060: 6E 47 2D 41 D7 B1 89 B2   9F FC 54 31 8E A1 F5 D3  nG-A......T1....
      0070: 7E 87 C3 60 A3 3F 03 82   AA B0 FE F1 27 66 FB F2  ...`.?......'f..
      
      ]
      
      Added certificate to keystore 'jssecacerts' using alias 'liferay-20148a1.mydomain.com-1'
      

      That command will create a jssecacerts file.
      1.3.- Reference that cert store in Tomcat's setenv.bat/setenv.sh by adding this parameter:

      -Djavax.net.ssl.trustStore=/your/path/to/jssecacerts
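InstallCert trusts whatever certificate the server happens to present (trust on first use) and prints only SHA-1 and MD5 fingerprints, so before pointing Tomcat at the new jssecacerts it is worth checking that the store actually validates the LDAPS endpoint and that the certificate is the one the domain controller really holds. The following Java helper is an added example, not code from this report, from InstallCert or from Liferay; it assumes the host, port and truststore path are passed on the command line together with a SHA-256 fingerprint read out of band from the domain controller (for example from its certificate store), and it assumes the default JKS truststore type that InstallCert writes.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Verifies an LDAPS endpoint against the truststore Tomcat will use and
 * against a fingerprint obtained out of band from the domain controller.
 * Hypothetical helper, not part of Liferay or InstallCert.
 */
public class LdapsCertCheck {

    /** Lower-case hex of a digest, colon separated (e.g. "3d:a0:ca:..."). */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02x", bytes[i]));
        }
        return sb.toString();
    }

    /** Fingerprint of the DER encoding of a certificate with the given digest algorithm. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }

    /** Strips separators and case so "3D A0 CA" and "3d:a0:ca" compare equal. */
    static String normalize(String fp) {
        return fp.replaceAll("[^0-9A-Fa-f]", "").toLowerCase();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java LdapsCertCheck <host> <port> <truststore> <expected-sha256-fingerprint>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Load the truststore exactly as -Djavax.net.ssl.trustStore would; a null
        // password skips the integrity check, which is enough for reading.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) {
            trustStore.load(in, null);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10000);
            // Require the certificate's CN/SAN to match the host we connected to.
            // InstallCert does not do this, so a certificate issued for a different
            // host would otherwise be accepted.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException ("PKIX path building failed") if the
            // chain does not validate against the truststore.
            socket.startHandshake();

            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            String sha256 = fingerprint(leaf, "SHA-256");
            System.out.println("Subject : " + leaf.getSubjectX500Principal());
            System.out.println("Issuer  : " + leaf.getIssuerX500Principal());
            System.out.println("Expires : " + leaf.getNotAfter());
            System.out.println("SHA-256 : " + sha256);

            // Pin: the fingerprint must match the one read from the DC itself.
            if (!normalize(sha256).equals(normalize(args[3]))) {
                System.err.println("FINGERPRINT MISMATCH: do not trust this certificate");
                System.exit(1);
            }
            System.out.println("OK: chain validates and fingerprint matches");
        }
    }
}
```

Run it as `java LdapsCertCheck liferay-20148a1.mydomain.com 636 /your/path/to/jssecacerts <sha256>`; a non-zero exit means either the chain did not validate against the store or the pinned fingerprint did not match. Two caveats for a setup like the one above: the SelfSSL certificate shown in the InstallCert output uses a 1024-bit RSA key and a SHA-1 signature, both of which are weak by today's standards and sit at the limit of what current JDKs still accept, so generate at least a 2048-bit key for anything beyond a throwaway test; and a self-signed certificate added this way is trusted only by that JVM's store, so the check must be repeated wherever Liferay runs.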
      

      2.- Include in portal-ext.properties:

      passwords.regexptoolkit.pattern=(?=.{8})(?:[a-zA-Z0-9]*)
      

      3.- Enable LDAP integration in Liferay.
      The URL should be something like: ldaps://liferay-20148a1.mydomain.com:636
      4.- Check that you can connect to the LDAP server and see the users.
      Mark it as enabled, import enabled, export enabled.
      In the section Export > User Default Object Classes, enter the following:
      top,person,organizationalPerson,user
      5.- Create a user in Liferay.
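Step 4 ("check that you can connect and see the users") can also be exercised outside the portal, with the same JNDI LDAP provider Liferay uses, which makes it easy to tell a truststore or TLS problem apart from a Liferay configuration problem. The helper below is an added example and not part of Liferay; it assumes an ldaps:// URL, a bind DN and a base DN on the command line, the truststore passed with the same -Djavax.net.ssl.trustStore parameter as in step 1.3, and that the bind password is typed at the terminal.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Binds to Active Directory over LDAPS with the JNDI provider Liferay uses and
 * lists a few user entries under the given base DN. Hypothetical helper, not
 * part of Liferay.
 */
public class LdapsUserListCheck {

    public static void main(String[] args) throws NamingException {
        if (args.length != 3) {
            System.err.println("usage: java -Djavax.net.ssl.trustStore=/your/path/to/jssecacerts "
                + "LdapsUserListCheck <ldaps-url> <bind-dn> <base-dn>");
            System.exit(2);
        }
        String url = args[0];     // e.g. ldaps://liferay-20148a1.mydomain.com:636
        String bindDn = args[1];  // e.g. CN=Administrator,CN=Users,DC=mydomain,DC=com
        String baseDn = args[2];  // e.g. CN=Users,DC=mydomain,DC=com

        // Only LDAPS is accepted here: a plain ldap:// URL would send the bind
        // password in clear text, and AD will not accept password writes over it.
        if (!url.startsWith("ldaps://")) {
            System.err.println("refusing non-LDAPS URL: " + url);
            System.exit(2);
        }
        if (System.getProperty("javax.net.ssl.trustStore") == null) {
            System.err.println("warning: javax.net.ssl.trustStore not set; the JDK default cacerts will be used");
        }

        // Read the password from the terminal so it does not show up in the process list.
        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to read the bind password");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", bindDn);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.timeout", "10000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        // A failed TLS handshake surfaces here as a CommunicationException wrapping
        // the same "PKIX path building failed" error seen with InstallCert.
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"sAMAccountName"});
            controls.setCountLimit(20); // enough to prove visibility without dumping the directory

            NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(&(objectClass=user)(objectCategory=person))", controls);
            int count = 0;
            try {
                while (results.hasMore()) {
                    SearchResult entry = results.next();
                    System.out.println(entry.getNameInNamespace() + "  "
                        + entry.getAttributes().get("sAMAccountName"));
                    count++;
                }
            } catch (SizeLimitExceededException e) {
                System.out.println("(more entries than the count limit)");
            }
            System.out.println(count + " user entries visible under " + baseDn);
        } finally {
            Arrays.fill(password, '\0');
            ctx.close();
        }
    }
}
```

If this lists users but the portal cannot, the truststore parameter is probably missing from the Tomcat JVM rather than from the environment the check was run in; if it fails with a CommunicationException, fix the certificate trust first, since step 1 already notes that the export will not work without an SSL connection.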

      EXPECTED
      The user is created in AD

      ACTUAL
      The user creation fails (see liferay-failure.png) and the following error appears in the log files:

      17:39:07,992 ERROR [http-bio-7000-exec-8][render_portlet_jsp:131] null
      javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0__]; remaining name 'cn=rfv,CN=Users,DC=mydomain,DC=com' [Sanitized]
           at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
           at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:420)
           at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:377)
           at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:614)
           at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:201)
           at javax.naming.InitialContext.bind(InitialContext.java:423)
           at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.addUser(LDAPUserExporterImpl.java:380)
           at com.liferay.portal.ldap.exportimport.LDAPUserExporterImpl.exportUser(LDAPUserExporterImpl.java:274)
           at com.liferay.portal.ldap.listener.UserModelListener.exportToLDAP(UserModelListener.java:130)
           at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:83)
           at com.liferay.portal.ldap.listener.UserModelListener.onAfterUpdate(UserModelListener.java:48)
           at com.liferay.portal.service.persistence.impl.BasePersistenceImpl.update(BasePersistenceImpl.java:332)
           at com.liferay.portal.service.impl.UserLocalServiceImpl.updateStatus(UserLocalServiceImpl.java:5115)
           at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:149)
           at com.liferay.portal.spring.transaction.DefaultTransactionExecutor.execute(DefaultTransactionExecutor.java:53)
           at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:55)
           at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:123)
           at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:173)
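The useful part of the exception above is the Active Directory extended-error text that JNDI embeds in the message: the LDAP result code (53, unwillingToPerform), a Windows error code (0000001F), a category (SvcErr), a DSID, a problem number and name (5003, WILL_NOT_PERFORM) and a data sub-code, followed by the DN that was being written. The following parser is an added example, not code from Liferay or from this report; it pulls those fields out of log lines for triage. The first sample line is the one from this report, the second is constructed to show the other common AD layout (a failed bind, result code 49), and the explanations it prints are general AD behaviour rather than a diagnosis of this particular bug.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parses the Active Directory extended-error text that JNDI embeds in
 * NamingException messages and explains it for triage. Hypothetical helper,
 * not part of Liferay.
 */
public class AdLdapErrorTriage {

    // Two AD layouts share a prefix:
    //   ... error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
    //   ... error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e
    private static final Pattern AD_ERROR = Pattern.compile(
        "\\[LDAP: error code (\\d+) - ([0-9A-Fa-f]{8}): (\\w+): DSID-([0-9A-Fa-f]+), "
        + "(?:problem (\\d+) \\((\\w+)\\)|comment: ([^,\\]]+)), data ([0-9A-Fa-f]+)");
    // JNDI appends the DN it was writing: remaining name 'cn=...'
    private static final Pattern REMAINING_NAME = Pattern.compile("remaining name '([^']*)'");

    static final class AdError {
        int resultCode;      // LDAP result code (RFC 4511)
        String win32Code;    // Windows error code in hex, e.g. 0000001F
        String category;     // SvcErr, LdapErr, ...
        String dsid;         // DC-internal source location id
        String problemName;  // e.g. WILL_NOT_PERFORM (null for the "comment" layout)
        String comment;      // e.g. AcceptSecurityContext error (null for the "problem" layout)
        String data;         // sub-code in hex; meaningful for bind failures
        String dn;           // entry being written, if JNDI reported it
    }

    /** Returns null when the line carries no AD extended error. */
    static AdError parse(String line) {
        Matcher m = AD_ERROR.matcher(line);
        if (!m.find()) return null;
        AdError e = new AdError();
        e.resultCode = Integer.parseInt(m.group(1));
        e.win32Code = m.group(2);
        e.category = m.group(3);
        e.dsid = m.group(4);
        e.problemName = m.group(6);
        e.comment = m.group(7);
        e.data = m.group(8);
        Matcher dn = REMAINING_NAME.matcher(line);
        e.dn = dn.find() ? dn.group(1) : null;
        return e;
    }

    /** Meaning of the LDAP result codes most often seen in AD provisioning failures (RFC 4511). */
    static String describeResultCode(int code) {
        switch (code) {
            case 19: return "constraintViolation: an attribute value was rejected by the DC";
            case 32: return "noSuchObject: the parent container or base DN does not exist";
            case 49: return "invalidCredentials: the bind DN/password was rejected";
            case 50: return "insufficientAccessRights: the bind account may not perform this operation";
            case 53: return "unwillingToPerform: the DC refused the operation";
            case 68: return "entryAlreadyExists: an entry with that DN is already present";
            default: return "LDAP result code " + code + " (see RFC 4511 appendix A)";
        }
    }

    /** Sub-codes AD reports in the "data" field of an invalidCredentials (49) error. */
    static String describeBindSubCode(String data) {
        switch (data.toLowerCase()) {
            case "525": return "user not found";
            case "52e": return "wrong password";
            case "530": return "logon not permitted at this time";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "701": return "account expired";
            case "773": return "user must reset password";
            case "775": return "account locked out";
            default: return "unknown sub-code " + data;
        }
    }

    static String explain(AdError e) {
        StringBuilder sb = new StringBuilder();
        sb.append("result ").append(e.resultCode).append(" = ").append(describeResultCode(e.resultCode));
        if (e.resultCode == 49) sb.append("; ").append(describeBindSubCode(e.data));
        if (e.resultCode == 53 && "WILL_NOT_PERFORM".equals(e.problemName)) {
            // General AD behaviour, not a finding of this report: on a user add this
            // usually means an attribute in the request could not be set, the password
            // being the usual one since AD only accepts it over an encrypted connection
            // and only when it meets the domain password policy.
            sb.append("; check that the connection is LDAPS and that the generated password meets domain policy");
        }
        if (e.dn != null) sb.append(" [entry: ").append(e.dn).append("]");
        return sb.toString();
    }

    public static void main(String[] args) {
        List<String> samples = Arrays.asList(
            // line from this report
            "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: "
            + "DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0__]; remaining name 'cn=rfv,CN=Users,DC=mydomain,DC=com'",
            // constructed bind failure, for contrast
            "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
            + "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]");
        for (String line : samples) {
            AdError e = parse(line);
            System.out.println(e == null ? "no AD extended error in: " + line : explain(e));
        }
    }
}
```

Fed the log line from this report, the parser reports result 53 (unwillingToPerform) with problem WILL_NOT_PERFORM on the entry cn=rfv,CN=Users,DC=mydomain,DC=com, which is the entry Liferay's LDAPUserExporterImpl.addUser was trying to bind; the same regex can be pointed at a log file to pick such failures out of the Tomcat output.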
      

      Packages

      Version Package
      6.1.X EE
      6.2.3 CE GA4
      6.2.X EE
      7.0.0 M4