Issues Connecting CM1 to our LDAP

We’ve been unsuccessful connecting our LDAP to CM1. One example of what we’ve placed into our ldapserver.xml is:

    192.168.99.10
    389
    CM 1 LDAP Query
    somepassword
    deep
    cn
    mail
    OU=Special Accounts,DC=crt,DC=state,DC=la,DC=us
    false

In CM1, when we attempt to search for Active Directory usernames in Workflow, we get a blank screen. The server log then reports the following error:

2013-09-11 15:11:39,072 ERROR [com.percussion.services.security.impl.PSRoleMgr] Error finding users: An unknown naming exception was caught. The error message was: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=crt,DC=state,DC=la,DC=us']

Another attempt was made using the ‘shallow’ catalog method:

    192.168.99.10
    389
    CN=CM%201%20LDAP%20Query,DC=crt,DC=state,DC=la,DC=us
    somepassword
    shallow
    cn
    mail
    OU=Special%20Accounts,OU=IS,OU=OMF,OU=CRT%20Users,DC=crt,DC=state,DC=la,DC=us
    false

And that produced the following error:

2013-09-11 15:49:57,305 ERROR [com.percussion.services.security.impl.PSRoleMgr] Error finding users: An unknown naming exception was caught. The error message was: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]

I’ve tried variations where I replaced the host with hostname, ldap:\hostname. I’ve also tried variations on the user naming convention, as shown here http://help.percussion.com/admin-topi…, with no luck. I’ve also tried with and without the ‘%20’ as explained here https://community.percussion.com/t/ldap-issue/559 with no luck. I’ve also tried variations of objectAttributeName with ‘cn’ and ‘samaccountname’ with their corresponding usernames with no luck. So, I’m out of luck.

Can anyone see what I can’t?

Hi David,

To give you a little more context around these errors, your first error, “LDAP: error code 32 … data 0”, indicates that the defined DN does not exist:

https://confluence.atlassian.com/disp…

If you identified the user without a full DN and just the user name (as it appears in your example), that might cause this.

Your second error is similar, “LDAP: error code 49 … data 525”, and indicates that the user was not found:

https://confluence.atlassian.com/disp…

It’s not 100% clear, but I believe at this point these errors are coming from your “CM 1 LDAP Query” user. You may already be doing this, but to verify that your syntax for this user’s DN is correct, please connect to your LDAP server using a directory browsing tool such as Softerra, find this “CM 1 LDAP Query” user, right-click on it, and bring up its properties. From here you should be able to copy out the user’s full, properly formatted DN, which you can paste back into the “user” element (take the DN as-is, with or without encoded spaces). It wouldn’t be a bad idea to do the same for the specified “organizationalUnit” as well.

Note that you will need to reinsert the password each time you modify this file and restart Percussion, or else your changes may not take effect.

Let me know if any of this info gets you closer to resolving this.
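As an added illustration (not part of this thread or of Percussion's own code), a small Python helper that pulls the result code, the AD "data" sub-code and the "best match" DN out of error strings like the two quoted above, so the cause (nonexistent DN vs. bind user not found) can be read off directly. The sample strings are constructed from the thread's errors; the sub-code table lists the common AD bind sub-codes.

```python
import re

# Constructed sample error strings, modelled on the two errors quoted in the thread
SAMPLE_ERRORS = [
    "[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), "
    "data 0, best match of: 'DC=crt,DC=state,DC=la,DC=us']",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece]",
]

# Active Directory sub-codes that accompany LDAP result code 49 (invalidCredentials)
AD_BIND_SUBCODES = {
    "525": "user not found: the bind user's DN does not resolve",
    "52e": "invalid credentials: the DN resolved but the password is wrong",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_RESULT_CODES = {
    32: "noSuchObject: a DN in the request does not exist",
    49: "invalidCredentials: the simple bind was rejected",
}

CODE_RE = re.compile(r"LDAP: error code (\d+)")
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")
BEST_MATCH_RE = re.compile(r"best match of:\s*['\u2018]([^'\u2019]*)['\u2019]")


def diagnose(msg):
    """Return (result_code, data_subcode, best_match_dn, explanation) or None."""
    m = CODE_RE.search(msg)
    if not m:
        return None
    code = int(m.group(1))
    data = DATA_RE.search(msg)
    data = data.group(1) if data else None
    best = BEST_MATCH_RE.search(msg)
    best = best.group(1) if best else None
    explanation = LDAP_RESULT_CODES.get(code, "unrecognised result code")
    if code == 49 and data in AD_BIND_SUBCODES:
        explanation += "; data " + data + " = " + AD_BIND_SUBCODES[data]
    elif code == 32 and best:
        # 'best match of' is how far down the DN the server could resolve
        explanation += "; nearest existing entry: " + best
    return code, data, best, explanation
```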

Making some progress! In the directions you gave us to find the correct DN we now have the following:

CN=CM 1 LDAP Query,OU=Special Accounts,OU=IS,OU=OMF,OU=CRT Users,DC=crt,DC=state,DC=la,DC=us   

which we’ve used for both the and .

Unfortunately we’re still unable to connect, getting the same blank screen when we attempt to search for Active Directory usernames in Workflow.
The server log error is different:

2013-09-12 15:10:12,018 INFO [org.apache.commons.httpclient.HttpMethodDirector] I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
2013-09-12 15:10:12,018 INFO [org.apache.commons.httpclient.HttpMethodDirector] Retrying request
2013-09-12 15:10:13,017 INFO [org.apache.commons.httpclient.HttpMethodDirector] I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
2013-09-12 15:10:13,017 INFO [org.apache.commons.httpclient.HttpMethodDirector] Retrying request
2013-09-12 15:10:14,046 INFO [org.apache.commons.httpclient.HttpMethodDirector] I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
2013-09-12 15:10:14,046 INFO [org.apache.commons.httpclient.HttpMethodDirector] Retrying request
2013-09-12 15:10:15,060 ERROR [com.percussion.delivery.client.PSDeliveryClient] Fatal transport error: Connection refused: connect

Any ideas?

That error there is actually unrelated, and has to do with DTS connectivity (and can be ignored until you get to the point during coaching where you’ll cover dynamic widgets and publishing). In your server.log file, during the start-up sequence, there should be an entry that looks like this:

[PSServerConfigUpdater] Loading LDAP configuration…

Shortly below this line you should see your LDAP error(s) being logged, if there is still an issue connecting / authenticating.

In that case I’m not getting any related lines in the server.log for search attempts made in Workflow->Users->Import Directory Users (even after stopping/restarting the percussion service, logged in under the Admin account.)

The only LDAP-related entry I could find was

2013-09-13 09:34:52,253 INFO [com.percussion.share.dao.impl.PSServerConfigUpdater] Loading LDAP configuration…

That actually may be a good sign. It’s possible that you’re connecting at this point, but not finding any users. Try submitting a blank search when you have the LDAP user import menu open – this will act as a wildcard search and will pull back all available users. Also, is catalog still set to “shallow”? If so, it may be that no users are being found at the immediate level of the specified OU, and you’ll need to set this to “deep”.
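As an added illustration of the "shallow" vs "deep" point (example code, not from this thread or from Percussion), a Python model of how the search base OU and catalog scope decide which entries a blank search can return. The directory entries are constructed and modelled on the DN layout quoted above; `%20`-encoded spaces are accepted as well as literal ones.

```python
import re
from urllib.parse import unquote

# Constructed entries, modelled on the thread's AD layout (not a real directory)
DIRECTORY = [
    "CN=CM 1 LDAP Query,OU=Special Accounts,OU=IS,OU=OMF,OU=CRT Users,DC=crt,DC=state,DC=la,DC=us",
    "CN=Jane Doe,OU=IS,OU=OMF,OU=CRT Users,DC=crt,DC=state,DC=la,DC=us",
    "CN=John Roe,OU=Finance,OU=OMF,OU=CRT Users,DC=crt,DC=state,DC=la,DC=us",
    "CN=Svc Backup,OU=Service,OU=CRT Users,DC=crt,DC=state,DC=la,DC=us",
]


def parse_dn(dn):
    """Split a DN into RDNs (leaf first), decoding %20 and normalising case/spacing.
    Splits only on unescaped commas, so 'CN=Doe\\, Jane' stays one RDN."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", unquote(dn))]


def in_scope(dn, base, catalog):
    """True if `dn` would be returned by a search rooted at `base`.
    'shallow' = immediate children only (one level); 'deep' = whole subtree."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False            # entry is not beneath the base at all
    depth = len(d) - len(b)     # RDNs between the entry and the base
    return depth == 1 if catalog == "shallow" else True


def find_users(base, catalog, entries=DIRECTORY):
    """Model of a blank (wildcard) user search from the given base OU."""
    return [dn for dn in entries if in_scope(dn, base, catalog)]
```

A base that matches no entry's suffix returns an empty list here; a real server would instead reject the search with result code 32 (noSuchObject).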

The catalog tag in ldapserver.xml is currently set to “deep,” so that’s fine.

A blank search only returns one user, the “CM 1 LDAP Query” user. This is the same user account we’re using to access our LDAP…

I edited the organizationalUnit line to start at the root of our user directory in AD and everything is showing up now! Thank you again Nathaniel!

Excellent! I was just about to ask what level your OU was set to, but you beat me to it.