How to configure LDAP with Active Directories

Former Member

Hi All,

Does anybody have any examples on how to configure LDAP so it authenticates a user and password against the Microsoft Active Directory system?

Thanks.

Andy Boersma

Accepted Solutions (1)

Former Member

Andy,

The default "default_ldap" configuration should get you most of the way there. It's recommended to create a new configuration. In fact, the queries on the Queries tab should not need to be changed.

On the Connection tab, the only "gotcha" is the User Name field. Although the default_ldap shows "Admin", you'll want to put in the fully qualified LDAP name:

CN=<yourUser>,OU=Domain Admins,DC=<yourDC>,DC=<yourDC>

So if your user was BobBarker on the PriceIsRight.com domain you'd have:

CN=BobBarker,OU=Domain Admins,DC=PriceIsRight,DC=com

You can find this by getting the properties of the LDAP user in Active Directory.

You also need to change the URL setting, but that should be straight forward.

Former Member

Hi Ryan,

My URL looks like this

jdbc:ldaps://Company.biz:636/DC=Company,DC=biz?SEARCH_SCOPE:=subTreeScope

My Username like this

cn=boersmaa,cn=Users,dc=Company,dc=biz

When I try this I get a connection error.

Former Member

That all looks correct. Is the Username the same (case-sensitive?) as what you see in Active Directory?

Former Member

User name is correct.

I have found this error in the logs

Unable to create data source org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Invalid name: Company.biz:636) at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:855

Actually, this is only a small part of it, but it all looks like it cannot find the company.biz domain.

The xMII server is part of it!

Former Member

Hmm, I wonder if it is the 636 port?

Former Member

Hi Ryan,

That pointed me to the secure cert. We took the SSL out for the moment.

Now I am getting this error:

Unable to create data source org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory ([LDAP: error code 32 - 0000208D: NameErr: DSID-031001CB, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompName,DC=biz' ]) at

I am going in the right direction.

Former Member

OK, that's good news. At this point, I can only suggest you search the error codes on Google or the MSDN. I'm not, unfortunately, an LDAP guy. Glad we could help you get this far.

Former Member

I did some googling. It looks like the error 32 is fairly common. Referencing an Adobe/Macromedia product error code with LDAP integration:

  1. Error: com.macromedia.contribute.server.exception.DBException: Error in searchForUserList from LDAP plugin: [LDAP: error code 32 - No Such Object]

Cause: Very general error when there is a problem finding the users in LDAP/AD. Could be that the DN pointing to the users is pointing to the wrong place or is just incorrect and does not exist.

Note: For more detail look at the sub-exception, which can be 7 below.

  1. Error: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name '[DN]'

Cause: The DN path which points to where the users are located in the directory is invalid.

from http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_19576

Former Member

Does your domain contain more than two parts? Like phl.sap.com or us.phl.sap.com? There's definitely a problem finding the domain controller, I just wish I could tell you what it was ;*)

Former Member

Hi Andy,

Ok, there are a few ways to go about what you want to do. The authentication process in xMII is a two-part process (Authentication and Authorization).

"Authentication"

The authentication is handled by the "policies" that you define in the Security manager. These are what validate the "username" and "password" you supply to the xMII login.

The policies supported are: LDAP, Windows Domain, Kerberos, and Database.

Most of the time in a Windows only scenario, you can get away with using the "Windows Domain" login policy. This is the easiest to setup and the first one I would try. You simply supply the name of your domain in all UPPERCASE and the name of your AD server.

"Authorization"

This is the next stage in the login process, once the username/password combination has been verified, the Security manager then starts to process each of the "External User Configurations" you may have defined. Most of the time this is either LDAP or Database, or could be a combination of either.

In your case of the LDAP configuration, the error 32 indicates that the base DN you are connecting with does not exist.

Your URL:

jdbc:ldaps://Company.biz:636/DC=Company,DC=biz?SEARCH_SCOPE:=subTreeScope

is saying that you are trying to connect via SSL to an AD server called "Company.biz" at port 636. Do you have an AD server at the URL company.biz running on port 636? The standard LDAP port is 389, and 636 is the SSL port. This can be changed by your AD administrator.

This error:

Unable to create data source org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory ([LDAP: error code 32 - 0000208D: NameErr: DSID-031001CB, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompName,DC=biz' ]) at

Seems to indicate that the name of your URL is wrong, I don't see Company.biz but rather CompName.biz.

Can you verify your server names and ports and let me know?

Thanks,

- Tim

Former Member

Hi Tim,

We first tried with SSL, but we took that off for now just to get it working.

Also, I changed the company name to company.

This is what we have at present:

jdbc:ldap://LDAP.NA.jdbc:Company.biz:389/OU=ANS,DC=Company,DC=biz??base?(objectClass=*)

With a LDAP browser I can see into the AD system using this.

With xMII I get a connection error.

This is what I get as the error message

boersmaa -- java.lang.ExceptionInInitializerError: Could not create datasource from properties - {validationQuery=select boersmaa from cn=People, url=jdbc:ldap://LDAP.NA.jdbc:Company.biz:389/OU=ANS,DC=Compny,DC=biz??base?(objectClass=*), com.sun.jndi.ldap.connect.timeout=5000, driverClassName=com.lighthammer.jdbcLdap.sql.JdbcLdapDriver, java.naming.security.authentication=Simple, username=cn=boersmaa,ou=ans,DC=Company,DC=BIZ} due to error - String index out of range: -1

I am still trying to authenticate.

Thanks

Former Member

Hi Andy,

Your URL is incorrect. It's not the proper format for connecting to the LDAP server.

So you will get that error you saw.

The proper format is:

jdbc:ldap://<ldap server name>:<port>/<Base Context>?SEARCH_SCOPE:=subTreeScope

Where,

LDAP SERVER NAME = the name of your AD/LDAP server

BASE Context = the root of the LDAP Directory tree you are going to search from

Have you tried looking at the online help for the setting up the "External User" configurations?

http://help.sap.com/saphelp_xmii115/helpdata/en/Security_Manager/LDAP_User_Configuration.htm

Questions:

1. What is the name of your active directory server?

2. What is the name of your company domain?

I assume it is Company.BIZ? This is the same domain that your Windows machines log into.

3. What is the username that can view all the information in the LDAP server? This is not your username but typically an administrative user who has the proper permissions to view all the user information.

I assume it is: cn=boersmaa,ou=ans,DC=Company,DC=BIZ?

4. Where are your users and roles located in the AD tree? Does your company run a standard Active Directory schema, or has it been modified?

The default location of users and roles in a standard AD installation is: cn=Users, DC=somecompany, DC=com

You have ou=ans, dc=company, dc=biz which makes me think it is a modified one?

Are you the Active Directory administrator? If not, ask your administrator the answer to these questions.

Let me know..

- Tim

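A check for the URL shape Tim describes, as an added example (not xMII's or the JDBC-LDAP driver's own parser): it accepts only the jdbc:ldap[s]://host[:port]/base?SEARCH_SCOPE:=subTreeScope form, rejects the earlier URL whose host segment "LDAP.NA.jdbc:Company.biz" carries a second colon that is not a port, rejects the "??base?(objectClass=*)" suffix that an LDAP browser takes but this format does not, and warns when a cleartext ldap:// URL is used, because a simple bind then sends the service account's password over the network unencrypted. The regular-expression grammar and the warning rules are assumptions made for illustration.

```python
"""Validate a jdbc:ldap URL of the form used by the xMII LDAP configuration.

Added example, not xMII or JDBC-LDAP driver code.  The accepted grammar is the
one quoted in the thread (an assumption; the real driver may accept more):
    jdbc:ldap[s]://<server>[:<port>]/<base context>?SEARCH_SCOPE:=subTreeScope
"""
import re

# Assumed grammar: scheme, host, optional numeric port, DN base, optional options.
_URL_RE = re.compile(
    r"^jdbc:(?P<scheme>ldaps?)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
    r"/(?P<base>[^?]*)(?:\?(?P<query>.*))?$"
)
# One RDN such as DC=company or OU=ANS.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_jdbc_ldap_url(url: str) -> dict:
    """Split the URL into its parts; raise ValueError with the reason it is malformed."""
    m = _URL_RE.match(url)
    if not m:
        # Catches e.g. jdbc:ldap://LDAP.NA.jdbc:Company.biz:389/..., where the
        # host segment contains a second ':' that is not a port number.
        raise ValueError("not of the form jdbc:ldap[s]://host[:port]/base[?options]")
    scheme, host, port, base, query = m.group("scheme", "host", "port", "base", "query")
    port = int(port) if port else (636 if scheme == "ldaps" else 389)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    rdns = [r.strip() for r in base.split(",")] if base else []
    if not rdns or any(not _RDN_RE.match(r) for r in rdns):
        raise ValueError(f"base context is not a DN: {base!r}")
    options = {}
    if query:
        if "?" in query:
            # '??base?(objectClass=*)' is the RFC 2255 form an LDAP browser
            # takes, not the 'KEY:=value' options this URL format uses.
            raise ValueError("'?attrs?scope?filter' suffix is not a jdbc:ldap option")
        for opt in query.split("&"):
            key, sep, value = opt.partition(":=")
            if not sep:
                raise ValueError(f"option without ':=': {opt!r}")
            options[key] = value
    return {"scheme": scheme, "host": host, "port": port,
            "base": base, "rdns": rdns, "options": options}


def is_valid(url: str) -> bool:
    """True when the URL parses under the grammar above."""
    try:
        parse_jdbc_ldap_url(url)
        return True
    except ValueError:
        return False


def warnings_for(url: str) -> list:
    """Caveats worth seeing before pasting a well-formed URL into the configuration."""
    p = parse_jdbc_ldap_url(url)
    w = []
    if p["scheme"] == "ldap":
        w.append("cleartext ldap://: a simple bind sends the service-account password unencrypted")
    if p["scheme"] == "ldaps" and p["port"] == 389:
        w.append("ldaps:// on 389: LDAPS normally listens on 636")
    if p["scheme"] == "ldap" and p["port"] == 636:
        w.append("ldap:// on 636: that port normally expects TLS")
    if "." not in p["host"]:
        w.append("unqualified host name: use an FQDN so the server certificate name matches")
    if p["options"].get("SEARCH_SCOPE") != "subTreeScope":
        w.append("SEARCH_SCOPE is not subTreeScope: users in nested OUs will not be found")
    return w


if __name__ == "__main__":
    for candidate in (
        "jdbc:ldaps://Company.biz:636/DC=Company,DC=biz?SEARCH_SCOPE:=subTreeScope",
        "jdbc:ldap://company.biz:389/DC=company,DC=biz?SEARCH_SCOPE:=subTreeScope",
        "jdbc:ldap://LDAP.NA.jdbc:Company.biz:389/OU=ANS,DC=Company,DC=biz??base?(objectClass=*)",
    ):
        if is_valid(candidate):
            print(candidate, "->", warnings_for(candidate) or "ok")
        else:
            print(candidate, "-> rejected")
```

Run it against a candidate URL before touching the xMII configuration: a rejection points at a malformed URL (the "String index out of range" failure earlier in this thread came from exactly such a URL), and the warning about cleartext ldap:// is the reason to put the LDAPS configuration back once the certificate problem is solved rather than leaving the service-account password on the wire.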

Former Member

Here is an update: got past the logon problems.

Using an LDAP browser, with the following config I can get into the AD system cleanly without any errors.

URL:ldap://company:389/DC=company,DC=biz??base?(objectClass=*)

With the following user credentials

cn=boersmaa,ou=soho,ou=users,ou=chicago,ou=cgi,OU=Food,OU=AM,OU=PKG,OU=PROD,DC=company,DC=biz

This works.

So I used the same in xMII. Did not work.

Changed the URL to:

jdbc:ldap://company.biz:389/DC=company,DC=biz?SEARCH_SCOPE:=subTreeScope

Does not connect; this is the error I still get:

admin -- java.lang.ExceptionInInitializerError: Could not create datasource from properties - {validationQuery=select 1 from cn=Users, url=jdbc:ldap://company.biz:389/DC=company,DC=biz?SEARCH_SCOPE:=subTreeScope, com.sun.jndi.ldap.connect.timeout=5000, driverClassName=com.lighthammer.jdbcLdap.sql.JdbcLdapDriver, java.naming.security.authentication=simple, username=cn=boersmaa,ou=soho,ou=users,ou=chicago,ou=cgi,OU=Food,OU=AM,OU=PKG,OU=PROD,DC=company,DC=bi} due to error - Cannot create PoolableConnectionFactory ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece])

Error 49 indicates a login problem. Searching the web, I found out that the LDAP username for logon is either one or the other.

That means that if the "official" login does not work, try the other.

Using boersma@company.biz got me connected; now I am sorting out the queries.

That may be another issue, but I hope that this will help other people.

sufw
Active Participant

Hi guys,

not sure if this helps, but try to make sure that the machine xMII runs on is a member of your Windows domain, and that IIS and xMII run under an account which is known to AD. This can either be an AD user account (bad idea) or the machine's built-in LocalService account.

I discovered that (at least our) AD server ignored queries originating from machines which weren't joined to the domain.

Good luck!

Sascha

Former Member

Hi Andy,

Glad you made progress.

One note in regards to your username issue on the DN.

In Active Directory, I've seen the username URL look like this:

cn=Tim Mulle,dc=SOMEDOMAIN,dc=COM

Where the cn is the "First and Last" name of the user. The short name login in the long form of the URL doesn't work. To use that form you can do username@domain.com, but that only works for MS AD, which in your case is ok.

I'm surprised that your username login worked. What LDAP browser are you using? Is it a Java Tool? or the Microsoft LDAP viewer?

- Tim

Anyway, this link talks about your error:

http://www.websina.com/bugzero/faq/ldap-error-code-49.html


Former Member

Hi Tim,

The LDAP browser I use is from Softerra; it seems to work pretty well.

I highly recommend anybody that needs to read AD with LDAP to use it.

It's free.

I have been looking at the difference in logon name, and I believe the OU string for my name is too long to store in xMII: the last z from biz is missing when I use my fully qualified string, but the short name works for me.

Now I have another issue with trying to run down the OU string to get my users, but I will start a new post for that.

Thanks.

Former Member

Hi Andy,

That's cool. I've always used the Java LDAP Browser:

http://www-unix.mcs.anl.gov/~gawor/ldap/

Works really well.

As far as the size limit, I saw the Java exception cut off the .biz as well; as far as I know there isn't a limit on the string. I've never hit one in the past.

Let me know if you have any other issues. I'll look forward to your other post.

- Tim


Former Member

Hi Andy,

I am facing the problem with LDAP. As per your explanation, if xMII is in a different domain, I won't be able to query LDAP.

My current scenario is similar and I am getting the error, "LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"

Can you please help me out?

Thanks,

Praveen

Former Member

The user name in your application is not valid.

Here is a list of Active Directory errors:

525 - user not found

52e - invalid credentials

530 - not permitted to logon at this time

532 - password expired

533 - account disabled

701 - account expired

773 - user must reset password

If the user is indeed valid and they can logon interactively, perhaps their userPrincipalName (alberte@example.com) or sAMAccountName (EXAMPLE\alberte) have not changed but their distinguished name has changed as a result of a rename or move operation. E.g. from cn=Albert Einstein,ou=Research,dc=example,dc=com to cn=Albert Einstein,OU=Scientists,dc=example,dc=com.

What format of the user logon name are you using in your application ?

- Tim
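The diagnostic text that the driver copies into its exception can be parsed rather than searched for by hand. The following added example (not xMII code) pulls the LDAP result code, the AD "data" subcode on error 49 and the "best match of" DN on error 32 out of the log lines posted earlier in this thread, using the subcode list above plus two standard AD subcodes (534, 775) that the thread does not list. The sample lines are copied from the posts above and the fix hints are the editor's, not the original authors'.

```python
"""Classify the LDAP diagnostics that the JDBC-LDAP driver copies into its
exception text when the bind or the base search against AD fails.

Added example, not xMII code.  Subcodes are the ones listed in the thread plus
two standard AD subcodes (534, 775) marked below; the sample lines are copied
from the posts above.
"""
import re
from dataclasses import dataclass
from typing import Optional

RESULT_CODES = {
    32: "noSuchObject: the base DN (or part of it) does not exist",
    49: "invalidCredentials: AD rejected the bind identity or password",
}

# AD prints the subcode in hex after 'data ' on error 49.
AD_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "not permitted to logon at this time",
    0x532: "password expired",
    0x533: "account disabled",
    0x534: "not permitted to logon at this workstation",  # standard AD value, not from the thread
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",                          # standard AD value, not from the thread
}

_DIAG_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<rest>[^\]]*)\]")
_DATA_RE = re.compile(r"\bdata (?P<data>[0-9A-Fa-f]+)")
_BEST_RE = re.compile(r"best match of: '(?P<dn>[^']*)'")

# Copies of the two diagnostic lines posted in this thread.
SAMPLE_ERROR_32 = (
    "Cannot create PoolableConnectionFactory ([LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-031001CB, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompName,DC=biz' ])"
)
SAMPLE_ERROR_49 = (
    "Cannot create PoolableConnectionFactory ([LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece])"
)


@dataclass
class Diagnosis:
    code: int
    meaning: str
    subcode: Optional[int]
    detail: Optional[str]
    best_match: Optional[str]
    hint: str


def _hint(code: int, subcode: Optional[int], best: Optional[str]) -> str:
    """Editor's suggested next step for each case seen in the thread."""
    if code == 32:
        tail = f"; nearest existing entry is {best}" if best else ""
        return "base DN in the URL does not exist" + tail
    if code == 49 and subcode == 0x525:
        return "bind identity did not resolve: try user@domain or the exact cn=<display name>,... DN"
    if code == 49 and subcode == 0x52E:
        return "account exists but the password is wrong"
    if code == 49:
        return "service account state problem (see detail), not a URL problem"
    return "look the code up in RFC 4511"


def diagnose(log_line: str) -> Optional[Diagnosis]:
    """Return a Diagnosis, or None when the line carries no '[LDAP: error code N - ...]' text."""
    m = _DIAG_RE.search(log_line)
    if not m:
        return None
    code = int(m.group("code"))
    rest = m.group("rest")
    subcode = detail = best = None
    if code == 49:
        d = _DATA_RE.search(rest)
        if d:
            subcode = int(d.group("data"), 16)
            detail = AD_SUBCODES.get(subcode, "unknown AD subcode")
    elif code == 32:
        b = _BEST_RE.search(rest)
        best = b.group("dn") if b else None
    return Diagnosis(code, RESULT_CODES.get(code, "see RFC 4511"), subcode, detail, best,
                     _hint(code, subcode, best))


if __name__ == "__main__":
    for line in (SAMPLE_ERROR_32, SAMPLE_ERROR_49, "due to error - String index out of range: -1"):
        print(diagnose(line))
```

Keep the parsed diagnosis in the server log only. Subcode 525 versus 52e tells whether the account exists at all, so any login page that echoes the AD subcode back to the user hands out an account-enumeration oracle; the user should only ever see a generic failure.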

Former Member

Hi Praveen,

What we did was create a user account in the AD domain to use as a logon service.

Then, in the xMII LDAP config front page, we use LDAP-xMII-AD-ServAcc@company.biz and the password.

Our URL is like this, pointing directly to the nearest DC on the network:

jdbc:ldap://OurCitydc01.company.biz:389/DC=company,DC=biz?SEARCH_SCOPE:=subTreeScope

That works. I still have 3 queries not working:

Select role by DN

Select User for Role

Select User by DN

The issue is really understanding the limited explanation of the query and then finding the matching field in AD.

Former Member

Here is an explanation of what those last four (4) queries do.

These two queries work together to find the roles for a particular user. We need to first find the DN of the user we are trying to find the roles for. Then we pass that DN into the select role by DN. Where DN is really the "users" DN we are using as the filter.

Select roles for User

This returns the distinguished name of the user passed to it. This is then fed into the "Select Role by DN" query below. The '?' MUST be left in the query because this gets replaced with the "username".

Example:

select distinguishedName from cn=Users where objectCategory=user and sAMAccountName=jblow
returns "cn=Joe Blow,cn=Users,dc=DOMAIN,dc=COM"

Select role by DN

This returns the name(s) of the roles that the user belongs in. This query works in conjunction with the "Select Roles For User" query. The result of that query is passed into this query. The '?' MUST be kept in the query because this is a place holder during runtime and will be filled in with the DN from the previous query.

Example:

select name from cn=Users where objectCategory=group and member=cn=Joe Blow,cn=Users,dc=DOMAIN,dc=COM
returns "Administrators"

AND

These two queries work together to find the users for a particular role. We need to first find the DN of the role we are trying to find the users for. Then we pass that DN into the select user by DN. Where DN is really the "roles" DN we are using as the filter.

Select User for Role

This returns the distinguished name of the role passed to it. This is then fed into the "Select User by DN" query below.

Example:

select distinguishedName from cn=Users where objectCategory=group and name=Administrators
returns "cn=Administrators,cn=Users,dc=DOMAIN,dc=COM"

Select User by DN

This returns the name(s) of the users that are in the role. This query works in conjunction with the "Select User For Role" query. The result of that query is passed into this query.

Example:

select sAMAccountName name from cn=Users where objectCategory=user and memberOf=cn=Administrators,cn=Users,dc=DOMAIN,dc=COM
returns "cn=Joe Blow,cn=Users,dc=DOMAIN,dc=COM"

Hopefully this clarifies some of the confusion...

- Tim
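Because the '?' in each query is replaced at runtime with whatever the user typed at the login prompt (or with the DN returned by the preceding query), that substitution is where an LDAP filter injection would land. The following added example (not the JDBC-LDAP driver's own query parser) translates the four queries above into a search base, an attribute list and an RFC 4515 filter, escaping the bound value so that a login name such as jblow)(objectClass=* stays a literal instead of widening the search. The SQL-like grammar accepted and the dc=DOMAIN,dc=COM suffix are assumptions taken from the examples above.

```python
"""Bind the '?' placeholder of an xMII-style LDAP query without letting the
value alter the filter.

Added example, not the JDBC-LDAP driver's own parser.  Grammar accepted (an
assumption covering the four queries in the thread):
    select <attr>[, <attr>] from <relative base> where <attr>=<value> [and <attr>=?]
"""
import re

# Assumed directory root, as in the thread's examples.
SUFFIX = "dc=DOMAIN,dc=COM"

# The four queries as explained in the thread, with '?' left as the placeholder.
Q_USER_DN = "select distinguishedName from cn=Users where objectCategory=user and sAMAccountName=?"
Q_ROLES_BY_DN = "select name from cn=Users where objectCategory=group and member=?"
Q_ROLE_DN = "select distinguishedName from cn=Users where objectCategory=group and name=?"
Q_USERS_BY_DN = "select sAMAccountName from cn=Users where objectCategory=user and memberOf=?"

_QUERY_RE = re.compile(
    r"^\s*select\s+(?P<attrs>[\w\s,]+?)\s+from\s+(?P<base>\S+)\s+where\s+(?P<where>.+?)\s*$",
    re.IGNORECASE,
)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the value can match entries but cannot add filter terms."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def to_ldap_search(query: str, param: str) -> dict:
    """Return {'base', 'attrs', 'filter'} for the query with '?' bound to param."""
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError("query is not 'select <attrs> from <base> where <terms>'")
    attrs = [a.strip() for a in m.group("attrs").split(",")]
    base = f"{m.group('base')},{SUFFIX}"
    terms, bound = [], False
    for term in re.split(r"\s+and\s+", m.group("where"), flags=re.IGNORECASE):
        attr, sep, value = term.partition("=")
        if not sep:
            raise ValueError(f"not an equality term: {term!r}")
        value = value.strip()
        if value == "?":
            value, bound = param, True
        # Escape both the fixed literal and the bound parameter; only the bound
        # one is attacker-influenced, but uniform escaping is cheaper to audit.
        terms.append(f"({attr.strip()}={escape_filter_value(value)})")
    if not bound:
        raise ValueError("query has no '?' placeholder to bind")
    ldap_filter = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return {"base": base, "attrs": attrs, "filter": ldap_filter}


if __name__ == "__main__":
    # A login name that would widen the search if pasted in unescaped.
    for name in ("jblow", "jblow)(objectClass=*"):
        print(to_ldap_search(Q_USER_DN, name)["filter"])
    # Second step of the role lookup: the DN from the first query becomes the parameter.
    print(to_ldap_search(Q_ROLES_BY_DN, "cn=Joe Blow,cn=Users,dc=DOMAIN,dc=COM")["filter"])
```

The escaped form of the hostile name is sAMAccountName=jblow\29\28objectClass=\2a, which matches nothing, whereas the raw form would turn the user lookup into (&(objectCategory=user)(sAMAccountName=jblow)(objectClass=*)) and, with a different payload, could match an arbitrary account. Whatever the real driver does with the placeholder, the same escaping rule is the thing to verify before letting the login prompt feed it.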
