Re: Active Directory, JNDI, EOModel
Re: Active Directory, JNDI, EOModel
- Subject: Re: Active Directory, JNDI, EOModel
- From: Chuck Hill <email@hidden>
- Date: Tue, 25 Jul 2017 17:12:19 +0000
- Thread-topic: Active Directory, JNDI, EOModel
You might want to consider a custom LDAPPlugin, it is a subclass of the JNDI
one. That seems like the appropriate place to set this.
Chuck
On 2017-07-25, 9:24 AM, "Tim Worman" <email@hidden> wrote:
Thanks (as always) Chuck!
I tested out the URL approach and it works. I’m also connecting to port
3268 instead of 389 per this:
https://stackoverflow.com/questions/16412236/how-to-resolve-javax-naming-partialresultexception.
That’s solved everything for now and it looks like including the search
base in the URL is a somewhat standard way to go. I’m still gonna investigate
some more code-centric ways of handling it - seems less brittle.
JNDIAdaptor does not expose the search base attribute. It does expose the
connection dictionary - so I’m guessing you could read it and add a key/value
pair for the search base, which I think would update the wrapped DirContext.
Tim
> On Jul 24, 2017, at 11:56 AM, Chuck Hill <email@hidden> wrote:
>
> Hi Tim,
>
> Take a look at the JNDIAdaptor class. There are connection dictionary
parameters in there, one of those might be what you want. Or can you specify
that on the connection URL?
>
> Chuck
>
>
> From: Tim Worman <email@hidden>
> Date: Monday, July 24, 2017 at 11:43 AM
> To: Chuck Hill <email@hidden>
> Cc: WebObjects Development <email@hidden>
> Subject: Re: Active Directory, JNDI, EOModel
>
> Using Wireshark, below is what I’m seeing for the two queries. The
biggest difference right off the bat is that the WO/EOModel search seems to
search ROOT as the base DN whereas the Apache DirectoryStudio is using
“DC=adinstance,DC=ucla,DC=edu” as the base. The WO/EOModel search also appears
to have additional objectClass ‘AND’ filters.
>
> Looks like my first guess was somewhat likely - I need to find a way to
get a handle on the query and feed a base DN to my fetch in WO.
>
> It looks like this might be a way to set that:
> JNDIPlugin - base
>
> But I’m wondering if there is a way to set it once at the launch of an
app and not have to set it again.
>
> --------------------------------------------
>
> From WebObjects:
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(2) "<ROOT>" wholeSubtree
> messageID: 2
> protocolOp: searchRequest (3)
> searchRequest
> baseObject:
> scope: wholeSubtree (2)
> derefAliases: derefAlways (3)
> sizeLimit: 0
> timeLimit: 3601
> typesOnly: False
> Filter: (objectClass=user)
> filter: and (0)
> and: (objectClass=user)
> and: 1 item
> Filter: (objectClass=user)
> attributes: 0 items
> [Response In: 8]
> controls: 1 item
> Control
> controlType: 2.16.840.1.113730.3.4.2 (Manage DSA IT
LDAPv3 control)
>
> From Apache Directory Studio:
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(14) “DC=adinstance,DC=ucla,DC=edu"
wholeSubtree
> messageID: 14
> protocolOp: searchRequest (3)
> searchRequest
> baseObject: DC=adinstance,DC=ucla,DC=edu
> scope: wholeSubtree (2)
> derefAliases: derefAlways (3)
> sizeLimit: 1000
> timeLimit: 0
> typesOnly: False
> Filter: (objectClass=user)
> filter: equalityMatch (3)
> equalityMatch
> attributeDesc: objectClass
> assertionValue: user
> attributes: 2 items
> AttributeDescription: cn
> AttributeDescription: objectClass
> [Response In: 2]
>
>
>
> On Jul 21, 2017, at 12:58 PM, Chuck Hill <email@hidden> wrote:
>
> Try going through a proxy like Charles. Comparing what is sent from WO
and from Directory Studio might highlight what is wrong. I am sure that I did
this many years ago, but the details escape me. Microsoft’s standard is just a
little…different.
>
> Chuck
>
> On 2017-07-21, 12:56 PM, "Webobjects-dev on behalf of Tim Worman"
<webobjects-dev-bounces+chill=email@hidden on behalf of
email@hidden> wrote:
>
> Yeah, I’m not using the model for authentication to AD, I’m intending
to use simply to return EO's from AD. I’m encountering the error below when I
simply try:
>
> ADUser.fetchAllADUsers(pageEditingContext());
>
> The WARN log seems to indicate that I can’t search objectClass “user.”
But it is modeled and was reverse engineered. I’m unsure why that would be
considering I haven’t had that issue before with other ldap services.
>
> Tim
>
>
> On Jul 21, 2017, at 12:50 PM, Theodore Petrosky <email@hidden> wrote:
>
> did you see this:
>
> https://www.slideshare.net/wocommunity/third-party-auth-in-webobjects
>
> I was looking to see if there was a video to go along with the slides but
didn’t find one.
>
>
>
> On Jul 21, 2017, at 3:10 PM, Tim Worman <email@hidden> wrote:
>
> Has anyone used the JNDI plugin to model Active Directory? I’ve used it
with a lot of success with other ldap directories but I’m running into a
problem with a pretty simple model (which I’m sure has to do with AD’s
implementation).
>
> I reverse engineered our AD (Server 2016) instance with no problem - and
only included Person and User in my model. However, when I try to do a simple
fetch of all User (or Person) I get sth like:
>
> Jul 21 11:11:23 GSEISNetTestApplication[54777] DEBUG NSLog - Waiting for
requests...
> Jul 21 11:11:24 GSEISNetTestApplication[54777] WARN
er.extensions.eof.ERXModelGroup - Clearing previous class descriptions
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Context
factory cache is already clear
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Connecting:
{plugInClassName = "com.webobjects.jndiadaptor.LDAPPlugIn"; timeout = "3600";
scope = "Subtree"; username = "CN="Application Server",OU="Service
Accounts",OU=ETU,DC=gseisnet,DC=ucla,DC=edu"; authenticationMethod = "Simple";
password = "<omitted from log>"; serverUrl = "ldap://gseisnet.ucla.edu:389";
initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; }
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Creating
plug-in com.webobjects.jndiadaptor.LDAPPlugIn for JNDIAdaptor@1084219182
> Jul 21 11:11:24 GSEISNetTestApplication[54777] WARN NSLog - Cannot
search (&(objectClass=user))
> [2017-7-21 11:11:24 PDT] <WorkerThread0>
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr:
DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
> ''
> ]; remaining name ''
>
> When I use Directory Studio to perform what appears to be the same
search, filtering on objectClass user, I get the results I would expect. I’m
using the same bind credentials in both as well. One guess I have is the search
base, which I have set to the base DN in Directory Studio. Is there a way to
get a handle on the JNDI adaptor and set the search base globally in case it
isn’t right?
>
> Any other ideas? I know I’m probably off the reservation here.
>
> Tim
> UCLA GSE&IS
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
>
> This email sent to email@hidden
>
>
>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
References: | |
| >Active Directory, JNDI, EOModel (From: Tim Worman <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Theodore Petrosky <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Tim Worman <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Chuck Hill <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Tim Worman <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Chuck Hill <email@hidden>) |
| >Re: Active Directory, JNDI, EOModel (From: Tim Worman <email@hidden>) |