Forum Discussion

B12328's avatar
B12328
New Contributor
12 years ago

LDAP: Multiple OU's

Hi,



I am having intermitent log in issues when using userPatternArray for multiple OU's. If I delete webapps and work folders and restart server (sometimes restarting service is not enought) users are able to log in with no issues, later on the day users start reporting that they cannot log in after multiple tries. I check the error log and collab log and I can see the error messages. If they wait about 5-10minutes and try again they are able to log in. This does not happen if I use only one OU.



note: I used JXplorer to troubleshoot LDAP and I am able to search all users with no issues.



Below is my Root.xml, error log, and collab log.



Any suggestions will be appreciated. I have submitted a few emails to the support team but we haven't found a solution.





--------------------------

Root.xml



    http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

 -->

<Context docBase="${catalina.home}/wars/smartbear-ccollab-server.war" path="" privileged="true" reloadable="false">

<Valve className="com.smartbear.ccollab.auth.AuthTicketValve" collabDbJndiName="/jdbc/collabserver"/>

<Valve className="com.smartbear.ccollab.auth.CollabFormAuthenticator" seed="ba3acb2ec9cc2a582aaa9031c60d40a5"/>

<Valve characterEncoding="UTF-8" className="org.apache.catalina.authenticator.FormAuthenticator"/>



    

<!--

    Code Collaborator database configuration.

The underlying database is exposed as a named resource in the application's JNDI namespace at the well-known name "/jdbc/collabserver".

Because this well-known name is also used directly in the software, it *must not* be changed.  However, the underlying datasource can be configured

        to support the specific configuration that is desired.

For information on configuring Data Sources, see documentation available at:

        

        http://tomcat.apache.org/tomcat-5.5-doc/jndi-datasource-examples-howto.html

        

        Keep in mind that Code Collaborator does not necessarily support all of the

        databases that are documented in the Data Source documentation.

    -->



<Resource driverClassName="com.mysql.jdbc.Driver" maxActive="100" maxIdle="20" maxWait="10000" name="/jdbc/collabserver" password="mypassword2" removeAbandoned="true" removeAbandonedTimeout="120" scope="Sharable" testOnBorrow="true" type="javax.sql.DataSource" url="jdbc:mysql://localhost:3306/codecollab?useServerPrepStmts=false&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true" username="username" validationQuery="SELECT 1"/>







<Realm

allRolesMode="strictAuthOnly"

    

className="org.apache.catalina.realm.JNDIRealm"

    

connectionName="myusername@mydomain"

    

connectionPassword="mypasswordhere"

    

connectionURL="ldap://192.168.1.10:389"

referrals="follow"

    

userBase="dc=my,dc=domain"

    

userPatternArray="(OU=Users,OU=Alaska,DC=my,dc=domain):(ou=users,ou=California,ou=San Jose,dc=my,dc=domain):(OU=Users,OU=Texas,OU=Houston,DC=my,DC=domain)"



userSearch="(sAMAccountName={0})"



userSubtree="true"

/>










Code Collaborator Parameters

 Configuration parameters made available to the Code Collaborator application.

     -->

    

<Parameter description="Is the Code Collaborator database used for authentication?" name="collaborator-authentication" override="false" value="false"/>



<Parameter description="Should older, less secure, clients be allowed to connect to the Code Collaborator server." name="client-compatibility" override="false" value="false"/>



<Parameter description="The name of the Code Collaborator system administrator who is always allowed to log in." name="system-administrator" override="false" value="myadmin"/>



<Parameter description="Directory (relative to tomcat) where Code Collaborator caches file contents." name="content-cache" override="false" value="collaborator-content-cache"/>



    

<!--

The following parameter is used for migrating data from one database type to

another.Please read the documentation on database migration carefully before

 changing this value.

    -->



<Parameter description="Full path to migration/backup database to restore" name="database-migration-data-path" override="false" value="c:\path\to\database\backup\file.zip"/>





</Context>



--------------------------------

Collab log:

WARN http-80-1 com.smartbear.ccollab.AuthTicketFilter - Login failed for user: jdoe



 2013-04-17 21:09:34,869 WARN http-80-2 com.smartbear.ccollab.rpc.RpcGwtServlet$GwtInvocationHandler - Could not authenticate user 'jdoe' using password






-------------------------------

Error Log:



Error " Caused by: javax.naming.CommunicationException: DOMAIN.COM:389



[Root exception is java.net.SocketTimeoutException: connect timed out]"



Caused by: java.net.SocketTimeoutException: connect timed out



Apr 23, 2013 9:18:15 AM org.apache.catalina.realm.JNDIRealm authenticate

SEVERE: Exception performing authentication

javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mydomain:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
  • B12328's avatar
    B12328
    New Contributor
    I'm also using Wireshark to troubleshoot and this is what I've found:



    1142    16.255135000    192.168.1.10    192.168.2.20    LDAP    111    bindRequest(1) "adminuser@mydomain" simple

    1143    16.283321000    192.168.2.20    192.168.1.10    LDAP    76     bindResponse(1) success

    1144    16.283549000    192.168.1.10    192.168.2.20    LDAP    129    searchRequest(2) "dc=my,dc=domain" wholeSubtree

    1149    16.311655000    192.168.2.20    192.168.1.10    LDAP    499    searchResEntry(2) "CN=John Doe,OU=Users,OU=California,DC=my,DC=domain"  | searchResRef(2)  | searchResRef(2)  | searchResRef(2)  | searchResRef(2)  | searchResRef(2)  | searchResDone(2) success  [1 result]

    1153    16.316424000    192.168.1.10    192.168.2.144    LDAP    111    bindRequest(1) "adminuser@mydomain" simple

    1154    16.317344000    192.168.2.144    192.168.1.10    LDAP    164    bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)

    1973    26.378798000    192.168.1.10    192.168.2.14    LDAP    111    bindRequest(1) "adminuser@mydomain" simple

    1975    26.439360000    192.168.2.14    192.168.1.10    LDAP    76    bindResponse(1) success

    1976    26.439637000    192.168.1.10    192.168.2.14    LDAP    147    searchRequest(2) "DC=DomainDnsZones,DC=my,DC=domain" wholeSubtree

    1977    26.498631000    192.168.2.14    192.168.1.10    LDAP    76    searchResDone(2) success  [0 results]2305    31.497416000    192.168.1.10    192.168.2.14    LDAP    61    unbindRequest(3)