Error synchronizing Active Directory Users

Hi,

I am currently developing an app using appWorks and I wanted to synchronize the app users with an existing Active Directory. However, when I fill in the LDAP connection info and hit the connect button I get an error with the following message:

The server encountered an internal error that prevented it from fulfilling this request.

with an HTTP 500 error. The Tomcat log outputs an exception starting with the following:

ERROR  com.opentext.otag.rest.impl.UseradminImpl  - Access denied
ERROR  com.opentext.otag.rest.impl.UseradminImpl  - Failed to get partition info from OTDS
com.opentext.otds.OtdsException: Access denied
    at com.opentext.otag.rest.OtdsProviders.checkWebServiceResponseV2(OtdsProviders.java:183)
    at com.opentext.otag.rest.OtdsProviders.queryBasicInfo(OtdsProviders.java:93)
    at com.opentext.otag.rest.LdapInfo.prepare(LdapInfo.java:57)
    at com.opentext.otag.rest.impl.UseradminImpl.getLdapConnectionInfo(UseradminImpl.java:271)
    at com.opentext.otag.rest.v1.Useradmin.getLdapConnectionInfo(Useradmin.java:100)

I'm using the following tutorial:

https://developer.opentext.com/webaccess/#url=/awd/resources/articles/1057/appworks+gateway++managing+users

and I've already tested the connection in an external application and it works well.

What am I doing wrong?

Comments

  • Sorry for the obvious question, but I assume the credentials you supplied to connect to OTDS are correct? Can the OTDS instance be reached from the machine running the AppWorks Gateway?

  • Yes, I also tested the LDAP connection using ldapsearch on the machine running the Gateway and it worked well. Still, about the credentials: if I supply wrong credentials the error is different; it gives me a message saying:

    Error: Could not connect: invalid credentials.

    And the Exception is javax.naming.AuthenticationException. So I suppose I am supplying valid credentials.

    Any idea?

    Thanks

  • In that case, it may be a permissions issue. I have asked for further assistance. Please bear with me.

    Werner

  • Hi,

    Any news about this issue?

    Thanks

  • Hi,

    AppWorks Gateway will use an embedded version of OpenText Directory Services (OTDS) if you did not specify an external OTDS upon install. It may be the credentials needed to connect to this that are invalid. You can take a look at the OTDS access log for entries corresponding to the times you observe this behaviour - my guess is you'll see a failed authentication. Let me know what you find. The log is here:

    <tomcat home>\logs\directory-access.log

    Once we have that we can dig a little deeper.

    Cheers!
    Pete.

  • I'm having the same issue. I see that OTDS is by default using port 389 and binding to another port on the same computer. I went into OpenDJ to try to see if there was a way to either stop the default directory server or to add another connection, but it's a little over my head. Do I have to configure OpenDJ in order to be able to connect to our LDAP server, or is there a way that upon installation I can make it so the default directory server isn't used?

  • By default, OTDS will use port 389 on Windows and 1389 on Unix/Linux. We have seen this cause problems in test environments where an AD might also be locally installed. If you consider there is a port clash, you should stop using the internal OTDS, and switch to an external installation. When you install OTDS you have control over the ports it will use. You would then configure AppWorks Gateway to use the external OTDS as shown in this article:

    https://developer.opentext.com/awd/resources/articles/8725/appworks+gateway+v115++installing+and+updating

    For development and testing purposes, some folk have discovered that they can bind to OTDS with a regular LDAP browser (such as Apache Directory Studio). Doing so might give you more insight into the problem. Use the user CN=Directory Manager and use the password you gave when you originally installed OTDS.

    If you want to connect to an embedded OTDS, you can still do this. You'll find the password in the table otdsresourceinfo.

  • Hi Pete,

    Thanks for your answer.
    Whenever I try to synchronize the users I get the following message from the directory access log:

    Authentication Service,Success Access,27,Initial authentication successful,otag@otag,,Authentication success: otag@otag from host 127.0.0.1 with address 127.0.0.1 for resource __OTDS_AS__

    So I think the authentication is not the problem here.
    Do you have any idea?

    Thanks

  • Hi Tiago,

    I would say that permissions in OTDS need to be looked at. otag@otag is not the user with which AppWorks Gateway is trying to connect; that is held in the otdsresourceinfo table. See if you can connect an LDAP browser with CN=Directory Manager and the password given in that table.

    Another avenue is through the OTDS Admin client. Install this and patch 2 from here. You'll need to sign in to the client as otadmin@otds.admin, again with that password in the otdsresourceinfo table.

    This is starting to get complicated. Have you tried installing AppWorks from scratch? Do you keep running into the same issues each time?

    Thanks.

  • I was told to add this to the server.xml file under the GlobalNamingResources section and it seems to be working

    <Resource auth="Container"
    factory="com.opentext.otag.auth.CSIdentityServiceFactory"
    name="otag/IdentityService"
    type="com.opentext.otag.auth.IdentityService"/>

  • Hi all,

    I'm in charge to keep Tiago's work.

    @Tyler Ford, I tried to add that to server.xml, but doing that breaks the login to the Gateway, giving an "Authentication Error" when I try to log in with the otag user.

    @Pete Oliver, I tried to use an LDAP browser, Apache Directory Studio, to bind to OTDS with the user CN=Directory Manager and the password that is in the table otdsresourceinfo, as you said. My attempts were unsuccessful; however, I am not sure if I was doing it correctly. For example, some of the doubts I had while doing so were:

    • The host is the machine where OTDS is installed. What about the port? The only one I could connect to was the same one I use to connect to the Gateway (in my case, 8088); is this the correct one?
    • In the table otdsresourceinfo, there were 3 columns with similar information: opendjpassword, otagpartitionpassword and resourceid. Which one is the one holding the password you meant? And are they encrypted? I tried all of them as they are in the table, but unsuccessfully.

    Could you please be more specific about how to do it?

    Thank you all for the help

  • Hello all,

    Finally managed to do this. Pete Oliver tips were very helpful! I'm going to describe the steps I followed to make this work, in case anyone is having the same issue.

    I did a debug of the gateway and OTDS code, and found out where the access denied error was being thrown. The code validates whether the user otag belongs to one of the following 3 groups, throwing access denied if it doesn't belong to any of them:

    • cn=otadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net
    • cn=otdsadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net
    • cn=otdsreadonlyadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net

    Turns out that this was the case: the otag user belonged to just one group, and it was not one of the previous groups: cn=otagadmins,ou=Root,ou=otag,ou=IdentityProviders,dc=identity,dc=opentext,dc=net.

    So, the solution was to access the OTDS LDAP using an LDAP browser and add the otag user to one of those 3 groups. The way I was trying to access the OTDS LDAP with an LDAP browser before was, as I suspected, wrong. The port chosen upon OTDS installation was not the default one. To find out which port had been chosen, I had to have a look at the log <OpenDJ_folder>/logs/errors and find the line category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 9989. This was the port I had to put in the Apache Directory Studio connection settings. Also, as Pete Oliver stated, the user is CN=Directory Manager and the password can be found in the table otdsresourceinfo, in the column opendjpassword.

    Once the otag user belonged to one of the specified 3 groups, the LDAP synchronization was finally successful.

    Thank you for the help! Cheers.
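The resolution above comes down to three steps: find the port the embedded OpenDJ actually listens on (from logs/errors), bind as cn=Directory Manager with the opendjpassword value from otdsresourceinfo, and put the otag user into one of the three groups OTDS checks before it answers the partition query. Note that the "Initial authentication successful" line in directory-access.log never contradicted the failure: the bind succeeded, the authorization check did not. The following Python helper is an added example written for this page, not code from AppWorks Gateway, OTDS or OpenDJ. It reproduces that three-group check, extracts the listener port from a constructed copy of the OpenDJ errors log, and emits the LDIF for the group change. The otag user DN and the uniqueMember membership attribute are assumptions; read the real entries with ldapsearch first. Two caveats for whoever applies it: opendjpassword is the Directory Manager credential and grants full control of the directory, so guard the otdsresourceinfo table accordingly; and of the three accepted groups, cn=otdsreadonlyadmins is the least-privileged choice if the synchronization only needs to read partition info, so try it before granting cn=otadmins.

```python
"""Added diagnostic helper for the OTDS "Access denied" thread above.

Example code written for this page, not part of AppWorks Gateway, OTDS or
OpenDJ.  It reproduces the three-group check the debugging session found,
pulls the LDAP listener port out of OpenDJ's logs/errors file, and writes
the LDIF that adds the otag user to one of the accepted groups.  The otag
user DN and the membership attribute are assumptions; check the real
entries with ldapsearch before applying anything.
"""
import re
from typing import Iterable, Optional

# The three groups OTDS accepts for the partition query (quoted from the post).
OTDS_ADMIN_GROUPS = (
    "cn=otadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net",
    "cn=otdsadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net",
    "cn=otdsreadonlyadmins,ou=Root,ou=otds.admin,ou=IdentityProviders,dc=identity,dc=opentext,dc=net",
)

# The only group the otag user was actually in; it is NOT one of the three above.
OTAG_ADMINS_GROUP = "cn=otagadmins,ou=Root,ou=otag,ou=IdentityProviders,dc=identity,dc=opentext,dc=net"

# Assumed DN of the otag user inside the embedded OTDS (not shown in the thread).
OTAG_USER_DN = "cn=otag,ou=Root,ou=otag,ou=IdentityProviders,dc=identity,dc=opentext,dc=net"


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators so that
    'CN=otadmins, OU=Root, ...' compares equal to the canonical form."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def has_otds_admin_access(member_of: Iterable[str]) -> bool:
    """Mirror of the check OTDS performs before answering the partition query:
    the bound user must be in at least one of OTDS_ADMIN_GROUPS.  A successful
    bind (the 'Initial authentication successful' access-log line) does not
    satisfy this; it is an authorization check, not an authentication one."""
    accepted = {normalize_dn(g) for g in OTDS_ADMIN_GROUPS}
    return any(normalize_dn(g) in accepted for g in member_of)


def diagnose(member_of: Iterable[str]) -> str:
    """Verdict for a user's group list (e.g. the values of OpenDJ's isMemberOf
    virtual attribute, or the groups shown in an LDAP browser)."""
    if has_otds_admin_access(member_of):
        return "ok: user is in an OTDS admin group"
    return "access denied: user is in none of " + ", ".join(OTDS_ADMIN_GROUPS)


# OpenDJ logs the listener with msgID=2556180; only the plain LDAP handler line
# is wanted, not the LDAPS handler or the administration connector.
_LDAP_PORT_RE = re.compile(
    r"Started listening for new connections on LDAP Connection Handler \S+ port (\d+)"
)


def opendj_ldap_port(errors_log: str) -> Optional[int]:
    """Return the port from the last 'LDAP Connection Handler' start line in
    <OpenDJ_folder>/logs/errors, or None if no such line was logged."""
    ports = _LDAP_PORT_RE.findall(errors_log)
    return int(ports[-1]) if ports else None


def group_add_ldif(group_dn: str, user_dn: str, member_attr: str = "uniqueMember") -> str:
    """LDIF that adds user_dn to group_dn.  'uniqueMember' (groupOfUniqueNames)
    is an assumption; read the group entry first and pass whatever membership
    attribute it actually carries."""
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        f"add: {member_attr}\n"
        f"{member_attr}: {user_dn}\n"
    )


# Constructed sample of the OpenDJ errors log, modelled on the line quoted above.
SAMPLE_ERRORS_LOG = """\
[01/Jan/2015:10:00:00 +0000] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 4444
[01/Jan/2015:10:00:00 +0000] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 9989
[01/Jan/2015:10:00:00 +0000] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
"""

if __name__ == "__main__":
    print(diagnose([OTAG_ADMINS_GROUP]))
    port = opendj_ldap_port(SAMPLE_ERRORS_LOG)
    print(f"bind Apache Directory Studio or ldapmodify to port {port} as cn=Directory Manager")
    # Apply with the OpenLDAP client; the password is opendjpassword from otdsresourceinfo:
    #   ldapmodify -H ldap://<otds-host>:<port> -D "cn=Directory Manager" -W -f fix.ldif
    print(group_add_ldif(OTDS_ADMIN_GROUPS[2], OTAG_USER_DN))
```

Run it as a script to see the verdict for the otagadmins-only membership, the port parsed from the sample log, and the LDIF; in a real environment feed opendj_ldap_port the contents of logs/errors and diagnose the group DNs returned for the otag entry. After the ldapmodify, re-run the Gateway's LDAP connect and confirm the "Failed to get partition info from OTDS" line no longer appears in the Tomcat log.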

  • Sorry to dredge up an old thread but I have exactly the same symptoms. I have a CS 10 and OTAG 10 system I am trying to upgrade to CS 10.5 and OTAG 1.2.1 with OTEW 10.5.21 system. There's no documentation anywhere on how to do an upgrade like this. I'm following a CS parallel upgrade method where I have installed CS 10.5 and modules, and created a dummy database to confirm that all works. I also set up OTAG and Everywhere, connected it to the dummy CS system and it worked too. There is no OTDS in this customer environment, so we are using the "embedded OTDS" in OTAG.

    Now I have connected to the test CS 10 database and upgraded it to 10.5. CS is working fine. However, while I've been able to set up the trusted server relationship from OTAG to the CS 10.5 system again, now I come to add synchronised users and cannot get past this problem, as the original poster described. I have used Apache Directory Studio to add the otag user to the otadmins group as well as otagadmins, but no change. I am beyond the point of despair and am now going to drop the entire OTAG installation and start again, which I am unhappy with as it means I will probably have to do this again as part of the production upgrade.

    Furthermore the OTAG user cannot log in to OTAG any longer either - I get a message saying administrative credential required, despite the fact that the user is still an administrative user. One more reason to start again I guess.