CMDBuild Forum

Unable to get LDAP Auth to work

Hi,

I am trying to install CMDBuild 3.0 on Linux.

1. After installing tomcat and creating a demo Postgres DB with cmdbuild.sh I can log in with the admin user.

I created my user with a dummy password, then tried to configure LDAP authentication.

2. I used both auth.conf located in WEB-INF/conf 

3. and the rest calls with cmdbuild.sh, but none of them seem to take effect and I am not able to log in with my LDAP user.

     Once I run the first command:

     ./cmdbuild.sh restws setconfig org.cmdbuild.auth.methods LdapAuthenticator,DBAuthenticator

     All other rest calls fail with the following error:

     [ asmtadm on rams1.natinst.com :] ./cmdbuild.sh restws setconfig org.cmdbuild.auth.methods LdapAuthenticator,DBAuthenticator
     Exception in thread "main" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
             at org.cmdbuild.utils.cli.commands.restcommandutils.CliCommandParser$CliActionImpl.execute(CliCommandParser.java:105)
             at org.cmdbuild.utils.cli.commands.restcommandutils.CliCommandUtils$1.execute(CliCommandUtils.java:35)
             at org.cmdbuild.utils.cli.commands.RestCommandRunner.exec(RestCommandRunner.java:214)
             at org.cmdbuild.utils.cli.commands.AbstractCommandRunner.exec(AbstractCommandRunner.java:62)
             at org.cmdbuild.utils.cli.Main.runMain(Main.java:144)
             at org.cmdbuild.utils.cli.Main.main(Main.java:89)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:498)
             at org.cmdbuild.webapp.cli.Main.runCli(Main.java:98)
             at org.cmdbuild.webapp.cli.Main.main(Main.java:76)
     Caused by: java.lang.reflect.InvocationTargetException
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:498)
             at org.cmdbuild.utils.cli.commands.restcommandutils.CliCommandParser$CliActionImpl.execute(CliCommandParser.java:103)
             ... 11 more
     Caused by: org.cmdbuild.client.rest.core.RestClientException: error calling rest ws method loginapi.doLoginWithAnyGroup
             at org.cmdbuild.client.rest.RestClientImpl$ExceptionWrappingInvocationHandler.invoke(RestClientImpl.java:263)
             at com.sun.proxy.$Proxy3.doLoginWithAnyGroup(Unknown Source)
             at org.cmdbuild.client.rest.RestClient.doLoginWithAnyGroup(RestClient.java:63)
             at org.cmdbuild.utils.cli.commands.RestCommandRunner.setConfig(RestCommandRunner.java:821)
             ... 16 more
     Caused by: java.lang.IllegalArgumentException: error: response status code = HTTP/1.1 401 , error message = ERROR: access denied
             at com.google.common.base.Preconditions.checkArgument(Preconditions.java:440)
             at org.cmdbuild.client.rest.core.AbstractServiceClientImpl$RequestRunner.checkResponse(AbstractServiceClientImpl.java:335)
             at org.cmdbuild.client.rest.core.AbstractServiceClientImpl$RequestRunner.execute(AbstractServiceClientImpl.java:305)
             at org.cmdbuild.client.rest.core.AbstractServiceClientImpl.post(AbstractServiceClientImpl.java:81)
             at org.cmdbuild.client.rest.impl.LoginApiImpl.doLogin(LoginApiImpl.java:50)
             at org.cmdbuild.client.rest.impl.LoginApiImpl.doLoginWithAnyGroup(LoginApiImpl.java:39)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:498)
             at org.cmdbuild.client.rest.RestClientImpl$ExceptionWrappingInvocationHandler.invoke(RestClientImpl.java:258)
             ... 19 more

Also, documentation is very vague, I can even say poor.

I need instructions on how to implement LDAP authentication.

Thanks!

Since 3.1, what worked for me was to put the auth.conf file in <cmdbuild home>/conf/cmdbuild/
 
Previously, with 3.0, I had to put it in <cmdbuild home>/webapps/cmdbuild/WEB-INF/conf/, but it doesn't seem to work anymore.
 
Be careful as with 3.1, the file seems to be read on startup and then deleted from the folder.
 

Hi, in my installation, authenticating using LDAP for openMAINT ver2 does not work, and once I run the command:

./cmdbuild.sh restws setconfig org.cmdbuild.auth.methods LdapAuthenticator,DBAuthenticator

I get: invalid auth dir (see details below)

Which dir is meant? I have moved auth.conf to different directories in order to make LDAP authentication work but have not succeeded. Any ideas where I should move it to? (In my case I use openMAINT ver2, not CMDBuild, and it is installed in /var/lib/tomcat9/webapps/openmaint/ )

Error details:

ERROR o.c.u.cli.commands.RestCommandRunner - error building file password
java.lang.IllegalArgumentException: invalid auth dir = /var/lib/tomcat9/webapps/openmaint/…/…/temp
   at com.google.common.base.Preconditions.checkArgument(Preconditions.java:216)
   at org.cmdbuild.auth.login.file.FileAuthUtils.buildAuthFile(FileAuthUtils.java:27)
   at org.cmdbuild.utils.cli.commands.RestCommandRunner.tryToBuildFilePassword(RestCommandRunner.java:297)
   at org.cmdbuild.utils.cli.commands.RestCommandRunner.exec(RestCommandRunner.java:246)
   at org.cmdbuild.utils.cli.commands.AbstractCommandRunner.exec(AbstractCommandRunner.java:78)
   at org.cmdbuild.utils.cli.Main.runMain(Main.java:127)
   at org.cmdbuild.utils.cli.Main.main(Main.java:56)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
   at org.cmdbuild.webapp.cli.Main.runCli(Main.java:125)
   at org.cmdbuild.webapp.cli.Main.startFromWebappDir(Main.java:43)
   at org.cmdbuild.webapp.cli.Main.main(Main.java:35)
Exception in thread "main" java.lang.NullPointerException: missing 'password' param for user = system
   at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:919)
   at org.cmdbuild.utils.lang.CmPreconditions.checkNotBlank(CmPreconditions.java:78)
   at org.cmdbuild.utils.cli.commands.RestCommandRunner.exec(RestCommandRunner.java:268)
   at org.cmdbuild.utils.cli.commands.AbstractCommandRunner.exec(AbstractCommandRunner.java:78)
   at org.cmdbuild.utils.cli.Main.runMain(Main.java:127)
   at org.cmdbuild.utils.cli.Main.main(Main.java:56)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
   at org.cmdbuild.webapp.cli.Main.runCli(Main.java:125)
   at org.cmdbuild.webapp.cli.Main.startFromWebappDir(Main.java:43)
   at org.cmdbuild.webapp.cli.Main.main(Main.java:35)

Thank you

I encountered the same problem and was able to solve it by specifying the -username and -password parameters of the local CMDBuild account with SuperUser rights, which is created when the application is deployed (in my case, in version 3.4.1, this account is called "admin" and its default password is also "admin").

As a result, in your case, the commands should look like this:

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.case.insensitive true

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.methods LdapAuthenticator,DBAuthenticator

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.enabled true

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.server.url "ldaps://FQDN-DNS-Server-Name1 ldaps://FQDN-DNS-Server-Name2 ldaps://FQDN-DNS-Server-Name3"

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.basedn dc=contoso,dc=com

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.bind.attribute userPrincipalName

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.search.auth.method simple

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.search.auth.principal "CN=cmdb_ldap_auth,OU=SystemAccounts,OU=DomainUsers,DC=contoso,DC=com"

./cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig org.cmdbuild.auth.ldap.search.auth.password 'A@;5rWE=sZv`'

When setting these, pay attention to the parameter org.cmdbuild.auth.ldap.bind.attribute.
In order for LDAP authentication to be successful, the user login in CMDBuild must match the value of the SAMAccountName attribute of the ADDS user account.
It is not necessary to use the SAMAccountName attribute; you can use, for example, UserPrincipalName, or any other that you want.

Also, please pay attention to the password: it must be enclosed in single quotes ''.
Example - 'password'

Next, you must import the digital certificates to your CMDBuild server.
I imported the certificates into the /usr/local/share/ca-certificates/extra/ directory (there was no "extra" directory by default; I created it manually myself).

You will need 3 digital certificates:

1. Digital certificate of your root certification authority;
2. Digital certificate of an additional certificate authority;
3. Digital certificate for your domain (it's easier to use a wildcard).

After you place the digital certificates in the above directory, you will need to run this command:

update-ca-certificates

This completes the LDAP authentication setup.
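
The single-quote advice and the ldaps:// server list from the answer above, as an added example that is not part of the original post or of CMDBuild: sq_quote, check_ldap_urls and setconfig_line are hypothetical helper names, and the host names and password are constructed sample values. It goes beyond the post by also handling a password that itself contains a single quote.

```bash
#!/usr/bin/env bash
# Added example, not CMDBuild code. Helper names and sample values are constructed.

# Single-quote a value so the shell passes it on byte for byte.
# An embedded ' is written as '\'' (close quote, escaped quote, reopen quote).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept the space-separated server list only if every entry is ldaps://,
# because the "simple" bind method sends the bind password as-is and
# relies on TLS to protect it. An empty list is rejected as well.
check_ldap_urls() {
    _n=0
    for _u in $1; do
        case $_u in
            ldaps://?*) _n=$((_n + 1)) ;;
            *) echo "rejected (not ldaps): $_u" >&2; return 1 ;;
        esac
    done
    [ "$_n" -gt 0 ]
}

# Print one setconfig line in the thread's form, ready to paste into a shell.
# The admin credentials stay as the thread's {placeholders}.
setconfig_line() {
    printf './cmdbuild.sh restws -username {CMDBuild_admin_account} -password {CMDBuild_admin_account_password} setconfig %s %s\n' \
        "$1" "$(sq_quote "$2")"
}

# Constructed sample values: two LDAPS servers and a password containing
# ; ` ' space and $, all of which an unquoted shell word would interpret.
urls='ldaps://dc1.example.test ldaps://dc2.example.test'
bind_pw='x;y`z'"'"'w $HOME'

if check_ldap_urls "$urls"; then
    setconfig_line org.cmdbuild.auth.ldap.server.url "$urls"
    setconfig_line org.cmdbuild.auth.ldap.search.auth.password "$bind_pw"
fi
```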

I had the same error.
This problem is solved very simply: you need to create a "temp" directory in the /var/lib/tomcat9 directory.

After creating the directory, try running the command again; it should work successfully.