LDAP Util library

Name LDAP Util
Latest Version 1.0.16
Confluence Versions any (osuser/atlassian-user configurations)
Jira Versions any (osuser configurations)
Support
Author(s) Andy Brook
Homepage here
Price Free
Issues tucked into the Confluence-LDAP section of the NTLM Jira project.
License BSD
Source SVN, Fisheye
Download view all jars, latest stable version 1.0.16 jar, unstable 1.0.17-SNAPSHOT

A missing Snapshot is not a bug, it just hasn't been built yet.

Description/Features

A library that provides a simplified interface to LDAP user lookup's that make use of pre-existing LDAP configuration in atlassian-user.xml and (deprecated) osuser.xml.

Install

In order to do this you need to have LDAP authentication setup and working. See LDAP User Management for more details.

Get the dependent JAR's

This plugin has one dependency on commons-digester, providing XML parser support used to process the Confluence atlassian-user.xml file. For JIRA, no such library is required. There are two use cases:

System referenced code (eg the NTLM authenticator for confluence)

In which case, the dependent JAR need to go into WEB-INF/lib, but confluence already comes with a digester jar so there is nothing to do in this scenario.

Confluence plugin (eg the Custom Space User Management plugin)

In which case, the dependent JAR need to be marked as 'compile' dependency of the plugins POM.

Using ldaputil in confluence plugins

If you want to make use of the LDAP util library, you need to have a 'compile' dependency for commons-digester (an earlier version is already bundled with confluence) as its needed for atlassian-user parsing, the additions to your pom should be:

<!-- ldap util compile dependency so it gets bundled with the plugin -->
        <dependency>
            <groupId>com.dolby.confluence.net</groupId>
            <artifactId>ldaputil</artifactId>
            <version>1.0.10</version>
        </dependency>

<!-- atlassian-user.xml parser -->
        <dependency>
            <groupId>commons-digester</groupId>
            <artifactId>commons-digester</artifactId>
            <version>1.8</version>
            <scope>compile</scope>
        </dependency>

Compatibility Matrix

This library should work with ALL versions of Confluence / Jira. Will document any exceptions as/when found.

Release Notes

Version Notes
1.0.16
  • Replace incorrect wildcard usage producing bad account lookups for emails. Enables domains that a users email address are equivalent to (user@myco.co.uk/user@myco.com) to match correctly
1.0.15
  • provide -generate command line function to load an atlassian-user.xml file, probe Active Directory to get a list of DC's and generate an ntlm-atlassian-user.xml file (obv, for use specifically with NTLM). This isn't particularly elegant but by keeping a common configuration file, multiple DOMAINS should, in theory at least, be able to be supported.
  • add method to check whether a given user exists and is enabled (ie not been disabled by admins)
1.0.14
  • Enabled anonymous login for LDAP
  • Enable configurable alternative for osuser/atlassian-user config files, useful for NTLM, perhaps other uses
1.0.13
  • Fixes NPE for Active Directory DC lookup when there are none found (usually an indicator that the basecontext in atlassian user is too low (ou=x,ou=y,dc=this,dc=that moved higher to: dc=this,dc=that)
  • moved ldaputil.properties to example-ldaputil.properties to enable inclusion in plugins with their own ldap configuration file/ configuration methods.
1.0.12
  • removed dependency on ClassLoaderUtils, should now work with confluence 2.10+
  • API expanded to allow general LDAP queries to be made (ie complete LDAP filters can be provided) with specified attributes and maximum return rows. The results are returned for flexible processing.
  • If using active directory, the ability to list out the Domain Controllers.
1.0.11
  • adds ability to use mulitple ldap server definitions, in both atlassian-user (Confluence only) and osuser (Jira and Confluence) configuration files. This means that if multiple LDAP servers are defined, plugins and macros that use this library will continue to work if the Primary (first) in the list, goes down, just like Confluence/Jira.
    verified under Jira
    believed to work ok under Confluence - feedback encouraged!
1.0.10
  • this version is BSD
  • adds getUserDetailsByEmailAddress(String)
  • extends LDAPUser model to include emailAliases
  • allows emailAliases in LDAP to have nominated prefixes (as found in Active Directory proxyAddresses attribute)

LDAP Util configuration

Although you don't have to specify any LDAP configuration, some choices are available, if you want to change anything you need to unpack the ldaputil jar and edit ldaputils.properties, or provide it programatically at the point of use.

Common configuration

These could be changed if needed

Key Default Valid Values Description
ldaputil.providerType atlassian-user osuser,atlassian-user use Atlassian user config
ldaputil.ldap.narrowingFilterExpression (objectclass=user) any this can be used to restrict the LDAP lookup
ldaputil.ldap.fullNameFormat 0 0,1 0= Lastname, Firstname , 1 = Firstname Lastname (no comma)
ldaputil.ldap.forceUserIDCase 2 0,1,2 0=force lower, 1=force upper, 2=use reflect stored value
ldaputil.ldap.subtreeScope 2 0,1,2 0=object scope, 1=one-level scope, 2=subtree scope
ldaputil.ldap.emailAliasesLdapAttribute proxyAddresses any ldap attribute 'proxyAddresses' is the Active Directory attribute that houses email aliases
ldaputil.ldap.emailAliasesLdapAttributeSearchPrefix n/a comma separated values This prefix will be used to optionally 'pull out email address' from LDAP, I see in Active Directory many entries such as 'smtp:user@company.co.uk'. The values are case sensitive as the comparison is done in Java not LDAP filters, for example 'smtp:,SMTP:'
ldaputil.ldap.emailAliasesLdapAttributeParser n/a implementer of my ILDAPEmailAliasProcessor, eg LDAPUtilsActiveDirectoryEmailAliasExtractor If specified, this class handles the extraction of email aliases from an LDAP lookup NamingEnumeration
ldaputil.ldap.dclistFilterExpression (userAccountControl:1.2.840.113556.1.4.803:=532480) any filter lists all servers that allowed to participate in authentication of users
ldaputil.ldap.initialContextValidationLookupUser AnyOldInvalidUsername if specified, a valid user name that exists used to validate each ldap connection (has to be common)
ldaputil.providerFilenameOverride n/a a valid filename/path e.g. ldaputil-atlassian-user.xml If provided, enables potentially multiple separate LDAP repositories to be setup specifically for ldaputil related use.

Denotes optional field.

Configuration based on 'atlassian-user'

If you are using 'atlassian-user' no changes are required.

Configuration based on 'osuser'

The ldap attribute keys need configuring in the property file (unpack the jar, edit, repack), the existing values are suited to Active Directory - configure as appropriate, and/or comment here for my info. all keys are required.

Key Default Valid Values Description
ldaputil.osuser.providerClass com.opensymphony.user.provider.ldap.LDAPCredentialsProvider any the provider class containing the ldap configuration in osuser.xml
ldaputil.ldap.emailLdapAttribute mail any Mail, this is AD specific, configure as appropriate
ldaputil.ldap.userIdLdapAttribute sAMAccountName any User account ID, this is AD specific, configure as appropriate
ldaputil.ldap.firstNameAttribute givenName any First Name, this is AD specific, configure as appropriate
ldaputil.ldap.lastNameAttribute sn any Surname, this is AD specific, configure as appropriate

Logging

To enable logging for this library, you will need to add the following to log4j.properties in WEB-INF/classes:

#
# LDAP UTILS
#
log4j.logger.com.dolby.confluence.net.ldap=DEBUG, confluencelog
log4j.additivity.com.dolby.confluence.net.ldap=false

log4j.logger.com.dolby.confluence.net.ldap.atlassianuser=DEBUG, confluencelog
log4j.additivity.com.dolby.confluence.net.ldap.atlassianuser=false

log4j.logger.com.dolby.confluence.net.ldap.osuser=DEBUG
log4j.additivity.com.dolby.confluence.net.osuser=false

Manually checking LDAP connectivity

Available only in the current 1.0.12-SNAPSHOT is the ability to check the configuration at the command line. The process to do this is as follows (setup for the WAR distro as that's what I use):

  1. Extract the WAR if applicable, in which case change CONFHOME to ../lib
  2. Copy the ldaputils-xyz.jar to WEB-INF/lib
  3. Navigate to WEB-INF/classes
  4. Copy the text below into a file, eg list.sh in WEB-INF/classes:
    • Linux 
      #!/bin/bash
CONFHOME=../../../confluence/WEB-INF/lib

for aFile in `ls -1 ../lib/*.jar`
do
 CP=$CP:$aFile
done

for aFile in `ls -1 ../../../confluence/WEB-INF/lib/*.jar`
do
 CP=$CP:$aFile
done

java -cp .:$CP com.dolby.confluence.net.ldap.LDAPLookupUtil $1
    • Windows (will need tweaking) 
      @echo off
java -cp ..\lib\ldaputil-1.0.12-SNAPSHOT.jar;..\lib\commons-logging-1.0.4.jar;..\lib\confluence-2.8.2.jar;..\lib/atlassian-core-3.9.jar;..\lib\commons-digester-1.5.jar;..\lib\commons-collections-3.2.jar;..\lib\commons-beanutils-1.6.1.jar;. com.dolby.confluence.net.ldap.LDAPLookupUtil %1
  5. Command line options to these scripts are:
    • userid to lookup
    • -listdc to list the DC's (only applicable to Active Directory servers)
  6. The script may need minor version changes.

See Identifying Active Directory connection details may be useful background reading for users new to LDAP.

Using the library in Confluence

I used this library to create Beanshell macros that allows queries to be made over the underlying LDAP repositories (not multple repositories, just the first to work).

Example configurations

Atlassian-user.xml

This config file only appears to be used in Confluence. The search filter removes disabled users, it can be removed.

<atlassian-user>
    <repositories>
    
    <ldap key="ldapRepository" name="LDAP Repository@test.server.net" cache="true">
			<host>test.server.net</host>
			<port>3268</port>
			<securityPrincipal>CN=auser,OU=something,DC=yourco,DC=net</securityPrincipal>
			<securityCredential>pasword</securityCredential>
			<securityProtocol>plain</securityProtocol>
			<securityAuthentication>simple</securityAuthentication>
			<baseContext>dc=yourco,dc=net</baseContext>
			<baseUserNamespace>dc=yourco,dc=net</baseUserNamespace>
			<baseGroupNamespace>DC=yourco,DC=net</baseGroupNamespace>
			<usernameAttribute>sAMAccountName</usernameAttribute>
			<userSearchFilter>(&amp;(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</userSearchFilter>
			<firstnameAttribute>givenname</firstnameAttribute>
			<surnameAttribute>sn</surnameAttribute>
			<emailAttribute>mail</emailAttribute>
			<groupnameAttribute>sAMAccountName</groupnameAttribute>
			<groupSearchFilter>(&amp;(objectClass=group)(mail=*))</groupSearchFilter>
			<membershipAttribute>member</membershipAttribute>
		</ldap>

		<hibernate name="Hibernate Repository" key="hibernateRepository"  description="Hibernate Repository" />
    
    </repositories>
</atlassian-user>

osuser.xml

This config file can be used with Confluence (but is deprecated) or with Jira (the only format it supports):

<opensymphony-user>

	<authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator" />

	<provider class="com.opensymphony.user.provider.ldap.LDAPCredentialsProvider">
	    	<property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    		<property name="java.naming.provider.url">ldap://test.server.net:3268</property>
    		<property name="searchBase">DC=yourco,DC=net</property>
    		<property name="uidSearchName">sAMAccountName</property>
    		<property name="java.naming.security.principal">CN=username,OU=something,OU=somethingelse,DC=yourco,DC=net</property>
    		<property name="java.naming.security.credentials">password</property>
		<property name="java.naming.referral">follow</property>
    		<property name="exclusive-access">true</property>
	</provider>

        <authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator" />
	<provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
		<property name="exclusive-access">true</property>
	</provider>
	<provider class="com.opensymphony.user.provider.ofbiz.OFBizProfileProvider">
		<property name="exclusive-access">true</property>
	</provider>
	<provider class="com.opensymphony.user.provider.ofbiz.OFBizAccessProvider">
		<property name="exclusive-access">true</property>
	</provider>
</opensymphony-user>

Just remove the ldaputil.properties file from the JAR, add to WEB-INF/classes, put the JAR minus config file in WEB-INF/lib, rebuild/deploy and it should just work. In time I hope to set this up a proper plugin via plugin repository.

Screenshot of Beanshell AD/conf user lookup tool

Labels

jira jira Delete
confluence confluence Delete
plugin plugin Delete
library library Delete
ldap ldap Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Comments (55)

 

  1. Sep 26, 2007

    Andy Brook says:

    1.0.7 fixes multi-threaded access to getUser...

    1.0.7 fixes multi-threaded access to getUser...

  2. Dec 18, 2007

    David Peterson [CustomWare] says:

    Hey Andy, Just noticed that this library is GPL-3. GPL in general is incompatib...

    Hey Andy,

    Just noticed that this library is GPL-3. GPL in general is incompatible with being included in a commercial product, or a plugin for a commercial product...

    I believe that LGPL is compatible, otherwise it may be worth considering an alternate license.

    1. Dec 18, 2007

      Andy Brook says:

      I'm not sure I see how this could be used in a commercial product, its geared to...

      I'm not sure I see how this could be used in a commercial product, its geared totally at parsing the atlassian-user and osuser config files, and is equally tied to confluence. Unless someone is reselling confluence I can't see how this could be used commercially!

      Heck its only a sax parser and a XML digester! And it wont work with crowd (yet), so applications are limited.

      However, I'll read the LGPL and if there isn't anything that I disagree with I'll release a new rev under that license.

      1. Feb 04

        David Peterson [CustomWare] says:

        Confluence is a commercial product! Essentially, the GPL requires that anythin...

        Confluence is a commercial product!

        Essentially, the GPL requires that anything which a GPL'd library is used in must also be released under the GPL, unless a specific exemption is allowed for a given application. The 5. NTLM Authenticator for Confluence, Comments 07-08 does exactly that, for exactly that reason. Kind of a pain, since I've had to avoid many a very good 3rd-party library purely because they were GPL'd...

        1. Dec 18, 2007

          Andy Brook says:

          I don't think atlassian will ever use this, it's not an issue for Confluence is ...

          I don't think atlassian will ever use this, it's not an issue for Confluence is it? I see end-users using this, possibly combined with CSUM for instance which is a different kettle of fish. Give me time to get round to it...

          1. Dec 18, 2007

            David Peterson [CustomWare] says:

            It's an issue if anyone else uses it in a plugin. But no rush - just noticed it ...

            It's an issue if anyone else uses it in a plugin. But no rush - just noticed it when I was checking out some LDAP stuff.

            1. May 15, 2008

              Andy Brook says:

              Next rev will be a BSD, I pretty much picked the license without thinking much. ...

              Next rev will be a BSD, I pretty much picked the license without thinking much. This version will also work with a mod I have in the pipes for the Jira AbstractMessageHandler class to do some intelligent determination of userID from emailAddress.

  3. Apr 05

    Neil Crow says:

    Hi Andy, I was trying to get the Jira LDAP User Utility (afa plugin) working fo...

    Hi Andy,

    I was trying to get the Jira LDAP User Utility (afa plugin) working for jira, and was battling with the ldap connection.

    So I ended up changing a copy of that source to use your library.

    However in order to do this I needed a change in your library too, LDAPLookupUtil.searchFor needed to return a list instead of a single user.

    I have attached the changed version to this page LDAPLookupUtil.java.

    The changes that I made are as follows:

    1. searchFor returns a List
    2. I refactored the calls to searchFor to take the first element in the list.
    3. the nested loops in processEnum were driving me loopy, so I extracted a private method createLDAPUser
    4. I changed the implementation of createLDAPUser to only loop through the requiredAttributes for each user rather than loop through all attributes per user.

    I hope you will incorporate my changes into your next version, I will making a similar posting to the afa-plugin page shortly, and if my changes are accepted there, then they'll be depending on this.

    Cheers,

    Neil Crow.

    1. Jun 09, 2008

      Andy Brook says:

      Fine by me! code looks ok, checked into trunk, will build as/when. cheers, andy.

      Fine by me! code looks ok, checked into trunk, will build as/when.
      cheers,
      andy.

  4. Sep 05, 2008

    Andrew Hoover Mannings says:

    Andy, I think that the code that is in the repository does not match the snapsh...

    Andy,

    I think that the code that is in the repository does not match the snapshot jar available in the page. Could you send me the sources that match with it?

    Thanks in advance,

    Andrew

    1. Sep 08, 2008

      Andy Brook says:

      Nope, trunk is up to date. the only thing you need to fixup is the property fil...

      Nope, trunk is up to date. the only thing you need to fixup is the property file. what makes you think its not up to date?

  5. Sep 30, 2008

    Michael Jositz says:

    What am I doing wrong? Try to read out with -listdc :   ..\WEB-INF\classes&...

    What am I doing wrong? Try to read out with -listdc :

     
..\WEB-INF\classes>C:\Programme\Java\jdk1.6.0_07\bin\java.exe -cp ..\lib\ldaputil-1.0.12-SNAPSHOT.jar
;..\lib\commons-logging-1.0.4.jar;..\lib\confluence-2.10-m3.jar;..\lib\atlassian-core-3.14.jar;..\lib\commons-digester-1.5.jar;..\lib\commons-collecti
ons-3.2.jar;..\lib\commons-beanutils-1.6.1.jar com.dolby.confluence.net.ldap.LDAPLookupUtil -listdc
Listing DC's:
Exception in thread "main" java.lang.NoClassDefFoundError: com/atlassian/user/util/ClassLoaderUtils
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.loadConfigFile(LDAPLookupUtil.java:204)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:184)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:132)
Caused by: java.lang.ClassNotFoundException: com.atlassian.user.util.ClassLoaderUtils
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
        ... 3 more

    1. Sep 30, 2008

      Andy Brook says:

      When did you get the snapshot? I just uploaded a shiny new one earlier today, wh...

      When did you get the snapshot? I just uploaded a shiny new one earlier today, which Im using in test (Linux) and the -listdc works ok on 2.9.1.

      Its possible there is an API bust in 2.10, will check tomorrow.

    2. Oct 01, 2008

      Andy Brook says:

      I verified the problem under Jira and just uploaded a new snapshot that should w...

      I verified the problem under Jira and just uploaded a new snapshot that should work in 2.10m3, let me know if it works for you.

      1. Oct 01, 2008

        Michael Jositz says:

        Hi Andy, tried the new snapshot, exactly the same error as above. Will try 2.9....

        Hi Andy,

        tried the new snapshot, exactly the same error as above. Will try 2.9.1 later today...

        Maybe it's Java version 1.6.0_07?

        Thank you for your great work !!!

        Oh, another try, the error changed a little bit:

        ..\WEB-INF\classes>java -cp ..\lib\ldaputil-1.0.12-SNAPSHOT.jar;..\lib\commons-logging-1.0.4.jar;..\l
ib\confluence-2.10-m3.jar;..\lib\atlassian-core-3.14.jar;..\lib\commons-digester-1.5.jar;..\lib\commons-collections-3.2.jar;..\lib\commons-beanutils-1
.6.1.jar com.dolby.confluence.net.ldap.LDAPLookupUtil -listdc
Listing DC's:
Exception in thread "main" java.lang.NoClassDefFoundError: com/atlassian/user/util/ClassLoaderUtils
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.loadConfigFile(LDAPLookupUtil.java:204)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:184)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:132)
Caused by: java.lang.ClassNotFoundException: com.atlassian.user.util.ClassLoaderUtils
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClassInternal(Unknown Source)
        ... 3 more

        1. Oct 01, 2008

          Andy Brook says:

          well, all I can think is somehow you dont have the right jar, all references to ...

          well, all I can think is somehow you dont have the right jar, all references to ClassLoaderUtils is gone. The JAR downloaded as of now (new snap new day) is exactly 40270bytes. JRE version would not cause this problem so discount that.

          1. Oct 01, 2008

            Michael Jositz says:

            Redownloaded http://svn.atlassian.com/svn/public/contrib/confluence/libraries/ld...

            Redownloaded http://svn.atlassian.com/svn/public/contrib/confluence/libraries/ldaputil/jars/ldaputil-1.0.12-SNAPSHOT.jar. It is exactly 39.252 Bytes. What am I doing wrong and what version is that? Maybe the company caches some data?!? Try it again at home!

             Crazy, tried it with Firefox, now it's the correct size. IE cached it .

            1. Oct 01, 2008

              Andy Brook says:

              yea, so now it works?

              yea, so now it works?

              1. Oct 01, 2008

                Michael Jositz says:

                Another error, but the atlassian-user.xml is definitely there. The error: 01.10...

                Another error, but the atlassian-user.xml is definitely there. The error:

                01.10.2008 16:19:25 com.dolby.confluence.net.ldap.LDAPLookupUtil loadConfigFile
INFO: loaded LDAPUTIL properties
01.10.2008 16:19:25 com.dolby.confluence.net.ldap.LDAPLookupUtil processCommonConfig
INFO: Processing common config
01.10.2008 16:19:25 com.dolby.confluence.net.ldap.atlassianuser.AUParser parse
INFO: Loading of atlassian-user.xml through ClassLoaderUtils (Confluence) failed (remember JIRA *only* supports osuser!)
01.10.2008 16:19:25 com.dolby.confluence.net.ldap.atlassianuser.AUParser parse
SCHWERWIEGEND: The atlassian-user.xml file could not be found at all.  Bug!
01.10.2008 16:19:25 com.dolby.confluence.net.ldap.atlassianuser.AUParser parse
SCHWERWIEGEND: Problem reading atlassian-user.xml file - The atlassian-user.xml file could not be found at all.  Bug!
java.io.IOException: The atlassian-user.xml file could not be found at all.  Bug!
        at com.dolby.confluence.net.ldap.atlassianuser.AUParser.parse(AUParser.java:196)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.processAtlassianUserConfig(LDAPLookupUtil.java:401)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.init(LDAPLookupUtil.java:257)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:191)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:132)
Exception in thread "main" com.dolby.confluence.net.ldap.LDAPException: Unable to process atlassian-user file, IOProblem: The atlassian-user
.xml file could not be found at all.  Bug!
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.processAtlassianUserConfig(LDAPLookupUtil.java:411)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.init(LDAPLookupUtil.java:257)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:191)
        at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:132)

                1. Oct 01, 2008

                  Andy Brook says:

                  you are running this from the classes folder? ensure that . is in the classpath....

                  you are running this from the classes folder? ensure that . is in the classpath... With now webapp container, its a simple classpath resource load...

                  Checking your post above, you haven't included '.' which is (in theory) where the script should be, and where atlassian-user.xml is.

  6. Oct 02, 2008

    Michael Jositz says:

    It worked fine eith the "." . Thank you! There ist something else, but that ...

    It worked fine eith the "." . Thank you! There ist something else, but that seems to be an internal security restriction problem:

    SCHWERWIEGEND: Naming Problem.  Unable to configure initial context: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext err
or, data 525, vece ]

    1. Oct 02, 2008

      Andy Brook says:

      first guess is that the credentials are wrong in the atlassian-user.xml/osuser.x...

      first guess is that the credentials are wrong in the atlassian-user.xml/osuser.xml file.... Also, check you updated the ldaputil.properties file to identify a known user (commented out line), and that ldaputil jar does not contain an additional ldaputil.properties! Had that fun yesterday when I released 1.0.12

  7. Oct 07, 2008

    Michael Jositz says:

    Hi Andy, it's Michael again... Have a working configuration with version 1.0.11...

    Hi Andy,

    it's Michael again... Have a working configuration with version 1.0.11 and ntlm 0.5.1 . Can't get ntlm 0.5.1 working with ldaputil version 1.0.12, the rest is unchanged, do not know why:

    Cause
javax.servlet.ServletException: Filter execution threw an exception
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:259)


caused by: java.lang.NoSuchMethodError:
com.dolby.confluence.net.ldap.LDAPLookupUtil.getDCServerName()Ljava/lang/String;
    at
com.jnj.confluence.NTLMFilter.lazyInit(NTLMFilter.java:67)



    1. Oct 07, 2008

      Andy Brook says:

      will try and setup test server this evening. the ldaputils stuff is pretty soli...

      will try and setup test server this evening. the ldaputils stuff is pretty solid (in use on Jira3.13/Confluence2.9.1), I need to get the NTLM synched up with it.

      1. Oct 07, 2008

        Michael Jositz says:

        Thank you. I wonder because the atlassian-user file is the same and there in my ...

        Thank you. I wonder because the atlassian-user file is the same and there in my opinion the DC is noted down.

        Another question: Is it possible to have NTLM login avaiable in parallel to the regular Confluence Login? Would need it here because many users here do not belong to our domain and need a normal account created in Confluence.

        1. Oct 07, 2008

          Andy Brook says:

          can we do this on the ntlm page? Also I think there was a related issue on the J...

          can we do this on the ntlm page? Also I think there was a related issue on the Jira server, have a look

          1. Oct 07, 2008

            Michael Jositz says:

            OK fine, all NTLM related things on the NTLM page .

            OK fine, all NTLM related things on the NTLM page .

  8. Oct 28, 2008

    Adam Campbell says:

    Sorry to keep bugging you but I am really striking out here.  I am trying t...

    Sorry to keep bugging you but I am really striking out here.  I am trying to run this from command line but am getting the following error.  I see that the class is in there.

    Exception in thread "main" java.lang.NoClassDefFoundError: com/dolby/confluence/
    net/ldap/LDAPLookupUtil
    Caused by: java.lang.ClassNotFoundException: com.dolby.confluence.net.ldap.LDAPL
    ookupUtil
            at java.net.URLClassLoader$1.run(Unknown Source)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    Could not find the main class: com.dolby.confluence.net.ldap.LDAPLookupUtil.  Pr
    ogram will exit.

    batch file:

     @echo off
    java -cp ..\lib\ldaputil-1.0.12-SNAPSHOT.jar:..\lib\commons-logging-1.0.4.jar:..\lib\confluence-2.9.2.jar:..\lib/atlassian-core-3.10.jar:..\lib\commons-digester-1.5.jar:..\lib\commons-collections-3.2.jar:..\lib\commons-beanutils-1.6.1.jar:. com.dolby.confluence.net.ldap.LDAPLookupUtil %1

    1. Oct 29, 2008

      Andy Brook says:

      no problem. You need to fix the batch file to include the ldaputil version you ...

      no problem. You need to fix the batch file to include the ldaputil version you are using. eg, get 1.0.13 and modify the script accordingly. Fix addditional errors by checking the versions of the named jars, and fixing as appropriate for your env.

      get 1.0.13, the windows batch would then be something like:

      java -cp ..\lib\ldaputil-1.0.13.jar:..\lib\commons-logging-1.0.4.jar:..\lib\confluence-2.9.2.jar:..\lib/atlassian-core-3.10.jar:..\lib\commons-digester-1.5.jar:..\lib\commons-collections-3.2.jar:..\lib\commons-beanutils-1.6.1.jar:. com.dolby.confluence.net.ldap.LDAPLookupUtil %1

      If running in the location in the instructions the Class will be found. then we can progress.

  9. Oct 29, 2008

    Adam Campbell says:

    I was using the .12 snapshot but I went ahead and changed it to use the .13.&nbs...

    I was using the .12 snapshot but I went ahead and changed it to use the .13.  I have verified that all my versions are correct but am still getting the same error.  Here is everything I have done according to the instructions.  Please correct me if I am doing something wrong.

    Step 1.  Changed the path in confluence-init.properties to confluence.home=E:\confluence\confluence-2.9.2-std\confluence\WEB-INF\lib  (I hope this one is right) 

    Step 2.  Unpacked ldaputil-1.0.13.jar and modified the ldaputil.properties with the proper settings, repacked the jar, and copied it to the WEB-INF\lib directory

                      ----Unpacked using winzip and repacked with the following command:



    Step 3.  Created the following batch file and copied it to \confluence\WEB-INF\classes and that is where I am running if from.

    batch file:

    @echo off
    java -cp ..\lib\ldaputil-1.0.13.jar:..\lib\commons-logging-1.0.4.jar:..\lib\confluence-2.9.2.jar:..\lib/atlassian-core-3.10.jar:..\lib\commons-digester-1.5.jar:..\lib\commons-collections-3.2.jar:..\lib\commons-beanutils-1.6.1.jar:. com.dolby.confluence.net.ldap.LDAPLookupUtil %1

    1. Oct 29, 2008

      Andy Brook says:

      Hi Adam, firstly undo step1, your confluence server will not work if you do this...

      Hi Adam,
      firstly undo step1, your confluence server will not work if you do this, no change to this file is necessary
      secondly, change all the : for ; (sorry, my bad doc).

      cheers

  10. Oct 30, 2008

    Adam Campbell says:

    Here is the error I get now.  It says it found the user wiki but ...

    Here is the error I get now.  It says it found the user wiki but then it can't do the lookup test.  If I run the confluence external ldap test, it comes back good.  Have you seen this error before?

    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil loadConfigFileINFO: loaded LDAPUTIL properties
    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processCommonConfigINFO: Processing common config
    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: Loading of atlassian-user.xml was successful
    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: atlassian-user.xml parse completed.
    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser getLdapEnvironmentsINFO: provider host: ad01
    Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processAtlassianUserConfigINFO: ldaputil referral value 'ldaputil.java.naming.referral' detected value is[null] must be in [follow|ignore|throw]
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Checking LDAP server 1/1 : ldap://ad01:389
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Creating InitialDirContext for LDAP server: ldap://ad01:389/dc=alamode,dc=com
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Context created.
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Lookup user was specified as :wiki
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails('wiki')
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: Searching for user [wiki] based on filter: (sAMAccountName=wiki)
    Oct 29, 2008 5:03:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor: (sAMAccountName=wiki)
    Oct 29, 2008 5:03:42 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processEnumINFO: aliasParserClass:com.dolby.confluence.net.ldap.LDAPUtilsActiveDirectoryEmailAliasExtractor
    Oct 29, 2008 5:03:42 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processEnumINFO: Mail alias prefixes: smtp:,SMTP:
    Oct 29, 2008 5:03:45 PM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor, returning matches: false
    Oct 29, 2008 5:03:45 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails complete, returning values: false
    Oct 29, 2008 5:03:45 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initWARNING: Non fatal - Ldap server 1/1 failed lookup test: ldap://ad01:389

    Exception in thread "main" com.dolby.confluence.net.ldap.LDAPException: LDAP Server failed verification over all availble configurations:
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.init(LDAPLookupUtil.java:344)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:203)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:134)

    1. Oct 30, 2008

      Andy Brook says:

      Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processAtl...

      Oct 29, 2008 5:03:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processAtlassianUserConfigINFO: ldaputil referral value 'ldaputil.java.naming.referral' detected value is[null] must be in [follow]

      Set this in ldaptuil.properties to 'follow' (most likely).

      Comment out all references to email alias in ldaputil as well.

      rinse and repeat

  11. Oct 30, 2008

    Adam Campbell says:

    I commented out all the references to email but am still getting the error. ...

    I commented out all the references to email but am still getting the error.  I thought it was strange that I was getting the ldaputil.naming.referral is null becasue it is set to follow.  I saw the line in the config that it might be set by djava.naming.referral.  I think this might be my issue.  I am trying to find where this should be set in confluence.  I saw this article but http://jira.atlassian.com/browse/CONF-9116&nbsp;but when I ran "java -D java.naming.referral=follow as it suggests I got another exception!  Thanks again for all your help!

    config:

    ldaputil.java.naming.referral=follow

     log:

    Oct 30, 2008 9:51:48 AM com.dolby.confluence.net.ldap.LDAPLookupUtil loadConfigFileINFO: loaded LDAPUTIL properties
    Oct 30, 2008 9:51:48 AM com.dolby.confluence.net.ldap.LDAPLookupUtil processCommonConfigINFO: Processing common config
    Oct 30, 2008 9:51:49 AM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: Loading of atlassian-user.xml was successful
    Oct 30, 2008 9:51:49 AM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: atlassian-user.xml parse completed.
    Oct 30, 2008 9:51:49 AM com.dolby.confluence.net.ldap.atlassianuser.AUParser getLdapEnvironmentsINFO: provider host: ad01
    Oct 30, 2008 9:51:49 AM com.dolby.confluence.net.ldap.LDAPLookupUtil processAtlassianUserConfigINFO: ldaputil referral value 'ldaputil.java.naming.referral' detected value is[null] must be in [follow|ignore|throw]
    Oct 30, 2008 9:51:50 AM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Checking LDAP server 1/1 : ldap://ad01:389
    Oct 30, 2008 9:51:50 AM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Creating InitialDirContext for LDAP server: ldap://ad01:389/dc=alamode,dc=com
    Oct 30, 2008 9:51:50 AM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Context created.
    Oct 30, 2008 9:51:50 AM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Lookup user was specified as :wiki
    Oct 30, 2008 9:51:51 AM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails('wiki')
    Oct 30, 2008 9:51:51 AM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: Searching for user [wiki] based on filter: (sAMAccountName=wiki)
    Oct 30, 2008 9:51:51 AM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor: (sAMAccountName=wiki)
    Oct 30, 2008 9:51:54 AM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor, returning matches: false
    Oct 30, 2008 9:51:55 AM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails complete, returning values: false
    Oct 30, 2008 9:51:55 AM com.dolby.confluence.net.ldap.LDAPLookupUtil initWARNING: Non fatal - Ldap server 1/1 failed lookup test: ldap://ad01:389

    Exception in thread "main" com.dolby.confluence.net.ldap.LDAPException: LDAP Server failed verification over all availble configurations:
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.init(LDAPLookupUtil.java:344)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:203)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:134)

    Error I got when running java command:  (and i have tried the command with and without quotes/spaces)

     E:\confluence\confluence-2.9.2-std\confluence\WEB-INF\classes>java -D java.nam
    g.referral=follow

    Exception in thread "main" java.lang.NoClassDefFoundError: java/naming/referra
    follow
    Caused by: java.lang.ClassNotFoundException: java.naming.referral=follow
            at java.net.URLClassLoader$1.run(Unknown Source)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    Could not find the main class: java.naming.referral=follow.  Program will exit

    1. Oct 30, 2008

      Andy Brook says:

      1. You must not have spaces between the -D and the property=value (issue listed ...

      1. You must not have spaces between the -D and the property=value (issue listed was not a good example )
      2. In the second stack you forgot the classpath and the target class, the stack is not useful.
      3. You will find later (when you get to ntlm) that you must use the FQDN of the ad server, an alias or shortcut will not do, if its just for pasting here, fair enough.
      4. If you use "-Datlassian.java.naming.referral=follow" this will be picked up (should be picked up) by ldaputils as it expects to run in an atlassian environment. If its missing, the ldaputil.properties entry should then be used.

      • Just checked , the null reference was a bug, it printed the wrong value (but isnt in itself 'bad', its just for info).

  12. Oct 30, 2008

    Adam Campbell says:

    If that was just a bug and it is returning the correct value, any idea why I am ...

    If that was just a bug and it is returning the correct value, any idea why I am still getting this then?  What is it trying to do at this stage in the code?  It makes the connection to the AD server, sees the user, then bombs.  

    btw.  I have updated it to use the FQDN.

    Oct 30, 2008 12:10:38 PM com.dolby.confluence.net.ldap.LDAPLookupUtil loadConfigFileINFO: loaded LDAPUTIL properties
    Oct 30, 2008 12:10:38 PM com.dolby.confluence.net.ldap.LDAPLookupUtil processCommonConfigINFO: Processing common config
    Oct 30, 2008 12:10:39 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: Loading of atlassian-user.xml was successful
    Oct 30, 2008 12:10:39 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser parseINFO: atlassian-user.xml parse completed.
    Oct 30, 2008 12:10:39 PM com.dolby.confluence.net.ldap.atlassianuser.AUParser getLdapEnvironmentsINFO: provider host: ad01.alamode.com
    Oct 30, 2008 12:10:39 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Checking LDAP server 1/1 : ldap://ad01.alamode.com:389
    Oct 30, 2008 12:10:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Creating InitialDirContext for LDAP server: ldap://ad01.alamode.com:389/dc=alamode,dc=com
    Oct 30, 2008 12:10:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil createInitialContextINFO: Context created.
    Oct 30, 2008 12:10:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initINFO: Lookup user was specified as :wiki
    Oct 30, 2008 12:10:40 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails('wiki')
    Oct 30, 2008 12:10:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: Searching for user [wiki] based on filter: (sAMAccountName=wiki)
    Oct 30, 2008 12:10:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor: (sAMAccountName=wiki)
    Oct 30, 2008 12:10:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil searchForINFO: searchFor, returning matches: false
    Oct 30, 2008 12:10:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil getUserDetailsINFO: getUserDetails complete, returning values: false
    Oct 30, 2008 12:10:41 PM com.dolby.confluence.net.ldap.LDAPLookupUtil initWARNING: Non fatal - Ldap server 1/1 failed lookup test: ldap://ad01.alamode.com:389

    Exception in thread "main" com.dolby.confluence.net.ldap.LDAPException: LDAP Server failed verification over all availble configurations:
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.init(LDAPLookupUtil.java:344)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.<init>(LDAPLookupUtil.java:203)
            at com.dolby.confluence.net.ldap.LDAPLookupUtil.main(LDAPLookupUtil.java:134)

    1. Oct 30, 2008

      Andy Brook says:

      it means it cannot find a User with a sAMACcountName value of 'wiki'. Go get th...

      it means it cannot find a User with a sAMACcountName value of 'wiki'. Go get the softerra ldap browser tool, find the user, check the field and value.

  13. Oct 30, 2008

    Adam Campbell says:

    Everything according to the browser matches up.  I know I have to be g...

    Everything according to the browser matches up.  I know I have to be getting annoying by now but do you have debug version or something I can run because I just don't see where the error could be.  
     

    1. Oct 30, 2008

      Andy Brook says:

      well you could turn on debugging as described at the top of the page... several...

      well you could turn on debugging as described at the top of the page...

      several things come in to play, including the 'filter' in ldaputil.properties (try commenting to to broaden matches)...

  14. Oct 30, 2008

    Adam Campbell says:

    Figured it out!  The user has to have a vaild email account set up.&nbs...

    Figured it out!  The user has to have a vaild email account set up.  Since this was just a resource account I didnt create an email. Created the email account and it worked like a charm.  On to NTLM! 

    1. Nov 01, 2008

      Andy Brook says:

      mm, email shouldn't be mandatory for connectivity check, think it was a bug in o...

      mm, email shouldn't be mandatory for connectivity check, think it was a bug in outputting details, should be fixed in next ver

  15. Nov 05, 2008

    Andy Brook says:

    1.0.14-SNAP has a config file property 'ldaputil.providerFilenameOverride' allow...

    1.0.14-SNAP has a config file property 'ldaputil.providerFilenameOverride' allowing predefined config files to be overridden. This means it can be used in situations where the osuser.xml and atlassian-user.xml files don't contain necessary information (eg you are using CROWD), or you need to provide more (eg with NTLM where all Domain Controllers need to be specified).

  16. Jan 05

    Milkman says:

    First of all, thanks for the awsome module, it's exactly what we need! One m...

    First of all, thanks for the awsome module, it's exactly what we need! One minor issue though, can't make full name format First+" "+Last. Setting ldaputil.ldap.fullNameFormat=1 in ldaputils.properties doesn't help.

    1. Jan 13

      Andy Brook says:

      turn on debug logging as described at top of page, create a jira ticket with the...

      turn on debug logging as described at top of page, create a jira ticket with the log and Ill see whats going on.

  17. Jan 12

    Adam Campbell says:

    Do you have any tips on speeding up the query process?  If I run the ldaput...

    Do you have any tips on speeding up the query process?  If I run the ldaputil from a batch file everything goes through successfully with no errors but when it hits the search query, it pauses for about 2 minutes.  If I run the exact same search query from JXplorer it comes through instantly.  I did run a wireshark and did see quite a bit more chatter when running the ldaputil as opposed to the JXplorer.

    1. Jan 13

      Andy Brook says:

      If the ldap lookups are slow its usually configuration, each use sets up an ldap...

      If the ldap lookups are slow its usually configuration, each use sets up an ldap connection which takes maybe 3S, then query time, usually, works within a few seconds.

      Make sure referral is set to follow. The querying is pretty simple, How many users are in your system? are you starting 'at the top' eg DC=this,DC=that or are you looking specifically in a subtree for users? compare your config entered in JXplorer and osuser/atlassian-user.

      Failing that, turn debugging on, create a jira ticket, add the log and a sanitised osuser/atlassian-user file for me to look at.

      cheers,

  18. Jan 13

    Adam Campbell says:

    Well I checked my settings and didn't see anything out of the ordinary so I have...

    Well I checked my settings and didn't see anything out of the ordinary so I have submitted a JIRA ticket.  As always, thanks for the help and keep up the good work!  

  19. Jan 21

    Adam Campbell says:

    Hey Andy I know your busy but have you had a chance to check this out my issue y...

    Hey Andy I know your busy but have you had a chance to check this out my issue yet?

  20. Feb 16

    Vidar Kongsli says:

    I have set up Confluence 2.8 to use NTLM, but it fails for some users. Some user...

    I have set up Confluence 2.8 to use NTLM, but it fails for some users. Some users are able to log in, while some users cannot and cause various error messages in the log:

    1. doFilter NTLM: detected password hash mismatch
    2. doNTLM login failure detail: Access is denied

    Concerning 1) above, it is suggested that alternative DCs should be listed. Is guess this can be achieved with the ldaputil.ldap.dclistFilterExpression parameter. However, I am not able to figure out how the filter for DCs should look like. Could you provide some examples?

    Concerning 2) above, what could be the cause of users getting this error message?

    Thanks.

    1. Feb 16

      Andy Brook says:

      Hi Vidar, 1) In order to try out this feature, you need to copy the atlassian-u...

      Hi Vidar,
      1) In order to try out this feature, you need to copy the atlassian-user.xml file to say 'ntlm-atlassian-user.xml', duplicate the ldap entries, ensuring the keys are unique, and add all your DC's. I have to see though that this stuff is very sketchy. My env doesn't have the problem so I can't test, just guess. You will need to identify the alternate file from within ldaputil.properties, key: ldaputil.providerFilenameOverride, we have to do this as mulitple DC's in the core atlassian-user.xml file causes Confluence to multiply list users in people browser, for starters.
      2) NTLM fails because the password hash that the user provides to the NTLM filter does not match what Confluence retrieves from the given DC (hence my attempt to use alternate DC's that may match).

      Id be interested to know if this solves the problem. There are going to be known performance limitations of this approach though. If it works, perhaps they can be reduced somewhat.

      1. Feb 16

        Vidar Kongsli says:

        Hi Andy Thanks for the reply. I will try your suggestion, but I am just wonderi...

        Hi Andy

        Thanks for the reply. I will try your suggestion, but I am just wondering if this actually would fix the issue. I mean, is it a real scenario that the hash would be different on different DCs? What could cause such a problem?

        1. Feb 16

          Andy Brook says:

          This is the unknown, one scenario is credential change replication: a user does ...

          This is the unknown, one scenario is credential change replication: a user does something as simple as changing their network password, against their local office DC. At HQ, it has yet to get that change - bing, instance hash mismatch.... Even without NTLM this is a problem.

      2. Feb 18

        Vidar Kongsli says:

        So, I tried to update my config like so: - the atlassian-user.xml contains ...

        So, I tried to update my config like so:

        - the atlassian-user.xml contains one reference key="ldapRepository" which points to my AD domain (e.g. foo.com)

        - ntlm.atlassian-user.xml contains two references, key="DC01" and key="DC02" which both points to DC IP addresses

        - ldaputil.providerFilenameOverride=ntlm.atlassian-user.xml

        Still, this change does not seem to kick in. The log still tells me that "...wrong DC so need to check next configured in atlassian-user/osuser...".

        What did I miss?

        1. Feb 18

          Andy Brook says:

          Maybe more DC's need adding. I have to say this is very experimental, as I cann...

          Maybe more DC's need adding. I have to say this is very experimental, as I cannot reproduce the problem Im working blind, You should see in the logs, each DC listed in the 'override' flie being attempted. The fact its still failing for you may mean more DC's need adding or the approach Ive taken is incorrect. Raise an issue in the ntlm project, providing as much infromation about Domain/DC makeup as possible - I hope to get some time for NTLM at the weekend.

  21. Apr 06

    Tobias Anstett says:

    Hi Andy, I just wanted to give you an update on the Jira LDAP User Utility. I r...

    Hi Andy,

    I just wanted to give you an update on the Jira LDAP User Utility. I refactored the plugin to work with Jira 3.13 and use your LDAP Utility library (1.0.16) with the changes you integrated for my plugin (btw Thanks to you and Neil Crow).

    Cheers,
    Tobias