Hello,
we have an old ARIS 7.2 Business Publisher Server with LDAP authentication. It was working fine. Now I have to update it to LDAPS because of a future Windows update (only LDAPS on Domain Controllers). Therefore I changed two settings in the "webappserver.cfg".
old
<ldapproviderurl value="ldap://x.x.x.x:389"/>
<ldapsecurityauthentication value="simple"/>
new
<ldapproviderurl value="ldaps://x.x.x.x:636"/>
<ldapsecurityauthentication value="ssl"/>
But authentication is not working anymore. Message:
"Login was not successful. Please give in correct user name and password."
Any tips?
Thanks and regards,
Michi
Hi Michaela,
Did you restart the Publisher?
If you manage users via an LDAP system, authentication is performed using this system. To map LDAP user groups to ARIS user groups, you need to customize the configuration file.
Procedure
1. Open ..\BPServer\tomcat\webapps\businesspublisher\config\webappserver.cfg
and specify the required <ldap> settings.
2. Restart ARIS Business Publisher Server
BR
AO
Hi Michaela
Please double-check these files again to see all LDAP settings.
Checking webappserver.cfg for selected login type
BPServer\tomcat\webapps\businesspublisher\config\webappserver.cfg and find
<LoginModuleSection value="UMCLogin"/>
<!-- ldapproviderurl specifies the LDAP server´s URL -->
<!-- this is the main setting for LDAP-support. If an LDAP-Server is used, this setting must -->
<!-- contain the URL. If LDAP is not being used, this setting MUST be empty (""). -->
<ldapproviderurl value="ldaps://xxxxxx:389"/>
<ldapdefaultaccount value="CN=Administrator,CN=Users,DC=XX,DC=XX,DC=XX" />
<ldapdefaultpwd value="password" /> PLACE YOUR PW here
<usersearchpath value="OU=XXX-Users,DC=XXX,DC=xxx,DC=XXX"/>
<groupsearchpath value="OU=XXX-HC,OU=Security Group,DC=XXX,DC=XXXX,DC=XX"/>
The LoginModuleSection value = UMC and also check this file:
umcconfig.cfg
If you still have issues, open the Log files to get more details about what is going on...
\businesspublisher\log\externalSystems\ldap-7.XXXX.log
\businesspublisher\log\
\businesspublisher\log\core\issues\
In these folders you will find the log 'bpErrorxxxxx.log' with more details, which you can post here.
The configuration is also described in quick_start_guide_aris_bpub_s.pdf, available on the DVD.
BR
AO
Hello André,
here are my settings:
<!-- LoginModuleSection is the section in the JAAS-configuration-file (BPLogin.cfg by default), -->
<!-- which is used for the login process. The configuration-file can contain several sections. -->
<!-- This setting chooses the active one. The other ones are being ignored. -->
<!-- The file originally contains 2 sections: -->
<!-- - NativeLogin uses only BP´s own login mechanism. -->
<!-- - BPLogin uses BP´s own login mechanism only for "root" and anonymous and LDAP for others. -->
<!-- (It is possible to alter the login process by additional login modules and/or configuration sections.) -->
<!-- If the selected module contains the class ABPLdapLogin, the other settings in this <ldap>- -->
<!-- section must be properly specified. If only the class ABPNativeLogin is used, -->
<!-- the other settings in this section are ignored, but ldapproviderurl MUST be "" in this case. -->
<LoginModuleSection value="BPLogin"/>
<!-- LoginModuleSection value="NativeLogin"/> -->
<ldapproviderurl value="ldaps://10.0.3.6:636"/>
<ldapdefaultaccount value="CN=ldap-aris,OU=Benutzer,OU=EDV,OU=Verwaltung,DC=whu,DC=edu"/> is correct
<ldapdefaultpwd value="XXXX"/> is correct
<usersearchpath value="DC=whu,DC=edu"/>
<groupsearchpath value="DC=whu,DC=edu"/>
*****
But I saw a hint in the \businesspublisher\log\externalSystems\ldap-7.XXXX.log
Exception from 'ldaps://10.0.3.6:636'.
javax.naming.CommunicationException: simple bind failed: 10.0.3.6:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
*****
We are using a wildcard certificate for our domain. I think I will have to put it somewhere on the BPSERVER. But I don't find any instructions in the PDF. Can you help me?
Thanks and regards,
Michi
Hi Michi
The exception you see means that the Sun JRE does not accept the certificate (e.g. it is a self-signed one or from a non-trusted CA).
There are two ways to solve this:
1) Use a certificate signed by a CA with the correct computername
2) Install the self-signed CA on each client's Java. This means you need to modify the cacerts file of the Java JRE used by each client installation.
Please refer to the 'installation_administration_guide.pdf' on the DVD for details on how to provide the certificate.
One suggestion: you could test whether ARIS works fine using SSL before looking at the ABP side.
BR
AO