https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225563#M178693 <HTML><HEAD></HEAD><BODY><SPAN>Hi,</SPAN><BR /><BR /><SPAN>if you need to authenticate against an ldap server in the situation where the uid is not in the DN, alfresco will search the DN making a query filterde with (&amp;(objectclass=inetOrgPerson)(uid=entered_username))</SPAN><BR /><BR /><SPAN>To make this query succeeding, your ldap server has to permit the "principal" user in alfresco to query ALL attributes.&nbsp; In a welldown ldap environment, only the attributes you really need should be available, so you get </SPAN><BR /><BR /><SPAN>javax.naming.NoPermissionException: [LDAP: error code 50 - Search not permitted for any attribute]; remaining name 'o=organization, c=be' </SPAN><BR /><BR /><SPAN>i think the code in LDAPUserRegistry.java should be modify to avoid this:</SPAN><BR /><BR /><SPAN>line 874 in method resolveDistinguishedName(String userId)</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; userSearchCtls.setReturningAttributes(new String[] {});</SPAN><BR /><BR /><SPAN>should replaced with</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; userSearchCtls.setReturningAttributes(new String[] {"uid"});</SPAN><BR /><BR /><SPAN>Bernard</SPAN></BODY></HTML> Wed, 14 Jul 2010 08:34:31 GMT bparis 2010-07-14T08:34:31Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225563#M178693 Hi,if you need to authenticate against an ldap server in the situation where the uid is not in the DN, alfresco will search the DN making a query filterde with (&amp;(objectclass=inetOrgPerson)(uid=entered_username))To make this query succeeding, your ldap server has to permit the "principal" user i Wed, 14 Jul 2010 08:34:31 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225563#M178693 bparis 2010-07-14T08:34:31Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225564#M178694 <HTML><HEAD></HEAD><BODY><SPAN>userSearchCtls.setReturningAttributes(new String[] {});</SPAN><BR /><BR /><SPAN>states that we don't want any attributes in our search result. We don't need the uid - we already have it.</SPAN></BODY></HTML> Wed, 14 Jul 2010 09:18:17 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225564#M178694 dward 2010-07-14T09:18:17Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225565#M178695 <HTML><HEAD></HEAD><BODY><SPAN>I know we already have the uid….&nbsp; the idea is simply to ask an attribute we can read (anyone, but uid is certainly readable) instead of ALL attributes.</SPAN><BR /><BR /><SPAN>I just tested that we even could simply comment out the line </SPAN><BR /><SPAN>userSearchCtls.setReturningAttributes(new String[] {});</SPAN><BR /><BR /><SPAN>to avoid the ldap -50 error</SPAN><BR /><BR /><SPAN>B</SPAN></BODY></HTML> Wed, 14 Jul 2010 09:34:23 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225565#M178695 bparis 2010-07-14T09:34:23Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225566#M178696 <HTML><HEAD></HEAD><BODY><SPAN>The javadoc for SearchControls says this</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp; /**<BR />&nbsp;&nbsp;&nbsp;&nbsp; * Specifies the attributes that will be returned as part of the search.<BR />&nbsp;&nbsp;&nbsp;&nbsp; *&lt;p&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp; * null indicates that all attributes will be returned.<BR />&nbsp;&nbsp;&nbsp;&nbsp; * An empty array indicates no attributes are returned.<BR />&nbsp;&nbsp;&nbsp;&nbsp; *<BR />&nbsp;&nbsp;&nbsp;&nbsp; * @param attrs An array of attribute ids identifying the attributes that<BR />&nbsp;&nbsp;&nbsp;&nbsp; * &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; will be returned. Can be null.<BR />&nbsp;&nbsp;&nbsp;&nbsp; * @see #getReturningAttributes<BR />&nbsp;&nbsp;&nbsp;&nbsp; */<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>What LDAP server are you using?</SPAN></BODY></HTML> Wed, 14 Jul 2010 13:01:46 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225566#M178696 dward 2010-07-14T13:01:46Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225567#M178697 <HTML><HEAD></HEAD><BODY><SPAN>well, … strange !</SPAN><BR /><BR /><SPAN>Our server is Sun Directory Server (version 5.2p6) </SPAN><BR /><BR /><SPAN>b</SPAN></BODY></HTML> Wed, 14 Jul 2010 13:20:16 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225567#M178697 bparis 2010-07-14T13:20:16Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225568#M178698 <HTML><HEAD></HEAD><BODY><SPAN>Well it looks like maybe the bug is in Sun Directory Server. But if your workaround helps us interoperate better with it we should probably add it. I don't see how it could break other directory servers. I have logged </SPAN><A href="http://issues.alfresco.com/jira/browse/ALF-3868" rel="nofollow noopener noreferrer">http://issues.alfresco.com/jira/browse/ALF-3868</A><SPAN> .</SPAN></BODY></HTML> Wed, 14 Jul 2010 14:17:37 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225568#M178698 dward 2010-07-14T14:17:37Z https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225569#M178699 <HTML><HEAD></HEAD><BODY><SPAN>from strange to very strange:</SPAN><BR /><BR /><SPAN>doing this</SPAN><BR /><SPAN>userSearchCtls.setReturningAttributes(null);</SPAN><BR /><BR /><SPAN>makes the search successfull !</SPAN><BR /><BR /><SPAN>b</SPAN></BODY></HTML> Wed, 14 Jul 2010 15:06:17 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-error-code-50/m-p/225569#M178699 bparis 2010-07-14T15:06:17Z