
LDAP: error code 50

bparis
Champ in-the-making
Hi,

If you need to authenticate against an LDAP server in the situation where the uid is not in the DN, Alfresco will search for the DN, making a query filtered with (&(objectclass=inetOrgPerson)(uid=entered_username))

To make this query succeed, your LDAP server has to permit the "principal" user in Alfresco to query ALL attributes. In a welldown LDAP environment, only the attributes you really need should be available, so you get

javax.naming.NoPermissionException: [LDAP: error code 50 - Search not permitted for any attribute]; remaining name 'o=organization, c=be'

I think the code in LDAPUserRegistry.java should be modified to avoid this:

line 874 in method resolveDistinguishedName(String userId)

        userSearchCtls.setReturningAttributes(new String[] {});

should be replaced with

        userSearchCtls.setReturningAttributes(new String[] {"uid"});

Bernard
6 REPLIES

dward
Champ on-the-rise
userSearchCtls.setReturningAttributes(new String[] {});

states that we don't want any attributes in our search result. We don't need the uid - we already have it.

bparis
Champ in-the-making
I know we already have the uid… The idea is simply to ask for an attribute we can read (any one, but uid is certainly readable) instead of ALL attributes.

I just tested that we could even simply comment out the line
userSearchCtls.setReturningAttributes(new String[] {});

to avoid the LDAP -50 error

B

dward
Champ on-the-rise
The javadoc for SearchControls says this


    /**
     * Specifies the attributes that will be returned as part of the search.
     *<p>
     * null indicates that all attributes will be returned.
     * An empty array indicates no attributes are returned.
     *
     * @param attrs An array of attribute ids identifying the attributes that
     *           will be returned. Can be null.
     * @see #getReturningAttributes
     */

What LDAP server are you using?

bparis
Champ in-the-making
Well, … strange!

Our server is Sun Directory Server (version 5.2p6)

b

dward
Champ on-the-rise
Well it looks like maybe the bug is in Sun Directory Server. But if your workaround helps us interoperate better with it we should probably add it. I don't see how it could break other directory servers. I have logged http://issues.alfresco.com/jira/browse/ALF-3868 .

bparis
Champ in-the-making
From strange to very strange:

doing this
userSearchCtls.setReturningAttributes(null);

makes the search successful!

b
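
The DN lookup discussed in this thread, as an added example (not Alfresco's code and not written by either poster): a hypothetical `resolveDn` helper that requests only `uid`, as proposed in the first post, and passes the entered username as a JNDI filter argument so it is escaped before it reaches the filter. The class name, the `LDAP_BIND_DN` / `LDAP_BIND_PW` environment variables and the command-line arguments are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class ResolveDn {
    // Hypothetical helper for illustration; not Alfresco's resolveDistinguishedName().
    static String resolveDn(DirContext ctx, String base, String userId) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // new String[] {} = return no attributes, null = return all attributes.
        // Naming one attribute the bind user may read keeps the request narrow.
        ctls.setReturningAttributes(new String[] {"uid"});
        NamingEnumeration<SearchResult> results = null;
        try {
            // {0} is filled from the argument array with LDAP filter escaping applied,
            // so characters such as * ( ) \ in userId cannot alter the filter.
            results = ctx.search(base, "(&(objectclass=inetOrgPerson)(uid={0}))",
                    new Object[] {userId}, ctls);
            if (!results.hasMore()) return null;            // unknown user
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) throw new NamingException("uid is not unique: " + userId);
            return dn;
        } catch (NoPermissionException e) {
            // LDAP result code 50 (insufficientAccessRights) surfaces here.
            throw new NamingException("Bind user may not search " + base + ": " + e.getMessage());
        } finally {
            if (results != null) results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Assumed inputs: args[0] = ldap:// URL, args[1] = search base, args[2] = uid.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, System.getenv("LDAP_BIND_DN"));
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        DirContext ctx = new InitialDirContext(env);
        System.out.println(resolveDn(ctx, args[1], args[2]));
        ctx.close();
    }
}
```

With this shape the directory ACL only has to grant the bind user search and read on `uid` under the search base, rather than on every attribute.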