Posts in Category "LDAP"

LDAP: error code 12 – Unavailable Critical Extension

The issue LDAP: error code 12 – Unavailable Critical Extension commonly occurs when asking an LDAP Server to return paged results but the LDAP doesn’t support the PagedResultsControl extension.

  • SunOne 5.2 and 6.3 don’t support PagedResultsControl extension.
  • Active Directory and other LDAP servers support PagedResultsControl extension.

Working of pagination during LiveCycle sync from an LDAP server
In LiveCycle, users and groups are synched from an LDAP server in batches of 200.
When the results returned from an LDAP server is >= 200, then an AutoDetectionLogic is automatically enabled.
This AutoDetectionLogic seeing that the LDAP server is SunOne, automatically disables paging.
This AutoDetectionLogic seeing that the LDAP server is AD or non-SunOne, automatically enables paging.

There have been cases where an Enterprise has a proxy server in between which acts as Active Directory but the ultimate LDAP server running behind is SunOne.
In such a scenario, the AutoDetectionLogic is forced to enable paging because of the proxy server acting as Active Directory.
Hence, when the communication ultimately happens with SunOne, we get the error and sync fails.

In such a scenario, the AutoDetecitonLogic has to be turned off so that LiveCycle doesn’t send any pagination requests.
One should follow the steps mentioned below to disable paging permanently.

  • Login to AdminUI with administrator credentials.
  • Navigate to Home > Settings > User Management > Configuration > Manual Configuration
  • Export the config.xml to file system.
  • Look for the tag entries starting with <entry key=”enablePaging” value=”…
  • This entry is present under nodes named LDAPUserConfig and LDAPGroupConfig for a particular Enterprise or Hybrid domain.
  • By default the entry is <entry key=”enablePaging” value=”true”/>
  • When using SunOne as LDAP, this entry should be modified to <entry key=”enablePaging” value=”false”/>
  • Save the config.xml and import it back to LiveCycle.
  • No restart of the Application server required.

LifeCycle of LiveCycle Domain Synchronization

A LiveCycle Enterprise Domain is synchronized with users and groups from an external entity.
The external entity can be either of the following,

  • Custom SPI – Custom Service Provider Interface allows one to connect to a external system other than LDAP for fetching users to LiveCycle.
    One can create a Custom SPI by implementing DirectoryUserProvider and DirectoryGroupProvider Interfaces.
    The following document details step by step procedure for creating a Directory Provider,
  • LDAP – Integrating an LDAP with an Enterprise Domain is very clearly detailed in this blog,
    As of LiveCycle ES3, following LDAP servers are supported,

    • Sun ONE 5.2
    • Sun ONE 6.3
    • Microsoft Active Directory 2003
    • Microsoft Active Directory 2008
    • IBM Tivoli Directory Server 6.0
    • Novell eDirectory 8.7.3
    • Lotus Domino v8.x
    • ADAM 1.1.3790.2075
    • OpenLDAP 2.3.43-12.el5_5.3.i386

I’ll talk about the following related to Domain Synchronization,

Working of Domain Synchronization with an LDAP Server

An Enterprise Domain registered with an LDAP server works in 3 steps during a sync,

  • Syncrhonize Users from LDAP
  • Syncrhonize Groups from LDAP
  • Syncrhonize Group Members from LDAP

Let’s take an example where an Enterprise Domain is registered with a Microsoft Active Directory with following specifications,

  • UniqueId for both Users and Groups is set to ObjectGUID.
  • Batch size is by default set to 200, which means that the Users, Groups, Group Members will be fetched from an LDAP in a batch of 200.
  • Let’s consider some test Users from the Active Directory LDAP,
    User 1
    dn: CN=foo,CN=users,DC=example,DC=com
    sAMAccountName: foo
    memberOf: CN=baz,CN=Users,DC=example,DC=com
    objectGUID: 1
    User 2
    dn: CN=bar,CN=users,DC=example,DC=com
    sAMAccountName: bar
    memberOf: CN=baz,CN=Users,DC=example,DC=com
    objectGUID: 2

In an Active Directory LDAP server, the ObjectGUID field is a binary field.
For simplicity sake I’m using it as numeric field.

The user synchronization phase in this example, involves the following steps:

  • Fetch 200 users (configurable batch size via editing config.xml) from LDAP.
  • Determine the value for the unique identifier for each user.
  • Look for a record in LiveCycle user table where the canonicalName matches with the user’s unique identifier.
    • Case A – If the record exists then update the user properties.
    • Case B – If the record does not exist then create a new user record.
    • Case C – If the record exists in LiveCycle Db but marked Obsolete, then mangle the userID of the previous record and continue creating the new record.
  • Once all the users have been fetched, the users present in LiveCycle Db but not modified in the current synch cycle are marked OBSOLETE.

A similar logic is used in the group synchronization phase.
Group membership phase comes into picture only if both the User and Groups synchronization for a Domain are enabled.
Group Membership links the synched User and Group on behalf of the Membership at the LDAP end between both the principals.

UniqueId used in LDAP Synchronization

In the synchronization process, the unique identifier attribute for users and groups plays a very important role.
It serves as the key attribute for helping migrate Principals registered with one LDAP to another.
This LDAP attribute used as UniqueId should fulfill the following requirements in the LiveCycle database,

  • Unique – The identifier should be unique across the whole user/group repository.
  • Immutable – It does not change for a given user/group.
  • Not recycled – The identifier once assigned to a user/group is never reused.

The following LDAP attributes are not a good candidate for a unique identifier:

  • distinguishedName
    For example, consider that a user’s distinguished name (dn) CN=foo, ou=finance, DC=bar,DC=com is used as the unique identifier.
    In this case, if foo moves to different department, then the dn will change.
  • loginId
    A user’s login ID (samAccountName in Active Directory and uid in SunOne) are sometime recycled when an old user leaves and the new user with the same name arrives.
    In this case, the new user is given the same userId.
  • email
    Email is fairly a good candidate. However, it might cause some issues when the emails are recycled or modified.

Therefore, the synchronization logic by default, uses the following LDAP attributes for different LDAP server,

  • objectGUID – for Microsoft Active Directory
  • objectGUID – for ADAM
  • nsuniqueId – for SunOne
  • guid – Novell eDirectory
  • dominoUNID – Lotus Domino
  • ibm-entryuuid – IBM Tivoli

However, these attributes can be replaced with any other attribute of LDAP which fulfills the above mentioned requirements.

User Indentity in LiveCycle

The user identity of a user in LiveCycle is governed by the following rules.
In a LiveCycle domain,

  • A user’s loginid (edcprincipaluserentity.uidstring) is unique but with respect to it’s own domain, i.e. same userId can co-exist in another domain.
  • A user’s canonicalName (edcprincipalentity.canonicalname) is unique  but with respect to it’s own domain, i.e. same canonicalName can co-exist in another domain.
  • Each user and group is assigned an oid (, which is used to refer the user by other systems in LiveCycle.
    It’s unique across all domains.
    Therefore, a process refers to a user using its Oid.
  • A user can be uniquely referred using:
    • User’s LiveCycle DomainName and LoginId
    • User’s LiveCycle DomainName and CanonicalName
    • User’s Oid

Unique Identifier Migration

There are times when an Enterprise needs to migrate it’s users to another LDAP, or let say an Enterprise may have multiple LDAP servers but now wants to consolidate the principals in a single domain.
In broader sense the migration works as follows,

  • Modify the unique identifiers from old one to new ones according to the new LDAP server.
  • The next Synchronization detects that the unique identifier has changed. Therefore, the Synchronization logic is modified.
  • Fetch 200 users from LDAP.
  • For each user, determine the value for the old unique identifier.
  • Look for a record in LiveCycle user table, where the record’s canonicalName matches with the old unique identifier.
    • Case A – If the record exists, update the user properties and the canonicalName.
    • Case B – If the record does not exist, create a new user record with the new canonicalName.
  • Once all the users are fetched, find all the users who have not been modified in the current cycle, and mark them OBSOLETE.
  • In the end, the canonicalName (unique identifier) for all users is changed to the new Unique Id.
  • Ensure that during this Synchronization process, the value for old unique identifier is not changed at the Old LDAP’s end.

Scenario 1

An Enterprise has configured an LDAP DirectoryProvider in LiveCycle, which uses email as the unique identifier.
Due to various reasons mentioned above, an Enterprise may want to move to objectGUID, whereas other details, such as the LDAP server, domain, and so on, remain unchanged.
In this case, after the unique identifier has been changed, the canonical name for all active Users will be migrated to the new one.

Scenario 2

An Enterprise has configured a SunOne LDAP DirectoryProvider, which uses nsuniqueId as the unique identifier.
As a part of an IT exercise all the users at the LDAP end have migrated from SunOne to Active Directory.
This means that all the LiveCycle Users that are a part of the Enterprise Domain registered with Sunone will have to migrate to Active Directory.
Strict care has to be taken to preserve the User’s Identity in such a way that the said User’s work doesn’t get affected.

  • LDAP1 – Old LDAP server, SunOne
  • LDAP2 – New LDAP server, Active Directory

The user accounts will be migrated from LDAP1 to LDAP2.
While doing this, a user account will be active only in one of the LDAP servers.
After the migration, it will be marked inactive in the other one.
As UniqueId will be different between LDAP1 and LDAP2, one needs to change the unique identifier in a way that the user identity is maintained.
i.e. the user identity should be federated between both the LDAPs based on a particular attribute which can also serve as the uniqueId during migration.

The following steps need to be performed to conclude a successful migration,

  • In the Directory Provider configured with LDAP1, change the unique identifier from nsuniqueId to uid.
    It assumes that the value for uid(from SunOne) and samAccountName(from Active Directory) remains same between LDAP1 and LDAP2.
  • Run the Synchronization. It will change the unique identifier from nsuniqueId to uid, and thereby update the canonicalName for the Users in LiveCycle database.
  • During the migration, LDAP1 will have users disabled while the same users will be in active in LDAP2.
    Now, one needs to configure LDAP2 as the new Directory Provider in the same LiveCycle domain with unique identifier set to samAcccountName.
    For example, the user Bob is disabled in LDAP1 and enabled in LDAP2.
    In this case, when the Synchronization runs,

    • It fetches the user Bob from LDAP1, which is inactive, and therefore will be disabled.
    • It fetches the users Bob from LDAP2, which is active. Its unique identifier will be used to look up the user Bob in LiveCycle database.The record will be found (from the Synchronization by LDAP1) and updated.
  • After migration is complete, the new Directory Provider can switch to the commonly used uniuqeId attribute and synchronize again, i.e. objectGuid in this case.

Bookmark and Share

Capturing LDAP Traffic between LiveCycle server and LDAP server

In an Enterprise Domain, principals(users/groups) are synched to LiveCycle from an LDAP server via Directory Providers.
In an Enterprise or Hybrid Domain, the LiveCycle users might be authenticated using an LDAP server.
In both the above cases, it becomes necessary to sniff the traffic if one of the principal hasn’t reached LiveCycle or the sync has broken in between for some unexplained reason.
Or let say authenticating a user through an LDAP server is failing.
The server logs of an Application server detail only the issue occurring at it’s own end,
but can’t trace the issue occurred during the transfer of data or the issue occurred at LDAP server end.

In such cases capturing the log details right from the start of fetching principal to transporting it to LiveCycle server, gives a clear insight into the working of LDAP protocol and the issue occurred.

There are many ways of capturing LDAP traffic

  • Wireshark is a great tool for capturing the LDAP traffic between an LDAP server and LiveCycle server.
  • Snoop is a utility used for capturing traffic on a Solaris machine.
  • TCPDump can be used to capture the LDAP traffic on a Linux machine.
  • LDAPDecoder can be used to capture the traffic by acting as a proxy between the LiveCycle server and the LDAP server.

I prefer using LDAPDecoder because of the following reasons,

      • It’s not always possible to install a Wireshark on customer’s production system.
        Also using a Wireshark needs root access else the LDAP traffic can’t be captured.
        Wireshark doesn’t work on headless unix/linux servers.
      • Snoop and TCPDump help in capturing traffic on headless unix/linux servers but they capture all of the traffic while one may be interested in only the LDAP traffic.
      • LDAPDecoder works well on both UI and non-UI systems.
        On Non-UI systems the LDAPDecoder can work independently as well as in tandem with Snoop and TCPDump.
        The data captured from Snoop and TCPDump can be given the LDAPDecoder in order to interpret LDAP information in specific.
      • LDAPDecoder can be used to capture LDAP traffic between a remote LiveCycle server and remote LDAP server.

LDAPDecoder acts as a proxy between both the LDAP Server and LiveCycle server.
So, the client forwards the request to LDAPDecoder which decodes the request and then forwards it to the server.
Once it gets a response from the LDAP server it decodes it and passes on the LiveCycle server thereby completing the whole flow of LDAP communication.

Okay, enough of theory, let’s get to some practical now,
1. Extract the LDAPDecoder.jar from LDAPDecoder.
2. Start the LDAPDecoder as follows on command line,
java -jar LDAPDecoder.jar -h ldapserver -p 389 -L 390 -f output.log

-h ldapserver -> the host name or ip address of the LDAP server
-p 389 -> the port of the LDAP server
-L 390 -> the port of the LDAPDecoder server which the LiveCycle server should send requests to.
-f output.log -> the file in which the LDAP traffic will be captured, i.e. the request from the LiveCycle server and response from the LDAP server.

Additionally one can specify -s parameter to make communication between LDAP Server and LiveCycle server in SSL mode.
For more such options just type, java -jar LDAPDecoder.jar

3. Open the Enterprise or Hybrid domain in Edit mode.
4. In the server field, mention the hostname or the IPaddress of the machine on which the LDAPDecoder server is running.
5. In the port field, mention the port to which the LDAPDecoder server is listening, i.e. the port specified with -L parameter, e.g. 390.

6. Save the domain.
7. Sync the Domain in case of Enterprise or make authentication calls in case of either Enterprise or Hybrid domain.
8. Check the details of LDAP request response flowing between LiveCycle server and LDAP server in the log file, i.e. the file specified with the -f parameter, e.g. output.log

For more information on LDAPDecoder and how to interpret Snoop and TCMPDump data, refer the following doc,

Bookmark and Share