Configuring Contribute Publishing Services (CPS) to use Lightweight Directory Access Protocol (LDAP) can be confusing. The CPS administration includes a testing tab, but before using the tab you will need to obtain the path to the internal LDAP system. Use an LDAP browser to view the directory to gain a better understanding of how LDAP is implemented.
Use an LDAP browser to determine the fully qualified distinguished name (dn) of your user name and group. To discover your LDAP settings, use a program such as LDAP Administrator from Softerra.
Contribute Publishing Server uses the following information:
- The user's unique username in LDAP, which is how users are connected to groups
- The user's email address (for notification email)
- The user's name
Note: Using the LDAP browser, you can verify a user's information. The default settings are "uid", "mail", and "cn" respectively for these fields.
The Service Settings panel allows you to specify the User Directory, E-mail, Log, and Website Settings. The two Directory types are flat file and LDAP/Active Directory. For most configurations, you will have to pass the full distinguished name (dn) for the username, but this can vary depending upon your configuration (e.g. Active Directory). If the information is not correct on the Contribute Publishing Server, you will not successfully authenticate the user on the Test tab.
LDAP Binding is the most common connection method used in Adobe Contribute.
In order to accommodate the greatest amount of flexibility, the authentication in Contribute is completely independent and self-contained. You'll have to set up your prefix and suffix to create the proper dn from the user id. Authentication uses parameters strictly from the Settings page. User Search is for finding lists of available users and for looking up attributes of users that are authenticating. Please note that after a user passes the authentication module, Contribute ensures their username is in the User Search query. Therefore, if you're using Windows domain authentication but have just a subset of domain users in your Active Directory User Search, only the desired users will pass authentication.
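The prefix and suffix composition described above, as an added example (not Adobe's code). It assumes the bind DN is the plain concatenation prefix + user id + suffix, checks for the prefix and suffix mistakes that the error list further down this page names as causes of error code 34, and escapes DN metacharacters in the user id so that a login value cannot change the structure of the DN. The function names and the example.com DN are hypothetical.

```python
import re

# Characters RFC 4514 requires escaping inside a DN attribute value, plus '='
# (which it permits escaping). A leading '#' is handled separately.
DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value):
    """Escape a user-supplied value before placing it inside a DN."""
    out = DN_SPECIAL.sub(r"\\\1", value)
    return "\\" + out if out.startswith("#") else out


def check_dn_settings(prefix, suffix):
    """Return a list of problems with a prefix/suffix pair (empty if none)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=", prefix):
        problems.append("prefix must look like 'uid=' or 'cn='")
    if not suffix.startswith(","):
        problems.append("suffix must start with a comma")
    if suffix.rstrip().endswith(","):
        problems.append("suffix must not end with a comma")
    return problems


def build_bind_dn(prefix, login, suffix):
    """Assumed composition: prefix + escaped login + suffix."""
    problems = check_dn_settings(prefix, suffix)
    if not login or login != login.strip():
        problems.append("login is empty or padded with whitespace")
    if "\\" in login:
        problems.append("login looks like DOMAIN\\login; use the bare login")
    if problems:
        raise ValueError("; ".join(problems))
    return prefix + escape_rdn_value(login) + suffix


if __name__ == "__main__":
    suffix = ",ou=people,dc=example,dc=com"  # constructed sample value
    print(build_bind_dn("uid=", "jdoe", suffix))
    print(build_bind_dn("uid=", "doe,ou=admins", suffix))
    print(check_dn_settings("", "ou=people,dc=example,dc=com,"))
```

Whether a given directory expects `uid=` or `cn=` as the prefix cannot be checked offline; confirm it in the LDAP browser.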
Contribute Publishing Services relies on a group having an attribute containing a list of all users in the group. By default CPS looks for the "member" attribute, but this is customizable in the Group tab. However, CPS does not use the User's "memberOf" attribute.
When Contribute Publishing Services is installed on Linux, Solaris or other non-Windows servers, the "Password in windows domain" Authentication type does not apply.
The error messages resulting from testing various settings of LDAP can be rather generic. Longer error messages are often found in the Contribute Publishing Services log files.
By default the log files are found in the following directory:
- \Program Files\Macromedia\Contribute Publishing Services\logs\.
1. Error: com.macromedia.contribute.server.exception.DBException: Error in bind() from LDAP source: [server]:[port]
   Cause: This is a very general error, and it means something went wrong when trying to bind to LDAP/AD. Check to see if the LDAP/AD server name and/or port number you have specified is incorrect or an incorrect DN was specified as the administrator username.
   Note: For more detail look at the sub-exception, which can be 1, 2, 3, 4 or 5 below.
2. Error: javax.naming.CommunicationException: [server]:[port] [Root exception is java.net.ConnectException: Connection refused: connect]
   Cause: The port number you have specified for the LDAP/AD server is incorrect.
3. Error: javax.naming.CommunicationException: [server]:[port] [Root exception is java.net.UnknownHostException: [server]]
   Cause: The LDAP/AD server name you have specified is incorrect.
4. Error: javax.naming.NamingException: Cannot parse url: [protocol]://[server]:[port] [Root exception is java.net.MalformedURLException: Not an LDAP URL: [protocol]://[server]:[port]]
   Cause: The protocol you have specified is not correct.
   Note: Currently if you specify anything besides ldap for the protocol, you will receive this error.
5. Error: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
   Cause: The DN path or password which you have specified for the administrator is invalid. Any of the below will result in this error:
   - Pointed to non-user DN
   - Pointed to a non-existent user, but in existing DN
   - Pointed to non-existent DN
   - Pointed to an existing user, but non-existent DN
   - Pointed to an incorrect admin DN, uid instead of cn
   - Pointed to a non-administrator user
   - Pointed to a valid admin but password is incorrect
6. Error: com.macromedia.contribute.server.exception.DBException: Error in searchForUserList from LDAP plugin: [LDAP: error code 32 - No Such Object]
   Cause: Very general error when there is a problem finding the users in LDAP/AD. Could be that the DN pointing to the users is pointing to the wrong place or is just incorrect and does not exist.
   Note: For more detail look at the sub-exception, which can be 7 below.
7. Error: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name '[DN]'
   Cause: The DN path which points to where the users are located in the directory is invalid.
8. Error: com.macromedia.contribute.server.exception.DBException: Error in searchForUserList from LDAP plugin: [LDAP: error code 2 - Bad search filter]
   Cause: Invalid search filter passed to the LDAP/AD server.
   Note: For more detail look at the sub-exception, which can be 9 or 10 below.
9. Error: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name '[DN]'
   Cause: The filter specified is wrong or CPS constructed a bad filter.
10. Error: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name [DN]
   Cause: The opening and closing parentheses in your search filter do not match.
11. Error: Error in bind from LDAP source: [LDAP: error code 49 - Invalid Credentials] javax.naming.AuthenticationException
   Cause: Could not authenticate the user trying to login. This can be the result of an incorrect username or password, or an incorrect prefix and/or suffix specified in the Settings tab, depending on the type of LDAP/AD system. Could also mean the authentication type is incorrect.
12. Error: Error in bind from LDAP source: [LDAP: error code 34 - invalid DN] javax.naming.InvalidNameException
   Cause: This is caused by a bad prefix specified in the Settings tab, on most LDAP/AD systems. This could mean you did not specify a prefix at all, which means the LDAP/AD server did not receive a full DN from CPS, or that you did not specify a correct prefix, such as CN instead of UID, which results in the LDAP/AD server not receiving a correct DN from CPS. Can also be caused by a missing comma at the beginning of the suffix or an extra comma at the end of the suffix. This error could also mean the authentication type is incorrect.
13. Error: NoSuchAttributeException
   Cause: This is caused by providing a name for an attribute which is not correct or does not exist.
- Error: com.macromedia.contribute.server.exception.DBException: Error in bind() from LDAP source: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece] javax.naming.AuthenticationException
  Cause: The administrator domain name, username, and/or password is incorrect in the Settings tab.
- Error: com.macromedia.contribute.server.exception.DBException: Error in searchForUserList from LDAP plugin: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001C6, problem 2001 (NO_OBJECT), data 0, best match of: '[DN]' ] javax.naming.NameNotFoundException
  Cause: A non-existent DN specified in the User Search field.
- Error: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: [server]:[port] [Root exception is java.net.UnknownHostException: [server]]]
  Cause: An incorrect DN was specified in the User Search field.
- Error: com.macromedia.contribute.server.exception.DBException: Error in searchForUserList from LDAP plugin: [DN]: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001B3, problem 2006 (BAD_NAME), data 8350, best match of: '[DN],' ] javax.naming.InvalidNameException
  Cause: An incorrectly formatted DN was specified.
- Error: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100198, problem 2001 (NO_OBJECT), data 0, best match of: '']; remaining name ''
  Cause: This error appears if you do not have Group settings filled in, but have User Search filled in. Some systems do not care, while some systems experience problems with the empty DN.
- Error: Error in bind from LDAP source: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 52e, vece ] javax.naming.AuthenticationException
  Cause: Could not authenticate the user trying to login. This can be the result of an incorrect username or password, or an incorrect prefix and/or suffix specified in the Settings tab, depending on the type of LDAP/AD system. Could also mean the authentication type is incorrect. An incorrect username attribute or incorrect name attribute can also cause this. A common cause of this error is a user trying to login with DOMAIN\login instead of just login.
- Error: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0 ];
  Cause: The DN specified in the User Search tab is incorrect, wrong, or incorrectly formatted.
- Error: Error 12: Server.ActionProcessException: Error in authenticateUser in user plugin. Error in searchForUser from LDAP plugin: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006C5, problem 5012 (DIR_ERROR), data 0
  Cause: User could not be found. Most likely due to DN settings in the User Search tab or the suffix or prefix fields in the Settings tab.
- Error: com.macromedia.contribute.server.exception.DomainException: Error in authenticateUser in user plugin. Error in searchForUser from LDAP plugin: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0] javax.naming.NamingException
  Cause: Most likely caused by a bad username or password. A common cause of this error is a user trying to login with DOMAIN\login instead of just login.
- Error: Error 12: Server.ActionProcessException: Error in authenticateUser in user plugin. No user found for username <username> in user database --- 100.
Cause: Most likely the result of a bad prefix or suffix in the Settings tab, or a bad DN, username attribute, or name attribute in the User Search settings.
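A triage helper for the log messages listed above, as an added example (not part of CPS or of the original page). It pulls the LDAP result code, the Active Directory "data" sub-code, and the java.net root exception out of each log line and points to the setting the causes above name. The sample lines are constructed from the message formats on this page, with ldap.example.com as a placeholder host; the meanings given for sub-codes 525 and 52e are the standard Windows ones, not taken from the page.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the messages listed above.
SAMPLE_LOG = """\
Error in bind() from LDAP source: ldap.example.com:389 javax.naming.CommunicationException: ldap.example.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
Error in bind from LDAP source: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 52e, vece ] javax.naming.AuthenticationException
Error in bind from LDAP source: [LDAP: error code 34 - invalid DN] javax.naming.InvalidNameException
Error in searchForUserList from LDAP plugin: [LDAP: error code 32 - No Such Object] javax.naming.NameNotFoundException
"""

LDAP_CODE = re.compile(r"\[LDAP: error code (\d+)")
AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.I)
NET_EXC = re.compile(
    r"java\.net\.(ConnectException|UnknownHostException|MalformedURLException)")

# Which setting to check, following the causes given on this page.
CODE_HINT = {
    1: "User Search DN, prefix/suffix, or DOMAIN\\login used as the username",
    2: "search filter",
    32: "User Search or Group DN does not exist",
    34: "malformed DN: prefix/suffix or User Search DN",
    49: "bind rejected: DN/password, prefix/suffix, or authentication type",
}
NET_HINT = {
    "ConnectException": "port number",
    "UnknownHostException": "server name (User Search DN if PartialResultException)",
    "MalformedURLException": "protocol (must be ldap)",
}
AD_HINT = {"525": "user not found", "52e": "invalid credentials"}

def triage(line):
    """Return (kind, detail, hint) for one log line, or None if not matched."""
    net = NET_EXC.search(line)
    if net:
        return ("network", net.group(1), NET_HINT[net.group(1)])
    m = LDAP_CODE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    hint = CODE_HINT.get(code, "see the LDAP result code reference")
    ad = AD_DATA.search(line)
    if ad:
        sub = ad.group(1).lower()
        hint += " (AD: %s)" % AD_HINT.get(sub, "data " + sub)
    return ("ldap", code, hint)

def summarize(log_text):
    """Count (kind, detail) pairs over a whole log."""
    return Counter(t[:2] for t in map(triage, log_text.splitlines()) if t)
```

A burst of code 49 entries for many different logins points at the prefix, suffix or authentication type, while repeated code 49 entries for one login after the settings are known to be good are failed password attempts worth reviewing.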
For additional information on reading LDAP error codes please refer to Sun's LDAP Error Codes.

