RS2.2.1-5602 is giving me a headache. Specifically, I am unable to log on using the LDAP imported accounts (the script from here http://blog.datenwerke.net/2013/08/ReportServer-LDAP-ActiveDirectory-authentication.html was amended not to require the objectGUID, because we don’t have AD).
I can see the users and groups (and the memberships) imported.
When I try to log in using a user from LDAP, I get the message: “Login attempt failed”, yet in catalina.out the following message appears:
####### LdapPAM: authenticate notoken (result=AuthenticationResult(false, null, false)
####### LdapPAM: authenticate with local password: fail
####### LdapPAM: authenticate against directory server: success
####### LdapPAM: authenticate success (usr=ldap.user)
There aren’t any other error messages in the logs, and I made sure that ReportServer Access does contain full access both for this user and for the group this user is a member of. At the same time, I gave RX rights to the whole filesystem.
Logging on with any other native account (created inside rs) is working ok. What am I doing wrong?
It was the default: rs.authenticator.pams = net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative
I have now changed it to:
rs.authenticator.pams =
However, when trying to log on using an LDAP account, I am getting the following exception:
javax.persistence.NonUniqueResultException: result returns more than one elements
at org.hibernate.ejb.QueryImpl.getSingleResult(QueryImpl.java:293)
at org.hibernate.ejb.criteria.CriteriaQueryCompiler$3.getSingleResult(CriteriaQueryCompiler.java:258)
at net.datenwerke.rs.utils.simplequery.byatt.QueryByAttProcessor.process(QueryByAttProcessor.java:108)
at net.datenwerke.rs.utils.simplequery.byatt.QueryByAttInterceptor.invoke(QueryByAttInterceptor.java:25)
at net.datenwerke.rs.passwordpolicy.service.lostpassword.LostPasswordPreAuthenticateHook.authenticating(LostPasswordPreAuthenticateHook.java:65)
at net.datenwerke.security.service.authenticator.AuthenticatorServiceImpl.authenticate(AuthenticatorServiceImpl.java:73)
at net.datenwerke.rs.authenticator.server.LoginHandlerImpl.authenticate(LoginHandlerImpl.java:65)
Probably important:
The LDAP account is a member of multiple LDAP groups:
rs_admins
rs_users
Both have rights for ReportingServer Access
For some reason I don’t see them in the “User Management” section, but they are present in the rs_user table.
What would be the best way to delete them?