By: Sankar Balasubramaniam user 07 Mar 2017 at 10:45 a.m. CST

8 Responses
I had raised a similar issue under ticket #3782. I am following the FAQ page (https://gluu.org/docs/ce/latest/operation/faq/) to restore my admin access. I was able to proceed until the step

```
/opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager" -j ~/.pw -Z -X -b "o=gluu" "uid=$newgluuadmin" uid givenName sn cn
```

But the '/opt/opendj/ldif/groups.ldif' file was empty by default, so the next step with the following command failed:

```
-bash-4.2# head -n1 /opt/opendj/ldif/groups.ldif > $ldiffile
head: cannot open ‘/opt/opendj/ldif/groups.ldif’ for reading: No such file or directory
-bash-4.2# cat /opt/opendj/ldif/groups.ldif
cat: /opt/opendj/ldif/groups.ldif: No such file or directory
```

So the addManagers.ldif didn't have the DN entry and hence resulted in the error

```
-bash-4.2# /opt/opendj/bin/ldapmodify -h localhost -p 1636 -D "cn=directory manager,o=gluu" -j ~/.pw -Z -X -f addManagers.ldif
Error at or near line 1 in LDIF file addManagers.ldif: org.opends.server.util.LDIFException: Unable to parse LDIF entry starting at line 1 because the first line does not contain a DN (the first line was "changetype: modify"
```

Any idea why the '/opt/opendj/ldif/groups.ldif' file was empty, or how to proceed further with this?
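The LDIF error at the end of this post is the server refusing a record whose first line is 'changetype: modify' instead of a dn: line. As an added example (not from the thread or the Gluu FAQ), this Python pre-flight check catches that, an unknown changetype, or an add without objectClass before ldapmodify is run; both LDIF samples are constructed to mirror the shapes in this thread, and EXAMPLE-INUM is a placeholder.

```python
CHANGETYPES = {"add", "delete", "modify", "modrdn", "moddn"}
# Constructed samples modelled on the thread: an addManagers.ldif that lost its dn: line
# because groups.ldif was empty, and an add record whose DN is folded across two lines
# the way OpenDJ's ldapsearch prints it (a continuation line starts with one space).
BROKEN_LDIF = """changetype: modify
add: member
member: inum=EXAMPLE-INUM,ou=people,o=gluu
"""
GOOD_LDIF = """dn: inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE1A.D7SB,ou=people,o=@!
 E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
changetype: add
objectClass: top
objectClass: gluuPerson
uid: neoadmin
"""

def split_records(text):
    """Split LDIF into records (blank-line separated), unfolding space-led continuation lines."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation of the previous line
            elif raw and not raw.startswith("#"):
                lines.append(raw)             # '#' lines are LDIF comments
        if lines:
            records.append(lines)
    return records

def check_ldif(text):
    """Return (record_number, problem) pairs; empty means every record starts with a DN,
    names a known changetype, and (for adds) carries at least one objectClass."""
    problems = []
    for n, rec in enumerate(split_records(text), start=1):
        if not rec[0].lower().startswith("dn:"):
            problems.append((n, f"first line does not contain a DN: {rec[0]!r}"))
            continue
        attrs = {}
        for line in rec[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                problems.append((n, f"line has no ':' separator: {line!r}"))
                continue
            attrs.setdefault(name.lower(), []).append(value.lstrip(": "))  # ':' = base64 marker
        ctype = attrs.get("changetype", ["add"])[0].lower()
        if ctype not in CHANGETYPES:
            problems.append((n, f"unknown changetype {ctype!r}"))
        if ctype == "add" and "objectclass" not in attrs:
            problems.append((n, "add record without any objectClass"))
    return problems
```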

By Mohib Zico Account Admin 08 Mar 2017 at 3:33 p.m. CST

Let's try [this](https://docs.google.com/document/d/13yYAawUbXczI9Y69WHwwUSbNEDyPYcZYYtJj8pzIM9Y/edit?usp=sharing)?

By Sankar Balasubramaniam user 09 Mar 2017 at 3:53 a.m. CST

I guess the second part of the instructions, to add a new admin user, is what you suggested for my case. I was actually trying the same yesterday and tried the following today as well.

1) Searched for my current admin user:

```
-bash-4.2# /opt/opendj/bin/ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'pass' -b o=gluu uid=admin ou=people 1.1
dn: inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!A8F2.DE1E.D7FB,ou=people,o=@!
 E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
```

2) Created a new ldif file as suggested with the below content:

```
-bash-4.2# vim ~/neoadmin.ldif
```

```
dn: inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE1A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
changetype: add
objectClass: top
objectClass: gluuPerson
inum: @!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE1A.D7SB
uid: neoadmin
givenName: neo
sn: admin
userPassword: admin
gluuStatus: active
displayName: Temp Admin User
```

So I took the inum for the current admin user and modified the 'TTF2.DE1A.D7SB' part as suggested.

3) Ran the modify command successfully:

```
-bash-4.2# /opt/opendj/bin/ldapmodify -h localhost -p 1636 -Z -X -D "cn=directory manager,o=gluu" -w 'pass' -f ~/neoadmin.ldif
Processing ADD request for inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE1A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
ADD operation successful for DN inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE1A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
```

4) But when I try to login with the 'neoadmin', I get the error 'Incorrect email or password.' Am I missing something here? Do we have to restart the Gluu server after adding this entry?

By Mohib Zico Account Admin 09 Mar 2017 at 4:05 a.m. CST

>> But when I try to login with the 'neoadmin', I get the error 'Incorrect email or password.' Am I missing something here?

Please tail oxauth.log when you try to login with this user. It will show why that's failing.

>> Do we have to restart the Gluu server after adding this entry?

No.

By Sankar Balasubramaniam user 09 Mar 2017 at 5:12 a.m. CST

Hi Mohib,

I tailed the oxauth log like 'tail -f /opt/gluu/jetty/oxauth/logs/oxauth.log', but the logs aren't very descriptive:

```
2017-03-09 11:59:34,106 INFO [qtp1395089624-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:155) - Authentication failed for 'neoadmin'
```

I also tried another testadmin as below, but same result:

```
-bash-4.2# vim ~/testadmin.ldif
```

```
dn: inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE2A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
changetype: add
objectClass: top
objectClass: gluuPerson
inum: @!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE2A.D7SB
uid: testadmin
givenName: test
sn: admin
userPassword: test123
gluuStatus: active
displayName: Temp Admin User
```

```
-bash-4.2# /opt/opendj/bin/ldapmodify -h localhost -p 1636 -Z -X -D "cn=directory manager,o=gluu" -w 'pass' -f ~/testadmin.ldif
Processing ADD request for inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE2A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
ADD operation successful for DN inum=@!E8AE.369E.A2CA.4B73!0001!0239.8373!0000!TTF2.DE2A.D7SB,ou=people,o=@!E8AE.369E.A2CA.4B73!0001!0239.8373,o=gluu
```

```
2017-03-09 12:10:18,861 INFO [qtp1395089624-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:155) - Authentication failed for 'testadmin'
```

Is there something wrong with the way I am defining the password? Not sure why my login is failing.

By Sankar Balasubramaniam user 09 Mar 2017 at 5:32 a.m. CST

And when I try to login with my original admin account and the original password, I get the following error:

```
2017-03-09 12:29:05,986 ERROR [qtp1395089624-10] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:176) - Failed to authenticate dn: CN=SO_IT_admin_account,OU=SO1,OU=SE,OU=FunctionalMailboxes,OU=EMUser,DC=emea,DC=adsint,DC=biz
org.gluu.site.ldap.persistence.exception.AuthenticationException: Failed to authenticate dn: CN=SO_IT_admin_account,OU=SO1,OU=SE,OU=FunctionalMailboxes,OU=EMUser,DC=emea,DC=adsint,DC=biz
Caused by: org.gluu.site.ldap.exception.ConnectionException: Failed to authenticate dn --> 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
Caused by: com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
```

I hope this ldap call is against localhost and not the actual AD server, because this admin account is obviously only local to Gluu and not in our corporate AD. Any clues here on what could be wrong?

By Mohib Zico Account Admin 09 Mar 2017 at 5:35 a.m. CST

>> I hope this ldap call is against localhost and not the actual AD server.

Yes, it should, but it's not happening...

>> Failed to authenticate dn: CN=SO_IT_admin_account,OU=SO1,OU=SE,OU=FunctionalMailboxes,OU=EMUser,DC=emea,DC=adsint,DC=biz

You need to make sure that you change oxIDPAuthentication, which we included in the doc.
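The oxauth.log excerpt two posts up already shows what Mohib is pointing at: the bind DN in the ExternalAuthenticationService error ends in DC=emea,DC=adsint,DC=biz, so oxAuth sent the bind to the corporate AD rather than to the local o=gluu tree, and AD's data 52e subcode means invalid credentials. As an added example (not from the thread or the Gluu project), this Python triage script extracts those facts from oxauth.log lines; the log lines are constructed from the ones quoted in the thread, and the AD subcode table covers only the common values.

```python
import re

# Constructed sample lines modelled on the oxauth.log excerpts quoted in the thread.
LOG_LINES = [
    "2017-03-09 11:59:34,106 INFO [qtp1395089624-18] [org.xdi.oxauth.auth.Authenticator] "
    "(Authenticator.java:155) - Authentication failed for 'neoadmin'",
    "2017-03-09 12:29:05,986 ERROR [qtp1395089624-10] [org.xdi.oxauth.service.external.ExternalAuthenticationService] "
    "(ExternalAuthenticationService.java:176) - Failed to authenticate dn: CN=SO_IT_admin_account,OU=SO1,OU=SE,"
    "OU=FunctionalMailboxes,OU=EMUser,DC=emea,DC=adsint,DC=biz",
    "Caused by: com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C0903A8, "
    "comment: AcceptSecurityContext error, data 52e, v1db1",
]

# log4j-style prefix: "<date> <time> <LEVEL> [<thread>] [<class>] (<file:line>) - <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \[[^\]]*\] \[([\w.]+)\] \([^)]*\) - (.*)$")
# Active Directory bind-failure subcodes carried in the "data NNN" field of 80090308 errors
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials", "530": "logon not permitted at this time",
               "532": "password expired", "533": "account disabled", "773": "password must be changed",
               "775": "account locked out"}

def bind_target(dn):
    """Classify a bind DN by its suffix: Gluu's own tree ends in o=gluu, an Active
    Directory DN ends in DC= components, so the DN alone shows which server answered."""
    rdns = [r.strip() for r in dn.split(",")]
    if rdns[-1].lower() == "o=gluu":
        return "local (o=gluu)"
    domain = ",".join(r for r in rdns if r.upper().startswith("DC="))
    return f"external (AD domain {domain})" if domain else "unknown"

def triage(lines):
    """Turn oxauth.log failure lines into findings: the user or bind DN, which
    authentication path rejected it, and the meaning of any AD subcode that follows."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            _, _, cls, msg = m.groups()
            if cls.endswith(".Authenticator") and msg.startswith("Authentication failed for"):
                findings.append({"user": msg.split("'")[1], "path": "oxAuth authenticator"})
            elif cls.endswith("ExternalAuthenticationService") and "Failed to authenticate dn:" in msg:
                dn = msg.split("dn:", 1)[1].strip()
                findings.append({"bind_dn": dn, "path": "external (oxIDPAuthentication)",
                                 "target": bind_target(dn)})
        elif findings:  # a "Caused by" line without a timestamp belongs to the previous finding
            sub = re.search(r"AcceptSecurityContext error, data (\w+)", line)
            if sub:
                findings[-1]["ad_error"] = AD_SUBCODES.get(sub.group(1), f"unknown subcode {sub.group(1)}")
    return findings
```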

By Sankar Balasubramaniam user 09 Mar 2017 at 8:32 a.m. CST

Hi Mohib,

How can I search for 'oxIDPAuthentication' inside ldap? I tried the following command, but it does not return any response.

```
/opt/opendj/bin/ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'pass' -b o=gluu uid=oxIDPAuthentication
```

By Mohib Zico Account Admin 15 Mar 2017 at 7:25 a.m. CDT

>> /opt/opendj/bin/ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'pass' -b o=gluu uid=oxIDPAuthentication

'oxIDPAuthentication' is not a UID value; it is itself an attribute. There is a lot of documentation out there on OpenLDAP administration and OpenDJ administration which is going to help you a lot.