Password Validation while login to Enterprise manager

Thank you so much Stefan for your valuable time. I really appreciate your help.

I have modified the jaas file as you said.

    UM {
        com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
            url="ldap://xx.yy.com:389"
            prin="uid=aa,ou=ServiceAccounts,ou=Global,o=yy.com"
            cred=user
            userrootdn="o=yy.com"
            uidprop="CN"
            grouprootdn="cn=integration,cn=usergroups,ou=security,ou=global,o=yy.com"
            groupobjclass="group"
            personobjclass="person"
            logLevel=debug

        com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
            template_section=INTERNAL
            logCallback=true
            internalRepository="path/UniversalMessaging/server/um_01/bin/users.txt";

    };

I am still not able to connect to EM.

Do I need to do any configuration at the EM end?

Hi Stefan,

I tried to log in only with the internal repo, i.e. users.txt, in the jaas file and it worked fine :).

Now when I have both LDAP and the internal repository it's not working.

Do you think the LDAP setting could be wrong?

I believe you are missing the semi-colon after the LDAP login module definition - you should put it after the last property of the module configuration.

Stefan

Hi Stefan,

My Jaas looks like below now. I have added the ; and also put the password in quotes "". I am able to log in only with the internal repository and not able to log in with LDAP credentials.

    UM {
        com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
            url="ldap://xx.yy.com:389"
            prin="uid=aa,ou=ServiceAccounts,ou=Global,o=yy.com"
            cred="user!"
            userrootdn="o=yy.com"
            uidprop="CN"
            grouprootdn="cn=integration,cn=usergroups,ou=security,ou=global,o=yy.com"
            groupobjclass="group"
            personobjclass="person"
            logLevel=debug;

        com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
            template_section=INTERNAL
            logCallback=true
            internalRepository="path/UniversalMessaging/server/um_01/bin/users.txt";

    };

Thank you so much for being with me while fixing this.

Hello Kavitha,

Can you upload the UMRealmService.log file? It should be in the UM server bin directory. The system output and error streams are redirected to that file, and that is where the LDAP login module should be dumping the debug log. We should be able to see what's going wrong there.

Btw, since I saw you have also specified the group root DN, I thought I should let you know that UM currently does not retrieve (or care about) the LDAP group membership - you’d still need to define groups in the ACL lists for authorization purposes.

Stefan

Hello Stefan,

I was about to mail you the good news. After I made the changes as you said, I was still getting invalid user credentials.

I checked with my LDAP team whether I was able to connect to the LDAP server and they said yes.

Later I got my settings verified with them; there was a mistake in groupobjclass, personobjclass and uidprop.

After all the changes, it is working fine as expected.

When the same user id is present in both LDAP and users.txt it validates the LDAP credentials only. This is my observation.

But everything is fine now :)

I sincerely appreciate your time and patience and all your suggestions.

Many many thanks to you.

Regards,
Kavitha

Cool, great news!

For future reference, here's a link to the JAAS configuration docs in Oracle's tech guide → JAAS Login Configuration File and the more comprehensive apidocs → Configuration (Java Platform SE 8)
According to the docs the “sufficient” flag means:

The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

which is why, if LDAP succeeds, you don't go through the users.txt login at all. It is a sort of fallback mechanism in case you want to be able to log in even when LDAP is not reachable.

Cheers,
Stefan
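The two things that went wrong in this thread, the missing `;` between the two login-module stanzas and the way the `sufficient` flag decides which module actually validated the password, can both be shown in a small model. The following is an added example, not code from the original posts or from Universal Messaging: it parses a JAAS-style entry the way the javadoc describes the syntax, flags a stanza that is not terminated by `;`, and then walks the module list with the documented control-flag rules. The "LDAP directory", the `users.txt` contents and the user names are constructed sample data; the hostname and repository path are the placeholders already used in the thread.

```python
"""Model of the JAAS login-configuration semantics discussed in this thread.

Added example (not the product's code): a parser for one 'Name { ... };'
entry that detects an unterminated login-module stanza, plus a simulator
that applies the javax.security.auth.login.Configuration control-flag rules
(required / requisite / sufficient / optional) to stand-in backends.
"""
import re

# The four real JAAS control flags (matched case-insensitively, as in the javadoc).
FLAGS = ("required", "requisite", "sufficient", "optional")


def parse_jaas_entry(text):
    """Parse one JAAS entry into (name, [{"class", "flag", "options"}]).

    Raises ValueError when a stanza is not terminated by ';' -- the defect
    fixed in the thread. A missing ';' makes the next module's class name
    look like an option with no '=', which is what the check below catches.
    """
    m = re.match(r"\s*(\w+)\s*\{(.*)\}\s*;?\s*$", text, re.S)
    if not m:
        raise ValueError("entry must look like 'Name { ... };'")
    name, body = m.group(1), m.group(2).strip()
    if not body.endswith(";"):
        raise ValueError("last login module stanza is not terminated by ';'")
    modules = []
    for stanza in filter(None, (s.strip() for s in body.split(";"))):
        # tokens: key="quoted value", "quoted", or bare word / key=value
        tokens = re.findall(r'[^\s"]+="[^"]*"|"[^"]*"|\S+', stanza)
        if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
            raise ValueError(f"stanza has no valid control flag: {stanza[:60]!r}")
        options = {}
        for tok in tokens[2:]:
            if "=" not in tok:
                raise ValueError(
                    f"option {tok!r} has no '=' (missing ';' before the next module?)")
            key, _, val = tok.partition("=")
            options[key] = val.strip('"')
        modules.append({"class": tokens[0], "flag": tokens[1].lower(), "options": options})
    return name, modules


def config_problem(text):
    """Return the parser's complaint as a string, or None if the entry parses."""
    try:
        parse_jaas_entry(text)
        return None
    except ValueError as exc:
        return str(exc)


def simulate_login(modules, authenticate, user, password):
    """Walk the module list with JAAS control-flag semantics.

    `authenticate(module, user, password)` returns True/False, or raises
    ConnectionError when its backend is unreachable (treated as a failure).
    Returns (overall_success, [short names of modules that succeeded]).
    """
    succeeded, required_failed = [], False
    for mod in modules:
        try:
            ok = authenticate(mod, user, password)
        except ConnectionError:
            ok = False
        if ok:
            succeeded.append(mod["class"].rsplit(".", 1)[-1])
            if mod["flag"] == "sufficient":
                # control returns to the application immediately; only
                # required/requisite modules *before* this one must have passed
                return not required_failed, succeeded
        elif mod["flag"] == "requisite":
            return False, succeeded          # stop at once
        elif mod["flag"] == "required":
            required_failed = True           # keep going, but overall result is failure
    if required_failed:
        return False, succeeded
    # no required/requisite module: at least one sufficient/optional must succeed
    return bool(succeeded), succeeded


# --- constructed sample data (hypothetical users and secrets) ---------------
LDAP_DIRECTORY = {"kavitha": "ldap-secret"}
USERS_TXT = {"kavitha": "local-secret", "admin": "admin-secret"}


def make_authenticator(ldap_reachable=True):
    """Stand-in for the two login modules: a dict-backed 'LDAP' and a users.txt."""
    def authenticate(mod, user, password):
        if mod["class"].endswith("LDAPLoginModule"):
            if not ldap_reachable:
                raise ConnectionError(mod["options"].get("url", "ldap://?"))
            return LDAP_DIRECTORY.get(user) == password
        return USERS_TXT.get(user) == password
    return authenticate


SAMPLE_ENTRY = '''UM {
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
        url="ldap://xx.yy.com:389"
        userrootdn="o=yy.com"
        logLevel=debug;

    com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
        template_section=INTERNAL
        internalRepository="path/UniversalMessaging/server/um_01/bin/users.txt";
};'''

# Same entry with the ';' after the LDAP stanza dropped, as in the first post.
SAMPLE_ENTRY_BROKEN = SAMPLE_ENTRY.replace("logLevel=debug;", "logLevel=debug")

if __name__ == "__main__":
    print("broken config:", config_problem(SAMPLE_ENTRY_BROKEN))
    _, mods = parse_jaas_entry(SAMPLE_ENTRY)
    print("ldap password   :", simulate_login(mods, make_authenticator(), "kavitha", "ldap-secret"))
    print("ldap unreachable:", simulate_login(mods, make_authenticator(False), "kavitha", "local-secret"))
```

Running it shows the behaviour Stefan describes: with both modules `sufficient`, a password accepted by LDAP returns after the LDAP module alone, and when the LDAP backend is unreachable the internal `users.txt` module is consulted as the fallback. Changing the first module's flag to `required` in the simulator shows the opposite policy, where a user unknown to LDAP cannot log in via `users.txt` at all.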

That is useful.

Thanks once again Stefan.

Regards,
Kavitha