hlavki / g-suite-identity-sync

G Suite to LDAP identity synchronizer
Apache License 2.0

Get a "No service was found" message when clicking on the Sign in button #9

Closed rsaple closed 6 years ago

rsaple commented 6 years ago

Here's the thing. I have created a trial GSuite account just for testing this particular utility. Did the pre-install gsuite- configuration as described without any issue. Edited the docker-compose.yml to reflect our ldap setup. Ran the docker commands successfully. I can access the homepage on localhost:8181. But when I click on the sign in button I get a terse message saying "No service was found".

Docker trace also throws some errors

identity_1  |   at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [?:?]
identity_1  |   at java.lang.Thread.run(Thread.java:748) [?:?]
identity_1  | Caused by: org.osgi.service.blueprint.container.ComponentDefinitionException: Error when instantiating bean ldapConnection of class com.unboundid.ldap.sdk.LDAPConnection
identity_1  |   at org.apache.aries.blueprint.container.BeanRecipe.wrapAsCompDefEx(BeanRecipe.java:361) ~[?:?]
identity_1  |   at org.apache.aries.blueprint.container.BeanRecipe.getInstanceFromType(BeanRecipe.java:351) ~[?:?]

2018-06-14T08:46:02,328 | INFO  | features-1-thread-1 | FeaturesServiceImpl              | 10 - org.apache.karaf.features.core - 4.1.5 | Done.
identity_1  | 2018-06-14T08:46:02,330 | INFO  | paxweb-extender-2-thread-1 | HttpServiceContext               | 152 - org.ops4j.pax.web.pax-web-jetty - 6.0.9 | registering JasperInitializer
identity_1  | 2018-06-14T08:46:02,678 | INFO  | paxweb-extender-2-thread-1 | ContextHandler                   | 125 - org.eclipse.jetty.util - 9.3.21.v20170918 | Started HttpServiceContext{httpContext=WebAppHttpContext{eu.hlavki.identity.g-suite-identity-sync-web - 20}}
identity_1  | 2018-06-14T08:51:00,530 | ERROR | Blueprint Extender: 2 | BlueprintContainerImpl           | 32 - org.apache.aries.blueprint.core - 1.8.3 | Unable to start blueprint container for bundle eu.hlavki.identity.g-suite-identity-sync-services/0.3.1 due to unresolved dependencies [(objectClass=eu.hlavki.identity.services.ldap.LdapAccountService)]
identity_1  | java.util.concurrent.TimeoutException: null
identity_1  |   at org.apache.aries.blueprint.container.BlueprintContainerImpl$1.run(BlueprintContainerImpl.java:370) [32:org.apache.aries.blueprint.core:1.8.3]
identity_1  |   at org.apache.aries.blueprint.utils.threading.impl.DiscardableRunnable.run(DiscardableRunnable.java:48) [32:org.apache.aries.blueprint.core:1.8.3]
identity_1  |   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
identity_1  |   at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]

identity_1  | 2018-06-14T12:23:11,751 | WARN  | qtp1957879929-71 | ServletController                | 54 - org.apache.cxf.cxf-rt-transports-http - 3.2.2 | Can't find the request for http://localhost:8181/cxf/identity/user's Observer 
identity_1  | 2018-06-14T12:29:00,793 | WARN  | qtp1957879929-72 | ServletController                | 54 - org.apache.cxf.cxf-rt-transports-http - 3.2.2 | Can't find the request for http://localhost:8181/cxf/oidc/rp's Observer 

I guess the issue is with the docker-compose.yml file but I'm not sure. Being a docker noob complicates things further. Can someone help me through this? Thanks

hlavki commented 6 years ago

This looks like a problem with the LDAP connection. The synchronizer needs to be connected to an existing LDAP. Can you send me the full log and docker-compose.yml?

rsaple commented 6 years ago

I have a Samba server (LDAP) sitting on the domain agni.loc which I can access and query (ldapsearch) successfully. Do the LDAP domain and the GSuite domain need to be the same for this to work?

services:
  identity:
    image: hlavki/g-suite-identity-sync
    ports:
      - 8181:8181
      - 8101:8101
    environment:
      - SLAPD_BIND_DN=cn=admin admin,cn=Users,dc=agni,dc=loc
      - SLAPD_BASE_DN=dc=agni,dc=loc
      - SLAPD_PASSWORD=*****
      - GSUITE_DOMAIN=agniinfosystems.co.in
      - GSUITE_SERVICE_ACCOUNT_EMAIL=gsuite-services@prefab-pride-207206.iam.gserviceaccount.com
      - GSUITE_SERVICE_ACCOUNT_SUBJECT=rahul@agniinfosystems.co.in
      - GSUITE_CLIENT_ID=234295305813-1fvct7qa7jafgiv3k83h9507nuouepj0.apps.googleusercontent.com
      - GSUITE_CLIENT_SECRET=*Oauth Client secret*
    depends_on:
      - ldap
    volumes:
      - identity-config:/opt/karaf/etc/identity

  # must be indented under "services:", otherwise compose treats it as an unknown top-level key
  ldap:
    image: osixia/openldap
    ports:
      - "389:389"
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "Agni Info ltd."
      LDAP_DOMAIN: "agni.loc"
      LDAP_ADMIN_PASSWORD: "*Same as SLAPD_PASSWORD Above*"
      LDAP_CONFIG_PASSWORD: "*Same as SLAPD PASSWORD Above*"
    volumes:
      - ldap-data:/var/lib/ldap
      - ldap-config:/etc/ldap/slapd.d

# named volumes referenced by the services have to be declared at top level,
# otherwise docker-compose refuses the file
volumes:
  identity-config:
  ldap-data:
  ldap-config:

And here's the full log trace

log_trace.txt

hlavki commented 6 years ago

Hi, this looks like the cause of the problem:

Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid credentials

When you run:

docker-compose exec identity /opt/karaf/bin/client \
    'config:list "(service.pid=eu.hlavki.identity.ldap)"'

Can you see correct LDAP credentials?

rsaple commented 6 years ago

No, the LDAP host and the user and group base DNs are wrong.

User base DN and group base DN should be "cn=users, dc=agni, dc=loc". LDAP host should be ldap://agni.loc.

Sorry to sound dumb, but where do I make the change?

Thanks for replying

Logging in as karaf
----------------------------------------------------------------
Pid:            eu.hlavki.identity.ldap
BundleLocation: ?
Properties:
   felix.fileinstall.filename = file:/opt/karaf/etc/identity/eu.hlavki.identity.ldap.cfg
   ldap.baseDN = dc=agni,dc=loc
   ldap.bindDN = cn=admin admin,cn=Users,dc=agni,dc=loc
   ldap.groups.baseDN = ou=groups
   ldap.host = ldap
   ldap.password = *********
   ldap.pool.initSize = 2
   ldap.pool.maxSize = 5
   ldap.port = 389
   ldap.users.baseDN = ou=people
   service.pid = eu.hlavki.identity.ldap

hlavki commented 6 years ago

Definitely not a dumb question; the configuration needs improvements. Anyway, one way to change the configuration is to create a cmd file, e.g. ldap.cmd, that contains:

config:edit eu.hlavki.identity.ldap
config:property-set ldap.host agni.loc
config:property-set ldap.baseDN dc=agni,dc=loc
config:property-set ldap.users.baseDN cn=users
config:property-set ldap.groups.baseDN cn=users
config:update

Values of ldap.users.baseDN and ldap.groups.baseDN are relative to ldap.baseDN.

then execute:

docker-compose exec -T identity /opt/karaf/bin/client -b < ldap.cmd

rsaple commented 6 years ago

I'm still getting the invalid credentials error. I can successfully execute the below ldapsearch query without any invalid credentials error:

ldapsearch -H "ldap://agni.loc" -D "cn=admin admin, cn=users, dc=agni, dc=loc" -b "dc=agni,dc=loc" -W

Here are the relevant parts of the log: log_trace1.txt

rsaple commented 6 years ago

I changed config:property-set ldap.host agni.loc to point to my IP rather than my hostname and rebooted my machine and it worked.

Only to get stuck on a different problem. I get an LDAP error when I create an LDAP account. Here's the error:

identity_1  | 2018-06-15T10:08:43,525 | INFO  | qtp86591752-77   | LoggingInInterceptor             | 41 - org.apache.cxf.cxf-core - 3.2.2 | Inbound Message
identity_1  | ----------------------------
identity_1  | ID: 39
identity_1  | Address: http://localhost:8181/cxf/identity/account
identity_1  | Encoding: UTF-8
identity_1  | Http-Method: POST
identity_1  | Content-Type: application/json;charset=UTF-8
identity_1  | Headers: {Accept=[application/json, text/plain, */*], accept-encoding=[gzip, deflate], Accept-Language=[en-GB,en;q=0.5], connection=[keep-alive], Content-Length=[118], content-type=[application/json;charset=UTF-8], Cookie=[JSESSIONID=11pr9xnyhx20y11lchk0tsikoa], Host=[localhost:8181], Referer=[http://localhost:8181/], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0]}
identity_1  | Payload: {"email":"rahul@agniinfosystems.co.in","password":"*********","confirmPassword":"*********","saveGSuitePassword":true}
identity_1  | --------------------------------------
identity_1  | 2018-06-15T10:08:44,096 | INFO  | qtp86591752-77   | LdapAccountServiceImpl           | 18 - eu.hlavki.identity.g-suite-identity-sync-services-ldap - 0.3.1 | Creating user with DN uid=rahul@agniinfosystems.co.in,cn=users,dc=agni,dc=loc
identity_1  | 2018-06-15T10:08:44,654 | ERROR | qtp86591752-77   | UserAccountService               | 19 - eu.hlavki.identity.g-suite-identity-sync-services-rest - 0.3.1 | Can't create account
identity_1  | eu.hlavki.identity.services.ldap.LdapSystemException: LDAPException(resultCode=64 (naming violation), errorMessage='00002037: objectclass: Invalid RDN 'UID' for objectclass 'inetOrgPerson'!', diagnosticMessage='00002037: objectclass: Invalid RDN 'UID' for objectclass 'inetOrgPerson'!', ldapSDKVersion=4.0.0, revision='25575')
identity_1  |   at eu.hlavki.identity.services.ldap.impl.LdapAccountServiceImpl.createAccount(LdapAccountServiceImpl.java:114) [18:eu.hlavki.identity.g-suite-identity-sync-services-ldap:0.3.1]
identity_1  |   at Proxyb4e87f66_9357_43c7_aea5_0ee903ade26f.createAccount(Unknown Source) [?:?]
identity_1  |   at eu.hlavki.identity.services.rest.account.UserAccountService.createAccount(UserAccountService.java:96) [19:eu.hlavki.identity.g-suite-identity-sync-services-rest:0.3.1]
identity_1  |   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
identity_1  |   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
identity_1  |   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
identity_1  |   at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
identity_1  |   at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192) [42:org.apache.cxf.cxf-rt-frontend-jaxrs:3.2.2]
identity_1  |   at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103) [42:org.apache.cxf.cxf-rt-frontend-jaxrs:3.2.2]
identity_1  |   at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [41:org.apache.cxf.cxf-core:3.2.2]
identity_1  |   at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) [26:javax.servlet-api:3.1.0]
identity_1  |   at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) [54:org.apache.cxf.cxf-rt-transports-http:3.2.2]
identity_1  |   at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848) [123:org.eclipse.jetty.servlet:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) [123:org.eclipse.jetty.servlet:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:205) [133:org.eclipse.jetty.websocket.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [123:org.eclipse.jetty.servlet:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [123:org.eclipse.jetty.servlet:9.3.21.v20170918]
identity_1  |   at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71) [152:org.ops4j.pax.web.pax-web-jetty:6.0.9]
identity_1  |   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [120:org.eclipse.jetty.security:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:284) [152:org.ops4j.pax.web.pax-web-jetty:6.0.9]
identity_1  |   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [123:org.eclipse.jetty.servlet:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80) [152:org.ops4j.pax.web.pax-web-jetty:6.0.9]
identity_1  |   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.Server.handle(Server.java:534) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [122:org.eclipse.jetty.server:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [114:org.eclipse.jetty.io:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) [114:org.eclipse.jetty.io:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [114:org.eclipse.jetty.io:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [125:org.eclipse.jetty.util:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [125:org.eclipse.jetty.util:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [125:org.eclipse.jetty.util:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [125:org.eclipse.jetty.util:9.3.21.v20170918]
identity_1  |   at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [125:org.eclipse.jetty.util:9.3.21.v20170918]
identity_1  |   at java.lang.Thread.run(Thread.java:748) [?:?]
identity_1  | Caused by: com.unboundid.ldap.sdk.LDAPException: 00002037: objectclass: Invalid RDN 'UID' for objectclass 'inetOrgPerson'!
identity_1  |   at com.unboundid.ldap.sdk.LDAPConnection.add(LDAPConnection.java:1971) ~[?:?]
identity_1  |   at com.unboundid.ldap.sdk.LDAPConnection.add(LDAPConnection.java:1917) ~[?:?]
identity_1  |   at eu.hlavki.identity.services.ldap.impl.LdapAccountServiceImpl.createAccount(LdapAccountServiceImpl.java:112) ~[?:?]
identity_1  |   ... 52 more
identity_1  | 2018-06-15T10:08:44,693 | INFO  | qtp86591752-77   | LoggingOutInterceptor            | 41 - org.apache.cxf.cxf-core - 3.2.2 | Outbound Message
identity_1  | ---------------------------
identity_1  | ID: 39
identity_1  | Response-Code: 500
identity_1  | Content-Type: application/json
identity_1  | Headers: {Content-Type=[application/json], Date=[Fri, 15 Jun 2018 10:08:44 GMT]}
identity_1  | Payload: {"code":"LDAP_ERR","message":"LDAPException(resultCode=64 (naming violation), errorMessage='00002037: objectclass: Invalid RDN 'UID' for objectclass 'inetOrgPerson'!', diagnosticMessage='00002037: objectclass: Invalid RDN 'UID' for objectclass 'inetOrgPerson'!', ldapSDKVersion=4.0.0, revision='25575')"}
identity_1  | --------------------------------------

Guess it's because I don't have a uid component, but a CN component in my DN schema. Also, CN stores usernames instead of email IDs. How do I make this app reflect this change?

Thanks for replying.
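An offline check for the two configuration problems discussed above (the relative ldap.users.baseDN / ldap.groups.baseDN values set through ldap.cmd, and the uid RDN that the Samba directory rejects with a naming violation). This is an added example, not code from g-suite-identity-sync or from either participant: it parses the text that `config:list "(service.pid=eu.hlavki.identity.ldap)"` prints, applies the `config:property-set` lines of an ldap.cmd file to it, resolves the effective base DNs, and builds the account DN the synchronizer logs when it creates a user. The `rdn_attr` knob and the `audit` helper are assumptions made for illustration; the sample dump and ldap.cmd are constructed from what the thread shows, with the password masked.

```python
"""Sanity-check the Karaf LDAP configuration of g-suite-identity-sync without touching
any directory: parse the config:list dump, apply ldap.cmd, resolve DNs, report mismatches.
Added example; not part of the project."""
import re

# Constructed sample: the config:list output posted in the thread (password masked).
CONFIG_LIST_OUTPUT = """\
Pid:            eu.hlavki.identity.ldap
BundleLocation: ?
Properties:
   felix.fileinstall.filename = file:/opt/karaf/etc/identity/eu.hlavki.identity.ldap.cfg
   ldap.baseDN = dc=agni,dc=loc
   ldap.bindDN = cn=admin admin,cn=Users,dc=agni,dc=loc
   ldap.groups.baseDN = ou=groups
   ldap.host = ldap
   ldap.password = *********
   ldap.pool.initSize = 2
   ldap.pool.maxSize = 5
   ldap.port = 389
   ldap.users.baseDN = ou=people
   service.pid = eu.hlavki.identity.ldap
"""

# The ldap.cmd file suggested in the thread.
LDAP_CMD = """\
config:edit eu.hlavki.identity.ldap
config:property-set ldap.host agni.loc
config:property-set ldap.baseDN dc=agni,dc=loc
config:property-set ldap.users.baseDN cn=users
config:property-set ldap.groups.baseDN cn=users
config:update
"""

# Only the indented "key = value" lines of the dump carry properties.
PROPERTY_RE = re.compile(r"^\s+([\w.]+)\s*=\s*(.*)$")


def parse_config_list(text):
    """Return the properties of a config:list dump as a dict (first '=' separates key and value)."""
    props = {}
    for line in text.splitlines():
        m = PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def apply_karaf_cmd(props, cmd_text):
    """Apply the `config:property-set KEY VALUE` lines of a Karaf cmd file to a copy of props."""
    updated = dict(props)
    for line in cmd_text.splitlines():
        parts = line.split(None, 2)  # the value may contain spaces (bind DNs often do)
        if len(parts) == 3 and parts[0] == "config:property-set":
            updated[parts[1]] = parts[2].strip()
    return updated


def effective_base_dn(props, key):
    """ldap.users.baseDN / ldap.groups.baseDN are relative to ldap.baseDN, as hlavki notes."""
    rel, base = props[key].strip(), props["ldap.baseDN"].strip()
    return base if not rel else f"{rel},{base}"


def account_dn(props, email, rdn_attr="uid"):
    """DN the synchronizer logs on account creation: uid=<email>,<effective users base DN>.
    rdn_attr is a hypothetical knob, used here only to show what an AD-style server expects."""
    return f"{rdn_attr}={email},{effective_base_dn(props, 'ldap.users.baseDN')}"


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, lower-cased ('uid' for uid=...,cn=users,...)."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def _norm(dn):
    return dn.replace(" ", "").lower()


def audit(props, expected_host, expected_users_base, expected_groups_base, ad_style=True):
    """Return findings as strings; an empty list means the config matches expectations.
    ad_style: Samba AD enforces the schema RDN attribute (cn for inetOrgPerson), which is
    the naming violation the thread's last log excerpt shows for a uid=... DN."""
    findings = []
    if props.get("ldap.host") != expected_host:
        findings.append(f"ldap.host is {props.get('ldap.host')!r}, expected {expected_host!r}")
    users = effective_base_dn(props, "ldap.users.baseDN")
    if _norm(users) != _norm(expected_users_base):
        findings.append(f"users base resolves to {users!r}, expected {expected_users_base!r}")
    groups = effective_base_dn(props, "ldap.groups.baseDN")
    if _norm(groups) != _norm(expected_groups_base):
        findings.append(f"groups base resolves to {groups!r}, expected {expected_groups_base!r}")
    if ad_style and rdn_attribute(account_dn(props, "someone@example.invalid")) != "cn":
        findings.append("account RDN is uid=..., but an AD-style directory requires cn=... for inetOrgPerson")
    return findings


if __name__ == "__main__":
    before = parse_config_list(CONFIG_LIST_OUTPUT)
    after = apply_karaf_cmd(before, LDAP_CMD)
    expected = ("agni.loc", "cn=users,dc=agni,dc=loc", "cn=users,dc=agni,dc=loc")
    print("before ldap.cmd:", *audit(before, *expected), sep="\n  ")
    print("after ldap.cmd:", *audit(after, *expected), sep="\n  ")
    print("would create:", account_dn(after, "rahul@agniinfosystems.co.in"))
```

Running it against the thread's own values reproduces the sequence of the thread: four findings before ldap.cmd, and after it only the RDN finding remains, which is the part hlavki says needs code changes rather than configuration.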

hlavki commented 6 years ago

Can you please create a separate issue and describe your requirements? I think this needs some code changes.

rsaple commented 6 years ago

Sure. Thanks