This document explains how to troubleshoot the LDAP authentication problem that results in the error message "com.censhare.server.rmi.RMIServerException[ldap.sync-party-failed]: Access denied".

Problem

There are cases where an LDAP user cannot log in to the censhare application with their LDAP credentials, and the following error appears in the server logs:

com.censhare.server.rmi.RMIServerException[ldap.sync-party-failed]: Access denied
-----cause-----
com.censhare.support.transaction.TransactionException: ORA-02091: transaction rolled back
ORA-00001: unique constraint (CORPUS.PARTY_UN) violated

at com.censhare.support.transaction.TransactionManagerImpl.commitStep(TransactionManagerImpl.java:374)
at com.censhare.support.transaction.TransactionManagerImpl.commit(TransactionManagerImpl.java:401)
at modules.ldap.SyncParty.syncParty(SyncParty.java:356)
at sun.reflect.GeneratedMethodAccessor312.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)

Reason

As the error shows, the LDAP synchronisation has failed.
When a censhare system is set up to authenticate users against LDAP, the user details are synchronised from LDAP into the party table of the censhare database. As part of this, a unique value, the hexadecimal form of the user's objectGUID from the LDAP server, is also written into the party table in the field "id_extern". On each subsequent login, censhare compares the stored id_extern with the objectGUID delivered by the LDAP server before synchronising. If the two values do not match, the error shown above is raised.

Troubleshooting

1. Find the value of id_extern for the impacted user, either from the cached table or from the database.

a) Using the cached table (Admin Client in admin mode > Admin > Show cached tables > Party > XML logs). Search for the name of the impacted user; the id_extern value is shown in the user's entry.

Look for the Party table in the list of cached tables

Search for the name of the impacted user

b) Using the database

2. Log in to the LDAP server, open the properties of the LDAP user and switch to the Attribute Editor tab. Look for the attribute 'objectGUID'.

Note: the objectGUID shown here is not yet in hexadecimal format.

3. Click the View button in the bottom left corner of the properties dialog.

4. Choose Hexadecimal in the Value Format dropdown.

If the two values do not match, update the id_extern field of the party table in the database and set it to the objectGUID (HEX) value.

If id_extern is missing from the cached party table for the affected user, there are two options: either delete the user from the censhare database and recreate it,
or request the missing value id_extern="<AD ObjectGUID without dashes>" from IT-internal services and add it by SQL statement, or by exporting the user in the Admin Client, editing the XML and re-importing it. This change is active immediately without further action.
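The comparison in step 4 and the "missing id_extern" case above can be checked outside the GUI. The following Python script is an added example, not part of this article or of censhare: it takes the 16 raw bytes of an objectGUID (what the Attribute Editor shows with Value Format = Hexadecimal), produces the separator-free hex string to compare against id_extern, and classifies a party record as match, mismatch or missing. It also shows the dashed GUID string that Active Directory tools display for the same bytes; the first three groups of that string are stored little-endian, so stripping the dashes from it does not yield the same string as the hexadecimal byte dump, which is why the article's step 4 switches the display to Hexadecimal. The sample GUID and the sample id_extern values are constructed for the example.

```python
import re
import uuid

# Constructed sample: 16 raw objectGUID bytes as the Attribute Editor shows them
# in Hexadecimal value format. Not taken from any real directory or database.
SAMPLE_OBJECTGUID_BYTES = bytes.fromhex("6f2a9c1e3b4d5e6f8091a2b3c4d5e6f7")


def objectguid_hex(raw: bytes) -> str:
    """Lowercase hex of the 16 raw bytes, with no separators: the form that the
    article expects to find in party.id_extern."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return raw.hex()


def objectguid_dashed(raw: bytes) -> str:
    """Dashed GUID string as AD tools display it. Its first three groups are
    little-endian, so it is not objectguid_hex() with dashes inserted."""
    return str(uuid.UUID(bytes_le=raw))


def dashed_to_raw(dashed: str) -> bytes:
    """Inverse of objectguid_dashed(): rebuild the raw bytes from the dashed
    display form (braces around the GUID are tolerated)."""
    return uuid.UUID(dashed.strip().strip("{}")).bytes_le


def normalize_id_extern(value: str) -> str:
    """Lowercase and drop dashes, braces and whitespace so a value copied from
    the cached-table XML or from SQL output compares reliably."""
    return re.sub(r"[\s{}-]", "", value).lower()


def compare_id_extern(id_extern, raw: bytes) -> str:
    """Classify the party record against the directory's objectGUID:
    'missing'  -> id_extern is empty (recreate user or add the value),
    'match'    -> the stored value equals the hex objectGUID,
    'mismatch' -> the case behind the ldap.sync-party-failed error."""
    if id_extern is None or not id_extern.strip():
        return "missing"
    if normalize_id_extern(id_extern) == objectguid_hex(raw):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    raw = SAMPLE_OBJECTGUID_BYTES
    print("hex (Attribute Editor, Hexadecimal):", objectguid_hex(raw))
    print("dashed (AD display):               ", objectguid_dashed(raw))
    # Constructed id_extern values: uppercase hex, the dashed form with dashes
    # stripped (wrong byte order), an empty field and a NULL field.
    for stored in ("6F2A9C1E3B4D5E6F8091A2B3C4D5E6F7",
                   objectguid_dashed(raw).replace("-", ""), "", None):
        print(repr(stored), "->", compare_id_extern(stored, raw))
```

If only the dashed GUID is at hand, `dashed_to_raw()` followed by `objectguid_hex()` gives the value to compare with, or to write into, id_extern; the script prints both forms side by side so the difference in byte order is visible before any update is made.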