db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4989) LDAP authentication not working when using network client driver and database level properties
Date Wed, 02 Feb 2011 23:03:29 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12989853#comment-12989853 ]

Dag H. Wanvik commented on DERBY-4989:
--------------------------------------

* I think you can easily check that your policy file is being used by
  inserting some illegal syntax in the policy file. Also, the absence
  of the usual console message that the Derby server gives when using
  the default policy file would be an indication, i.e. the output

  "Security manager installed using the Basic server security policy."

  would be missing.

* As for file permission to access derby.log, you need to make sure
  your customized policy file contains the right contents for these
  lines (for codebase derby.jar):

  permission java.io.FilePermission "/export/home/dag/java/sb/apps/derby-4989","read";
  permission java.io.FilePermission "/export/home/dag/java/sb/apps/derby-4989${/}-", "read,write,delete";

  Substitute your directory path for derby.log for
  "/export/home/dag/java/sb/apps/derby-4989" and see if that helps!

  In the template policy file provided with Derby, these lines are
  given as:

  permission java.io.FilePermission "${derby.system.home}","read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";

  I expanded those to work for my case as shown above.

* It seems you also need this permission (example for mypolicy which I
  uploaded, you will need another codeBase url of course):

  grant codeBase "file:/export/home/dag/java/sb/sb107/jars/sane/derbynet.jar"
  {
   :
   permission java.net.SocketPermission "*", "accept";

The wildcard should probably be narrowed down, but it's ok for testing
if this is the issue. Note that this permission must be for the
codebase "derbynet.jar". Does this help?

* As for the other permission on derby.jar that allows it to connect
  to the LDAP server, I'll make a note on DERBY-4990 about it, thanks
  for noticing.

Hope this helps,
Dag



> LDAP authentication not working when using network client driver and database level properties
> ----------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4989
>                 URL: https://issues.apache.org/jira/browse/DERBY-4989
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Client
>         Environment: Network Server running under Debian 5.0 stable, Win XP Service Pack 3 Client, Derby Version 10.7.1.1, ApacheDS 1.5.7
>            Reporter: Thomas Hill
>         Attachments: LDAPrepro.txt, ldaprepro.tar.gz, mypolicy, screenshot-1.jpg
>
>
> The network server client driver is not recognising LDAP authentication provider configuration when database properties are being used.
> When trying to connect with the network client driver error 08004 'userid or password invalid' is thrown:
> [derby][SQLException@22c95b] java.sql.SQLException
> [derby][SQLException@22c95b] SQL state  = 08004
> [derby][SQLException@22c95b] Error code = 40000
> [derby][SQLException@22c95b] Message    = Connection authentication failure occurred.  Reason: userid or password invalid.
> The same database level properties when connecting using the embedded driver lead to a successful login and everything is working as expected with this driver.
> Notes:
> As there are two other options in setting up the LDAP authentication provider, here is the behaviour observed for the network driver in these scenarios:
> 1) when using system-level properties, socket permission errors are given when running with the JAVA security manager enabled; so additional configuration in form of setting up a custom Security Manager is required
> 2) when supplying the properties as command line arguments at server start-up the properties are recognised (and authorisation is validated as expected without changes required to the default Basic Security Manager)
> Here is the output of sysinfo for my environment and the script used for setting the database level properties:
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider','LDAP');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.server','myserver:10389');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchBase','o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchFilter','derby.user');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.thill','uid=thill,o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'true');
> sysinfo for the server
> ------------------ Java Information ------------------
> Java Version:    1.6.0_22
> Java Vendor:     Sun Microsystems Inc.
> Java home:       /usr/lib/jvm/java-6-sun-1.6.0.22/jre
> Java classpath:  /var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyrun.jar
> OS name:         Linux
> OS architecture: i386
> OS version:      2.6.26-2-686
> Java user name:  root
> Java user home:  /root
> Java user dir:   /root
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_22-b04
> --------- Derby Information --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derby.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbytools.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbynet.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyclient.jar] 10.7.1.1 - (1040133)
> ------------------------------------------------------
> ----------------- Locale Information -----------------
> Current Locale :  [English/United States [en_US]]
> Found support for locale: [cs]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [de_DE]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [es]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [fr]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [hu]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [it]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [ja_JP]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [ko_KR]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [pl]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [pt_BR]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [ru]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_CN]
> 	 version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_TW]
> 	 version: 10.7.1.1 - (1040133)
> ------------------------------------------------------
> sysinfo for the client
> ------------------ Java-Informationen ------------------
> Java-Version: 1.6.0_23
> Java-Anbieter: Sun Microsystems Inc.
> Java-Home: C:\Programme\Java\jre6
> Java-Klassenpfad: C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbyrun.jar
> Name des Betriebssystems: Windows XP
> Architektur des Betriebssystems: x86
> Betriebssystemversion: 5.1
> Java-Benutzername: Thomas
> Java-Benutzerausgangsverzeichnis: C:\Dokumente und Einstellungen\Thomas
> Java-Benutzerverzeichnis: C:\Daten\derby\keys
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_23-b05
> --------- Derby-Informationen --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derby.jar] 10.7.1.1 - (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbytools.jar] 10.7.1.1 - (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbynet.jar] 10.7.1.1 - (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbyclient.jar] 10.7.1.1 - (1040133)
> ------------------------------------------------------
> ----------------- Informationen zur Ländereinstellung -----------------
> Aktuelle Ländereinstellung:  [Deutsch/Deutschland [de_DE]]
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [cs]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [de_DE]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [es]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [fr]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [hu]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [it]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pl]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pt_BR]
> 	 Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [ru]
> 	 Version: 10.7.1.1 - (1040133)
> ------------------------------------------------------

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
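
A check for the permissions discussed in the comment above, as an added example that is not part of the original message or of Derby: a small Python audit of a Java policy file that flags the wildcard `accept` grant and a missing LDAP `connect` grant. The `/opt/derby` codeBase paths, the function names and the finding texts are assumptions; `myserver:10389` is the LDAP server from the issue's script.

```python
import re

# Constructed sample built from the grants quoted above; /opt/derby is a placeholder.
SAMPLE_POLICY = '''
grant codeBase "file:/opt/derby/lib/derbynet.jar"
{
  permission java.net.SocketPermission "*", "accept";
};
grant codeBase "file:/opt/derby/lib/derby.jar"
{
  permission java.io.FilePermission "${derby.system.home}","read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
};
'''
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\n\s*\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"\s*(?:,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return (jar name, class, target, set of actions) for every permission."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # whole-line comments only
    perms = []
    for codebase, body in GRANT_RE.findall(text):
        jar = re.split(r'[/}]', codebase)[-1]  # file:/x/derby.jar or ${url}derby.jar
        for cls, target, actions in PERM_RE.findall(body):
            perms.append((jar, cls, target, {a.strip() for a in actions.split(",")}))
    return perms

def port_ok(spec, port):  # SocketPermission port forms: '', 'N', 'N-', '-N', 'N1-N2'
    lo, dash, hi = spec.partition("-")
    if not dash:
        return not spec or int(lo) == port
    return int(lo or 0) <= port <= int(hi or 65535)

def audit(text, ldap_host, ldap_port):
    """Return findings for the permissions the message says Derby needs."""
    perms, out = parse_policy(text), []
    sock = [(j, *t.partition(":")[::2], a) for j, c, t, a in perms
            if c == "java.net.SocketPermission"]
    accept = [h for j, h, p, a in sock if j == "derbynet.jar" and "accept" in a]
    if not accept:
        out.append("derbynet.jar: no SocketPermission with accept")
    if "*" in accept:
        out.append("derbynet.jar: accept from * should be narrowed")
    if not any(j == "derby.jar" and "connect" in a and port_ok(p, ldap_port)
               and h.lower() in ("*", ldap_host.lower()) for j, h, p, a in sock):
        out.append("derby.jar: no connect permission for %s:%d" % (ldap_host, ldap_port))
    if not any(j == "derby.jar" and c == "java.io.FilePermission" and t.endswith("-")
               and {"read", "write"} <= a for j, c, t, a in perms):
        out.append("derby.jar: no recursive read,write FilePermission (derby.log)")
    return out
```

Calling `audit(SAMPLE_POLICY, "myserver", 10389)` reports the wildcard accept and the missing LDAP connect grant. IPv6 literal targets and `/* */` comments are not handled.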

       
