db-derby-user mailing list archives

From dag.wan...@oracle.com (Dag H. Wanvik)
Subject Re: Trying to migrate to LDAP (but getting Error 08004)
Date Wed, 19 Jan 2011 14:19:27 GMT

Hi,

Thomas <Thomas.K.Hill@t-online.de> writes:

> java.sql.SQLException: Connection refused : javax.naming.CommunicationException
> : miniserver:10389 [Root exception is java.security.AccessControlException: 
> access denied (java.net.SocketPermission miniserver resolve)]
> 	at org.apache.derby.impl.jdbc.authentication.
> 	JNDIAuthenticationSchemeBase.getLoginSQLException(Unknown Source)
> 	at org.apache.derby.impl.jdbc.authentication.LDAPAuthentication
> 	SchemeImpl.authenticateUser(Unknown Source)

This means that a) you are running with the Java security manager
enabled, and b) you need to add a missing SocketPermission to the
derby.jar codebase in a policy file, cf.

http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservrun.html
http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservcustom.html

You can temporarily run the Derby server without the security manager
enabled (to test the LDAP), by starting the server with the
-noSecurityManager option, cf.

http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservopen.html

Thanks,
Dag

> 	at org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase.
> 	authenticate(Unknown Source)
> 	at org.apache.derby.impl.jdbc.EmbedConnection.checkUserCredentials
> 	(Unknown Source)
> 	at org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
> 	at org.apache.derby.impl.jdbc.EmbedConnection30.<init>(Unknown Source)
> 	at org.apache.derby.impl.jdbc.EmbedConnection40.<init>(Unknown Source)
> 	at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
> 	at org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
> 	at org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
> 	at org.apache.derby.impl.drda.Database.makeConnection(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName
> 	(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword
> 	(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection
> 	(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.processCommands
> 	(Unknown Source)
> 	at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
> Cleanup action completed
> Tue Jan 18 20:44:37 CET 2011 Thread[DRDAConnThread_3,5,main] 
> (DATABASE = ldaptest), (DRDAID = {1}), Connection refused : javax.naming.
> CommunicationException: miniserver:10389 [Root exception is java.security.
> AccessControlException: access denied (java.net.SocketPermission 
> miniserver resolve)]
>
> Here is the derby.properties file used:
> # Licensed to the Apache Software Foundation (ASF) under one or more
> # contributor license agreements.  See the NOTICE file distributed with
> # this work for additional information regarding copyright ownership.
> # The ASF licenses this file to You under the Apache License, Version 2.0
> # (the "License"); you may not use this file except in compliance with
> # the License.  You may obtain a copy of the License at
> #
> #     http://www.apache.org/licenses/LICENSE-2.0
> #
> # Unless required by applicable law or agreed to in writing, software
> # distributed under the License is distributed on an "AS IS" BASIS,
> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> # See the License for the specific language governing permissions and
> # limitations under the License.
>
> # derby.properties
> #
> # we are using the default properties values for this demo
> #
> derby.language.logQueryPlan=false
> # derby.drda.logConnections=true
> # derby.drda.traceAll=true
> derby.connection.requireAuthentication=true
> derby.authentication.provider=LDAP
> derby.authentication.server=ldap://miniserver:10389/
> derby.authentication.ldap.searchBase=o=THMB
>
> ad 2) I have passed the properties on the command line as suggested (after 
> having removed the derby.properties file). In this scenario the network 
> driver led to the same results as the embedded driver. Authorisation worked
> as expected; no entries in derby.log.
>
> In summary my testing seems to evidence that the network driver is only
> working in conjunction with LDAP authorization if the required properties
> are passed on the command line when starting up the server. (So there is 
> a way to achieve what I was trying to do.) However, when defining
> the properties as data-base properties, these are ignored by the driver. (which
> I would say is a bug). When defining the properties as system-wide properties 
> in derby.properties, then they seem to be recognized, but this scenario might 
> require modification of the security policy file (which I don't know yet), 
> before this approach will potentially work as well.
>
> Btw: the documentation is lacking details/guidance in this regard
>
> Regards
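
Added example, not part of the original message or of Derby's own code: a small check that reads the LDAP endpoint from derby.properties and reports whether the policy file grants the derby.jar codebase the SocketPermission named in the AccessControlException. The policy layout, the codeBase string and the function names are assumptions made for illustration; the host and port come from the quoted derby.properties.

```python
import re
from urllib.parse import urlparse

# Constructed inputs: three lines from the quoted derby.properties, and two
# policy files whose grant layout (codeBase string included) is assumed.
DERBY_PROPERTIES = """\
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
derby.authentication.server=ldap://miniserver:10389/
"""
POLICY_MISSING = """\
grant codeBase "${derby.install.url}derby.jar" {
  permission java.util.PropertyPermission "derby.*", "read";
};
"""
POLICY_FIXED = """\
grant codeBase "${derby.install.url}derby.jar" {
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.net.SocketPermission "miniserver:10389", "connect,resolve";
};
"""

# GRANT captures the body of every grant whose codeBase ends in derby.jar.
GRANT = re.compile(r'grant\s+codeBase\s+"[^"]*derby\.jar"\s*\{(.*?)\};', re.S)
SOCKET = re.compile(r'permission\s+java\.net\.SocketPermission\s+"([^"]+)"\s*,\s*"([^"]+)"')

def ldap_endpoint(properties):
    """Return (host, port) from derby.authentication.server; 389 if no port."""
    for line in properties.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "derby.authentication.server":
            url = urlparse(value.strip())
            return url.hostname, url.port or 389
    raise ValueError("derby.authentication.server is not set")

def derby_jar_can_reach(policy, host, port):
    """True if a derby.jar grant lets Derby resolve and connect to host:port.
    Simplified: exact host match, one port or none; no wildcards or ranges."""
    for body in GRANT.findall(policy):
        for target, actions in SOCKET.findall(body):
            t_host, _, t_port = target.partition(":")
            if (t_host.lower() == host.lower() and t_port in ("", str(port))
                    and "connect" in actions.lower()):  # connect implies resolve
                return True
    return False

if __name__ == "__main__":
    host, port = ldap_endpoint(DERBY_PROPERTIES)
    print(host, port, derby_jar_can_reach(POLICY_MISSING, host, port),
          derby_jar_can_reach(POLICY_FIXED, host, port))
```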
