From: Thomas
To: derby-user@db.apache.org
Subject: Re: Trying to migrate to LDAP (but getting Error 08004)
Date: Tue, 18 Jan 2011 20:26:03 +0000 (UTC)
References: <4D346AFE.8090809@gmail.com> <4D350F7B.9020902@gmail.com>

I have now tested the following two scenarios in conjunction with the network driver:

1) using system-wide properties rather than database-level properties
2) as you suggested, supplying the properties as command line parameters

ad 1) When trying to connect using IJ I continue to receive error 08004; however, now the following messages are written to derby.log (which I have to admit do not tell me much at this stage, but at least it looks like the network driver has recognized the "LDAP" related properties. Note: I had started IJ on the same machine where Derby and the directory server are running):

Tue Jan 18 20:44:36 CET 2011:
Booting Derby version The Apache Software Foundation - Apache Derby - 10.7.1.1 - (1040133): instance a816c00e-012d-9aa7-e0cc-00005302821d
on database directory /var/lib/derby/db-derby-10.7.1.1-data/ldaptest with class loader sun.misc.Launcher$AppClassLoader@7d772e
Loaded from file:/var/lib/derby/db-derby-10.7.1.1-bin/lib/derby.jar
java.vendor=Sun Microsystems Inc.
java.runtime.version=1.6.0_22-b04
Database Class Loader started - derby.database.classpath=''
Tue Jan 18 20:44:37 CET 2011 Thread[DRDAConnThread_3,5,main] (XID = 13), (SESSIONID = 0), (DATABASE = ldaptest), (DRDAID = {1}), Cleanup action starting
java.sql.SQLException: Connection refused : javax.naming.CommunicationException : miniserver:10389 [Root exception is java.security.AccessControlException: access denied (java.net.SocketPermission miniserver resolve)]
        at org.apache.derby.impl.jdbc.authentication.JNDIAuthenticationSchemeBase.getLoginSQLException(Unknown Source)
        at org.apache.derby.impl.jdbc.authentication.LDAPAuthenticationSchemeImpl.authenticateUser(Unknown Source)
        at org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase.authenticate(Unknown Source)
        at org.apache.derby.impl.jdbc.EmbedConnection.checkUserCredentials(Unknown Source)
        at org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
        at org.apache.derby.impl.jdbc.EmbedConnection30.<init>(Unknown Source)
        at org.apache.derby.impl.jdbc.EmbedConnection40.<init>(Unknown Source)
        at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
        at org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
        at org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
        at org.apache.derby.impl.drda.Database.makeConnection(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.processCommands(Unknown Source)
        at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
Cleanup action completed
Tue Jan 18 20:44:37 CET 2011 Thread[DRDAConnThread_3,5,main] (DATABASE = ldaptest), (DRDAID = {1}), Connection refused : javax.naming.CommunicationException: miniserver:10389 [Root exception is java.security.AccessControlException: access denied (java.net.SocketPermission miniserver resolve)]

Here is the derby.properties file used:

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# derby.properties
#
# we are using the default properties values for this demo
# derby.language.logQueryPlan=false
# derby.drda.logConnections=true
# derby.drda.traceAll=true
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
derby.authentication.server=ldap://miniserver:10389/
derby.authentication.ldap.searchBase=o=THMB

ad 2) I have passed the properties on the command line as suggested (after having removed the derby.properties file). In this scenario the network driver led to the same results as the embedded driver. Authorisation worked as expected; no entries in derby.log.

In summary, my testing seems to evidence that the network driver is only working in conjunction with LDAP authorization if the required properties are passed on the command line when starting up the server. (So there is a way to achieve what I was trying to do.) However, when defining the properties as database properties, these are ignored by the driver (which I would say is a bug). When defining the properties as system-wide properties in derby.properties, they seem to be recognized, but this scenario might require modification of the security policy file (which I don't know yet) before this approach will potentially work as well.

Btw: the documentation is lacking details/guidance in this regard.

Regards
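Added here as an illustration and not part of Thomas's message or of Derby's shipped policy template: a Java security policy grant that would cover the SocketPermission denied in the derby.log above, so the network server can keep running under the security manager instead of having it disabled. It assumes the server is started with an explicit policy file, that the `${derby.install.url}` variable and `derby.jar` codebase from Derby's template policy are in use, and that the directory server is the miniserver:10389 named in derby.properties.

```text
// Added example (not from the original message or the Derby project).
// Start the network server with this policy so the grant below is applied, e.g.:
//   java -Djava.security.manager -Djava.security.policy=server.policy \
//        org.apache.derby.drda.NetworkServerControl start
//
// The permission denied in derby.log was:
//   java.net.SocketPermission miniserver resolve
// The JNDI/LDAP bind is performed by the engine (derby.jar), so the grant
// belongs on its codebase, not on derbynet.jar.
grant codeBase "${derby.install.url}derby.jar" {
  // "resolve" is what was denied; "connect" is needed right after it to reach
  // the LDAP port. Scope the grant to the host:port from
  // derby.authentication.server instead of "*" so the engine cannot open
  // sockets anywhere else.
  permission java.net.SocketPermission "miniserver:10389", "connect,resolve";
};
```

The host in the grant must be written the same way as in derby.authentication.server (name or address), since SocketPermission matches on the host given there; a mismatch shows up as the same AccessControlException.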