From: dag.wanvik@oracle.com (Dag H. Wanvik)
To: "Derby Discussion" <derby-user@db.apache.org>
Subject: Re: Trying to migrate to LDAP (but getting Error 08004)
Date: Wed, 19 Jan 2011 15:19:27 +0100
In-Reply-To: (Thomas's message of "Tue, 18 Jan 2011 20:26:03 +0000 (UTC)")

Hi,

Thomas writes:

> java.sql.SQLException: Connection refused : javax.naming.CommunicationException
> : miniserver:10389 [Root exception is java.security.AccessControlException:
> access denied (java.net.SocketPermission miniserver resolve)]
>         at org.apache.derby.impl.jdbc.authentication.JNDIAuthenticationSchemeBase.getLoginSQLException(Unknown Source)
>         at org.apache.derby.impl.jdbc.authentication.LDAPAuthenticationSchemeImpl.authenticateUser(Unknown Source)

This means that a) you are running with the Java security manager enabled,
and b) you need to add a missing SocketPermission to the derby.jar codebase
in a policy file, cf.

http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservrun.html
http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservcustom.html

You can temporarily run the Derby server without the security manager
enabled (to test the LDAP), by starting the server with the
-noSecurityManager option, cf.

http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservopen.html

Thanks,
Dag

>         at org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase.authenticate(Unknown Source)
>         at org.apache.derby.impl.jdbc.EmbedConnection.checkUserCredentials(Unknown Source)
>         at org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
>         at org.apache.derby.impl.jdbc.EmbedConnection30.<init>(Unknown Source)
>         at org.apache.derby.impl.jdbc.EmbedConnection40.<init>(Unknown Source)
>         at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
>         at org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
>         at org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
>         at org.apache.derby.impl.drda.Database.makeConnection(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.processCommands(Unknown Source)
>         at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
> Cleanup action completed
> Tue Jan 18 20:44:37 CET 2011 Thread[DRDAConnThread_3,5,main]
> (DATABASE = ldaptest), (DRDAID = {1}), Connection refused : javax.naming.CommunicationException:
> miniserver:10389 [Root exception is java.security.AccessControlException: access denied
> (java.net.SocketPermission miniserver resolve)]
>
> Here is the derby.properties file used:
>
> # Licensed to the Apache Software Foundation (ASF) under one or more
> # contributor license agreements.  See the NOTICE file distributed with
> # this work for additional information regarding copyright ownership.
> # The ASF licenses this file to You under the Apache License, Version 2.0
> # (the "License"); you may not use this file except in compliance with
> # the License.  You may obtain a copy of the License at
> #
> #    http://www.apache.org/licenses/LICENSE-2.0
> #
> # Unless required by applicable law or agreed to in writing, software
> # distributed under the License is distributed on an "AS IS" BASIS,
> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> # See the License for the specific language governing permissions and
> # limitations under the License.
>
> # derby.properties
> #
> # we are using the default properties values for this demo
> #
> derby.language.logQueryPlan=false
> # derby.drda.logConnections=true
> # derby.drda.traceAll=true
> derby.connection.requireAuthentication=true
> derby.authentication.provider=LDAP
> derby.authentication.server=ldap://miniserver:10389/
> derby.authentication.ldap.searchBase=o=THMB
>
> ad 2) I have passed the properties on the command line as suggested (after
> having removed the derby.properties file). In this scenario the network
> driver led to the same results as the embedded driver. Authorisation worked
> as expected; no entries in derby.log.
>
> In summary my testing seems to evidence that the network driver is only
> working in conjunction with LDAP authorization if the required properties
> are passed on the command line when starting up the server. (So there is
> a way to achieve what I was trying to do.) However, when defining
> the properties as database properties, these are ignored by the driver (which
> I would say is a bug). When defining the properties as system-wide properties
> in derby.properties, then they seem to be recognized, but this scenario might
> require modification of the security policy file (which I don't know yet),
> before this approach will potentially work as well.
>
> Btw: the documentation is lacking details/guidance in this regard.
>
> Regards
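The policy grant Dag's reply points to, written out as an added example. This is not part of the original thread and not Derby's shipped server.policy; it is the grant an editor would add to a copy of that template for the LDAP server Thomas configured (derby.authentication.server=ldap://miniserver:10389/). It assumes the template's convention of locating the jars through the ${derby.install.url} variable; the jar location (file:/opt/derby/lib/) and the policy file name (myserver.policy) below are placeholders.

```policy
// Added example, not from Derby's distribution or from the thread.
// Grant the Derby engine permission to reach the LDAP server named in
// derby.authentication.server. ${derby.install.url} is the variable the
// shipped server.policy template uses to locate derby.jar; it is set on the
// command line, e.g. -Dderby.install.url=file:/opt/derby/lib/ (placeholder path).
grant codeBase "${derby.install.url}derby.jar" {
  // The trace fails on the "resolve" action first: the JNDI LDAP provider
  // has to resolve the host name before it can open a socket. Once that is
  // allowed, "connect" is needed for the LDAP bind itself, so both actions
  // go in one grant. Scoping it to host:port instead of "*" keeps the engine
  // from being able to talk to anything but the directory server; a
  // resolve-only check against the bare host name is still satisfied,
  // because SocketPermission does not compare port ranges for resolve.
  permission java.net.SocketPermission "miniserver:10389", "connect,resolve";
};
```

The policy is activated the way the customization page Dag linked describes: start the Network Server with the security manager on and the edited file named explicitly, roughly `java -Djava.security.manager -Djava.security.policy=myserver.policy -Dderby.install.url=file:/opt/derby/lib/ org.apache.derby.drda.NetworkServerControl start`, with the paths adjusted to the installation. The -noSecurityManager option is useful to confirm that the LDAP configuration itself is right, but it should not stay in the production start script: the security manager is what confines a server that is now passing user credentials to an external directory. If the directory is reached on a different port (for example over LDAPS rather than plain ldap://), the port in the grant changes accordingly.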