From: "Alex Karasulu"
To: "Apache Directory Developers List"
Date: Fri, 21 Dec 2007 11:15:04 -0500
Subject: Re: 1.5.2 ApacheDS() loadLdifs Problem

There was another thread on exactly this problem. I recommend you proceed like so for now:

(1) get a handle on the DirectoryService
(2) access the attributeType registry via directoryService.getRegistries().getAttributeTypeRegistry()
(3) from the attribute type registry access the normalizer map getNormalizerMap() or something like that
(4) feed this into the dn.normalize() method of the dn you feed into LdapPrincipal

The reason for all this is that a normalized DN is required in the LdapPrincipal so the server can properly check and compare DNs for various housekeeping operations and things like authorization and authentication.  If the DN is not normalized then these operations will not correctly evaluate.  This is why an exception is thrown to stop unsuspecting users.

We do need to figure out a better way to handle this but until then this sequence above should work.

Alex

On Dec 21, 2007 6:26 AM, <Simon.Temple@saaconsultants.com> wrote:
> Update:
>
> Changing the code to this seems to work:
>
>  LdapDN dn = new LdapDN();
>  dn.add( ServerDNConstants.ADMIN_SYSTEM_DN );
>  LdapPrincipal admin = new LdapPrincipal( dn, AuthenticationLevel.STRONG );
> this is because the empty constructor sets isNormalized to true!
>
> This smells like a work-around not a fix... anyone care to comment?
>
> Thanks
>
> - SimonT
>
> 21 December 2007 10:52
> To: dev@directory.apache.org
> cc:
> From: Simon.Temple@saaconsultants.com
> Subject: 1.5.2 ApacheDS() loadLdifs Problem
>
> Hi
>
> I can't start a 1.5.2 server via the ApacheDS class:
>
> LdapPrincipal admin = new LdapPrincipal( new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN ), AuthenticationLevel.STRONG );
>
> java.lang.IllegalStateException: Names used for principals must be normalized!
>  at org.apache.directory.server.core.authn.LdapPrincipal.<init>(LdapPrincipal.java:72)
>  at org.apache.directory.server.configuration.ApacheDS.loadLdifs(ApacheDS.java:321)
>  at org.apache.directory.server.configuration.ApacheDS.startup(ApacheDS.java:95)
>
> Will it work if the code is changed to use ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED?
>
>
> - SimonT
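
Why principal names have to be normalized before DN comparisons can be trusted, as an added self-contained illustration that is not part of the original message and is not ApacheDS code. The normalizer table, the sample DNs and the helper names are all constructed for the example, and the parser handles only simple DNs without escaped commas or multi-valued RDNs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added illustration, not ApacheDS code: every name and value here is constructed.
public class DnNormalizationDemo {
    // Toy stand-in for a normalizer map: attribute type -> value normalizer.
    static final Map<String, UnaryOperator<String>> NORMALIZERS =
        Map.<String, UnaryOperator<String>>of(
            "uid", v -> v.trim().toLowerCase(Locale.ROOT),
            "ou", v -> v.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT));

    // Normalizes a simple DN (no escaped commas, no multi-valued RDNs).
    static String normalize(String dn) {
        List<String> rdns = new ArrayList<>();
        for (String rdn : dn.split(",")) {
            String[] kv = rdn.split("=", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad RDN: " + rdn);
            String type = kv[0].trim().toLowerCase(Locale.ROOT);
            UnaryOperator<String> normalizer = NORMALIZERS.get(type);
            // Fail closed: a value that cannot be normalized cannot be compared safely.
            if (normalizer == null) throw new IllegalArgumentException("no normalizer: " + type);
            rdns.add(type + "=" + normalizer.apply(kv[1]));
        }
        return String.join(",", rdns);
    }

    // Hypothetical guard modelled on the exception message quoted in the thread.
    static String principal(String dn) {
        if (!dn.equals(normalize(dn)))
            throw new IllegalStateException("Names used for principals must be normalized!");
        return dn;
    }

    public static void main(String[] args) {
        String admin = principal("uid=admin,ou=system"); // constructed, already normalized
        for (String presented : new String[] {"uid=admin,ou=system", "UID=Admin, OU=System"}) {
            System.out.printf("%-24s raw=%b normalized=%b%n", presented,
                admin.equals(presented), admin.equals(normalize(presented)));
        }
        try {
            principal("UID=Admin, OU=System"); // rejected instead of silently mis-comparing
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second sample DN names the same entry as the first, yet the raw string comparison treats it as a different identity; only the comparison on normalized forms matches, which is the class of mis-evaluation the constructor check is there to prevent.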
