tomcat-dev mailing list archives
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 9705] New: - Extra LDAP searches occur during JNDIRealm authentication
Date Fri, 07 Jun 2002 21:12:02 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9705>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9705

Extra LDAP searches occur during JNDIRealm authentication

           Summary: Extra LDAP searches occur during JNDIRealm
                    authentication
           Product: Tomcat 4
           Version: 4.1.3
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jemiller@uchicago.edu


I'm using JNDIRealm with the following setup.

<Realm className="org.apache.catalina.realm.JNDIRealm"
	debug="99"
	connectionName="cn=Directory Manager"
	connectionPassword="mypassword"
	connectionURL="ldap://myldapserver"
	userPattern="uid={0}, ou=People, dc=mydomain"
	userRoleName="ou"/>

I noticed that JNDIRealm is performing an extra query with a search base of "" 
and a filter of "(objectClass=*)". If I perform this search using ldapsearch, 
I receive an error of "ldap_search: No such object", so, it appears that that 
search isn't returning any meaningful information.

The following is what gets logged when using iPlanet Directory Server 5.1.

[07/Jun/2002:15:41:36 -0500] conn=23 op=12 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=12 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 RESULT err=0 tag=101 nentries=1 etime=0

Another possible optimization could be implemented for the following setup. 
With this setup connectionName and connectionPassword are left unspecified. As 
a result, an anonymous bind occurs when querying for the userRoleName. This 
works as long as the attribute that is being queried for is readable by the 
anonymous user.

<Realm className="org.apache.catalina.realm.JNDIRealm"
	debug="99"
	connectionURL="ldap://myldapserver"
	userPattern="uid={0}, ou=People, dc=mydomain"
	userRoleName="ou"/>

This is what the log looks like. As you can see, it's the same as above. In 
this case, really all you need to do is bind as the user that you are 
authenticating. IMHO, if the connectionName and connectionPassword are left 
unspecified, it shouldn't perform the extra bind.

[07/Jun/2002:15:54:05 -0500] conn=26 op=0 BIND dn="" method=128 version=3
[07/Jun/2002:15:54:05 -0500] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 RESULT err=0 tag=101 nentries=1 etime=0

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
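The two access-log excerpts in the report are the kind of thing worth checking mechanically rather than by eye. What follows is an added example, not code from Tomcat or from the reporter: a small Python audit that parses iPlanet-style access-log lines (the wrapped lines from the report rejoined one operation per line and embedded as constructed sample data), pairs each request with its RESULT, flags base-scope searches of the empty DN for (objectClass=*) (which read the root DSE), and flags connections whose first BIND is anonymous and is followed by a BIND as a user DN. The helper names (parse_line, audit, redundant_ops) and the "redundant operations" count are my own assumptions that follow the report's argument; they are not Tomcat behaviour.

```python
"""Audit an iPlanet-style LDAP access log for the JNDIRealm pattern in the
report: a root-DSE search and, in the anonymous case, an extra BIND per login.
Added example; helper names and the redundancy rule are assumptions."""
import re
from collections import defaultdict

# Constructed sample: the two runs from the report, one op per line.
SAMPLE_LOG = """\
[07/Jun/2002:15:41:36 -0500] conn=23 op=12 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=12 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:54:05 -0500] conn=26 op=0 BIND dn="" method=128 version=3
[07/Jun/2002:15:54:05 -0500] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs: values are double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "conn": int(m.group("conn")),
           "op": int(m.group("op")), "kind": m.group("kind")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if bare == "" else bare  # bare is non-empty when it matched
    return rec


def operations(text):
    """Pair each request with its RESULT, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        slot = "result" if r["kind"] == "RESULT" else "request"
        ops.setdefault((r["conn"], r["op"]), {})[slot] = r
    return ops


def is_root_dse_probe(req):
    """Base-scope search of the empty DN for (objectClass=*) reads the root DSE."""
    return (req["kind"] == "SRCH" and req.get("base") == "" and req.get("scope") == "0"
            and req.get("filter", "").lower() == "(objectclass=*)")


def audit(text):
    """Per connection: bind DNs in order, root-DSE probes with their entry counts,
    and whether an anonymous BIND (dn="") was followed by a BIND as a user DN."""
    per_conn = defaultdict(lambda: {"ops": 0, "binds": [], "root_dse_probes": [],
                                    "anonymous_then_user_bind": False})
    for (conn, op), pair in sorted(operations(text).items(), key=lambda kv: kv[0]):
        req = pair.get("request")
        if req is None:
            continue
        info = per_conn[conn]
        info["ops"] += 1
        if req["kind"] == "BIND":
            info["binds"].append((op, req.get("dn", "")))
        elif is_root_dse_probe(req):
            info["root_dse_probes"].append((op, int(pair.get("result", {}).get("nentries", 0))))
    for info in per_conn.values():
        dns = [dn for _, dn in info["binds"]]
        info["anonymous_then_user_bind"] = len(dns) >= 2 and dns[0] == "" and dns[1] != ""
    return dict(per_conn)


def redundant_ops(info):
    """Count of operations the report argues are unnecessary (assumption: every
    root-DSE probe, plus the anonymous bind that precedes a user bind)."""
    return len(info["root_dse_probes"]) + (1 if info["anonymous_then_user_bind"] else 0)


if __name__ == "__main__":
    for conn, info in sorted(audit(SAMPLE_LOG).items()):
        print(f"conn={conn}: {info['ops']} ops, binds={info['binds']}, "
              f"root_dse_probes={info['root_dse_probes']}, "
              f"anonymous_then_user_bind={info['anonymous_then_user_bind']}, "
              f"redundant_ops={redundant_ops(info)}")
```

Run against a real access log, the root-DSE probe count per connection gives a quick measure of how many operations the pattern in the report costs per authentication, and the anonymous-then-user-bind flag identifies realms configured without connectionName/connectionPassword.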

