tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28636] New: - JNDI Authorization Broken.
Date Tue, 27 Apr 2004 19:45:40 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28636>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28636

JNDI Authorization Broken.

           Summary: JNDI Authorization Broken.
           Product: Tomcat 4
           Version: 4.1.30
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: randy.watson@guidant.com


I have successfully used both JDBC and JNDI (backed by Active Directory) on
Tomcat 4.1.27, 4.1.29, and can toggle between them easily.  I upgraded to
4.1.30, and the authentication portion works, but the authorization breaks.  It
retrieves the roles successfully from the AD server.  FWIW, JDBC realms work as
expected.

Here is the logfile from the 4.1.30 instance:
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Searching for USER
2004-04-27 14:20:58 JNDIRealm[Standalone]:   base: OU=Users, OU=CITY,OU=USA,
DC=ad,DC=COMPANY,DC=com  filter: (sAMAccountName=USER)
2004-04-27 14:20:58 JNDIRealm[Standalone]:   entry found for USER with dn
CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]:   retrieving values for attribute
memberOf
2004-04-27 14:20:58 JNDIRealm[Standalone]:   validating credentials by binding
as the user
2004-04-27 14:20:58 JNDIRealm[Standalone]:   binding as
CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER successfully authenticated
2004-04-27 14:20:58 JNDIRealm[Standalone]:  
getRoles(CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com)
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Searching role base 'OU=Groups,
OU=CITY, OU=USA, DC=ad,DC=COMPANY,DC=com' for attribute 'cn'
2004-04-27 14:20:58 JNDIRealm[Standalone]:   With filter expression
'\28member=CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com\29'
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Returning 68 roles
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role
CN=MatlibUser,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role
CN=MatlibSysAdmin,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role
CN=MatlibDataAdmin,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role CN=STP RND DEV
Hippo,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role
MatlibUser
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role STP
RND AARDVARK
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role STP
RND DEV AEG
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role all


Note that it successfully retrieves the roles, but for some reason claims the
USER is not in the role (i.e. STP RND AARDVARK, STP RND DEV AEG, and MatlibUser
specifically).

If I use the same webapp war file, the same JNDI realm, same (cp/paste) realm
config in a 4.1.29 instance, it works well.

Here is the log from that:
2004-04-27 14:10:37 JNDIRealm[Standalone]: Connecting to URL
ldap://LDAPSERVER.COMPANY.com
2004-04-27 14:14:10 JNDIRealm[Standalone]:   Searching for USER
2004-04-27 14:14:10 JNDIRealm[Standalone]:   base: OU=Users, OU=CITY, OU=USA,
DC=ad,DC=COMPANY,DC=com  filter: (sAMAccountName=USER)
2004-04-27 14:14:10 JNDIRealm[Standalone]:   entry found for USER with dn
CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:10 JNDIRealm[Standalone]:   retrieving values for attribute
memberOf
2004-04-27 14:14:10 JNDIRealm[Standalone]:   validating credentials by binding
as the user
2004-04-27 14:14:10 JNDIRealm[Standalone]:   binding as
CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:10 JNDIRealm[Standalone]: Username USER successfully authenticated
2004-04-27 14:14:11 JNDIRealm[Standalone]:  
getRoles(CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com)
2004-04-27 14:14:11 JNDIRealm[Standalone]:   Searching role base 'OU=Groups,
OU=CITY, OU=USA, DC=ad,DC=COMPANY,DC=com' for attribute 'cn'
2004-04-27 14:14:11 JNDIRealm[Standalone]:   With filter expression
'(member=CN=USER,OU=Users,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com)'
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   retrieving values for attribute cn
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Returning 90 roles
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role
CN=MatlibUser,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role
CN=MatlibSysAdmin,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role
CN=MatlibDataAdmin,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role CN=STP RND
AARDVARK,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role CN=STP RND DEV
AEG,OU=Groups,OU=CITY,OU=USA,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role MatlibDataAdmin
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role MatlibSysAdmin
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role MatlibUser
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role STP RND AARDVARK
2004-04-27 14:14:14 JNDIRealm[Standalone]:   Found role STP RND DEV AEG
2004-04-27 14:14:14 JNDIRealm[Standalone]: Username USER has role MatlibUser
2004-04-27 14:14:14 JNDIRealm[Standalone]: Username USER has role MatlibUser
2004-04-27 14:14:14 JNDIRealm[Standalone]: Username USER has role MatlibUser
2004-04-27 14:14:19 JNDIRealm[Standalone]: Username USER has role STP RND AARDVARK
2004-04-27 14:14:19 JNDIRealm[Standalone]: Username USER has role STP RND DEV AEG
2004-04-27 14:14:19 JNDIRealm[Standalone]: Username USER does NOT have role all
2004-04-27 14:14:19 JNDIRealm[Standalone]: Username USER does NOT have role min

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
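
An added example, not part of the original report or of Tomcat's code: a Python triage script for JNDIRealm debug logs like the two quoted above. It rejoins e-mail-wrapped records, then lists roles that were logged as found but later denied, and filter expressions logged with the RFC 2254 escapes `\28`/`\29`; the sample log is constructed and all function names are assumptions.

```python
import re

# Constructed sample shaped like the 4.1.30 excerpt (e-mail line wrapping kept).
SAMPLE_LOG = r"""2004-04-27 14:20:58 JNDIRealm[Standalone]:   With filter expression
'\28member=CN=USER,OU=Users,DC=ad,DC=COMPANY,DC=com\29'
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Returning 2 roles
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role
CN=MatlibUser,OU=Groups,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]:   Found role CN=STP RND
AARDVARK,OU=Groups,DC=ad,DC=COMPANY,DC=com
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role
MatlibUser
2004-04-27 14:20:58 JNDIRealm[Standalone]: Username USER does NOT have role all
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} JNDIRealm\[[^\]]*\]:\s*")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(STAMP.sub("", line).strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def cn_of(role):
    """Short role name: the leading CN value if the role is a DN, else the string itself."""
    m = re.match(r"CN=([^,]+),", role, re.I)
    return m.group(1) if m else role

def audit(text):
    """Summarise filter escaping and found-versus-denied roles in one log excerpt."""
    found, denied, filters = set(), [], []
    for rec in unwrap(text):
        if rec.startswith("Found role "):
            found.add(cn_of(rec[len("Found role "):]))
        elif (m := re.match(r"Username \S+ does NOT have role (.+)", rec)):
            denied.append(m.group(1))
        elif rec.startswith("With filter expression "):
            filters.append(rec[len("With filter expression "):].strip("'"))
    return {
        "escaped_filters": [f for f in filters if r"\28" in f or r"\29" in f],
        # roles the realm logged as found, yet refused at role-check time
        "found_but_denied": sorted({r for r in denied if r in found}),
        "denied_not_found": sorted({r for r in denied if r not in found}),
    }
```

A non-empty `found_but_denied` list is the symptom the report describes: the directory search returned the group, but the later role check refused it.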

