tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: JNDIRealm userPattern DOMAIN/username
Date Fri, 04 Feb 2011 18:38:31 GMT
Christopher Schultz wrote:
> Hash: SHA1
> Brandon,
> On 2/3/2011 5:36 PM, Brandon DuRette wrote:
>> One of our customers had configured JNDIRealm to authenticate against Active
>> Directory using the userPattern="DOMAIN/{0}". This was working great with
>> Tomcat 6.0.20 (with my patch for 42579 applied (IIRC, the first time it was
>> applied in the trunk it was misapplied)). However, when we upgraded to
>> 6.0.29 this began failing:
>> javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
>> 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
>> vece ]; remaining name 'DOMAIN\username
>> I've gone through the code trying to figure out if anything has changed in
>> JNDIRealm that would affect this, but I couldn't see anything. Has anyone
>> had success with this configuration or have any idea what might be causing
>> this error?
> Take a look at the Changelog: there have been a number of changes to the
> JNDIRealm betwene 6.0.20 and 6.0.29, including this one:
> "
> Various JNDI realm improvements for Active Directory. These include the
> ability to specify a default role, optional handling for nested roles
> and an option to ignore PartialResultExceptions (markt).
> "
> Unfortunately, there's no bug number listed and no revision number
> mentioned, either, so you might have to dig through the svn logs to find
> the appropriate update and see what changed.
> I did notice this one, too:
> "
> Provide debug logging for JNDI lookups. (markt)
> "
> Have you enabled debug logging for JNDI lookups? It's not clear from the
> description if this is for JNDIRealm or for other types of JNDI lookups
> (like for DataSources).

It may be worth also having a look at this :

Error code 34 says "invalid DN syntax".

I am no LDAP specialist, but are you sure that the above "DOMAIN\username" is a valid way

of specifying the username ? It probably is so, in the Microsoft Active Directory version

of LDAP, but maybe they have replaced the server or changed its settings  ?

Note also that if this is part of an SSO system which obtains the user's Windows Domain 
userid, and then checks it with an AD or LDAP server : usually, you can obtain the user-id

in several forms, and the form "" may be more appropriate here.

Basically what I mean is that the error message above looks to me as if it is really an 
error returned by the LDAP server, and which the Java part is just reflecting.
That may be why you are not finding any code changes that may explain the issue.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message