tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eugène Adell <Eugene.Ad...@d2-si.eu>
Subject JNDI property roleSearchAsUser not working as expected
Date Wed, 13 Mar 2013 20:46:43 GMT
Hello

I am running the following :
  java version "1.6.0_25"
  Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
  Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
  Tomcat 7.0.37
  CentOS release 6.3

with this REALM  configuration in server.xml :
                        <Realm className="org.apache.catalina.realm.JNDIRealm"
                          connectionURL="ldap://***.***.***.***:389"
                          userPattern="cn={0},ou=users,dc=example,dc=com"
                          roleBase="ou=groups,dc=example,dc=com"
                          roleSubtree="true"
                          roleNested="true"
                          roleName="cn"
                          roleSearchAsUser="true"
                          roleSearch="(uniqueMember={0})" />

and this triggers this error during the startup :
Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 7 more
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 9 more
Caused by: org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 11 more
Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2243)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 14 more
Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException:
Connection refused]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:53)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2160)
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
        ... 15 more
Caused by: java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:529)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:339)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
        ... 27 more
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 34 ms


>From what I understand, roleSearchAsUser property was designed for people who need to
bind on any LDAP where anonymous bind is not authorized. But it's just impossible to do this
if the JNDI Realm tries to authenticate anonymously by itself during the startup.

I suppose it's necessary to investigate further this bug :
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444 


Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message