From: Eugène Adell
To: Martin Gainty, users@tomcat.apache.org
Subject: RE: JNDI property roleSearchAsUser not working as expected
Date: Thu, 14 Mar 2013 06:54:18 +0000

Hello

There is an LDAP listening, but I did not give the credentials here for security reasons (I could start one LDAP server with public credentials for you if needed).

The LDAP log for this Tomcat startup failure is:

51416e66 conn=1004 fd=14 ACCEPT from IP=46.218.139.243:48297 (IP=XXXXXXXX:XXX)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)

When allowing the anonymous bind, Tomcat can start normally with a first anonymous bind:

514170c5 conn=1000 fd=14 ACCEPT from IP=46.218.139.243:48663 (IP=XXXXXXXX:XXX)
514170c5 conn=1000 op=0 BIND dn="" method=128
514170c5 conn=1000 op=0 RESULT tag=97 err=0 text=

And after the startup, the LDAP binds are no longer anonymous (the roleSearchAsUser parameter is working there):

514171e4 conn=1000 op=1 SRCH base="cn=eadell,ou=users,dc=XXX,dc=com" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=1 SRCH attr=1.1
514171e4 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=3 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=5 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=eadell,ou=users,dc=XXXX,dc=com)"
514171e4 conn=1000 op=5 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=6 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=XXX,ou=groups,dc=XXXX,dc=com)"
514171e4 conn=1000 op=6 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=

This is why I think there is a problem with the Tomcat startup when using a JNDI Realm: it always tries to bind anonymously to the LDAP server, with or without the roleSearchAsUser parameter. With a startup failure, this parameter becomes useless in real life, because most LDAP directories don't allow anonymous binds and they cannot know whether a request comes from a Tomcat startup or is a real request.

Please help :)

From: Martin Gainty [mgainty@hotmail.com]
Sent: Thursday, 14 March 2013 01:59
To: Eugène Adell
Subject: RE: JNDI property roleSearchAsUser not working as expected

Hello Eugene

What you have supplied is the distinguished name. Here is a partial example I have used in the past:

String distinguishedName = "ou=U,cn=Bank,o=S,c=US,o=grupo santander";

What you need to supply are:
IP of the LDAP host
Port (usually 389)
Authentication scheme (so that your client code can connect to an LDAP listener)

// I have a piece of code that uses a client to connect to an LDAP server *listening on Port 389*, which looks like:
log.debug("doLdap ipAddress=" + ipAddress);
log.debug("doLdap port=" + port);
log.debug("doLdap authMechanism=" + authMechanism);
javax.naming.directory.DirContext context = test.createLdapContext(ipAddress, port, authMechanism);

String costCenterKey = "C";
String commonName = "x123456";

// then I can do an 'attribute search' based on a CostCenterKey of 'C'
costCenter = test.doUserAttributeSearch(context, distinguishedName, commonName, costCenterKey);

The problem is that none of this would work if there is no listener listening on Port 389 of the supplied IP.
First step is to verify the LDAP server is running:

netstat -ab | grep 389

Viel Gluck/Bon Chance
Martin

> From: Eugene.Adell@d2-si.eu
> To: users@tomcat.apache.org
> Subject: JNDI property roleSearchAsUser not working as expected
> Date: Wed, 13 Mar 2013 20:46:43 +0000
>
> Hello
>
> I am running the following:
> java version "1.6.0_25"
> Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
> Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
> Tomcat 7.0.37
> CentOS release 6.3
>
> with this Realm configuration in server.xml:
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://***.***.***.***:389"
>        userPattern="cn={0},ou=users,dc=example,dc=com"
>        roleBase="ou=groups,dc=example,dc=com"
>        roleSubtree="true"
>        roleNested="true"
>        roleName="cn"
>        roleSearchAsUser="true"
>        roleSearch="(uniqueMember={0})" />
>
> and this triggers this error during the startup:
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
>         at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
>         at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         ... 7 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         ... 9 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
>         at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         ... 11 more
> Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
>         at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2243)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         ... 14 more
> Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused]
>         at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
>         at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
>         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:53)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2160)
>         at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
>         ... 15 more
> Caused by: java.net.ConnectException: Connection refused
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
>         at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
>         at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
>         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
>         at java.net.Socket.connect(Socket.java:529)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at com.sun.jndi.ldap.Connection.createSocket(Connection.java:339)
>         at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
>         ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
>
>
> From what I understand, the roleSearchAsUser property was designed for people who need to bind on any LDAP where anonymous bind is not authorized. But it's just impossible to do this if the JNDI Realm tries to authenticate anonymously by itself during the startup.
>
> I suppose it's necessary to investigate this bug further:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
>
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
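The slapd log excerpts in this thread are exactly the evidence a directory administrator would use to tell an anonymous startup bind (dn="", err=48 when refused) apart from the per-user binds that roleSearchAsUser produces. The script below is an added example, not code from the thread or from Tomcat or OpenLDAP: it pairs each BIND request with its BindResponse (tag=97) in slapd's stats-log format as shown above and reports every anonymous bind per connection, flagging the ones the server refused. The sample lines are constructed from the thread's log with the redacted addresses and base DN replaced by documentation values (192.0.2.10, dc=example,dc=com).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# LDAP resultCode 48 = inappropriateAuthentication; this is what slapd returns
# with "anonymous bind disallowed" when anonymous binds are not permitted.
INAPPROPRIATE_AUTHENTICATION = 48

# "conn=N op=M BIND dn="..." method=128" is the bind request; an anonymous
# bind carries an empty dn. The companion "BIND ... mech=SIMPLE ssf=0" and
# "BIND anonymous mech=implicit" lines have no method= and are ignored here,
# so each bind operation is counted once.
_BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)'
)
# tag=97 is the BindResponse; "SEARCH RESULT tag=101" lines do not match.
_RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)(?: text=(?P<text>.*))?$'
)


@dataclass
class BindEvent:
    conn: int
    op: int
    dn: str                    # "" means an anonymous bind
    err: Optional[int] = None  # resultCode, None if no RESULT line was seen
    text: str = ""             # diagnostic message from the RESULT line

    @property
    def anonymous(self) -> bool:
        return self.dn == ""

    @property
    def succeeded(self) -> bool:
        return self.err == 0


def parse_binds(lines: Iterable[str]) -> List[BindEvent]:
    """Return one BindEvent per BIND request, in log order, with its result filled in."""
    pending: Dict[Tuple[int, int], BindEvent] = {}
    events: List[BindEvent] = []
    for line in lines:
        m = _BIND_RE.search(line)
        if m:
            ev = BindEvent(int(m["conn"]), int(m["op"]), m["dn"])
            pending[(ev.conn, ev.op)] = ev
            events.append(ev)
            continue
        m = _RESULT_RE.search(line.rstrip())
        if m:
            ev = pending.pop((int(m["conn"]), int(m["op"])), None)
            if ev is not None:
                ev.err = int(m["err"])
                ev.text = (m["text"] or "").strip()
    return events


def anonymous_bind_report(lines: Iterable[str]) -> List[str]:
    """One finding per anonymous bind; refused binds (err=48) are called out explicitly."""
    findings = []
    for ev in parse_binds(lines):
        if not ev.anonymous:
            continue
        if ev.err == INAPPROPRIATE_AUTHENTICATION:
            status = f"refused (err=48: {ev.text})"
        elif ev.succeeded:
            status = "accepted"
        else:
            # no RESULT yet, or some other error: still worth reporting
            status = f"result err={ev.err}"
        findings.append(f"conn={ev.conn} op={ev.op}: anonymous bind {status}")
    return findings


# Constructed sample, modelled on the slapd lines quoted in the thread.
SAMPLE_LOG = """\
51416e66 conn=1004 fd=14 ACCEPT from IP=192.0.2.10:48297 (IP=0.0.0.0:389)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)
514170c5 conn=1000 fd=14 ACCEPT from IP=192.0.2.10:48663 (IP=0.0.0.0:389)
514170c5 conn=1000 op=0 BIND dn="" method=128
514170c5 conn=1000 op=0 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
"""

if __name__ == "__main__":
    for finding in anonymous_bind_report(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the report lists the refused anonymous bind on conn=1004 and the two accepted anonymous binds on conn=1000 (op=0 at startup and op=4 after the user bind), while the authenticated bind on op=2 is left out; feeding it a real slapd stats log (loglevel 256) lets you count how many anonymous binds an application actually performs before deciding whether the directory can safely disallow them.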