JNDIRealm is for authenticating users from an LDAP directory. It fails with InvalidNameException for users with a slash or double-quote character in the user's LDAP DN, for example:

    cn=Test User,ou=Department A/B,dc=example,dc=de

This applies to Tomcat 5.0.29, 5.0.28 and all versions using the same JNDIRealm code.

Background: Slash characters are perfectly valid characters in LDAP attribute strings and don't have to be escaped. Double quotes have to be escaped but should not be a problem either. There may be more character problems which should be fixed by the patch.

The problem is caused by the JNDI API, where searchResult.getName() does not return a string representation of an LDAP relative distinguished name but a string representation of a CompositeName containing one or more LdapNames. This is not documented.

Fix idea in short: replace

    Name entryName = parser.parse(result.getName());

with

    Name entryName = parser.parse(new CompositeName(result.getName()).get(0));

Frerk Meyer
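The following stand-alone Java program is an added illustration of the composite-name problem described in the report; it is not part of the bug report, the attached patch, or Tomcat's JNDIRealm. It assumes two things: that `simulateGetName()` reproduces what the JNDI LDAP provider does in `SearchResult.getName()` (wrap the relative LDAP name as a single component of a `javax.naming.CompositeName` and render it as a string), and that `javax.naming.ldap.LdapName` can stand in for the realm's `NameParser`. The constructed DN is the one from the report.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;

public class CompositeNameDemo {

    // Constructed relative name from the report: "/" is legal and unescaped inside an RDN value.
    static final String RELATIVE_NAME = "cn=Test User,ou=Department A/B";

    // Assumption for this demo: the LDAP provider returns the relative LDAP name as ONE
    // component of a CompositeName, rendered with toString(). Composite-name string syntax
    // treats "/" as the component separator, so a component containing "/" comes back quoted.
    static String simulateGetName(String ldapRelativeName) throws NamingException {
        CompositeName cn = new CompositeName();
        cn.add(ldapRelativeName);
        return cn.toString();
    }

    // What the old JNDIRealm code did: hand getName() straight to the LDAP name parser.
    static LdapName parseNaively(String getNameResult) throws NamingException {
        return new LdapName(getNameResult);
    }

    // What the proposed fix does: unwrap the composite name first, then parse the LDAP component.
    static LdapName parseUnwrapped(String getNameResult) throws NamingException {
        String ldapComponent = new CompositeName(getNameResult).get(0);
        return new LdapName(ldapComponent);
    }

    public static void main(String[] args) throws NamingException {
        String fromProvider = simulateGetName(RELATIVE_NAME);
        System.out.println("getName() string form : " + fromProvider);

        try {
            LdapName naive = parseNaively(fromProvider);
            System.out.println("naive parse          : " + naive + " (" + naive.size() + " RDNs)");
        } catch (InvalidNameException e) {
            // Expected for the DN above: the quoted composite form is not valid RFC 2253 syntax.
            System.out.println("naive parse failed   : " + e.getMessage());
        }

        LdapName fixed = parseUnwrapped(fromProvider);
        System.out.println("unwrapped parse      : " + fixed + " (" + fixed.size() + " RDNs)");

        // A DN without "/" or quotes round-trips either way, which is why the bug only
        // shows up for some users.
        String plain = simulateGetName("cn=Plain User,ou=People");
        System.out.println("plain DN, naive parse: " + parseNaively(plain));
    }
}
```

Run it with `javac CompositeNameDemo.java && java CompositeNameDemo`. The point to take away is the one the report makes: the string from `getName()` is in composite-name syntax, not LDAP syntax, so it must be unwrapped with `CompositeName.get(0)` before an LDAP `NameParser` sees it; parsing it directly only works for DNs that happen to contain no composite-name metacharacters.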
Created attachment 13478: Fix InvalidNameException if LDAP DN contains slash character

Tested with Tomcat 5.0.28 and 5.0.29.
Done for 5.0.30.
And for 5.5.5. Thank you for submitting this patch.
The first login attempt each day fails because the LDAP server has closed the connection, which has been idle for a time. Obviously the previous fix only fixed it for some situations, or something has changed. We are running Tomcat 5.5.15.

Apr 17, 2007 8:18:38 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.ServiceUnavailableException: public.ldap.uq.edu.au:389; socket closed; remaining name 'ou=People,o=xxx,c=AU'
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:170)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2546)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2520)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1901)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1055)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
(In reply to comment #4)
> The first login attempt each day fails because the LDAP server has closed the connection, which has
> been idle for a time. Obviously the previous fix only fixed it for some situations, or something has
> changed. We are running Tomcat 5.5.15.
>
> Apr 17, 2007 8:18:38 AM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.ServiceUnavailableException: public.ldap.uq.edu.au:389; socket closed; remaining name
> 'ou=People,o=xxx,c=AU'

Sorry, filed incorrectly.

JZ