Bug 32269 - [PATCH] JNDIRealm fails with InvalidNameException to authenticate users if LDAP distinguished name (DN) contains slash or double quote character(s)
Summary: [PATCH] JNDIRealm fails with InvalidNameException to authenticate users if LD...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina:Modules (show other bugs)
Version: 5.0.29
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2004-11-17 11:01 UTC by Frerk Meyer
Modified: 2007-04-17 17:04 UTC (History)
0 users



Attachments
Fix InvalidNameException if LDAP DN contains slash character (858 bytes, patch)
2004-11-17 11:03 UTC, Frerk Meyer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Frerk Meyer 2004-11-17 11:01:00 UTC
JNDIRealm is for authenticating users from an LDAP Directory.

It fails with InvalidNameException for users with a slash or
double quote character in the users LDAP DN, like for example:

cn=Test User,ou=Department A/B,dc=example,dc=de

This applies to Tomcat 5.0.29, 5.0.28 and all version using
the same JNDIRealm code.

Background:
Slash characters are perfectly valid characters for LDAP attribute
string and don't have to be escaped.
Double quotes have to be escaped but should not be a problem either.
There may be more character problems which should be fixed by the patch.

The problem is caused by the JNDI API where searchResult.getName()
does not return a string representation of an LDAP relative distinguished
name but a string representation of a CompositeName, containing one
or more LdapNames. This is not documented.

Fix idea in short:
replace 
 Name entryName = parser.parse(result.getName());
with
 Name entryName = parser.parse(new CompositeName(result.getName()).get(0));

Frerk Meyer
Comment 1 Frerk Meyer 2004-11-17 11:03:09 UTC
Created attachment 13478 [details]
Fix InvalidNameException if LDAP DN contains slash character

Tested with Tomcat 5.0.28 and 5.0.29
Comment 2 Yoav Shapira 2004-11-19 16:01:44 UTC
Done for 5.0.30.
Comment 3 Yoav Shapira 2004-11-19 16:08:39 UTC
And for 5.5.5.  Thank you for submitting this patch.
Comment 4 John Zornig 2007-04-17 17:01:59 UTC
The first login attempt each day fails because the LDAP server has closed the connection which has 
been idle for a time. Obviously the previous fix only fixed it for some situations or something has 
changed. We are running Tomcat 5.5.15

Apr 17, 2007 8:18:38 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.ServiceUnavailableException: public.ldap.uq.edu.au:389; socket closed; remaining name 
'ou=People,o=xxx,c=AU'
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:170)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2546)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2520)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1901)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:
338)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:
321)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1055)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Comment 5 John Zornig 2007-04-17 17:04:39 UTC
(In reply to comment #4)
> The first login attempt each day fails because the LDAP server has closed the connection which has 
> been idle for a time. Obviously the previous fix only fixed it for some situations or something has 
> changed. We are running Tomcat 5.5.15
> 
> Apr 17, 2007 8:18:38 AM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.ServiceUnavailableException: public.ldap.uq.edu.au:389; socket closed; remaining 
name 
> 'ou=People,o=xxx,c=AU'
>         at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:170)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
>         at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2546)
>         at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2520)
>         at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1901)
>         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
>         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
>         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:
> 338)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:
> 321)
>         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
>         at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1055)
>         at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:
257)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
>         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
>         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>         at java.lang.Thread.run(Thread.java:595)
> 

Sorry filed incorrectly

JZ