
Key: DIRSERVER-200
Type: Bug
Status: Closed
Resolution: Duplicate
Priority: Major
Assignee: Unassigned
Reporter: Luke Taylor
Votes: 0
Watchers: 1
Directory ApacheDS

Attempting to bind as non-existent user causes infinite loop

Created: 09/Dec/05 04:00 AM   Updated: 21/Apr/07 11:20 AM
Component/s: ldap
Affects Version/s: pre-1.0
Fix Version/s: pre-1.0

Time Tracking:
Not Specified

Issue Links:
Cloners
 

Resolution Date: 20/Jan/06 07:35 AM


Description
If the following test method is added to the end of SimpleAuthenticationTest in the core-tests module, the code goes into an infinite loop.

    public void test11NonExistentUser()
    {
        // Simple bind with a principal that has no entry in the directory
        Hashtable env = new Hashtable( configuration.toJndiEnvironment() );
        env.put( Context.PROVIDER_URL, "ou=system" );
        env.put( Context.SECURITY_PRINCIPAL, "uid=idontexist,ou=users,ou=system" );
        env.put( Context.SECURITY_CREDENTIALS, "test" );
        env.put( Context.SECURITY_AUTHENTICATION, "simple" );
        env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.ldap.server.jndi.CoreContextFactory" );
        try {
            new InitialContext( env );
            fail("Authenticated as non-existent user");
        } catch(Exception expected) {
            // expected: the bind must be rejected
        }
    }

Line 139 of org.apache.ldap.server.jndi.ServerContext is

        if ( ! nexusProxy.hasEntry( dn ) )
        {
            throw new NameNotFoundException( dn + " does not exist" );
        }

But the call to hasEntry(dn) results in an authenticate() call. SimpleAuthenticator then performs a "lookup" operation on the given dn. When the call reaches the ExceptionService, it calls assertHasEntry() on itself:

line 372:
        if ( !nextInterceptor.hasEntry( dn ) )
        {
            LdapNameNotFoundException e = null;

            if ( msg != null )
            {
                e = new LdapNameNotFoundException( msg + dn );
            }
            else
            {
                e = new LdapNameNotFoundException( dn.toString() );
            }

            e.setResolvedName( proxy.getMatchedName( dn, false ) );
            throw e;
        }

The hasEntry call here fails as expected. However, the subsequent call to getMatchedName results in another call through the interceptor stack, another authenticate(), another lookup from SimpleAuthenticator and then we're stuck.
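A minimal Java model of the cycle described above, added here as an illustration; it is not code from ApacheDS or from the reporter. The class, the method bodies, the depth cap and the re-entrancy flag are assumptions, and the flag shows one possible way to break the cycle, not the project's fix.

```java
import java.util.Set;

// Simplified model of the call cycle described in this report. All names are
// hypothetical stand-ins; this is not ApacheDS code.
public class BindRecursionDemo {
    static final Set<String> STORE = Set.of("ou=system", "ou=users,ou=system"); // constructed entries
    static final String PRINCIPAL = "uid=idontexist,ou=users,ou=system";
    static final int DEPTH_CAP = 25;   // demo-only cap so the unguarded run terminates
    static boolean guard, inAuth;      // a real server would keep this per invocation, not static
    static int authCalls;

    // Calls made through the proxy pass the authentication step first.
    static boolean hasEntry(String dn) { authenticate(); return STORE.contains(dn); }

    static String getMatchedName(String dn) {
        authenticate();
        // Walk up the DN until an existing ancestor is found.
        while (!STORE.contains(dn) && dn.contains(",")) dn = dn.substring(dn.indexOf(',') + 1);
        return dn;
    }

    static void authenticate() {
        if (guard && inAuth) return;   // nested internal call: do not authenticate again
        if (++authCalls > DEPTH_CAP)
            throw new IllegalStateException("authenticate() re-entered " + authCalls + " times");
        inAuth = true;
        try { lookup(PRINCIPAL); } finally { inAuth = false; }
    }

    // The authenticator's lookup; the existence check asks the proxy for the matched name.
    static void lookup(String dn) {
        if (!STORE.contains(dn))
            throw new RuntimeException(dn + " not found, matched: " + getMatchedName(dn));
    }

    static String bind(boolean useGuard) {
        guard = useGuard; inAuth = false; authCalls = 0;
        try { hasEntry(PRINCIPAL); return "bound"; }
        catch (RuntimeException e) { return e.getClass().getSimpleName() + ": " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + bind(false));
        System.out.println("guarded:   " + bind(true));
    }
}
```

Without the flag, the bind for the missing principal only stops at the demo depth cap; with it, the bind fails once with a not-found error carrying the matched ancestor DN.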

Emmanuel Lecharny added a comment - 09/Dec/05 04:54 AM
This problem is known, and is actually under heavy investigation.

Thanks for the report!

Emmanuel Lecharny made changes - 09/Dec/05 04:54 AM
Field Original Value New Value
Link This issue is a clone of DIREVE-314 [ DIREVE-314 ]
Emmanuel Lecharny added a comment - 09/Dec/05 04:55 AM

Emmanuel Lecharny added a comment - 20/Jan/06 07:34 AM
see DIRLDAP-79

Emmanuel Lecharny made changes - 20/Jan/06 07:34 AM
Status Open [ 1 ] Resolved [ 5 ]
Resolution Duplicate [ 3 ]
Emmanuel Lecharny added a comment - 20/Jan/06 07:34 AM
bad link to DIRLDAP-86

Emmanuel Lecharny made changes - 20/Jan/06 07:34 AM
Resolution Duplicate [ 3 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Emmanuel Lecharny added a comment - 20/Jan/06 07:35 AM
Duplicate of DIREVE-314

Emmanuel Lecharny made changes - 20/Jan/06 07:35 AM
Resolution Duplicate [ 3 ]
Status Reopened [ 4 ] Resolved [ 5 ]
Alex Karasulu made changes - 07/Feb/06 02:41 PM
Fix Version/s pre-1.0 [ 12310782 ]
Key DIRLDAP-79 DIRSERVER-200
Project Directory LDAP [ 10514 ] ApacheDS [ 12310260 ]
Component/s ldap [ 12310715 ]
Affects Version/s pre-1.0 [ 12310782 ]
Emmanuel Lecharny added a comment - 21/Apr/07 11:20 AM
Closing all issues created in 2005 and before which are marked resolved

Emmanuel Lecharny made changes - 21/Apr/07 11:20 AM
Status Resolved [ 5 ] Closed [ 6 ]