GERONIMO-4997

Can not connect to a ldap server in an anonymous way

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1.4, 2.2
    • Fix Version/s: 2.1.5, 2.2.1, 3.0.0
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels: None
    • Environment:

      OS:Windows XP SP2
      Server: Geronimo 2.2
      JDK:1.6

      Description

      I tried to deploy a web application which uses Apache Directory Server for user authentication.
      So I created a realm file as follows and added a reference to this realm file in the deployment plan:

      <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
        <environment>
          <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>testLDAP</artifactId>
            <version>1.0</version>
            <type>car</type>
          </moduleId>
          <dependencies>
            <dependency>
              <groupId>org.apache.geronimo.framework</groupId>
              <artifactId>j2ee-security</artifactId>
              <type>car</type>
            </dependency>
          </dependencies>
        </environment>
        <gbean name="testLDAP" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <attribute name="realmName">testLDAP</attribute>
          <reference name="ServerInfo">
            <name>ServerInfo</name>
          </reference>
          <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
              <log:login-module control-flag="REQUIRED" wrap-principals="false">
                <log:login-domain-name>testLDAP</log:login-domain-name>
                <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
                <log:option name="connectionURL">ldap://pages.test.com:389</log:option>
                <log:option name="roleBase">ou=members,ou=testgroups,o=test.com</log:option>
                <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
                <log:option name="roleName">cn</log:option>
                <log:option name="roleSearchMatching">uniquemember={0}</log:option>
                <log:option name="roleSearchSubtree">false</log:option>
                <log:option name="userRoleName">uniquemember={0}</log:option>
                <log:option name="authentication">simple</log:option>
                <log:option name="userSearchSubtree">true</log:option>
                <log:option name="userBase">ou=users,o=test.com</log:option>
                <log:option name="userSearchMatching">(mail={0})</log:option>
              </log:login-module>
            </log:login-config>
          </xml-reference>
        </gbean>
      </module>

      It provides no connectionUsername and password, because I intend to connect to the LDAP server anonymously.
      Each time I log in to the web application, it tries to connect to the Apache Directory Server to authenticate users.
      But a NullPointerException always occurs.
      Caused by:
      java.lang.NullPointerException
      at java.util.Hashtable.put(Hashtable.java:770)
      at org.apache.geronimo.security.realm.providers.LDAPLoginModule.open(LDAPLoginModule.java:455)
      at org.apache.geronimo.security.realm.providers.LDAPLoginModule.authenticate(LDAPLoginModule.java:267)
      at org.apache.geronimo.security.realm.providers.LDAPLoginModule.login(LDAPLoginModule.java:186)
      ... 28 more
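      The trace above ends in Hashtable.put because java.util.Hashtable rejects null keys and values: a login module that unconditionally puts connectionUsername and connectionPassword into the JNDI environment throws a NullPointerException the moment either option is omitted. The following Java sketch is an added example, not Geronimo's LDAPLoginModule code (class and method names are assumed): it shows the faulty pattern beside a version that only sets credentials when present and otherwise requests an explicit anonymous bind, plus the empty-password check a login module needs before binding as the user.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapEnvExample {
    static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    // Buggy pattern behind the reported trace: java.util.Hashtable rejects null
    // values, so an absent connectionUsername/password blows up in put().
    static Hashtable<String, String> buggyEnv(String url, String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user);       // NPE when user == null
        env.put(Context.SECURITY_CREDENTIALS, password); // NPE when password == null
        return env;
    }

    // Fixed pattern: add credentials only when both are present and non-empty;
    // otherwise request an explicit anonymous bind instead of passing nulls.
    static Hashtable<String, String> safeEnv(String url, String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        if (user != null && !user.isEmpty() && password != null && !password.isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous bind
        }
        return env;
    }

    // Password check for the user bind: a simple bind with a DN and an empty
    // password is an "unauthenticated" bind (RFC 4513) that some servers accept
    // without verifying anything, so an empty password is rejected up front.
    static boolean bindAsUser(String url, String userDn, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return false;
        }
        DirContext ctx = new InitialDirContext(safeEnv(url, userDn, password));
        ctx.close(); // bind succeeded; the caller treats the user as authenticated
        return true;
    }
}
```

      Calling buggyEnv(url, null, null) reproduces the NullPointerException from the report, while safeEnv(url, null, null) yields an environment with java.naming.security.authentication=none and no principal or credentials entries.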

          Activity

          Ivan added a comment -

          Committed changes to 2.1 at rev 893429, 2.2.1-snapshot at rev 893431, trunk at rev 893433.

          Rex Wang added a comment -

          Closing it.

          Lu Jiang added a comment -

          Failed to verify it on the latest 2.1.5 and 2.2.1-SNAPSHOT builds.
          But if I use Geronimo 2.1.4 and replace geronimo-security-2.1.4.jar under Geronimo_HOME/repository/org/apache/geronimo/framework/geronimo-security with the one in the attachment (this jar file is provided by Ivan), I can connect to an LDAP server anonymously.

          Lu Jiang added a comment -

          Oops, the userBase and roleBase I used in the security realm file are "userBase=ou=users,ou=system" and
          "roleBase=ou=groups,ou=system".
          But Apache DS has a few minimal built-in rules for protecting users and groups.
          Users other than the admin user cannot access or search the "ou=users,ou=system" and "ou=groups,ou=system" entries. They are protected from access or alteration by anyone other than the admin user. So when trying to access them anonymously, an authentication error will occur.
          In order to connect to Apache DS successfully, we should create a new directory instead of the default "ou=users,ou=system" and "ou=groups,ou=system" and put the user info there.
          Thanks Ivan for reviewing this issue and pointing this out.

            People

            • Assignee: Unassigned
            • Reporter: Lu Jiang