Uploaded image for project: 'Jetspeed 2'
  1. Jetspeed 2
  2. JS2-1030

LDAP configuration property ldap.user.searchBase (when not empty) makes login impossible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.1
    • Component/s: LDAP
    • Labels:
      None
    • Environment:
      Windows XP, JRE 1.6.0.11, Tomcat 6.0.18, Apache DS 1.0.2 (also tested with ApacheDS 1.5.4)

      Description

      LDAP configuration property ldap.user.searchBase makes login impossible. When left empty, login is possible. But, when specified as:

      ldap.user.searchBase=ou=Peoples

      Exception occurs:

      ----------------------------
      WARNING: Login exception authenticating username "admin"
      javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: [LDAP: error code 32 - failed on search operation: ou=Peoples:
      SearchRequest
      baseDn : 'ou=Peoples'
      filter : '(& (2.5.4.3=admin) (2.5.4.0=person) ) '
      scope : whole subtree
      typesOnly : false
      no limit
      Time Limit : no limit
      Deref Aliases : deref Always
      attributes : 'javaCodeBase', 'javaReferenceAddress', 'javaClassName', 'javaSerializedData', 'javaRemoteLocation', 'javaFactory', 'javaClassNames', 'objectClass'
      :
      org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: ou=Peoples
      at org.apache.directory.server.core.partition.DefaultPartitionNexus.getBackend(DefaultPartitionNexus.java:987)
      at org.apache.directory.server.core.partition.DefaultPartitionNexus.hasEntry(DefaultPartitionNexus.java:920)
      at org.apache.directory.server.core.interceptor.InterceptorChain$1.hasEntry(InterceptorChain.java:157)
      ---- more
      ----------------------------

      From the exception and the logs of ApacheDS LDAP server, I can deduce the baseDn='ou=Peoples' cannot be found. It makes sense since the entry's dn is 'ou=Peoples,o=lbs' not 'ou=Peoples'. When specified as:

      ldap.user.searchBase=ou=Peoples,o=lbs

      Another Exception occurs:

      -------------------------
      WARNING: Login exception authenticating username "admin"
      javax.security.auth.login.LoginException: [LDAP: error code 32 - failed on search operation: Attempt to search under non-existant entry: 2.5.4.11=peoples,2.5.4.10=lbs,2.5.4.10=lbs:
      SearchRequest
      baseDn : 'ou=Peoples,o=lbs,o=lbs'
      filter : '(& (2.5.4.0=inetorgperson) (& (2.5.4.0=inetorgperson) (0.9.2342.19200300.100.1.1=admin) ) ) '
      scope : whole subtree
      typesOnly : false
      no limit
      Time Limit : no limit
      Deref Aliases : deref Always
      attributes :
      :
      org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: Attempt to search under non-existant entry: 2.5.4.11=peoples,2.5.4.10=lbs,2.5.4.10=lbs
      at org.apache.directory.server.core.exception.ExceptionService.assertHasEntry(ExceptionService.java:416)
      at org.apache.directory.server.core.exception.ExceptionService.search(ExceptionService.java:392)
      ---more
      -------------------------

      When debugging code, I figured out getSearchDomain() method of org.apache.jetspeed.security.impl.LdapAuthenticationProvider class is not working properly. So when specifying the search base without ldap.base suffixed, search (lookupByUid(String userName) method) fails since ldap.base (o=lbs) is not added to search domain. But when specifying the search base with ldap.base added, this time getUser(String userName) method fails, since it adds ldap.base once more resulting in invalid search string 'ou=Peoples,o=lbs,o=lbs'.

        Attachments

          Activity

            People

            • Assignee:
              adouma Ate Douma
              Reporter:
              ayzegul Aysegul Aydin Isiktekin
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: