Jetspeed 2 - JS2-1030

LDAP configuration property ldap.user.searchBase (when not empty) makes login impossible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.1
    • Component/s: LDAP
    • Labels:
      None
    • Environment:
      Windows XP, JRE 1.6.0.11, Tomcat 6.0.18, Apache DS 1.0.2 (also tested with ApacheDS 1.5.4)

      Description

      The LDAP configuration property ldap.user.searchBase makes login impossible. When it is left empty, login is possible. But when it is specified as:

      ldap.user.searchBase=ou=Peoples

      An exception occurs:

      ----------------------------
      WARNING: Login exception authenticating username "admin"
      javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: [LDAP: error code 32 - failed on search operation: ou=Peoples:
      SearchRequest
      baseDn : 'ou=Peoples'
      filter : '(& (2.5.4.3=admin) (2.5.4.0=person) ) '
      scope : whole subtree
      typesOnly : false
      no limit
      Time Limit : no limit
      Deref Aliases : deref Always
      attributes : 'javaCodeBase', 'javaReferenceAddress', 'javaClassName', 'javaSerializedData', 'javaRemoteLocation', 'javaFactory', 'javaClassNames', 'objectClass'
      :
      org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: ou=Peoples
      at org.apache.directory.server.core.partition.DefaultPartitionNexus.getBackend(DefaultPartitionNexus.java:987)
      at org.apache.directory.server.core.partition.DefaultPartitionNexus.hasEntry(DefaultPartitionNexus.java:920)
      at org.apache.directory.server.core.interceptor.InterceptorChain$1.hasEntry(InterceptorChain.java:157)
      ---- more
      ----------------------------

      From the exception and the logs of the ApacheDS LDAP server, I can deduce that the baseDn 'ou=Peoples' cannot be found. That makes sense, since the entry's DN is 'ou=Peoples,o=lbs', not 'ou=Peoples'. When specified as:

      ldap.user.searchBase=ou=Peoples,o=lbs

      Another exception occurs:

      -------------------------
      WARNING: Login exception authenticating username "admin"
      javax.security.auth.login.LoginException: [LDAP: error code 32 - failed on search operation: Attempt to search under non-existant entry: 2.5.4.11=peoples,2.5.4.10=lbs,2.5.4.10=lbs:
      SearchRequest
      baseDn : 'ou=Peoples,o=lbs,o=lbs'
      filter : '(& (2.5.4.0=inetorgperson) (& (2.5.4.0=inetorgperson) (0.9.2342.19200300.100.1.1=admin) ) ) '
      scope : whole subtree
      typesOnly : false
      no limit
      Time Limit : no limit
      Deref Aliases : deref Always
      attributes :
      :
      org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: Attempt to search under non-existant entry: 2.5.4.11=peoples,2.5.4.10=lbs,2.5.4.10=lbs
      at org.apache.directory.server.core.exception.ExceptionService.assertHasEntry(ExceptionService.java:416)
      at org.apache.directory.server.core.exception.ExceptionService.search(ExceptionService.java:392)
      ---more
      -------------------------

      When debugging the code, I figured out that the getSearchDomain() method of the org.apache.jetspeed.security.impl.LdapAuthenticationProvider class is not working properly. So when the search base is specified without the ldap.base suffix, the search (the lookupByUid(String userName) method) fails, since ldap.base (o=lbs) is not added to the search domain. But when the search base is specified with ldap.base appended, the getUser(String userName) method fails instead, since it adds ldap.base once more, resulting in the invalid search string 'ou=Peoples,o=lbs,o=lbs'.
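The two failures above (ldap.base never appended on one code path, appended twice on the other) come down to composing the search DN idempotently. The following is an added example, not Jetspeed's own code: a getSearchDomain() that parses both values with javax.naming.ldap.LdapName and appends ldap.base only when the configured search base does not already end with it. The class name SearchDomainExample is constructed; the sample values ou=Peoples and o=lbs are the ones from this report.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Composes the user search DN from ldap.user.searchBase and ldap.base exactly once. */
public final class SearchDomainExample {

    /**
     * Returns the full DN to search under.
     *   empty searchBase                      -> baseDn                 ("o=lbs")
     *   relative searchBase ("ou=Peoples")    -> searchBase + "," + baseDn ("ou=Peoples,o=lbs")
     *   searchBase already ending with baseDn -> returned unchanged (never "ou=Peoples,o=lbs,o=lbs")
     * RDNs are compared as parsed components, so attribute-type and value case is ignored.
     */
    public static String getSearchDomain(String searchBase, String baseDn) throws InvalidNameException {
        LdapName base = new LdapName(baseDn == null ? "" : baseDn.trim());
        if (searchBase == null || searchBase.trim().isEmpty()) {
            return base.toString();
        }
        LdapName search = new LdapName(searchBase.trim());
        // In LdapName, index 0 is the rightmost (most significant) RDN, so startsWith()
        // tests whether the search base already carries the base DN as its suffix.
        if (search.startsWith(base)) {
            return search.toString();
        }
        // Otherwise prepend the base at index 0, which places it at the end of the string form.
        search.addAll(0, base);
        return search.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        String baseDn = "o=lbs";
        System.out.println(getSearchDomain("", baseDn));                 // o=lbs
        System.out.println(getSearchDomain("ou=Peoples", baseDn));       // ou=Peoples,o=lbs
        System.out.println(getSearchDomain("ou=Peoples,o=lbs", baseDn)); // ou=Peoples,o=lbs (not doubled)
        System.out.println(getSearchDomain("OU=Peoples,O=LBS", baseDn)); // unchanged: suffix matched case-insensitively
    }
}
```

Compile and run with `javac SearchDomainExample.java && java SearchDomainExample`; the same helper should be used by both lookup paths so that lookupByUid() and getUser() cannot disagree about the search domain.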

        Activity

        Ate Douma added a comment -

        Aysegul, with JS2-1096 I committed a rewrite of LdapAuthenticationProvider which AFAIK should, as a side effect, have solved this issue too.
        I would appreciate it if you could find the time to review and validate the changes for JS2-1096 and report whether it indeed fixes this issue too.

        Regards,
        Ate

        Ate Douma added a comment -

        Considering this one fixed now, working fine with the new configuration AFAIK.


          People

          • Assignee:
            Ate Douma
          • Reporter:
            Aysegul Aydin Isiktekin