[
https://issues.apache.org/jira/browse/DERBY-4989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988947#comment-12988947
]
Dag H. Wanvik commented on DERBY-4989:
--------------------------------------
I ran your repro script "manually", that is I created a new database in the
same way explained in your script. And, yes, in client server
mode, it fails with
> ij(CONNECTION1)> connect
> 'jdbc:derby://localhost:1527/wombat;user=dw;password=<mypassword>';
> ERROR 08004: Connection authentication failure occurred. Reason: userid or
> password invalid.

However, looking at derby.log, I see that the cause of this is a missing
permission for the server:

> java.sql.SQLException: Connection refused :
> javax.naming.CommunicationException: localhost:389 [Root exception is
> java.security.AccessControlException: access denied
> (java.net.SocketPermission 127.0.0.1:389 connect,resolve)]
> at org.apache.derby.impl.jdbc.authentication.JNDIAuthenticationSchemeBase.getLoginSQLException(JNDIAuthenticationSchemeBase.java:122)
> at org.apache.derby.impl.jdbc.authentication.LDAPAuthenticationSchemeImpl.authenticateUser(LDAPAuthenticationSchemeImpl.java:197)
> at org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase.authenticate(AuthenticationServiceBase.java:279)
> at org.apache.derby.impl.jdbc.EmbedConnection.checkUserCredentials(EmbedConnection.java:1218)
This is because by default, the Derby server starts with the Java security
manager enabled.
Starting the server this way (no security manager):
> java -jar $DERBY_HOME/derbyrun.jar server start -noSecurityManager -h 0.0.0.0
allows me to connect as expected.
By adding this line ("localhost:389" would be "miniserver:10389" in your case):
permission java.net.SocketPermission "localhost:389", "connect,resolve";
to my policy file (expanded from the sample policy file provided with
Derby, cf. my uploaded file "mypolicy"), I can start the server this
way:
> java -Djava.security.manager -Djava.security.policy=mypolicy -jar
> $DERBY_HOME/derbyrun.jar server start -h 0.0.0.0
and then be able to connect from ij using:
> connect 'jdbc:derby://localhost:1527/wombat;user=dw;password=<mypassword>';
I agree the error message is less than perfect, but I think the idea
is to not give would-be attackers more information than necessary: the
DB admin can always check derby.log for the real reason for the
authorization issue.
Hope this helps,
Dag
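
The diagnosis step in the comment above (reading the denied permission out of derby.log and turning it into a policy entry), as an added example that is not part of the original comment or of Derby. It handles both the unquoted form shown above and the quoted form that newer JVMs print, which goes beyond the single case in the thread; `parse_denial`, `policy_lines` and the second and third sample log lines are constructed for illustration.

```python
import re

# Java 6 prints:  access denied (java.net.SocketPermission 127.0.0.1:389 connect,resolve)
# Java 7+ prints: access denied ("java.net.SocketPermission" "127.0.0.1:389" "connect,resolve")
DENIED = re.compile(r"AccessControlException:\s+access\s+denied\s+\(([^)]*)\)")
QUOTED = re.compile(r'"([^"]*)"')

# Constructed sample: line 1 is the derby.log message from the comment, unwrapped;
# lines 2 and 3 are invented to exercise the quoted form and de-duplication.
SAMPLE_LOG = (
    "java.sql.SQLException: Connection refused : "
    "javax.naming.CommunicationException: localhost:389 [Root exception is "
    "java.security.AccessControlException: access denied "
    "(java.net.SocketPermission 127.0.0.1:389 connect,resolve)]\n"
    "java.security.AccessControlException: access denied "
    '("java.net.SocketPermission" "127.0.0.1:389" "connect,resolve")\n'
    "java.security.AccessControlException: access denied "
    '("java.util.PropertyPermission" "user.dir" "read")\n'
)


def parse_denial(body):
    """Split the text inside the parentheses into (class, target, actions)."""
    parts = QUOTED.findall(body) or body.split()
    if not parts or len(parts) > 3:
        return None  # unquoted target containing spaces is ambiguous: skip it
    parts += [None] * (3 - len(parts))
    return tuple(parts)


def policy_lines(log_text):
    """Return de-duplicated 'permission ...;' lines, one per distinct denial."""
    seen, out = set(), []
    for match in DENIED.finditer(log_text):
        denial = parse_denial(match.group(1))
        if denial is None or denial in seen:
            continue
        seen.add(denial)
        cls, target, actions = denial
        line = "permission " + cls
        if target is not None:
            line += ' "%s"' % target
        if actions is not None:
            line += ', "%s"' % actions
        out.append(line + ";")
    return out


if __name__ == "__main__":
    print("\n".join(policy_lines(SAMPLE_LOG)))
```

Each returned line is a candidate for the relevant grant block of the policy file; the target is copied as logged (127.0.0.1:389 here), so check it against the LDAP host and port the server is actually configured to use.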
> LDAP authentication not working when using network client driver and database
> level properties
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-4989
> URL: https://issues.apache.org/jira/browse/DERBY-4989
> Project: Derby
> Issue Type: Bug
> Components: Network Client
> Environment: Network Server running under Debian 5.0 stable, Win XP
> Service Pack 3 Client, Derby Version 10.7.1.1, ApacheDS 1.5.7
> Reporter: Thomas Hill
> Attachments: LDAPrepro.txt, ldaprepro.tar.gz, screenshot-1.jpg
>
>
> The network server client driver is not recognising LDAP authentication
> provider configuration when database properties are being used.
> When trying to connect with the network client driver error 08004 'userid or
> password invalid' is thrown:
> [derby][SQLException@22c95b] java.sql.SQLException
> [derby][SQLException@22c95b] SQL state = 08004
> [derby][SQLException@22c95b] Error code = 40000
> [derby][SQLException@22c95b] Message = Connection authentication
> failure occurred. Reason: userid or password invalid.
> The same database level properties when connecting using the embedded driver
> lead to a successful login and everything is working as expected with this
> driver.
> Notes:
> As there are two other options in setting up the LDAP authentication
> provider, here is the behaviour observed for the network driver in these
> scenarios:
> 1) when using system-level properties, socket permission errors are given
> when running with the JAVA security manager enabled; so additional
> configuration in form of setting up a custom Security Manager is required
> 2) when supplying the properties as command line arguments at server start-up
> the properties are recognised (and authorisation is validated as expected
> without changes required to the default Basic Security Manager)
> Here is the output of sysinfo for my environment and the script used for
> setting the database level properties:
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider','LDAP');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.server','myserver:10389');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchBase','o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchFilter','derby.user');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.thill','uid=thill,o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'true');
> sysinfo for the server
> ------------------ Java Information ------------------
> Java Version: 1.6.0_22
> Java Vendor: Sun Microsystems Inc.
> Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
> Java classpath: /var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyrun.jar
> OS name: Linux
> OS architecture: i386
> OS version: 2.6.26-2-686
> Java user name: root
> Java user home: /root
> Java user dir: /root
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_22-b04
> --------- Derby Information --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derby.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbytools.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbynet.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyclient.jar] 10.7.1.1 -
> (1040133)
> ------------------------------------------------------
> ----------------- Locale Information -----------------
> Current Locale : [English/United States [en_US]]
> Found support for locale: [cs]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [de_DE]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [es]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [fr]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [hu]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [it]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ja_JP]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ko_KR]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [pl]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [pt_BR]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ru]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_CN]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_TW]
> version: 10.7.1.1 - (1040133)
> ------------------------------------------------------
> sysinfo for the client
> ------------------ Java-Informationen ------------------
> Java-Version: 1.6.0_23
> Java-Anbieter: Sun Microsystems Inc.
> Java-Home: C:\Programme\Java\jre6
> Java-Klassenpfad: C:\Programme\Apache
> Derby\db-derby-10.7.1.1-bin\lib\derbyrun.jar
> Name des Betriebssystems: Windows XP
> Architektur des Betriebssystems: x86
> Betriebssystemversion: 5.1
> Java-Benutzername: Thomas
> Java-Benutzerausgangsverzeichnis: C:\Dokumente und Einstellungen\Thomas
> Java-Benutzerverzeichnis: C:\Daten\derby\keys
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_23-b05
> --------- Derby-Informationen --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derby.jar] 10.7.1.1 -
> (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbytools.jar] 10.7.1.1
> - (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbynet.jar] 10.7.1.1 -
> (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbyclient.jar]
> 10.7.1.1 - (1040133)
> ------------------------------------------------------
> ----------------- Informationen zur Ländereinstellung -----------------
> Aktuelle Ländereinstellung: [Deutsch/Deutschland [de_DE]]
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [cs]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [de_DE]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [es]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [fr]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [hu]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [it]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pl]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pt_BR]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [ru]
> Version: 10.7.1.1 - (1040133)
> ------------------------------------------------------