https://bz.apache.org/bugzilla/show_bug.cgi?id=63550
Bug ID: 63550
Summary: LDAP non standard port leads to JNDIRealm erratic behaviour
Product: Tomcat 9
Version: 9.0.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
When configuring a JNDIRealm with a non-default port, and without an alternate URL:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
       useStartTls="true"
       connectionURL="ldap://X.X.X.X:1389"
       userPattern="cn={0},ou=users,dc=mycorp,dc=com"
       roleBase="ou=groups,dc=mycorp,dc=com"
       roleSubtree="true"
       roleNested="true"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
We can see Tomcat still trying to open connections to the default port (389),
moreover on localhost, although the realm is configured with a non-localhost IP.
Here is the network capture showing this behaviour; the last two packets are
the problem:
01:23:26.672885 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [S], seq 1196755961, win
43690, options [mss 65495,sackOK,TS val 2631880516 ecr 0,nop,wscale 7], length
0
01:23:26.672966 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [S.], seq 4093902768,
ack 1196755962, win 43690, options [mss 65495,sackOK,TS val 2631880516 ecr
2631880516,nop,wscale 7], length 0
01:23:26.673035 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [.], ack 1, win 342,
options [nop,nop,TS val 2631880516 ecr 2631880516], length 0
01:23:26.680284 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [P.], seq 1:61, ack 1,
win 342, options [nop,nop,TS val 2631880524 ecr 2631880516], length 60
01:23:26.680319 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [.], ack 61, win 342,
options [nop,nop,TS val 2631880524 ecr 2631880524], length 0
01:23:26.680614 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [P.], seq 1:15, ack 61,
win 342, options [nop,nop,TS val 2631880524 ecr 2631880524], length 14
01:23:26.680814 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [.], ack 15, win 342,
options [nop,nop,TS val 2631880524 ecr 2631880524], length 0
01:23:26.957182 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [P.], seq 61:233, ack
15, win 342, options [nop,nop,TS val 2631880800 ecr 2631880524], length 172
01:23:26.959576 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [P.], seq 15:1010, ack
233, win 350, options [nop,nop,TS val 2631880803 ecr 2631880800], length 995
01:23:26.959748 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [.], ack 1010, win 357,
options [nop,nop,TS val 2631880803 ecr 2631880803], length 0
01:23:27.073508 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [P.], seq 233:500, ack
1010, win 357, options [nop,nop,TS val 2631880917 ecr 2631880803], length 267
01:23:27.113251 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [.], ack 500, win 359,
options [nop,nop,TS val 2631880957 ecr 2631880917], length 0
01:23:27.113291 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [P.], seq 500:506, ack
1010, win 357, options [nop,nop,TS val 2631880957 ecr 2631880957], length 6
01:23:27.113305 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [.], ack 506, win 359,
options [nop,nop,TS val 2631880957 ecr 2631880957], length 0
01:23:27.128492 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [P.], seq 506:591, ack
1010, win 357, options [nop,nop,TS val 2631880972 ecr 2631880957], length 85
01:23:27.128512 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [.], ack 591, win 359,
options [nop,nop,TS val 2631880972 ecr 2631880972], length 0
01:23:27.128927 IP X.X.X.X.1389 > X.X.X.X.11486: Flags [P.], seq 1010:1101, ack
591, win 359, options [nop,nop,TS val 2631880972 ecr 2631880972], length 91
01:23:27.129081 IP X.X.X.X.11486 > X.X.X.X.1389: Flags [.], ack 1101, win 357,
options [nop,nop,TS val 2631880972 ecr 2631880972], length 0
01:23:27.141642 IP 127.0.0.1.58499 > 127.0.0.1.389: Flags [S], seq 2317515753,
win 43690, options [mss 65495,sackOK,TS val 2631880985 ecr 0,nop,wscale 7],
length 0
01:23:27.141675 IP 127.0.0.1.389 > 127.0.0.1.58499: Flags [R.], seq 0, ack
2317515754, win 0, length 0
Tomcat logs the corresponding connection reset like this:
Jul 06, 2019 8:27:17 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.CommunicationException: localhost:389 [Root exception is
java.net.ConnectException: Connection refused (Connection refused)]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:70)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at
org.apache.catalina.realm.JNDIRealm.createTlsDirContext(JNDIRealm.java:2585)
at org.apache.catalina.realm.JNDIRealm.createDirContext(JNDIRealm.java:2487)
at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2471)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1322)
at
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:127)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:566)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1137)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:350)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
... 28 more
None of my config files mention port 389; it's coming from nowhere.
I tested both Tomcat 7 and 9 and got the same result.
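As an added example (not code from the bug report or from Tomcat), the check below reads a tcpdump text capture like the one above and reports every new-connection SYN that is not aimed at the host and port named in the realm's connectionURL. It rejoins lines that a mail client wrapped, and it applies the LDAP default ports (389 for ldap://, 636 for ldaps://) when the URL carries none, which is exactly the fallback the reporter is seeing. The sample capture is constructed from the packets quoted above, with the documentation address 192.0.2.10 standing in for the reporter's X.X.X.X.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in the bug report above.
# 192.0.2.10 (a documentation address) stands in for the reporter's X.X.X.X.
SAMPLE_CAPTURE = """\
01:23:26.672885 IP 192.0.2.10.11486 > 192.0.2.10.1389: Flags [S], seq 1196755961, win
43690, options [mss 65495,sackOK,TS val 2631880516 ecr 0,nop,wscale 7], length
0
01:23:26.672966 IP 192.0.2.10.1389 > 192.0.2.10.11486: Flags [S.], seq 4093902768,
ack 1196755962, win 43690, options [mss 65495,sackOK,TS val 2631880516 ecr
2631880516,nop,wscale 7], length 0
01:23:26.680284 IP 192.0.2.10.11486 > 192.0.2.10.1389: Flags [P.], seq 1:61, ack 1,
win 342, options [nop,nop,TS val 2631880524 ecr 2631880516], length 60
01:23:27.141642 IP 127.0.0.1.58499 > 127.0.0.1.389: Flags [S], seq 2317515753,
win 43690, options [mss 65495,sackOK,TS val 2631880985 ecr 0,nop,wscale 7],
length 0
01:23:27.141675 IP 127.0.0.1.389 > 127.0.0.1.58499: Flags [R.], seq 0, ack
2317515754, win 0, length 0
"""

# One tcpdump packet line: timestamp, "IP", src.port > dst.port, TCP flags.
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Well-known LDAP ports used when connectionURL gives no explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def expected_endpoint(connection_url):
    """Host and port the realm should be talking to, applying the LDAP defaults."""
    url = urlsplit(connection_url)
    port = url.port if url.port is not None else DEFAULT_PORTS[url.scheme]
    return url.hostname, port


def unwrap_lines(text):
    """Rejoin tcpdump lines that were wrapped at 80 columns (e.g. by a mail client)."""
    packets = []
    for line in text.splitlines():
        if PACKET_RE.match(line):
            packets.append(line)
        elif packets and line.strip():
            packets[-1] += " " + line.strip()
    return packets


def split_endpoint(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; split off the port."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def unexpected_connects(capture_text, connection_url):
    """Return connection attempts (pure SYN packets) not aimed at the configured endpoint."""
    exp_host, exp_port = expected_endpoint(connection_url)
    findings = []
    for packet in unwrap_lines(capture_text):
        match = PACKET_RE.match(packet)
        if match.group("flags") != "S":  # only the client's SYN opens a connection
            continue
        host, port = split_endpoint(match.group("dst"))
        if (host, port) != (exp_host, exp_port):
            findings.append({
                "time": match.group("ts"),
                "host": host,
                "port": port,
                # True when the stray connection went to the plain LDAP default port
                "ldap_default_port": port == DEFAULT_PORTS["ldap"],
            })
    return findings


if __name__ == "__main__":
    for finding in unexpected_connects(SAMPLE_CAPTURE, "ldap://192.0.2.10:1389"):
        print(finding)
```

Run against the sample with the realm's URL, it reports the single SYN to 127.0.0.1:389 and nothing else; the SYN/ACK and RST replies and the data packets are ignored because only a bare SYN marks the start of a connection. Pointing it at a live `tcpdump -n -l` stream after enabling a realm is a cheap way to confirm that StartTLS-protected traffic really leaves on the configured port and nothing falls back to the default.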