[ https://issues.apache.org/jira/browse/TRAFODION-2531?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15904231#comment-15904231 ]

Arvind Narain commented on TRAFODION-2531:
------------------------------------------

Explanation:

In dbSecurity code we maintain two connections to the ldap server. One 
connection is used for searches (to get the distinguished name, or to just search 
for the user) and another to actually authenticate. 

LDAP supports anonymous searches and binds but some sites may disallow one or 
the other or both. 

If anonymous search is allowed, then search can be performed without binding, 
but if it is not allowed then a bind needs to be done with the user supplied 
search user and password before any searches can be performed.

For authentication, once the distinguished name is available, a direct bind can be 
done without binding first with the search user.

The code currently was handling the case where sites do not allow anonymous 
searches, but was binding irrespective of whether the supplied search 
user/password was empty.

For the authentication connection, the code was binding anonymously and then 
binding again with the authentication user/password. This failed in cases where 
anonymous bind is not allowed.

New code should skip binding with the search user for anonymous searches as well 
as skip the initial binding for the authentication connection.


> Authentication fails if connecting to Apache Knox Demo ldap server
> ------------------------------------------------------------------
>
>                 Key: TRAFODION-2531
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2531
>             Project: Apache Trafodion
>          Issue Type: Bug
>    Affects Versions: any
>            Reporter: Arvind Narain
>            Assignee: Arvind Narain
>
> Connection fails if authenticating using the Apache Knox Demo ldap server or a 
> server that does not allow anonymous binds.
> tested via ldapcheck:
> ldapcheck --username=admin --password  
> Password: 
> INFO: Authentication request: externalUser admin, result 2 (Unexpected error 
> returned from LDAP)
> Configuration file used:
> ====
> # One or more identically configured hosts must be specified here,  
> # one name: value pair for each host.
>   LDAPHostName:10.1.30.67
> # Default is port 389, change if using 636 or any other port
>   LDAPPort:33389
> # Must specify one or more unique identifiers, one name: value pair for each
>   UniqueIdentifier:uid=,ou=people,dc=hadoop,dc=apache,dc=org
> # If the configured LDAP server requires a username and password to 
> # to perform name lookup, provide those here.  
>   LDAPSearchDN:uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
>   LDAPSearchPwd:*****
> # If configured LDAP server requires TLS(1) or SSL (2), update this value
>   LDAPSSL:0
> ====
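The two-connection flow the comment describes, as an added example that is not Trafodion's dbSecurity code: the search connection binds with LDAPSearchDN only when one is configured (otherwise it searches anonymously), and the authentication connection binds directly as the resolved DN with no anonymous bind first. Because the point of the bug is server policy, the directory server is replaced by an in-memory stand-in whose anonymous-bind and anonymous-search policies can be toggled, so the fixed flow and the legacy flow can be compared offline. The config parser handles the `name:value` file format from the issue; the DN template handling assumes a single UniqueIdentifier whose first RDN has an empty value (as in `uid=,ou=people,...`), and all passwords and hostnames are constructed.

```python
"""Two-connection LDAP authentication flow (added example, not Trafodion's
dbSecurity code).  An in-memory stand-in plays the directory server so the
flow runs offline against both site policies the comment mentions."""
from dataclasses import dataclass

class LdapError(Exception):
    """Stands in for a non-success LDAP result code."""

def parse_config(text):
    """Parse the 'name:value' file format shown in the issue ('#' = comment)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed config line: {raw!r}")
            cfg[key.strip()] = value.strip()
    return cfg

@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: DN -> password, plus policy."""
    passwords: dict
    allow_anonymous_bind: bool = True
    allow_anonymous_search: bool = True

class Connection:
    """One LDAP connection; a search before any bind is an anonymous search."""
    def __init__(self, directory):
        self.directory, self.bound_as = directory, None

    def bind(self, dn="", password=""):
        if dn == "":  # empty DN + empty password = anonymous bind (RFC 4513 5.1.1)
            if not self.directory.allow_anonymous_bind:
                raise LdapError("anonymous bind refused by server policy")
            self.bound_as = "anonymous"
        elif self.directory.passwords.get(dn) != password:
            raise LdapError(f"invalid credentials for {dn}")
        else:
            self.bound_as = dn

    def search(self, unique_identifier, username):
        """Map a username onto a template such as 'uid=,ou=people,dc=...'."""
        if self.bound_as in (None, "anonymous") and not self.directory.allow_anonymous_search:
            raise LdapError("anonymous search refused by server policy")
        rdn, _, rest = unique_identifier.partition(",")
        candidate = f"{rdn}{username},{rest}"
        if candidate not in self.directory.passwords:
            raise LdapError(f"no entry for user {username}")
        return candidate

def authenticate(cfg, directory, username, password, legacy=False):
    """Return the user's DN on success.  legacy=True reproduces the behaviour the
    comment calls broken: the search connection binds even with an empty search
    user, and the auth connection binds anonymously before binding as the user."""
    search_conn = Connection(directory)
    search_dn = cfg.get("LDAPSearchDN", "")
    if legacy or search_dn:  # fixed flow: bind only when a search user is configured
        search_conn.bind(search_dn, cfg.get("LDAPSearchPwd", ""))
    user_dn = search_conn.search(cfg["UniqueIdentifier"], username)
    auth_conn = Connection(directory)
    if legacy:
        auth_conn.bind()  # anonymous bind first; refused where the site forbids it
    auth_conn.bind(user_dn, password)  # direct bind as the resolved DN
    return user_dn

# Constructed configuration in the issue's file format; passwords are made up.
CONSTRUCTED_CONFIG = """\
# If the LDAP server requires a username and password for lookups, set them here.
  UniqueIdentifier:uid=,ou=people,dc=hadoop,dc=apache,dc=org
  LDAPSearchDN:uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
  LDAPSearchPwd:sam-password
"""
PEOPLE = {  # constructed directory contents
    "uid=sam,ou=people,dc=hadoop,dc=apache,dc=org": "sam-password",
    "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org": "admin-password",
}

def outcome(fn):
    try:
        return "ok:" + fn()
    except LdapError as exc:
        return "error:" + str(exc)

def run_scenarios():
    """Fixed vs legacy flow against a strict site (no anonymous operations, like
    the issue's server) and a relaxed site queried without a search user."""
    cfg = parse_config(CONSTRUCTED_CONFIG)
    strict = FakeDirectory(dict(PEOPLE), allow_anonymous_bind=False, allow_anonymous_search=False)
    relaxed = FakeDirectory(dict(PEOPLE))
    no_search_user = {**cfg, "LDAPSearchDN": "", "LDAPSearchPwd": ""}
    return {
        "strict_fixed": outcome(lambda: authenticate(cfg, strict, "admin", "admin-password")),
        "strict_legacy": outcome(lambda: authenticate(cfg, strict, "admin", "admin-password", legacy=True)),
        "strict_no_search_user": outcome(lambda: authenticate(no_search_user, strict, "admin", "admin-password")),
        "relaxed_no_search_user": outcome(lambda: authenticate(no_search_user, relaxed, "admin", "admin-password")),
        "wrong_password": outcome(lambda: authenticate(cfg, strict, "admin", "nope")),
    }
```

Running `run_scenarios()` shows the shape of the bug: against the strict directory the legacy flow fails at the anonymous bind on the authentication connection even though the search user and the user's password are both correct, while the fixed flow succeeds. The `strict_no_search_user` case is the remaining legitimate failure: a site that forbids anonymous searches and a configuration with no LDAPSearchDN cannot resolve the DN at all, which is a configuration error rather than a code defect.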



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)