Re: [ApacheDS] Weird issue with DIRSERVER-1285
My pleasure :-), thanks for all the help!

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Just want to confirm this is closed, major PEBKAC on my behalf, a million thanks to Emmanuel for finding out what this was...
>
> Just for the record, the problem was that when restarting the service on an embedded server, it's mandatory to load the partitions. The reason is that the server will look for those partitions on the disk from their name, and not the opposite. That's for an embedded server.
>
> In Yiannis' case, he didn't do that, thus the partition where the user was stored wasn't loaded, leading to an error during the authentication.
>
> It could have been easier to find the problem if the BindHandler had thrown the correct error message, instead of a cryptic Referral Error. I have fixed this in the trunk.
>
> So thanks Yiannis, such problems help to get the server better!
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> I also tried the patch described in 1285, and unfortunately it didn't make a difference :-(. Really a show-stopper bug for me at the moment, which is a shame as everything else is working fine..

Ok, let's go back to basics. Can you post the associated entry (cn=JBoss,dc=gameaccount,dc=com), with all the attributes (you can use Studio for that)? I would also like to get the credential you use.

PS: The error message (referral blah) is atrocious. I think we have fixed it on trunk.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Here is the entry

dn: cn=JBoss,dc=gameaccount,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: JBoss
description: Security Principal
sn: JBoss
userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09

Using simple authentication for it, the password is test, SHA encrypted. I don't think the error message is fixed, I am using trunk :-)

Thanks,
Yiannis

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> I also tried the patch described in 1285, and unfortunately it didn't make a difference :-(. Really a show-stopper bug for me at the moment, which is a shame as everything else is working fine..
>
> Ok, let's go back to basics. Can you post the associated entry (cn=JBoss,dc=gameaccount,dc=com), with all the attributes (you can use Studio for that)? I would also like to get the credential you use.
>
> PS: The error message (referral blah) is atrocious. I think we have fixed it on trunk.
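The `userPassword::` value in the entry above can be checked offline. This is an added example, not part of the original thread and not ApacheDS code: it decodes the base64 LDIF value, reads the `{SHA}` scheme prefix (a single unsalted SHA-1), and tests a candidate password in constant time. It goes one step beyond the thread by also accepting the salted `{SSHA}` form; the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Attribute line copied from the entry posted in this thread.
LDIF_LINE = "userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09"


def ldif_value(line: str) -> bytes:
    """Return the raw attribute value; '::' marks a base64-encoded value."""
    _name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip(), validate=True)
    return rest.strip().encode("utf-8")


def split_scheme(stored: bytes):
    """Split b'{SCHEME}payload' into (scheme, payload); no prefix means cleartext."""
    if stored.startswith(b"{") and b"}" in stored:
        scheme, payload = stored[1:].split(b"}", 1)
        return scheme.decode("ascii").upper(), payload
    return "CLEARTEXT", stored


def verify(stored: bytes, candidate: str) -> bool:
    """Check a candidate password against a cleartext, {SHA} or {SSHA} value."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload, pw)
    if scheme not in ("SHA", "SSHA"):
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(payload, validate=True)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    if scheme == "SHA" and salt:
        raise ValueError("{SHA} value carries unexpected trailing bytes")
    expected = hashlib.sha1(pw + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    stored = ldif_value(LDIF_LINE)
    print(stored.decode("ascii"), verify(stored, "test"))
```
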
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> Here is the entry
>
> dn: cn=JBoss,dc=gameaccount,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> cn: JBoss
> description: Security Principal
> sn: JBoss
> userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09
>
> Using simple authentication for it, the password is test, SHA encrypted. I don't think the error message is fixed, I am using trunk :-)

What if you try to connect with this user with Studio? Does it work?

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Unfortunately yes...

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Here is the entry
>>
>> dn: cn=JBoss,dc=gameaccount,dc=com
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> cn: JBoss
>> description: Security Principal
>> sn: JBoss
>> userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09
>>
>> Using simple authentication for it, the password is test, SHA encrypted. I don't think the error message is fixed, I am using trunk :-)
>
> What if you try to connect with this user with Studio? Does it work?
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> Unfortunately yes...

Ok, the hex dump looks just perfect. Is the password confidential, or could we talk about its value on this mailing list? Or better, can you change it to something like test on the server using Studio, and test it again?

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
The password is test :-)

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Unfortunately yes...
>
> Ok, the hex dump looks just perfect. Is the password confidential, or could we talk about its value on this mailing list? Or better, can you change it to something like test on the server using Studio, and test it again?
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> The password is test :-)

This is not what is received:

30 31                           LdapMessage
  02 01 01                      Message #1
  60 2c                         BindRequest, length = 44
    02 01 03                    Ldap version 3
    04 1e                       Name, length = 30
      63 6e 3d 4a 42 6f 73 73   From 0 to 7
      2c 64 63 3d 67 61 6d 65   From 8 to 0F
      61 63 63 6f 75 6e 74 2c   From 10 to 17
      64 63 3d 63 6f 6d         From 18 to 1E : cn=JBoss,dc=gameaccount,dc=com
    80 07                       Simple authentication
      70 68 23 44 ...           Credentials : ph#D (should be 'test')

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
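The dump above can be read mechanically. This is an added example, not part of the original thread and not ApacheDS code: a small BER decoder for an LDAPv3 BindRequest with simple authentication, showing that the `[0]` field (tag `80`) carries the credentials as plain bytes. The sample packet is constructed for this example from the thread's DN and the password `test`; it is not the capture discussed in the thread, and the function names are this example's own.

```python
DN = b"cn=JBoss,dc=gameaccount,dc=com"
# Constructed sample (not the thread's capture): same DN, password "test".
SAMPLE = (bytes.fromhex("302e 020101 6029 020103 041e") + DN
          + bytes.fromhex("8004") + b"test")


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, next_pos). Definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                  # short form: the byte is the length
        length = first
    else:                             # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, want: int, what: str):
    """Read a TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected {what} (0x{want:02x}), got 0x{tag:02x}")
    return value, nxt


def parse_bind_request(packet: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    message, _ = expect(packet, 0, 0x30, "LDAPMessage SEQUENCE")
    msg_id, pos = expect(message, 0, 0x02, "INTEGER messageID")
    bind, _ = expect(message, pos, 0x60, "BindRequest")
    version, pos = expect(bind, 0, 0x02, "INTEGER version")
    name, pos = expect(bind, pos, 0x04, "OCTET STRING name")
    creds, _ = expect(bind, pos, 0x80, "simple authentication")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "credentials": creds,         # sent as-is: simple bind has no hashing on the wire
    }


if __name__ == "__main__":
    print(parse_bind_request(SAMPLE))
```
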
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Hi Emmanuel,

Are you inferring this from the message I posted earlier where I gave you the bytes over the wire? If so that was me testing with different passwords..

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> The password is test :-)
>
> This is not what is received:
>
> 30 31                           LdapMessage
>   02 01 01                      Message #1
>   60 2c                         BindRequest, length = 44
>     02 01 03                    Ldap version 3
>     04 1e                       Name, length = 30
>       63 6e 3d 4a 42 6f 73 73   From 0 to 7
>       2c 64 63 3d 67 61 6d 65   From 8 to 0F
>       61 63 63 6f 75 6e 74 2c   From 10 to 17
>       64 63 3d 63 6f 6d         From 18 to 1E : cn=JBoss,dc=gameaccount,dc=com
>     80 07                       Simple authentication
>       70 68 23 44 ...           Credentials : ph#D (should be 'test')
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> Hi Emmanuel,
>
> Are you inferring this from the message I posted earlier where I gave you the bytes over the wire? If so that was me testing with different passwords..

Yes. So when you set up the server with this entry and 'test' as a password, you can't connect with Studio?

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Hmm ok I'm getting confused :-P (doesn't take much!!) The scenario is this.

I start the server, create a partition, relevant context and the security principal, everything works fine, I can authenticate to ApacheDS. I shut down the server, start it up again, obviously this time all the data is read from disk, I get

LDAP: error code 49 - Bind principalDn points to referral.

I cannot connect with either JBoss name binding or Apache Studio. So it seems logical(?) to me like there's something odd going on once the data is re-read from disk.

Thanks,
Yiannis

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Hi Emmanuel,
>>
>> Are you inferring this from the message I posted earlier where I gave you the bytes over the wire? If so that was me testing with different passwords..
>
> Yes. So when you set up the server with this entry and 'test' as a password, you can't connect with Studio?
Re: [ApacheDS] Weird issue with DIRSERVER-1285
I'll try it straight away, bear in mind I'm running this as an embedded application, so will there be a uid=admin user, and if so what would the password be?

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Hmm ok I'm getting confused :-P (doesn't take much!!) The scenario is this.
>>
>> I start the server, create a partition, relevant context and the security principal, everything works fine, I can authenticate to ApacheDS. I shut down the server, start it up again, obviously this time all the data is read from disk, I get
>>
>> LDAP: error code 49 - Bind principalDn points to referral.
>>
>> I cannot connect with either JBoss name binding or Apache Studio. So it seems logical(?) to me like there's something odd going on once the data is re-read from disk.
>
> Thanks for having summarized the problem... I think we were heading in the wrong direction. Sounds to me like you might have a pb writing data on disk.
>
> The server will cache everything when started, to speed up things. So the first time, when you initialize everything, it's up in memory, so no pb. When you shut down the server, and restart it, then you are reading back from disk.
>
> Ok, a few more tests:
> - after a restart, can you connect to the server with Studio using the uid=admin user?
> - if so, can you read the added entries?
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Actually I don't think it matters much, as even with an incorrect password I get (from Studio)

The authentication failed
[LDAP: error code 49 - Bind principalDn points to referral.]
[LDAP: error code 49 - Bind principalDn points to referral.]

Y.

Should I try anonymous access?

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> Hmm ok I'm getting confused :-P (doesn't take much!!) The scenario is this.
>>
>> I start the server, create a partition, relevant context and the security principal, everything works fine, I can authenticate to ApacheDS. I shut down the server, start it up again, obviously this time all the data is read from disk, I get
>>
>> LDAP: error code 49 - Bind principalDn points to referral.
>>
>> I cannot connect with either JBoss name binding or Apache Studio. So it seems logical(?) to me like there's something odd going on once the data is re-read from disk.
>
> Thanks for having summarized the problem... I think we were heading in the wrong direction. Sounds to me like you might have a pb writing data on disk.
>
> The server will cache everything when started, to speed up things. So the first time, when you initialize everything, it's up in memory, so no pb. When you shut down the server, and restart it, then you are reading back from disk.
>
> Ok, a few more tests:
> - after a restart, can you connect to the server with Studio using the uid=admin user?
> - if so, can you read the added entries?
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> I'll try it straight away, bear in mind I'm running this as an embedded application, so will there be a uid=admin user, and if so what would the password be?

Yes. The password is 'secret' (s... don't tell anyone :)

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> Actually I don't think it matters much, as even with an incorrect password I get (from Studio)
>
> The authentication failed
> [LDAP: error code 49 - Bind principalDn points to referral.]
> [LDAP: error code 49 - Bind principalDn points to referral.]

With Studio 1.3.0? When I try to bind with a bad password, I get this:

The authentication failed
[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system]
[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system]

Can you send me your initial LDIF file and server.xml, so that I can test on my computer? (Send it privately, otherwise the attachments might be removed by the Apache mail server.)

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yep that's right, 1.3.0. I am not using server.xml as this is a very bare embedded setup.. should I be including it?

Emmanuel Lécharny wrote:
> Yiannis Mavroukakis wrote:
>> Actually I don't think it matters much, as even with an incorrect password I get (from Studio)
>>
>> The authentication failed
>> [LDAP: error code 49 - Bind principalDn points to referral.]
>> [LDAP: error code 49 - Bind principalDn points to referral.]
>
> With Studio 1.3.0? When I try to bind with a bad password, I get this:
>
> The authentication failed
> [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system]
> [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system]
>
> Can you send me your initial LDIF file and server.xml, so that I can test on my computer? (Send it privately, otherwise the attachments might be removed by the Apache mail server.)
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> Yep that's right, 1.3.0. I am not using server.xml as this is a very bare embedded setup.. should I be including it?

If you didn't modify it, no. Btw, if you have some server logs, send them too.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
[ApacheDS] Weird issue with DIRSERVER-1285
Hello everyone,

I'm getting this

LDAP: error code 49 - Bind principalDn points to referral

while trying to authenticate to my server. A bit of googling unearthed DIRSERVER-1285. My user credentials are stored in a deployment file and they are

java.naming.security.principal=cn=JBoss,dc=gameaccount,dc=com

So no quotes here, unless they are quoted somewhere else in the process (wouldn't be in my code). Are there any workarounds for this?

Thanks,
Yiannis
Re: [ApacheDS] Weird issue with DIRSERVER-1285
One clarification, I'm compiling ApacheDS from the latest source.

Yiannis Mavroukakis wrote:
> Hello everyone,
>
> I'm getting this
>
> LDAP: error code 49 - Bind principalDn points to referral
>
> while trying to authenticate to my server. A bit of googling unearthed DIRSERVER-1285. My user credentials are stored in a deployment file and they are
>
> java.naming.security.principal=cn=JBoss,dc=gameaccount,dc=com
>
> So no quotes here, unless they are quoted somewhere else in the process (wouldn't be in my code). Are there any workarounds for this?
>
> Thanks,
> Yiannis
Re: [ApacheDS] Weird issue with DIRSERVER-1285
hmm, assuming the same context as before, that this request comes from a jabber server, I would say that the jabber server is adding quotes, not Apache Directory. At least this is the case I have seen with openfire server.

Kiran Ayyagari

Yiannis Mavroukakis wrote:
> Hello everyone,
>
> I'm getting this
>
> LDAP: error code 49 - Bind principalDn points to referral
>
> while trying to authenticate to my server. A bit of googling unearthed DIRSERVER-1285. My user credentials are stored in a deployment file and they are
>
> java.naming.security.principal=cn=JBoss,dc=gameaccount,dc=com
>
> So no quotes here, unless they are quoted somewhere else in the process (wouldn't be in my code). Are there any workarounds for this?
>
> Thanks,
> Yiannis
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Hi Kiran,

Sorry I should have specified, that's not the jabber server (I solved that issue btw, ApacheDS complains about the attribute but Jabber works fine now), it's the JBoss server binding to ApacheDS.

Thanks,
Yiannis

ayyagarikiran wrote:
> hmm, assuming the same context as before, that this request comes from a jabber server, I would say that the jabber server is adding quotes, not Apache Directory. At least this is the case I have seen with openfire server.
>
> Kiran Ayyagari
>
> Yiannis Mavroukakis wrote:
>> Hello everyone,
>>
>> I'm getting this
>>
>> LDAP: error code 49 - Bind principalDn points to referral
>>
>> while trying to authenticate to my server. A bit of googling unearthed DIRSERVER-1285. My user credentials are stored in a deployment file and they are
>>
>> java.naming.security.principal=cn=JBoss,dc=gameaccount,dc=com
>>
>> So no quotes here, unless they are quoted somewhere else in the process (wouldn't be in my code). Are there any workarounds for this?
>>
>> Thanks,
>> Yiannis
Re: [ApacheDS] Weird issue with DIRSERVER-1285
I remember that there is some kind of strange behaviour when getting a DN from a property file, as the DN is truncated before the first comma. Could you check that the server receives the full DN?

On Wed, Feb 25, 2009 at 12:18 PM, Yiannis Mavroukakis imavrouka...@gameaccount.com wrote:
> Hi Kiran,
>
> Sorry I should have specified, that's not the jabber server (I solved that issue btw, ApacheDS complains about the attribute but Jabber works fine now), it's the JBoss server binding to ApacheDS.
>
> Thanks,
> Yiannis
>
> ayyagarikiran wrote:
>> hmm, assuming the same context as before, that this request comes from a jabber server, I would say that the jabber server is adding quotes, not Apache Directory. At least this is the case I have seen with openfire server.
>>
>> Kiran Ayyagari
>>
>> Yiannis Mavroukakis wrote:
>>> Hello everyone,
>>>
>>> I'm getting this
>>>
>>> LDAP: error code 49 - Bind principalDn points to referral
>>>
>>> while trying to authenticate to my server. A bit of googling unearthed DIRSERVER-1285. My user credentials are stored in a deployment file and they are
>>>
>>> java.naming.security.principal=cn=JBoss,dc=gameaccount,dc=com
>>>
>>> So no quotes here, unless they are quoted somewhere else in the process (wouldn't be in my code). Are there any workarounds for this?
>>>
>>> Thanks,
>>> Yiannis

--
Regards, Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote:
> I can do, will setting it in debug mode show me that?

Yes, but it will be a bit verbose :) Or you can use Wireshark.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Ok will do :) Having said that, I don't think it's a JBoss issue as I get the same error using Ldap Studio..

Emmanuel Lecharny wrote:
> Yiannis Mavroukakis wrote:
>> I can do, will setting it in debug mode show me that?
>
> Yes, but it will be a bit verbose :) Or you can use Wireshark.