Hi Kevin,

Could you comment JAMES-1313 with what you said, and reopen it if you think it needs to... We need to solve this issue.

Thx again,
Eric

On 22/03/12 13:22, Dion, Kevin wrote:
Yes, that commit is exactly the issue I am having. Unfortunately, the 
restriction added by that patch doesn't work for us, so I have decided to just 
stick with the version we have working. I would recommend making sure to add 
sufficient notice in the documentation of the LDAP that this restriction is in 
place, as it makes the LDAP authentication system much less flexible.

As for a recommendation on how to fix, I've been mostly focusing on working to 
get my configuration correct, and would need to become much more familiar with 
the source to feel comfortable offering any suggestions. Sorry!

Thanks,
Kevin


-----Original Message-----
From: Eric Charles [mailto:[email protected]]
Sent: Wednesday, March 21, 2012 10:12 AM
To: James Users List
Subject: Re: LDAP User Repository only works when userIdAttribute is 'cn'

Hi Kevin,

Thx for reporting and testing.

You can view the history on [1] and make diffs (example [2]).
You can see https://issues.apache.org/jira/browse/JAMES-1313 in the
commit log. Is this related to the issue you have?

Do you have any idea on how to fix this for you taking into account
previous patches?

Thx,
Eric


[1]
http://svn.apache.org/viewvc/james/server/trunk/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java?view=log

[2]
http://svn.apache.org/viewvc/james/server/trunk/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java?r1=1088681&r2=1179514&diff_format=h


On 21/03/12 14:38, Dion, Kevin wrote:
I have an ADLDS instance on a server running James beta2 I had been using to 
provide the user repository for James. Previously, I was using the attribute 
'uid' for the userIdAttribute in the configuration. When upgrading to beta4, 
this no longer works. When attempting to login, I get an 'Unable to retrieve 
user from ldap' error, with the following exception showing in the 
userrepository log:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'OU=Users,DC=SYSTEM,DC=DOMAIN,DC=ORG'
]; remaining name 'uid=cbrown,ou=users,dc=system,dc=domain,dc=org'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at org.apache.james.util.retry.naming.directory.RetryingDirContext$24.operation(RetryingDirContext.java:473)
    at org.apache.james.util.retry.ExceptionRetryHandler.perform(ExceptionRetryHandler.java:84)
    at org.apache.james.util.retry.naming.NamingExceptionRetryHandler.perform(NamingExceptionRetryHandler.java:58)
    at org.apache.james.util.retry.naming.directory.RetryingDirContext.search(RetryingDirContext.java:468)
    at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.buildUser(ReadOnlyUsersLDAPRepository.java:575)
    at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.getUserByName(ReadOnlyUsersLDAPRepository.java:648)
    at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.test(ReadOnlyUsersLDAPRepository.java:737)
    at org.apache.james.adapter.mailbox.store.UserRepositoryAuthenticator.isAuthentic(UserRepositoryAuthenticator.java:51)
    at org.apache.james.mailbox.store.StoreMailboxManager.login(StoreMailboxManager.java:269)
    at org.apache.james.mailbox.store.StoreMailboxManager.login(StoreMailboxManager.java:276)
    at org.apache.james.imap.processor.AbstractAuthProcessor.doAuth(AbstractAuthProcessor.java:56)
    at org.apache.james.imap.processor.LoginProcessor.doProcess(LoginProcessor.java:57)
    at org.apache.james.imap.processor.LoginProcessor.doProcess(LoginProcessor.java:37)
    at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:100)
    at org.apache.james.imap.processor.AbstractMailboxProcessor.process(AbstractMailboxProcessor.java:89)
    at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:83)
    at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:66)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:52)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
    at org.apache.james.imapserver.netty.ImapChannelUpstreamHandler.messageReceived(ImapChannelUpstreamHandler.java:181)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:327)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:305)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:207)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
    at org.jboss.netty.handler.execution.ChannelUpstreamEventRunnable.run(ChannelUpstreamEventRunnable.java:44)
    at org.jboss.netty.handler.execution.OrderedMemoryAwareThreadPoolExecutor$ChildExecutor.run(OrderedMemoryAwareThreadPoolExecutor.java:312)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)

I believe the source of this error comes from the following location:

    ...
    at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.buildUser(ReadOnlyUsersLDAPRepository.java:575)
    at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.getUserByName(ReadOnlyUsersLDAPRepository.java:648)
    ...


Looking at the differences in the getUserByName method between beta2 (1) and beta4 (2), 
the newer beta4 implementation calls buildUser, but instead of passing in a user's DN (as 
called for by the buildUser input parameter), creates a pseudo-DN using the 
userIdAttribute and the supplied username. I.e., a proper DN would be of the form 
"cn=Charlie Brown,ou=users,dc=system,dc=domain,dc=org", but getUserByName 
calls buildUser with 'uid=cbrown,ou=users,dc=system,dc=domain,dc=org'. This leads to a 
failure in the LDAP lookup.

Changing userIdAttribute to 'cn' and supplying the appropriate login 
information does provide correct login, however it should be possible for users 
to specify a different attribute for login purposes.

Links to referenced source for comparison:

(1) http://svn.apache.org/repos/asf/james/server/tags/james-server-3.0-beta2/ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java

(2) https://svn.apache.org/repos/asf/james/server/tags/james-server-3.0-beta4/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java



Kevin
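As an added illustration (not James code, and not a fix proposed anywhere in this thread), the following constructed in-memory directory reproduces the failure Kevin describes: gluing userIdAttribute=username onto the base DN only resolves when that attribute happens to be the RDN, whereas searching the subtree by attribute and then using the entry's real DN works for any login attribute. The directory contents, BASE_DN and function names are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Constructed sample directory (not a real server): DN -> attribute values.
# Entries are named by cn while logins use uid, the mismatch from the thread.
BASE_DN = "ou=users,dc=system,dc=domain,dc=org"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=Charlie Brown,{BASE_DN}": {"cn": ["Charlie Brown"], "uid": ["cbrown"]},
    f"cn=Lucy van Pelt,{BASE_DN}": {"cn": ["Lucy van Pelt"], "uid": ["lvanpelt"]},
}


def _normalize_dn(dn: str) -> str:
    """Compare DNs roughly as a directory would: per RDN, trimmed, case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lookup_pseudo_dn(user_id_attribute: str, username: str) -> Optional[str]:
    """Mimics the behaviour described in the thread: build a pseudo-DN from the
    login attribute and name, then read that entry directly. This can only
    succeed when the login attribute is also the entry's RDN attribute."""
    pseudo_dn = f"{user_id_attribute}={username},{BASE_DN}"
    for dn in DIRECTORY:
        if _normalize_dn(dn) == _normalize_dn(pseudo_dn):
            return dn
    return None  # a real server answers NO_OBJECT (LDAP error code 32) here


def search_by_attribute(user_id_attribute: str, username: str) -> Optional[str]:
    """Resolve the real DN by searching the subtree for an entry whose login
    attribute matches, independent of which attribute forms the RDN."""
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if any(v.lower() == username.lower() for v in attrs.get(user_id_attribute, []))
    ]
    # A login attribute must identify exactly one entry; refuse ambiguous results.
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(lookup_pseudo_dn("uid", "cbrown"))        # None: uid is not the RDN
    print(lookup_pseudo_dn("cn", "Charlie Brown"))  # works only because cn is the RDN
    print(search_by_attribute("uid", "cbrown"))     # real DN, whatever the RDN is
```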




--
eric | http://about.echarles.net | @echarles

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
