http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9705

Extra LDAP searches occur during JNDIRealm authentication

           Summary: Extra LDAP searches occur during JNDIRealm authentication
           Product: Tomcat 4
           Version: 4.1.3
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

I'm using JNDIRealm with the following setup.

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionName="cn=Directory Manager"
           connectionPassword="mypassword"
           connectionURL="ldap://myldapserver"
           userPattern="uid={0}, ou=People, dc=mydomain"
           userRoleName="ou"/>

I noticed that JNDIRealm is performing an extra query with a search base of "" and a filter of "(objectClass=*)". If I perform this search using ldapsearch, I receive an error of "ldap_search: No such object", so, it appears that that search isn't returning any meaningful information. The following is what gets logged when using iPlanet Directory Server 5.1.

    [07/Jun/2002:15:41:36 -0500] conn=23 op=12 BIND dn="cn=Directory Manager" method=128 version=3
    [07/Jun/2002:15:41:36 -0500] conn=23 op=12 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [07/Jun/2002:15:41:36 -0500] conn=23 op=13 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
    [07/Jun/2002:15:41:36 -0500] conn=23 op=13 RESULT err=0 tag=101 nentries=1 etime=0
    [07/Jun/2002:15:41:36 -0500] conn=23 op=14 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
    [07/Jun/2002:15:41:36 -0500] conn=23 op=14 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
    [07/Jun/2002:15:41:36 -0500] conn=23 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
    [07/Jun/2002:15:41:36 -0500] conn=23 op=15 RESULT err=0 tag=101 nentries=1 etime=0

Another possible optimization could be implemented for the following setup.
With this setup, connectionName and connectionPassword are left unspecified. As a result, an anonymous bind occurs when querying for the userRoleName. This works as long as the attribute that is being queried for is readable by the anonymous user.

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://myldapserver"
           userPattern="uid={0}, ou=People, dc=mydomain"
           userRoleName="ou"/>

This is what the log looks like. As you can see, it's the same as above. In this case, really all you need to do is bind as the user that you are authenticating. IMHO, if the connectionName and connectionPassword are left unspecified, it shouldn't perform the extra bind.

    [07/Jun/2002:15:54:05 -0500] conn=26 op=0 BIND dn="" method=128 version=3
    [07/Jun/2002:15:54:05 -0500] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [07/Jun/2002:15:54:26 -0500] conn=26 op=1 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
    [07/Jun/2002:15:54:26 -0500] conn=26 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [07/Jun/2002:15:54:26 -0500] conn=26 op=2 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
    [07/Jun/2002:15:54:26 -0500] conn=26 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
    [07/Jun/2002:15:54:26 -0500] conn=26 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
    [07/Jun/2002:15:54:26 -0500] conn=26 op=3 RESULT err=0 tag=101 nentries=1 etime=0
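The report's two log excerpts are the evidence for the bug, and the same access log is what a directory administrator would use to audit what a realm actually does per authentication: which DNs it binds as (an empty DN is an anonymous bind), how many searches it issues, and whether any of them is a base-scope search of the empty DN, i.e. a read of the root DSE. The following Python script is an added example, not part of the bug report or of Tomcat; it assumes the iPlanet Directory Server 5.1 access-log line format shown above and embeds the report's own log lines as its input. The function names (`parse_access_log`, `audit_connection`) are this example's, not anything in Catalina.

```python
import re

# Access-log record shapes as they appear in the report (iPlanet Directory Server 5.1).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+) version=(?P<version>\d+)')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="(?P<filter>[^"]*)" attrs=(?P<attrs>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')

# Input: the eight operations quoted in the bug report (conn=23 and conn=26).
REPORT_LOG = """\
[07/Jun/2002:15:41:36 -0500] conn=23 op=12 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=12 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:41:36 -0500] conn=23 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:41:36 -0500] conn=23 op=14 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:41:36 -0500] conn=23 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:54:05 -0500] conn=26 op=0 BIND dn="" method=128 version=3
[07/Jun/2002:15:54:05 -0500] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 SRCH base="uid=jemiller, ou=People, dc=mydomain" scope=0 filter="(objectClass=*)" attrs="ou"
[07/Jun/2002:15:54:26 -0500] conn=26 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 BIND dn="uid=jemiller, ou=People, dc=mydomain" method=128 version=3
[07/Jun/2002:15:54:26 -0500] conn=26 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jemiller,ou=people,dc=mydomain"
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jun/2002:15:54:26 -0500] conn=26 op=3 RESULT err=0 tag=101 nentries=1 etime=0
"""


def parse_access_log(lines):
    """Parse access-log lines into one dict per operation, keyed by (conn, op),
    with the matching RESULT record's err/nentries merged into the request."""
    ops = {}
    order = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated record type; ignore
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        if rest.startswith('RESULT'):
            r = RESULT_RE.match(rest)
            if r and key in ops:
                ops[key]['err'] = int(r['err'])
                ops[key]['nentries'] = int(r['nentries'])
            continue
        op = {'conn': key[0], 'op': key[1], 'ts': m['ts']}
        b = BIND_RE.match(rest)
        s = SRCH_RE.match(rest)
        if b:
            op.update(type='BIND', dn=b['dn'])
        elif s:
            op.update(type='SRCH', base=s['base'], scope=int(s['scope']),
                      filter=s['filter'], attrs=s['attrs'])
        else:
            op.update(type=rest.split()[0])  # e.g. UNBIND, MOD; kept but not audited
        ops[key] = op
        order.append(key)
    return [ops[k] for k in order]


def audit_connection(ops, conn):
    """Summarise the binds and searches one client connection performed.
    An empty bind DN is an anonymous bind; base="" with scope=0 is a root DSE read."""
    summary = {'binds': [], 'anonymous_binds': 0, 'searches': 0, 'root_dse_searches': 0}
    for op in ops:
        if op['conn'] != conn:
            continue
        if op['type'] == 'BIND':
            summary['binds'].append(op['dn'])
            if op['dn'] == '':
                summary['anonymous_binds'] += 1
        elif op['type'] == 'SRCH':
            summary['searches'] += 1
            if op['base'] == '' and op['scope'] == 0:
                summary['root_dse_searches'] += 1
    return summary


if __name__ == '__main__':
    parsed = parse_access_log(REPORT_LOG.splitlines())
    for conn in sorted({o['conn'] for o in parsed}):
        print(conn, audit_connection(parsed, conn))
```

Run against the report's lines, both connections show two binds and two searches per authentication, one of the searches being the root DSE read the reporter questions; conn=26 additionally shows the anonymous bind (dn="") that the second configuration produces. Pointing the same script at a longer access log, one authentication at a time, is a quick way to confirm whether a realm version still issues these operations.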