Hello

there is an LDAP server listening, but I did not give the credentials here for security 
reasons (I could start an LDAP server with public credentials for you if 
needed).
The LDAP log for this Tomcat startup failure is:

51416e66 conn=1004 fd=14 ACCEPT from IP=46.218.139.243:48297 (IP=XXXXXXXX:XXX)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)


When allowing the anonymous bind, Tomcat can start normally with a first 
anonymous bind:

514170c5 conn=1000 fd=14 ACCEPT from IP=46.218.139.243:48663 (IP=XXXXXXXX:XXX)
514170c5 conn=1000 op=0 BIND dn="" method=128
514170c5 conn=1000 op=0 RESULT tag=97 err=0 text=


And after the startup, the LDAP binds are no longer anonymous (the 
roleSearchAsUser parameter is working there):

514171e4 conn=1000 op=1 SRCH base="cn=eadell,ou=users,dc=XXX,dc=com" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=1 SRCH attr=1.1
514171e4 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=3 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=5 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=eadell,ou=users,dc=XXXX,dc=com)"
514171e4 conn=1000 op=5 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=6 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=XXX,ou=groups,dc=XXXX,dc=com)"
514171e4 conn=1000 op=6 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=


This is why I think there is a problem with the Tomcat startup when using a 
JNDI Realm: it always tries to bind anonymously to the LDAP server, with or 
without the roleSearchAsUser parameter. With a startup failure, this parameter 
becomes useless in real life because most LDAP directories don't allow 
anonymous binds, and they cannot know whether a request comes from a Tomcat 
startup or is a real request.


Please help :)
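The slapd log excerpts above show the symptom being described: the first operation on each connection is a bind with an empty DN, which the directory rejects with err=48 when anonymous binds are disallowed. What follows is an added example, not code from this thread, from Tomcat or from OpenLDAP: a small parser for stats-level slapd log lines that pairs each BIND with its RESULT, tallies anonymous versus authenticated binds per source address, and flags connections whose very first bind is anonymous, which is how an operator would separate a Tomcat startup probe from the credentialed binds that follow. The embedded log lines are constructed to mirror the thread's format (documentation-range IP address, example.com DNs); the regexes assume OpenLDAP's default "stats" log layout shown above.

```python
import re
from collections import defaultdict

# Patterns for OpenLDAP "stats" log lines (assumption: default slapd format,
# as in the excerpts in this thread). tag=97 is the BindResponse tag, so the
# RESULT pattern deliberately ignores SEARCH RESULT (tag=101) lines.
ACCEPT_RE = re.compile(r'conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')

# Constructed sample, modelled on the thread's log lines (not real traffic):
# one connection refused at its anonymous startup bind, one that was allowed
# through and then bound as a user.
SAMPLE_LOG = """\
51416e66 conn=1004 fd=14 ACCEPT from IP=192.0.2.10:48297 (IP=0.0.0.0:389)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)
514170c5 conn=1000 fd=14 ACCEPT from IP=192.0.2.10:48663 (IP=0.0.0.0:389)
514170c5 conn=1000 op=0 BIND dn="" method=128
514170c5 conn=1000 op=0 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
""".splitlines()


def parse_binds(lines):
    """Return bind attempts in log order as dicts with conn, op, ip, dn, anonymous, err.

    The 'mech=SIMPLE' and 'BIND anonymous mech=implicit' lines slapd emits
    alongside a bind do not carry 'dn="..." method=', so each bind is counted once.
    err stays None if no BindResponse was seen for that operation.
    """
    ips = {}       # conn id -> client address from the ACCEPT line
    pending = {}   # (conn, op) -> bind record still waiting for its RESULT
    binds = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            ips[m['conn']] = m['ip']
            continue
        m = BIND_RE.search(line)
        if m:
            rec = {'conn': m['conn'], 'op': m['op'], 'ip': ips.get(m['conn'], '?'),
                   'dn': m['dn'], 'anonymous': m['dn'] == '', 'err': None}
            pending[(m['conn'], m['op'])] = rec
            binds.append(rec)
            continue
        m = RESULT_RE.search(line)
        if m and (m['conn'], m['op']) in pending:
            pending.pop((m['conn'], m['op']))['err'] = int(m['err'])
    return binds


def summarize(binds):
    """Per source IP: anonymous binds rejected (err=48), accepted (err=0), and successful authenticated binds."""
    summary = defaultdict(lambda: {'anon_rejected': 0, 'anon_accepted': 0, 'authenticated': 0})
    for b in binds:
        s = summary[b['ip']]
        if b['anonymous']:
            if b['err'] == 48:
                s['anon_rejected'] += 1
            elif b['err'] == 0:
                s['anon_accepted'] += 1
        elif b['err'] == 0:
            s['authenticated'] += 1
    return dict(summary)


def first_anonymous_conns(binds):
    """Connection ids whose first bind (op=0) is anonymous: the startup-probe pattern from the thread."""
    return [b['conn'] for b in binds if b['op'] == '0' and b['anonymous']]


if __name__ == '__main__':
    binds = parse_binds(SAMPLE_LOG)
    for b in binds:
        print(f"conn={b['conn']} op={b['op']} ip={b['ip']} dn={b['dn']!r} err={b['err']}")
    print(summarize(binds))
    print('first bind anonymous on conn:', first_anonymous_conns(binds))
```

Run against a real slapd log, a source address that shows up only under anon_rejected is a client that never gets past its anonymous startup bind, which is exactly the failure mode reported here; a high anon_accepted count on a directory that is supposed to forbid anonymous binds is worth a look at the access control configuration.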

From: Martin Gainty [mgai...@hotmail.com]
Sent: Thursday 14 March 2013 01:59
To: Eugène Adell
Subject: RE: JNDI property roleSearchAsUser not working as expected


Hello Eugene

what you have supplied is the distinguished name; here is a partial example I 
have used in the past:
String distinguishedName = "ou=U,cn=Bank,o=S,c=US,o=grupo santander";

what you need to supply are:
IP of the LDAP host
Port (usually 389)
Authentication-scheme
(so that your client code can connect to an LDAP Listener)


//I have a piece of code that uses a client to connect to an LDAP server *listening on Port 389* which looks like:

log.debug("doLdap ipAddress="+ipAddress);
log.debug("doLdap port="+port);
log.debug("doLdap authMechanism="+authMechanism);
javax.naming.directory.DirContext context = test.createLdapContext(ipAddress, port, authMechanism);

String costCenterKey = "C";
String commonName = "x123456";

//then I can do an 'attribute search' based on CostCenterKey of 'C'
costCenter = test.doUserAttributeSearch(context, distinguishedName, commonName, costCenterKey);

The problem is that none of this would work if there is no listener listening 
on Port 389 of the supplied IP

First step is to verify the LDAP server is running
netstat -ab  | grep 389

Viel Glück / Bonne chance
Martin
 

> From: eugene.ad...@d2-si.eu
> To: users@tomcat.apache.org
> Subject: JNDI property roleSearchAsUser not working as expected
> Date: Wed, 13 Mar 2013 20:46:43 +0000
> 
> Hello
> 
> I am running the following :
> java version "1.6.0_25"
> Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
> Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
> Tomcat 7.0.37
> CentOS release 6.3
> 
> with this REALM configuration in server.xml :
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://***.***.***.***:389"
> userPattern="cn={0},ou=users,dc=example,dc=com"
> roleBase="ou=groups,dc=example,dc=com"
> roleSubtree="true"
> roleNested="true"
> roleName="cn"
> roleSearchAsUser="true"
> roleSearch="(uniqueMember={0})" />
> 
> and this triggers this error during the startup :
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
> at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 7 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 9 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
> at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 11 more
> Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2243)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 14 more
> Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused]
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
> at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
> at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:53)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2160)
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> ... 15 more
> Caused by: java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
> at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
> at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
> at java.net.Socket.connect(Socket.java:529)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at com.sun.jndi.ldap.Connection.createSocket(Connection.java:339)
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
> ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
> 
> 
> From what I understand, the roleSearchAsUser property was designed for people who 
> need to bind to an LDAP directory where anonymous binds are not authorized. But it's 
> just impossible to do this if the JNDI Realm tries to authenticate 
> anonymously by itself during the startup.
> 
> I suppose it's necessary to investigate this bug further:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444 
> 
> 
> Thanks
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
