[Date Prev][Date Next] [Chronological] [Thread] [Top]

[Repost] JDNI Authentication

To: OpenLDAP-software@OpenLDAP.org
Subject: [Repost] JDNI Authentication
From: Ross Rankin <ross_r@bellsouth.net>
Date: Mon, 11 Oct 2004 19:12:31 -0400
User-agent: Mozilla Thunderbird 0.7.2 (Windows/20040707)

Sorry for the repost but I'm still having the same issue and am unable to resolve it... Let me know if there is a better group to post this in...

Ross

I am using JNDI and Tomcat for authentication. This is a new server I am setting up to replace an exisiting one... Upgraded hardware / software... Anyway, authentication works for the user but doesn't find the user in the group... It doesn't make sense, since this same config works on another box. Here's the necessary files: debug log:

slapd starting

ldap_pvt_gethostbyname_a: host=www.domain.com, r=0 connection_get(10): got connid=0 connection_read(10): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 50 contents: ber_get_next ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable) do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <cn=Manager,dc=domain,dc=com> => ldap_bv2dn(cn=Manager,dc=domain,dc=com,0) ldap_err2string <= ldap_bv2dn(cn=Manager,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(cn=Manager,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(cn=manager,dc=domain,dc=com)=0 Success <<< dnPrettyNormal: <cn=Manager,dc=domain,dc=com>, <cn=manager,dc=domain,dc=com> do_bind: version=3 dn="cn=Manager,dc=domain,dc=com" method=128 do_bind: v3 bind: "cn=Manager,dc=domain,dc=com" to "cn=Manager,dc=domain,dc=com" send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 10 connection_get(10): got connid=0 connection_read(10): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 119 contents: ber_get_next ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable) do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com> => ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com,0) ldap_err2string <= ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success <<< dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>, <uid=ross,ou=people,dc=domain,dc=com> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" => bdb_search bdb_dn2entry("uid=ross,ou=people,dc=domain,dc=com") => bdb_dn2id( "dc=domain,dc=com" ) <= bdb_dn2id: got id=0x00000001 => bdb_dn2id( "ou=people,dc=domain,dc=com" ) <= bdb_dn2id: got id=0x00000007 => bdb_dn2id( "uid=ross,ou=people,dc=domain,dc=com" ) <= bdb_dn2id: got id=0x00000008 entry_decode: "uid=ross,ou=people,dc=domain,dc=com" <= entry_decode(uid=ross,ou=people,dc=domain,dc=com) => send_search_entry: dn="uid=ross,ou=people,dc=domain,dc=com" ber_flush: 74 bytes to sd 10 <= send_search_entry send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=0 ber_flush: 14 bytes to sd 10 connection_get(10): got connid=0 connection_read(10): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 148 contents: do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <ou=groups,dc=domain,dc=com> => ldap_bv2dn(ou=groups,dc=domain,dc=com,0) ldap_err2string <= ldap_bv2dn(ou=groups,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success <<< dnPrettyNormal: <ou=groups,dc=domain,dc=com>, <ou=groups,dc=domain,dc=com> ber_scanf fmt ({mm}) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" => bdb_search bdb_dn2entry("ou=groups,dc=domain,dc=com") => bdb_dn2id( "ou=groups,dc=domain,dc=com" ) <= bdb_dn2id: got id=0x00000006 entry_decode: "ou=groups,dc=domain,dc=com" <= entry_decode(ou=groups,dc=domain,dc=com) search_candidates: base="ou=groups,dc=domain,dc=com" (0x00000006) scope=1 => bdb_equality_candidates (objectClass) => key_read <= bdb_index_read: failed (-30990) <= bdb_equality_candidates: id=0, first=0, last=0 => bdb_dn2idl( "ou=groups,dc=domain,dc=com" ) <= bdb_dn2idl: id=4 first=9 last=13 bdb_search_candidates: id=0 first=9 last=0 bdb_search: no candidates send_ldap_result: conn=0 op=2 p=3 send_ldap_response: msgid=3 tag=101 err=0 ber_get_next ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable) ber_flush: 14 bytes to sd 10 daemon: shutdown requested and initiated. connection_closing: readying conn=0 sd=10 for close connection_close: conn=0 sd=10 slapd shutdown: waiting for 0 threads to terminate slapd shutdown: initiated ====> bdb_cache_release_all slapd shutdown: freeing system resources. slapd stopped.

Slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Tomcat server.xml JNDI part:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionName="cn=Manager,dc=domain,dc=com" connectionPassword="xxxxx" connectionURL="ldap://localhost:389"; userPassword="userPassword" userPattern="uid={0},ou=people,dc=domain,dc=com" roleBase="ou=groups,dc=domain,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" /> Web.XML section: <security-constraint> <web-resource-collection> <web-resource-name>Authentication</web-resource-name> <url-pattern>/secure/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> <role-name>manager></role-name> <role-name>admin</role-name> </auth-constraint> </security-constraint>

LDIF of database:
extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Manager, domain.com
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
roleOccupant: uid=ross,ou=people,dc=domain,dc=com

# users, domain.com
dn: ou=users,dc=domain,dc=com
objectClass: organizationalUnit
ou: users

# us, domain.com
dn: c=us,dc=domain,dc=com
objectClass: top
objectClass: country
c: us

# groups, domain.com
dn: ou=groups,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, domain.com
dn: ou=people,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# ross, people, domain.com
dn: uid=ross,ou=people,dc=domain,dc=com
cn: Ross Rankin
sn: Rankin
objectClass: inetOrgPerson
uid: ross
mail: wolver@mindspring.com
userPassword:: dGVzdA==

# manager, groups, domain.com
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# tomcat, groups, domain.com
dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# admin, groups, domain.com
dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# ralph, people, domain.com
dn: uid=ralph,ou=people,dc=domain,dc=com
cn: Ralph Mobley
sn: Mobley
objectClass: inetOrgPerson
uid: ralph
userPassword:: cGFzc3dvcmQ=
mail: ralph@domain.edu

# user, groups, domain.com
dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com

I think that would be all you need to help me diagnose the issue.  Thanks.

Ross

Follow-Ups:
- Re: [Repost] JDNI Authentication
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: how can you tell if md5 is in use
Next by Date: Re: [Repost] JDNI Authentication
Index(es):
- Chronological
- Thread