- Enhancement
- Resolution: Won't Fix
- P4
- None
- 6
- x86
- windows_2000, windows_xp
FULL PRODUCT VERSION :
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
I'm using the com.sun.security.auth.module.LdapLoginModule.
The config specifies multiple LDAP servers, but only the first one is ever checked when attempting authentication.
The error is in the attemptAuthentication method. The line
// Connect to the LDAP server (using simple bind)
ctx = new InitialLdapContext(ldapEnvironment, null);
only binds to the first entry in the PROVIDER_URL as specified in the initialize method:
ldapEnvironment.put(Context.PROVIDER_URL, userProvider);
The error could actually be in the InitialLdapContext constructor, but I don't have access to the source deep enough down to verify.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try to search-first authenticate an LDAP user X whose entry is present in one LDAP repository ldapA but not in another LDAP repository ldapB.
When specifying the provider URL, it must be specified as 'ldapA ldapB', not 'ldapB ldapA', because only the first entry in the URL is ever used for searching.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The ordering of multiple URLs in the provider config should be immaterial, so the authentication should work whichever way they are specified.
Expected successful authentication:
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ldapA.foo.com:389 ldap://ldapB.foo.com:389
[LdapLoginModule] searching for entry belonging to user: the-user
[LdapLoginModule] found entry: cn=the-user
[LdapLoginModule] attempting to authenticate user: the-user
[LdapLoginModule] authentication succeeded
ACTUAL -
Authentication failed because only the first URL is used:
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ldapA.foo.com:389 ldap://ldapB.foo.com:389
[LdapLoginModule] searching for entry belonging to user: the-user
[LdapLoginModule] user's entry not found
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.jcr.LoginException: Cannot find user's LDAP entry: Cannot find user's LDAP entry: Cannot find user's LDAP entry
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1255)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:338)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:363)
at FirstHop.main(FirstHop.java:16)
Caused by: javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
at com.sun.security.auth.module.LdapLoginModule.findUserDN(LdapLoginModule.java:912)
at com.sun.security.auth.module.LdapLoginModule.attemptAuthentication(LdapLoginModule.java:783)
at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:551)
at org.apache.jackrabbit.core.security.AuthContext$Local.login(AuthContext.java:143)
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1247)
... 3 more
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
at com.sun.security.auth.module.LdapLoginModule.findUserDN(LdapLoginModule.java:912)
at com.sun.security.auth.module.LdapLoginModule.attemptAuthentication(LdapLoginModule.java:783)
at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:551)
at org.apache.jackrabbit.core.security.AuthContext$Local.login(AuthContext.java:143)
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1247)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:338)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:363)
at FirstHop.main(FirstHop.java:16)
Exception in thread "main" java.lang.NullPointerException
at FirstHop.main(FirstHop.java:22)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ldapA.foo.com:389 ldap://ldapB.foo.com:389
[LdapLoginModule] searching for entry belonging to user: the-user
[LdapLoginModule] user's entry not found
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.jcr.LoginException: Cannot find user's LDAP entry: Cannot find user's LDAP entry: Cannot find user's LDAP entry
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1255)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:338)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:363)
at FirstHop.main(FirstHop.java:16)
Caused by: javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
at com.sun.security.auth.module.LdapLoginModule.findUserDN(LdapLoginModule.java:912)
at com.sun.security.auth.module.LdapLoginModule.attemptAuthentication(LdapLoginModule.java:783)
at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:551)
at org.apache.jackrabbit.core.security.AuthContext$Local.login(AuthContext.java:143)
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1247)
... 3 more
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
at com.sun.security.auth.module.LdapLoginModule.findUserDN(LdapLoginModule.java:912)
at com.sun.security.auth.module.LdapLoginModule.attemptAuthentication(LdapLoginModule.java:783)
at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:551)
at org.apache.jackrabbit.core.security.AuthContext$Local.login(AuthContext.java:143)
at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1247)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:338)
at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:363)
at FirstHop.main(FirstHop.java:16)
Exception in thread "main" java.lang.NullPointerException
at FirstHop.main(FirstHop.java:22)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
(Using jackrabbit)
repository.xml
-----
<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 1.2//EN"
                            "http://jackrabbit.apache.org/dtd/repository-1.2.dtd">
<!-- Example Repository Configuration File -->
<Repository>
  <!--
    virtual file system where the repository stores global state
    (e.g. registered namespaces, custom node types, etc.)
  -->
  <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
    <param name="path" value="${rep.home}/repository"/>
  </FileSystem>
  <!--
    security configuration
  -->
  <Security appName="Jackrabbit">
    <!--
      access manager:
      class: FQN of class implementing the AccessManager interface
    -->
    <AccessManager class="org.apache.jackrabbit.core.security.SimpleAccessManager">
      <!-- <param name="config" value="${rep.home}/access.xml"/> -->
    </AccessManager>
    <!-- <LoginModule class="com.amgen.common.ldap.LdapLoginModule"> -->
    <LoginModule class="com.sun.security.auth.module.LdapLoginModule">
      <param name="userProvider" value="ldap://ldapA.foo.com:389 ldap://ldapB.foo.com:389"/>
      <param name="debug" value="true"/>
      <param name="useFirstPass" value="false"/>
      <param name="tryFirstPass" value="false"/>
      <param name="useSSL" value="false"/>
      <param name="userFilter" value="(|(cn={USERNAME})(uid={USERNAME}))"/>
      <!--
        default user name to be used instead of the anonymous user
        when no login credentials are provided (unset by default)
      -->
      <!-- <param name="defaultUserId" value="superuser"/> -->
    </LoginModule>
  </Security>
  <!--
    location of workspaces root directory and name of default workspace
  -->
  <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="default"/>
  <!--
    workspace configuration template:
    used to create the initial workspace if there's no workspace yet
  -->
  <Workspace name="${wsp.name}">
    <!--
      virtual file system of the workspace:
      class: FQN of class implementing the FileSystem interface
    -->
    <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
      <param name="path" value="${wsp.home}"/>
    </FileSystem>
    <!--
      persistence manager of the workspace:
      class: FQN of class implementing the PersistenceManager interface
    -->
    <PersistenceManager class="org.apache.jackrabbit.core.persistence.db.DerbyPersistenceManager">
      <param name="url" value="jdbc:derby:${wsp.home}/db;create=true"/>
      <param name="schemaObjectPrefix" value="${wsp.name}_"/>
    </PersistenceManager>
    <!--
      Search index and the file system it uses.
      class: FQN of class implementing the QueryHandler interface
    -->
    <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
      <param name="path" value="${wsp.home}/index"/>
    </SearchIndex>
  </Workspace>
  <!--
    Configures the versioning
  -->
  <Versioning rootPath="${rep.home}/version">
    <!--
      Configures the filesystem to use for versioning for the respective
      persistence manager
    -->
    <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
      <param name="path" value="${rep.home}/version" />
    </FileSystem>
    <!--
      Configures the persistence manager to be used for persisting version state.
      Please note that the current versioning implementation is based on
      a 'normal' persistence manager, but this could change in future
      implementations.
    -->
    <PersistenceManager class="org.apache.jackrabbit.core.persistence.db.DerbyPersistenceManager">
      <param name="url" value="jdbc:derby:${rep.home}/version/db;create=true"/>
      <param name="schemaObjectPrefix" value="version_"/>
    </PersistenceManager>
  </Versioning>
  <!--
    Search index for content that is shared repository wide
    (/jcr:system tree, contains mainly versions)
  -->
  <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
    <param name="path" value="${rep.home}/repository/index"/>
  </SearchIndex>
</Repository>
java test case
----
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.core.TransientRepository;

public class FirstHop {
    public static void main(String[] args) throws Exception {
        Repository repository = null;
        Session session = null;
        try {
            repository = new TransientRepository();
            // The credentials are handed to the LdapLoginModule configured in repository.xml
            SimpleCredentials cred = new SimpleCredentials("the-user",
                    "the-password".toCharArray());
            session = repository.login(cred);
            session.save();
        } catch (Exception e) {
            e.printStackTrace(System.err);
        } finally {
            // When login() throws, session is still null; the guard avoids the
            // secondary NullPointerException that appears at the end of the trace
            if (session != null) {
                session.logout();
            }
        }
    }
}
---------- END SOURCE ----------
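An added example, not from the JDK or from the reporter: a search-first lookup that splits the space-separated userProvider value and opens one context per URL, so that, unlike the behaviour reported above, a user whose entry exists on only one of the servers is found regardless of list order. The class and method names (MultiUrlUserLookup, Match, escapeFilterValue) are assumptions; it assumes each URL carries its search base DN, as the module's own documentation shows, and that the servers allow an anonymous search. The username is escaped before it is substituted into userFilter, which the hand-rolled search needs because the filter is built from caller input.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Search-first user lookup that tries every URL in a space-separated provider list. */
public final class MultiUrlUserLookup {

    /** Where the entry was found; the simple bind that follows must go to this same url. */
    public static final class Match {
        public final String url;
        public final String dn;
        Match(String url, String dn) { this.url = url; this.dn = dn; }
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the first server whose search finds the user's entry, or null if none
     * does. Each URL gets its own context, so the order of the list does not decide
     * whether a user that exists on only one server is found. Assumes (hypothetical
     * setup) that every URL carries its search base DN and permits anonymous search.
     */
    static Match findUserDN(String userProvider, String userFilter, String username)
            throws NamingException {
        String filter = userFilter.replace("{USERNAME}", escapeFilterValue(username));
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed
        NamingException last = null;
        for (String url : userProvider.trim().split("\\s+")) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url); // one server per context
            LdapContext ctx = null;
            try {
                ctx = new InitialLdapContext(env, null);
                NamingEnumeration<SearchResult> results = ctx.search("", filter, sc);
                if (results.hasMore()) {
                    return new Match(url, results.next().getNameInNamespace());
                }
            } catch (NamingException e) {
                last = e; // server unreachable or search refused: try the next URL
            } finally {
                if (ctx != null) ctx.close();
            }
        }
        if (last != null) throw last; // nothing found and at least one server failed
        return null;
    }
}
```

The simple bind that authenticates the user has to be made against the url in the returned Match, since the entry is only known to exist there; with useSSL=false as in the repository.xml above, that bind carries the password over a plaintext connection.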
- duplicates JDK-6561371 LdapLoginModule does not support multiple ldap_urls (Closed)