[Repost] JNDI Authentication



Sorry for the repost but I'm still having the same issue and am unable to resolve it... Let me know if there is a better group to post this in...

Ross

I am using JNDI and Tomcat for authentication. This is a new server I am setting up to replace an existing one... Upgraded hardware / software... Anyway, authentication works for the user but doesn't find the user in the group... It doesn't make sense, since this same config works on another box. Here are the necessary files:
debug log:


slapd starting

ldap_pvt_gethostbyname_a: host=www.domain.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=domain,dc=com>
=> ldap_bv2dn(cn=Manager,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <cn=Manager,dc=domain,dc=com>, <cn=manager,dc=domain,dc=com>
do_bind: version=3 dn="cn=Manager,dc=domain,dc=com" method=128
do_bind: v3 bind: "cn=Manager,dc=domain,dc=com" to "cn=Manager,dc=domain,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 119 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>
=> ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>, <uid=ross,ou=people,dc=domain,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("uid=ross,ou=people,dc=domain,dc=com")
=> bdb_dn2id( "dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000001
=> bdb_dn2id( "ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000007
=> bdb_dn2id( "uid=ross,ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000008
entry_decode: "uid=ross,ou=people,dc=domain,dc=com"
<= entry_decode(uid=ross,ou=people,dc=domain,dc=com)
=> send_search_entry: dn="uid=ross,ou=people,dc=domain,dc=com"
ber_flush: 74 bytes to sd 10
<= send_search_entry
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=groups,dc=domain,dc=com>
=> ldap_bv2dn(ou=groups,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <ou=groups,dc=domain,dc=com>, <ou=groups,dc=domain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=groups,dc=domain,dc=com")
=> bdb_dn2id( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000006
entry_decode: "ou=groups,dc=domain,dc=com"
<= entry_decode(ou=groups,dc=domain,dc=com)
search_candidates: base="ou=groups,dc=domain,dc=com" (0x00000006) scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2idl: id=4 first=9 last=13
bdb_search_candidates: id=0 first=9 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
ber_flush: 14 bytes to sd 10
daemon: shutdown requested and initiated.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.


Slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Tomcat server.xml JNDI part:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="cn=Manager,dc=domain,dc=com"
connectionPassword="xxxxx"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userPattern="uid={0},ou=people,dc=domain,dc=com"
roleBase="ou=groups,dc=domain,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>

Web.XML section:

<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>manager</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>


LDIF of database:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Manager, domain.com
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
roleOccupant: uid=ross,ou=people,dc=domain,dc=com

# users, domain.com
dn: ou=users,dc=domain,dc=com
objectClass: organizationalUnit
ou: users

# us, domain.com
dn: c=us,dc=domain,dc=com
objectClass: top
objectClass: country
c: us

# groups, domain.com
dn: ou=groups,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, domain.com
dn: ou=people,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# ross, people, domain.com
dn: uid=ross,ou=people,dc=domain,dc=com
cn: Ross Rankin
sn: Rankin
objectClass: inetOrgPerson
uid: ross
mail: wolver@mindspring.com
userPassword:: dGVzdA==

# manager, groups, domain.com
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# tomcat, groups, domain.com
dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# admin, groups, domain.com
dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# ralph, people, domain.com
dn: uid=ralph,ou=people,dc=domain,dc=com
cn: Ralph Mobley
sn: Mobley
objectClass: inetOrgPerson
uid: ralph
userPassword:: cGFzc3dvcmQ=
mail: ralph@domain.edu

# user, groups, domain.com
dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com

I think that would be all you need to help me diagnose the issue.  Thanks.

Ross
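
Added example, not part of the original post: a Python sketch of the role lookup that the posted JNDIRealm settings describe, run over group entries trimmed from the LDIF above, to show which roles that data should yield for the search the debug log ends with "bdb_search: no candidates". The sample LDIF is constructed from the post and the function names are hypothetical; DNs are split naively on commas.

```python
# Added example: emulate the role lookup the posted JNDIRealm settings describe.
USER_PATTERN = "uid={0},ou=people,dc=domain,dc=com"   # from server.xml
ROLE_BASE = "ou=groups,dc=domain,dc=com"
ROLE_NAME = "cn"
ROLE_SEARCH = "(uniqueMember={0})"
AUTH_ROLES = {"user", "manager", "admin"}             # web.xml auth-constraint
# Constructed sample: the post's group entries, trimmed to the attributes used.
LDIF = """\
dn: ou=groups,dc=domain,dc=com
ou: groups

dn: cn=manager,ou=groups,dc=domain,dc=com
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=user,ou=groups,dc=domain,dc=com
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com
"""

def parse_ldif(text):
    # One {attribute: [values]} dict per blank-line-separated entry.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def norm(dn):
    # Case-fold a DN into RDNs; naive split, no escaped commas (assumption).
    return [rdn.strip().lower() for rdn in dn.split(",")]

def roles_for(username, entries):
    # One-level search (scope=1 in the log) under ROLE_BASE with ROLE_SEARCH.
    user_dn = USER_PATTERN.format(username)
    attr, _, member = ROLE_SEARCH.format(user_dn).strip("()").partition("=")
    roles = []
    for e in entries:
        in_scope = norm(e["dn"][0])[1:] == norm(ROLE_BASE)
        if in_scope and norm(member) in map(norm, e.get(attr.lower(), [])):
            roles += e.get(ROLE_NAME, [])
    return sorted(roles)

def is_authorized(username, entries):
    # True when any returned role is listed in the web.xml auth-constraint.
    return bool(AUTH_ROLES & set(roles_for(username, entries)))
```
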