Posted to users@tomcat.apache.org by Eugène Adell <Eu...@d2-si.eu> on 2013/03/13 21:46:43 UTC

JNDI property roleSearchAsUser not working as expected

Hello

I am running the following :
  java version "1.6.0_25"
  Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
  Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
  Tomcat 7.0.37
  CentOS release 6.3

with this REALM  configuration in server.xml :
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://***.***.***.***:389"
       userPattern="cn={0},ou=users,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleSubtree="true"
       roleNested="true"
       roleName="cn"
       roleSearchAsUser="true"
       roleSearch="(uniqueMember={0})" />

and this triggers this error during the startup :
Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 7 more
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 9 more
Caused by: org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 11 more
Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2243)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 14 more
Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:53)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2160)
        at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
        ... 15 more
Caused by: java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:529)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:339)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
        ... 27 more
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 34 ms


From what I understand, the roleSearchAsUser property was designed for people who need to bind to an LDAP directory where anonymous bind is not authorized. But it's just impossible to do this if the JNDI Realm tries to authenticate anonymously by itself during the startup.

I suppose it's necessary to investigate this bug further:
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444 


Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JNDI property roleSearchAsUser not working as expected

Posted by Felix Schumacher <fe...@internetallee.de>.
On 14.03.2013 15:54, Eugène Adell wrote:
>> I still wonder why you are so reluctant to use a technical user, especially since you have security concerns about the anonymous user.
> To find someone's roles, LDAP only requires a bind + a search in groups. It is a simple ldapsearch command for those who use the command line.
But you have to know which user is doing the search, right?

Tomcat does not know which user is logging in at start; it will search for the user with one of the methods 'userSearch' or 'userPattern'.

The first will have to do a search to find the user's dn; the second one could theoretically build the dn and do a bind. But since the 'userPattern' approach can be configured with more than one dn to look up, it would have to do more than one login try, which could be harmful for performance if your directory server gives penalty pauses for wrong credentials.
> But when connecting through Tomcat we also need either one more account or allowing anonymous bind. It is not logical to add extra work to anything which could stay simple.
see above.
>
> About security, we can ask any user to change their password on a monthly or quarterly basis. The technical account should be under the same security control, with expiring passwords, and it is not good practice to stop client applications, especially when there are many or in a production environment. The anonymous bind is free from such problems, and it's not much worse than a password stored in a config file.
I don't think that it is necessary to use the same security enforcement for technical users as for real users, but everyone will have a different opinion on security policies, so yours is as valid as everyone else's :)

On the other hand, given the frequent updates of Tomcat itself, you will already have to restart your servers quite often in order to stay updated...

Regards
  Felix
>
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Thursday 14 March 2013 15:28
> To: Tomcat Users List
> Subject: RE:RE:JNDI property roleSearchAsUser not working as expected
>
> "Eugène Adell" <Eu...@d2-si.eu> wrote:
>
>> Thanks Felix,
>>
>> I will choose the easy way by allowing the anonymous user to bind to the
>> directory, against all security logic, and strengthen the ACL to
>> forbid anonymous search.
>>
>> Anyway, bug 19444 is closed, saying the new parameter (introduced in
>> 7.0.9 and corrected in 7.0.30) allows role searching with the
>> authenticating user. That's true, but we still need either the
>> anonymous or a technical user for the startup binding. It's not really
>> compliant with real-life LDAP management.
>>
> I still wonder why you are so reluctant to use a technical user, especially since you have security concerns about the anonymous user.
>
> Regards
> Felix
>
>> best regards
>>
>>
>>
>> ________________________________________
>> From: Felix Schumacher [felix.schumacher@internetallee.de]
>> Sent: Thursday 14 March 2013 14:22
>> To: Tomcat Users List
>> Subject: RE:JNDI property roleSearchAsUser not working as expected
>>
>> On 14.03.2013 13:40, Eugène Adell wrote:
>>> This doc is self-contradictory because it suggests "to setup a
>>> technical user" when we "don't want to configure a technical user",
>>> and it doesn't give any solution when we are not the admin of the
>>> directory.
>> I can't read that out of the docs for roleSearchAsUser as stated on
>> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
>>
>> It is just a mechanism to switch the credentials when searching
>> for roles.
>>
>> That way you can restrict the rights of the anonymous/admin user, so
>> that it doesn't need to be able to look up groups/roles for a user.
>>
>>> Here we learn that the Tomcat JNDI Realm only works in "Administrator
>>> Login Mode" with an administrator login/password (in fact the
>>> "technical user" discussed above):
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html
>> I believe the "Administrator Login Mode" is used for retrieving
>> attributes out of a user's object and comparing the values to some
>> given credentials. The "User Login Mode" is used when a bind is
>> performed to check the credentials. But either way, you will have to
>> set up a technical user, or open the directory server to allow
>> anonymous binds and searches for the user dn's.
>>
>>> From this, it seems that roleSearchAsUser is only useful when the
>>> anonymous bind is allowed. It's another contradiction here, because
>>> it seems logical to use this parameter especially when anonymous is
>>> not allowed.
>> You will not get to the point where the role is being searched, since
>> before that there are two points where your directory is being
>> accessed.
>>   1. initial test of the connection (which you reported in your first mail)
>>   2. lookup of the user who wants to log in (and since the username
>> to bind with is not known, it will be hard to guess)
>>
>> So as stated before, the easiest thing is to just use a technical user
>> to connect to the directory.
>>
>> Regards
>>   Felix
>>>
>>>
>>> ________________________________________
>>> From: Felix Schumacher [felix.schumacher@internetallee.de]
>>> Sent: Thursday 14 March 2013 12:03
>>> To: Tomcat Users List
>>> Subject: Re: JNDI property roleSearchAsUser not working as expected
>>>
>>> On 13.03.2013 21:46, Eugène Adell wrote:
>>>> From what I understand, the roleSearchAsUser property was designed for
>>>> people who need to bind to an LDAP directory where anonymous bind is not
>>>> authorized. But it's just impossible to do this if the JNDI Realm
>>>> tries to authenticate anonymously by itself during the startup.
>>> I read the docs as follows:
>>>
>>> If your directory server does not allow scanning for roles as the
>>> anonymous user and you don't want to configure a technical user (by
>>> specifying connectionName and connectionPassword), you can delegate
>>> the credentials of the user that is currently logging in.
>>>
>>> It is not intended to set the user credentials for all ldap
>>> operations.
>>>
>>> The easiest way to fix it is to set up a technical user inside your
>>> directory which has no right other than to log in and look up your
>>> users, which would be the next operation.
>>>
>>> Regards
>>>    Felix
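The two Realm configurations below are an added example, not code from the original posts or from the Tomcat project: the first is the realm from the first mail in this thread, the second the variant Felix recommends, binding with a dedicated least-privilege technical account through connectionName/connectionPassword while still searching group membership as the user who is logging in. The hostname ldap.example.com, the technical account DN cn=tomcat-bind,ou=services,dc=example,dc=com and the password placeholder are assumptions; only one of the two elements belongs in server.xml.

```xml
<!-- Added example (not from the thread). Weak form: the realm as posted in the
     first mail. With no connectionName/connectionPassword the realm binds
     anonymously for its startup connection test, which a directory that
     disallows anonymous binds rejects with LDAP error code 48, so Tomcat
     never reaches the role search that roleSearchAsUser="true" would run
     with the user's own credentials. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       userPattern="cn={0},ou=users,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleSubtree="true"
       roleNested="true"
       roleName="cn"
       roleSearchAsUser="true"
       roleSearch="(uniqueMember={0})" />

<!-- Hardened form: an assumed technical account performs the startup
     connection test and any user lookup the realm does before the role
     search. Its directory ACL only needs read access to the user entries
     under ou=users; role membership is still searched with the credentials
     of the user who is logging in (roleSearchAsUser="true"), so the
     technical account needs no rights on ou=groups. The password value is
     a placeholder to be replaced. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-bind,ou=services,dc=example,dc=com"
       connectionPassword="CHANGE_ME_PLACEHOLDER"
       userPattern="cn={0},ou=users,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleSubtree="true"
       roleNested="true"
       roleName="cn"
       roleSearchAsUser="true"
       roleSearch="(uniqueMember={0})" />
```

Since the technical account's password sits in server.xml, restrict that file to the account Tomcat runs as, and scope the technical account's directory ACL to read-only on ou=users so a leaked password yields no more than the lookups Tomcat itself performs.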




RE:RE:RE:JNDI property roleSearchAsUser not working as expected

Posted by Eugène Adell <Eu...@d2-si.eu>.
> I still wonder why you are so reluctant to use a technical user, especially since you have security concerns about the anonymous user.

To find someone's roles, LDAP only requires a bind + a search in groups. It is a simple ldapsearch command for those who use the command line.
But when connecting through Tomcat we also need either one more account or allowing anonymous bind. It is not logical to add extra work to anything which could stay simple.

About security, we can ask any user to change their password on a monthly or quarterly basis. The technical account should be under the same security control, with expiring passwords, and it is not good practice to stop client applications, especially when there are many or in a production environment. The anonymous bind is free from such problems, and it's not much worse than a password stored in a config file.





RE:RE:JNDI property roleSearchAsUser not working as expected

Posted by Felix Schumacher <fe...@internetallee.de>.

"Eugène Adell" <Eu...@d2-si.eu> wrote:

>
>Thanks Felix,
>
>I will choose the easy way by allowing the anonymous user to bind to the
>directory, against all security logic, and strengthen the ACL to
>forbid anonymous search.
>
>Anyway, bug 19444 is closed, saying the new parameter (introduced in
>7.0.9 and corrected in 7.0.30) allows role searching with the
>authenticating user. That's true, but we still need either the
>anonymous or a technical user for the startup binding. It's not really
>compliant with real-life LDAP management.
>

I still wonder why you are so reluctant to use a technical user, especially since you have security concerns about the anonymous user.

Regards
Felix

>best regards
>
>
>
>________________________________________
>De : Felix Schumacher [felix.schumacher@internetallee.de]
>Envoyé : jeudi 14 mars 2013 14:22
>À : Tomcat Users List
>Objet : RE:JNDI property roleSearchAsUser not working as expected
>
>Am 14.03.2013 13:40, schrieb Eugène Adell:
>> This doc is self-contradictory because it suggests "to setup a
>> technical user" when we "don't want to configure a technical user",
>> and it doesn't give any solution when we are not the admin of the
>> directory.
>
>I can't read that out of the docs for roleSearchAsUser as stated on
>http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
>
>It is just a mechanism to switch from the credentials when searching
>for roles.
>
>That way you can restrict the rights to the anonymous/admin user, so
>that it doesn't need to be able to lookup groups/roles for a user.
>
>>
>> Here we learn that Tomcat JNDI Realm only works in "Administrator
>> Login Mode" with an administrator login/password (in fact the
>> "technical user" discussed above) :
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html
>
>I believe the "Administrator Login Mode" is used for retrieving
>attributes out of an users object and comparing the values to some
>given
>credentials. The "User Login Mode" is used when a bind is performed to
>check the credentials. But either way, you will have to setup a
>technical user, or open the directory server to allow anonymous binds
>and searches for the user dn's.
>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE:RE:JNDI property roleSearchAsUser not working as expected

Posted by Eugène Adell <Eu...@d2-si.eu>.
Thanks Felix,

I will choose the easy way by allowing anonymous binds to the directory, against all security logic, and strengthen the ACL to forbid anonymous searches.

Anyway, bug 19444 is closed, saying that the new parameter (introduced in 7.0.9 and corrected in 7.0.30) allows role searching with the authenticating user. That's true, but we still need either anonymous access or a technical user for the startup bind. It's not really compliant with real-life LDAP management.

best regards





RE:JNDI property roleSearchAsUser not working as expected

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 14.03.2013 13:40, schrieb Eugène Adell:
> This doc is self-contradictory because it suggests "to setup a
> technical user" when we "don't want to configure a technical user",
> and it doesn't give any solution when we are not the admin of the
> directory.

I can't read that out of the docs for roleSearchAsUser as stated on 
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

It is just a mechanism to switch the credentials when searching 
for roles.

That way you can restrict the rights of the anonymous/admin user, so 
that it doesn't need to be able to look up groups/roles for a user.

> 
> Here we learn that Tomcat JNDI Realm only works in "Administrator
> Login Mode" with an administrator login/password (in fact the
> "technical user" discussed above) :
> 
> http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

I believe the "Administrator Login Mode" is used for retrieving 
attributes out of a user's object and comparing the values to some given 
credentials. The "User Login Mode" is used when a bind is performed to 
check the credentials. But either way, you will have to set up a 
technical user, or open the directory server to allow anonymous binds 
and searches for the user DNs.

> 
> From this, it seems that roleSearchAsUser is only useful when the
> anonymous bind is allowed. It's another contradiction here, because it
> seems logical to use this parameter especially when anonymous is not
> allowed.

You will not get to the point where the roles are searched, since 
before that there are two points where your directory is accessed:
  1. the initial test of the connection (which you reported in your first mail)
  2. the lookup of the user who wants to log in (and since the username 
to bind with is not known, it will be hard to guess)

So, as stated before, the easiest thing is to just use a technical user 
to connect to the directory.

Regards
  Felix


RE:JNDI property roleSearchAsUser not working as expected

Posted by Eugène Adell <Eu...@d2-si.eu>.
This doc is self-contradictory because it suggests "to setup a technical user" when we "don't want to configure a technical user", and it doesn't give any solution when we are not the admin of the directory.

Here we learn that Tomcat JNDI Realm only works in "Administrator Login Mode" with an administrator login/password (in fact the "technical user" discussed above):

http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

From this, it seems that roleSearchAsUser is only useful when anonymous bind is allowed. It's another contradiction here, because it seems logical to use this parameter especially when anonymous is not allowed.





Re: JNDI property roleSearchAsUser not working as expected

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 13.03.2013 21:46, schrieb Eugène Adell:
> Hello
> 
> I am running the following :
>   java version "1.6.0_25"
>   Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
>   Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
>   Tomcat 7.0.37
>   CentOS release 6.3
> 
> with this REALM configuration in server.xml:
>                         <Realm className="org.apache.catalina.realm.JNDIRealm"
>                           connectionURL="ldap://***.***.***.***:389"
>                           userPattern="cn={0},ou=users,dc=example,dc=com"
>                           roleBase="ou=groups,dc=example,dc=com"
>                           roleSubtree="true"
>                           roleNested="true"
>                           roleName="cn"
>                           roleSearchAsUser="true"
>                           roleSearch="(uniqueMember={0})" />
> 
> and this triggers this error during the startup:
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
>         at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
...
>         ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
> 
> 
> From what I understand, roleSearchAsUser property was designed for
> people who need to bind on any LDAP where anonymous bind is not
> authorized. But it's just impossible to do this if the JNDI Realm
> tries to authenticate anonymously by itself during the startup.

I read the docs as follows:

If your directory server does not allow scanning for roles as the anonymous 
user and you don't want to configure a technical user (by specifying 
connectionName and connectionPassword), you can delegate the credentials 
of the user who is currently logging in.

It is not intended to set the user credentials for all LDAP operations.

The easiest way to fix it is to set up a technical user inside your 
directory which has no rights other than to log in and look up your users, 
which would be the next operation.

Regards
  Felix
> 
> I suppose it's necessary to investigate further this bug :
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
> 
> 
> Thanks
> 
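Felix's point in the replies above, that the realm touches the directory at several points (the connection test at startup, the user lookup, then the role search) and that roleSearchAsUser only changes the identity used for the last of them, can be checked against the directory's own access log, which is what Eugène does with slapd output in the next message on this page. The script below is an added example of that kind of audit; it is not code from this thread or from Tomcat. It reads OpenLDAP slapd "stats" log lines of the shape quoted in this thread, tracks which DN is bound on each connection, attributes every search to the identity in effect when it was issued, and lists rejected binds and searches made anonymously. The log lines embedded in it are constructed for the example, modelled on the lines in this thread with the client address and the base DNs replaced by example values.

```python
"""Attribute each operation in an OpenLDAP (slapd) stats log to the identity
bound on that connection, and flag rejected binds and anonymous searches.

Added example for this thread; the log lines below are constructed,
modelled on the slapd output quoted on this page (example.com DNs).
"""
import re

# Lines that matter for the audit.  A BIND line with method= carries the
# DN being bound ("" means anonymous); the "BIND anonymous mech=implicit"
# and "BIND dn=... mech=SIMPLE" variants repeat that information and are
# deliberately not matched so each operation is recorded once.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)')

ANON = "anonymous"


def parse_slapd_log(lines):
    """Return a list of events {conn, op, kind, identity, target, err}.

    For a SRCH event, identity is the DN bound on the connection when the
    search was issued (ANON if none); for a BIND event it is the DN being
    bound.  err comes from the matching RESULT line (None if absent).
    """
    bound = {}      # conn -> identity currently in effect on that connection
    pending = {}    # (conn, op) -> event still waiting for its RESULT line
    events = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.group(1), int(m.group(2)), m.group(3)
            ev = {"conn": conn, "op": op, "kind": "BIND",
                  "identity": dn or ANON, "target": dn or ANON, "err": None}
            events.append(ev)
            pending[(conn, op)] = ev
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op = m.group(1), int(m.group(2))
            ev = {"conn": conn, "op": op, "kind": "SRCH",
                  "identity": bound.get(conn, ANON),
                  "target": f'base="{m.group(3)}" scope={m.group(4)} filter={m.group(5)}',
                  "err": None}
            events.append(ev)
            pending[(conn, op)] = ev
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.group(1), int(m.group(2)), int(m.group(3))
            ev = pending.pop((conn, op), None)
            if ev is None:
                continue
            ev["err"] = err
            if ev["kind"] == "BIND":
                # A successful bind replaces the connection's identity; a
                # failed bind leaves the connection anonymous.
                bound[conn] = ev["identity"] if err == 0 else ANON
    return events


def anonymous_searches(events):
    """Searches issued on a connection with no bound identity."""
    return [e for e in events if e["kind"] == "SRCH" and e["identity"] == ANON]


def failed_binds(events):
    """Bind attempts the server rejected (err != 0)."""
    return [e for e in events if e["kind"] == "BIND" and e["err"] not in (None, 0)]


# Constructed sample: a startup bind rejected with err=48, then a successful
# login sequence (anonymous bind, user lookup, bind as user, root DSE read,
# rebind to anonymous, group search).
SAMPLE_LOG = """\
51416e66 conn=1004 fd=14 ACCEPT from IP=192.0.2.10:48297 (IP=0.0.0.0:389)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)
514171e4 conn=1000 op=0 BIND dn="" method=128
514171e4 conn=1000 op=0 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=1 SRCH base="cn=eadell,ou=users,dc=example,dc=com" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=1 SRCH attr=1.1
514171e4 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=3 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=5 SRCH base="ou=groups,dc=example,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=eadell,ou=users,dc=example,dc=com)"
514171e4 conn=1000 op=5 SRCH attr=cn
514171e4 conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

if __name__ == "__main__":
    evs = parse_slapd_log(SAMPLE_LOG)
    for e in evs:
        print(f'conn={e["conn"]} op={e["op"]} {e["kind"]} as {e["identity"]} -> err={e["err"]} {e["target"]}')
    print("failed binds:", [(e["conn"], e["op"], e["err"]) for e in failed_binds(evs)])
    print("anonymous searches:", [(e["conn"], e["op"]) for e in anonymous_searches(evs)])
```

On the sample the script reports one rejected bind (conn=1004, err=48, the startup failure discussed in this thread) and two searches issued while the connection was anonymous: the base-scope lookup of the user entry before the user's own bind, and the group search after the rebind to anonymous. Those are exactly the operations an ACL that allows anonymous binds but denies anonymous searches would affect, so running the same script over the real slapd log is a quick way to see what such an ACL change will block before it is applied.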


RE:JNDI property roleSearchAsUser not working as expected

Posted by Eugène Adell <Eu...@d2-si.eu>.
Hello

there is an LDAP server listening, but I did not give the credentials here for security reasons (I could start an LDAP server with public credentials for you if needed).
The LDAP log for this Tomcat startup failure is:

51416e66 conn=1004 fd=14 ACCEPT from IP=46.218.139.243:48297 (IP=XXXXXXXX:XXX)
51416e66 conn=1004 op=0 BIND dn="" method=128
51416e66 conn=1004 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
51416e66 conn=1004 fd=14 closed (connection lost)


When anonymous binds are allowed, Tomcat starts normally with an initial anonymous bind:

514170c5 conn=1000 fd=14 ACCEPT from IP=46.218.139.243:48663 (IP=XXXXXXXX:XXX)
514170c5 conn=1000 op=0 BIND dn="" method=128
514170c5 conn=1000 op=0 RESULT tag=97 err=0 text=


And after startup, the LDAP binds are no longer anonymous (the roleSearchAsUser parameter is working there):

514171e4 conn=1000 op=1 SRCH base="cn=eadell,ou=users,dc=XXX,dc=com" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=1 SRCH attr=1.1
514171e4 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" method=128
514171e4 conn=1000 op=2 BIND dn="cn=eadell,ou=users,dc=XXX,dc=com" mech=SIMPLE ssf=0
514171e4 conn=1000 op=2 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=3 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
514171e4 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=4 BIND anonymous mech=implicit ssf=0
514171e4 conn=1000 op=4 BIND dn="" method=128
514171e4 conn=1000 op=4 RESULT tag=97 err=0 text=
514171e4 conn=1000 op=5 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=eadell,ou=users,dc=XXXX,dc=com)"
514171e4 conn=1000 op=5 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
514171e4 conn=1000 op=6 SRCH base="ou=groups,dc=XXXX,dc=com" scope=2 deref=3 filter="(uniqueMember=cn=XXX,ou=groups,dc=XXXX,dc=com)"
514171e4 conn=1000 op=6 SRCH attr=cn
514171e4 <= bdb_equality_candidates: (uniqueMember) not indexed
514171e4 conn=1000 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=


This is why I think there is a problem with the Tomcat startup when using a JNDI Realm: it always tries to bind anonymously to the LDAP server, with or without the roleSearchAsUser parameter. With a startup failure, this parameter becomes useless in real life, because most LDAP directories don't allow anonymous binds, and they cannot know whether a request comes from a Tomcat startup or is a real request.


Please help :)








De : Martin Gainty [mgainty@hotmail.com]
Envoyé : jeudi 14 mars 2013 01:59
À : Eugène Adell
Objet : RE: JNDI property roleSearchAsUser not working as expected


Hello Eugene

What you have supplied is the distinguished name; here is a partial example I have used in the past:
String distinguishedName = "ou=U,cn=Bank,o=S,c=US,o=grupo santander";

what you need to supply are:
IP of the LDAP host
Port (usually 389)
Authentication-scheme
(so that your client code can connect to an LDAP Listener)


//I have a piece of code that uses a client connect to LDAP server *listening on Port 389* which looks like

log.debug("doLdap ipAddress="+ipAddress);
log.debug("doLdap port="+port);
log.debug("doLdap authMechanism="+authMechanism);
javax.naming.directory.DirContext context = test.createLdapContext(ipAddress, port, authMechanism);
 
String costCenterKey = "C";
String commonName = "x123456";
 
//then I can do a 'attribute search' based on CostCenterKey of 'C'
costCenter = test.doUserAttributeSearch(context, distinguishedName, commonName, costCenterKey);

The problem is that none of this would work if there is no listener listening on Port 389 of the supplied IP

First step is to verify the LDAP server is running (on Linux, netstat has no -b option):
netstat -an | grep :389

Viel Gluck/Bon Chance
Martin
 

> From: Eugene.Adell@d2-si.eu
> To: users@tomcat.apache.org
> Subject: JNDI property roleSearchAsUser not working as expected
> Date: Wed, 13 Mar 2013 20:46:43 +0000
> 
> Hello
> 
> I am running the following :
> java version "1.6.0_25"
> Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
> Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
> Tomcat 7.0.37
> CentOS release 6.3
> 
> with this REALM configuration in server.xml :
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://***.***.***.***:389"
> userPattern="cn={0},ou=users,dc=example,dc=com"
> roleBase="ou=groups,dc=example,dc=com"
> roleSubtree="true"
> roleNested="true"
> roleName="cn"
> roleSearchAsUser="true"
> roleSearch="(uniqueMember={0})" />
> 
> and this triggers this error during the startup :
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
> at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 7 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 9 more
> Caused by: org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
> at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 11 more
> Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2243)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 14 more
> Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused]
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
> at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
> at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:53)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2160)
> at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> ... 15 more
> Caused by: java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
> at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
> at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
> at java.net.Socket.connect(Socket.java:529)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at com.sun.jndi.ldap.Connection.createSocket(Connection.java:339)
> at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
> ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
> 
> 
> From what I understand, the roleSearchAsUser property was designed for people who need to bind on any LDAP where anonymous bind is not authorized. But it's just impossible to do this if the JNDI Realm tries to authenticate anonymously by itself during the startup.
> 
> I suppose it's necessary to investigate this bug further:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
> 
> 
> Thanks
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org