Posted to users@tomcat.apache.org by Brandon DuRette <bd...@smartbear.com> on 2011/02/03 23:36:40 UTC

JNDIRealm userPattern DOMAIN/username

Hello,

One of our customers had configured JNDIRealm to authenticate against Active
Directory using the userPattern="DOMAIN/{0}". This was working great with
Tomcat 6.0.20 (with my patch for 42579 applied (IIRC, the first time it was
applied in the trunk it was misapplied)). However, when we upgraded to
6.0.29 this began failing:

javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
vece ]; remaining name 'DOMAIN\username

I've gone through the code trying to figure out if anything has changed in
JNDIRealm that would affect this, but I couldn't see anything. Has anyone
had success with this configuration or have any idea what might be causing
this error?

Regards,
Brandon

Re: JNDIRealm userPattern DOMAIN/username

Posted by Brandon DuRette <bd...@smartbear.com>.
Chris - I've already been through all the changes in JNDIRealm between the
two versions and nothing jumped out at me. Since I don't have much else to
go on, I'll give it another shot. The JNDI logging is probably worthwhile.
I'll have to investigate how to enable that.

André - I appreciate that feedback. I had looked up the error code and knew
that's what it meant. This is not the result of a configuration change in
the LDAP/AD server, because when the customer downgraded back to our
6.0.20-based version, the same configuration works. That leads me to believe
that it must be the result of one (or more) changes in Tomcat. I just
haven't been able to figure out what it is or how to work around it.

-Brandon

On Fri, Feb 4, 2011 at 12:38 PM, André Warnier <aw...@ice-sa.com> wrote:

> Christopher Schultz wrote:
>
>> Brandon,
>>
>> On 2/3/2011 5:36 PM, Brandon DuRette wrote:
>>
>>> One of our customers had configured JNDIRealm to authenticate against
>>> Active Directory using the userPattern="DOMAIN/{0}". This was working
>>> great with Tomcat 6.0.20 (with my patch for 42579 applied (IIRC, the
>>> first time it was applied in the trunk it was misapplied)). However,
>>> when we upgraded to 6.0.29 this began failing:
>>>
>>> javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
>>> 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
>>> vece ]; remaining name 'DOMAIN\username
>>>
>>> I've gone through the code trying to figure out if anything has changed
>>> in JNDIRealm that would affect this, but I couldn't see anything. Has
>>> anyone had success with this configuration or have any idea what might be
>>> causing this error?
>>>
>>
>> Take a look at the Changelog: there have been a number of changes to the
>> JNDIRealm between 6.0.20 and 6.0.29, including this one:
>>
>> "
>> Various JNDI realm improvements for Active Directory. These include the
>> ability to specify a default role, optional handling for nested roles
>> and an option to ignore PartialResultExceptions (markt).
>> "
>>
>> Unfortunately, there's no bug number listed and no revision number
>> mentioned, either, so you might have to dig through the svn logs to find
>> the appropriate update and see what changed.
>>
>> I did notice this one, too:
>>
>> "
>> Provide debug logging for JNDI lookups. (markt)
>> "
>>
>> Have you enabled debug logging for JNDI lookups? It's not clear from the
>> description if this is for JNDIRealm or for other types of JNDI lookups
>> (like for DataSources).
>>
>>
> It may be worth also having a look at this :
> http://wikis.sun.com/display/SunJavaSystem/LDAP+Error+Codes
>
> Error code 34 says "invalid DN syntax".
>
> I am no LDAP specialist, but are you sure that the above "DOMAIN\username"
> is a valid way of specifying the username ? It probably is so, in the
> Microsoft Active Directory version of LDAP, but maybe they have replaced the
> server or changed its settings ?
>
> Note also that if this is part of an SSO system which obtains the user's
> Windows Domain userid, and then checks it with an AD or LDAP server :
> usually, you can obtain the user-id in several forms, and the form
> "username@long.domain.name" may be more appropriate here.
>
> Basically what I mean is that the error message above looks to me as if it
> is really an error returned by the LDAP server, and which the Java part is
> just reflecting.
> That may be why you are not finding any code changes that may explain the
> issue.
>
>
>
>

Re: JNDIRealm userPattern DOMAIN/username

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> Brandon,
> 
> On 2/3/2011 5:36 PM, Brandon DuRette wrote:
>> One of our customers had configured JNDIRealm to authenticate against Active
>> Directory using the userPattern="DOMAIN/{0}". This was working great with
>> Tomcat 6.0.20 (with my patch for 42579 applied (IIRC, the first time it was
>> applied in the trunk it was misapplied)). However, when we upgraded to
>> 6.0.29 this began failing:
>>
>> javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
>> 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
>> vece ]; remaining name 'DOMAIN\username
>>
>> I've gone through the code trying to figure out if anything has changed in
>> JNDIRealm that would affect this, but I couldn't see anything. Has anyone
>> had success with this configuration or have any idea what might be causing
>> this error?
> 
> Take a look at the Changelog: there have been a number of changes to the
> JNDIRealm between 6.0.20 and 6.0.29, including this one:
> 
> "
> Various JNDI realm improvements for Active Directory. These include the
> ability to specify a default role, optional handling for nested roles
> and an option to ignore PartialResultExceptions (markt).
> "
> 
> Unfortunately, there's no bug number listed and no revision number
> mentioned, either, so you might have to dig through the svn logs to find
> the appropriate update and see what changed.
> 
> I did notice this one, too:
> 
> "
> Provide debug logging for JNDI lookups. (markt)
> "
> 
> Have you enabled debug logging for JNDI lookups? It's not clear from the
> description if this is for JNDIRealm or for other types of JNDI lookups
> (like for DataSources).
> 

It may be worth also having a look at this :
http://wikis.sun.com/display/SunJavaSystem/LDAP+Error+Codes

Error code 34 says "invalid DN syntax".

I am no LDAP specialist, but are you sure that the above "DOMAIN\username" is a valid way 
of specifying the username ? It probably is so, in the Microsoft Active Directory version 
of LDAP, but maybe they have replaced the server or changed its settings ?

Note also that if this is part of an SSO system which obtains the user's Windows Domain 
userid, and then checks it with an AD or LDAP server : usually, you can obtain the user-id 
in several forms, and the form "username@long.domain.name" may be more appropriate here.

Basically what I mean is that the error message above looks to me as if it is really an 
error returned by the LDAP server, and which the Java part is just reflecting.
That may be why you are not finding any code changes that may explain the issue.





Re: JNDIRealm userPattern DOMAIN/username

Posted by Brandon DuRette <bd...@smartbear.com>.
Hi All,

Time for a mea culpa. In my original message, I said that this used to work
in 6.0.20. That wasn't correct. The 6.0.20 version we were using was
patched to fix this very issue, but we had not applied that patch to the
6.0.29 build. When we patched the 6.0.29 code, all works as expected.

The issue is that the getAttributes call requires a distinguished name and
throws an exception if you pass it DOMAIN\username. When a userPattern is
specified, JNDIRealm calls getAttributes using the formatted username even
when there are no attributes to request (when not using password comparison
and not querying for roles). The fix is to shortcut around the getAttributes
call in getUserByPattern if there are no attrIds requested. This fixes the
issue under the no attributes constraint, but there remains an issue when
there are attributes to query.

I'm including the patch here (vs. the 6_0_29 tag), but I'll also post on the
developers list with the patch.

Regards,
Brandon

On Tue, Feb 8, 2011 at 4:49 AM, Konstantin Kolinko <kn...@gmail.com> wrote:

> 2011/2/4 Christopher Schultz <ch...@christopherschultz.net>:
> > "
> > Various JNDI realm improvements for Active Directory. These include the
> > ability to specify a default role, optional handling for nested roles
> > and an option to ignore PartialResultExceptions (markt).
> > "
> >
> > Unfortunately, there's no bug number listed and no revision number
> > mentioned, either, so you might have to dig through the svn logs to find
> > the appropriate update and see what changed.
> >
>
> http://svn.apache.org/viewvc?view=revision&revision=812115
>
>
>
> Was there a stacktrace for that InvalidNameException ?
>
>
> Best regards,
> Konstantin Kolinko
>
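To show the shortcut Brandon describes above in working form, here is an added example written for this thread; it is not JNDIRealm's own code, and the class, method names and the LdapName pre-check for the "attributes still needed" case are my own additions (a real DirContext is assumed to be supplied by the caller):

```java
import java.text.MessageFormat;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;

/** Illustrative pattern-based user lookup; not JNDIRealm's own code. */
public final class PatternLookup {

    /** Fill the pattern's {0} with the presented username, e.g. "DOMAIN/{0}". */
    static String formatUser(String userPattern, String username) {
        return MessageFormat.format(userPattern, new Object[] { username });
    }

    /**
     * Read the user's attributes only when the realm needs some (password
     * comparison or role search). With no attrIds the getAttributes() call
     * is skipped entirely, which is the shortcut described in the thread:
     * binding as "DOMAIN\jdoe" may succeed, but getAttributes() on that
     * string cannot, because the directory expects a distinguished name.
     */
    static Attributes lookup(DirContext ctx, String userPattern,
                             String username, String[] attrIds)
            throws NamingException {
        String name = formatUser(userPattern, username);
        if (attrIds == null || attrIds.length == 0) {
            return null;   // nothing to ask the directory for
        }
        // Remaining case from the thread: attributes are needed but the
        // pattern does not yield a DN. Fail on the client with a clear
        // message instead of the server's "error code 34" reply.
        // (Added check, not something JNDIRealm does.)
        if (!isDistinguishedName(name)) {
            throw new InvalidNameException("userPattern must yield a DN "
                    + "when attributes are requested; got: " + name);
        }
        return ctx.getAttributes(name, attrIds);
    }

    /** True for "cn=jdoe,ou=people,dc=example,dc=com", false for "DOMAIN\jdoe". */
    static boolean isDistinguishedName(String name) {
        try {
            new LdapName(name);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }
}
```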

Re: JNDIRealm userPattern DOMAIN/username

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/2/4 Christopher Schultz <ch...@christopherschultz.net>:
> "
> Various JNDI realm improvements for Active Directory. These include the
> ability to specify a default role, optional handling for nested roles
> and an option to ignore PartialResultExceptions (markt).
> "
>
> Unfortunately, there's no bug number listed and no revision number
> mentioned, either, so you might have to dig through the svn logs to find
> the appropriate update and see what changed.
>

http://svn.apache.org/viewvc?view=revision&revision=812115



Was there a stacktrace for that InvalidNameException ?


Best regards,
Konstantin Kolinko



Re: JNDIRealm userPattern DOMAIN/username

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Brandon,

On 2/3/2011 5:36 PM, Brandon DuRette wrote:
> One of our customers had configured JNDIRealm to authenticate against Active
> Directory using the userPattern="DOMAIN/{0}". This was working great with
> Tomcat 6.0.20 (with my patch for 42579 applied (IIRC, the first time it was
> applied in the trunk it was misapplied)). However, when we upgraded to
> 6.0.29 this began failing:
> 
> javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
> 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
> vece ]; remaining name 'DOMAIN\username
> 
> I've gone through the code trying to figure out if anything has changed in
> JNDIRealm that would affect this, but I couldn't see anything. Has anyone
> had success with this configuration or have any idea what might be causing
> this error?

Take a look at the Changelog: there have been a number of changes to the
JNDIRealm between 6.0.20 and 6.0.29, including this one:

"
Various JNDI realm improvements for Active Directory. These include the
ability to specify a default role, optional handling for nested roles
and an option to ignore PartialResultExceptions (markt).
"

Unfortunately, there's no bug number listed and no revision number
mentioned, either, so you might have to dig through the svn logs to find
the appropriate update and see what changed.

I did notice this one, too:

"
Provide debug logging for JNDI lookups. (markt)
"

Have you enabled debug logging for JNDI lookups? It's not clear from the
description if this is for JNDIRealm or for other types of JNDI lookups
(like for DataSources).

-chris