Posted to dev@jspwiki.apache.org by "swhagy (JIRA)" <ji...@apache.org> on 2009/01/15 22:55:59 UTC
[jira] Created: (JSPWIKI-470) need a way to debug role-name and if
it is getting passed from the AD
need a way to debug role-name and if it is getting passed from the AD
---------------------------------------------------------------------
Key: JSPWIKI-470
URL: https://issues.apache.org/jira/browse/JSPWIKI-470
Project: JSPWiki
Issue Type: Bug
Components: Authentication&Authorization
Affects Versions: 2.8.1
Environment: ad
Reporter: swhagy
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-470) need a way to debug role-name and
if it is getting passed from the AD
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679980#action_12679980 ]
Harry Metske commented on JSPWIKI-470:
--------------------------------------
Propose to close in a few days...
> need a way to debug role-name and if it is getting passed from the AD
> ---------------------------------------------------------------------
>
> Key: JSPWIKI-470
> URL: https://issues.apache.org/jira/browse/JSPWIKI-470
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.8.1
> Environment: ad
> Reporter: swhagy
> Priority: Minor
>
[jira] Closed: (JSPWIKI-470) need a way to debug role-name and if
it is getting passed from the AD
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske closed JSPWIKI-470.
--------------------------------
Resolution: Invalid
Closing, feel free to come back with more diagnostic material.
[jira] Commented: (JSPWIKI-470) need a way to debug role-name and
if it is getting passed from the AD
Posted by "swhagy (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12664317#action_12664317 ]
swhagy commented on JSPWIKI-470:
--------------------------------
Passing the role-name in the web container is an involved process; there should be a way to debug what information is being passed back to the application.
My config seems correct:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://ad01.smmcorp.local:389"
       connectionName="cn=wikisvcacct,cn=users,dc=smmcorp,dc=local"
       connectionPassword="P@ssw0rd!!"
       referrals="follow"
       userBase="cn=users,DC=smmcorp,DC=local"
       userPattern="cn={0}, cn=users,dc=smmcorp,dc=local"
       roleBase="cn=users,DC=smmcorp,DC=local"
       roleName="name"
       roleSearch="(uniqueMember={0})"
/>
But I am not sure the correct role-name "users" is being passed from AD; the user is not getting authenticated (he's authorized but gets the forbidden message).
I traced the packets, and it seems LDAP is queried for the correct attribute, but I am not sure if it's responding correctly:
from jspwiki:
Lightweight Directory Access Protocol
    LDAP Message, Search Request
        Message Id: 6
        Message Type: Search Request (0x03)
        Message Length: 111
        Response In: 129
        Base DN: cn=users,DC=smmcorp,DC=local
        Scope: Single (0x01)
        Dereference: Always (0x03)
        Size Limit: 0
        Time Limit: 0
        Attributes Only: False
        Filter: (uniqueMember=cn=mohamed, cn=users,dc=smmcorp,dc=local)
        Attribute: name
ldap response:
    Source port: ldap (389)
    Destination port: 1160 (1160)
    Sequence number: 2452 (relative sequence number)
    Next sequence number: 2474 (relative sequence number)
    Acknowledgement number: 371 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 65097
    Checksum: 0x7cd0 [correct]
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 128
        The RTT to ACK the segment was: 0.001674000 seconds
Lightweight Directory Access Protocol
    LDAP Message, Search Result
        Message Id: 6
        Message Type: Search Result (0x05)
        Message Length: 7
        Response To: 128
        Time: 0.001674000 seconds
        Result Code: success (0x00)
        Matched DN: (null)
        Error Message: (null)
[jira] Updated: (JSPWIKI-470) need a way to debug role-name and if
it is getting passed from the AD
Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Janne Jalkanen updated JSPWIKI-470:
-----------------------------------
Priority: Minor (was: Major)
Issue Type: Improvement (was: Bug)
Bug => Improvement. Needs more info too, I don't know what this means.
[jira] Commented: (JSPWIKI-470) need a way to debug role-name and
if it is getting passed from the AD
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12664598#action_12664598 ]
Harry Metske commented on JSPWIKI-470:
--------------------------------------
Could you give us a hint where we could improve the JSPWiki code to achieve your goal?
LDAP per se has nothing to do with JSPWiki, it works by using ContainerManagedAuthentication, so everything is handled by the container (Tomcat, or any other container), not by JSPWiki.
A description of configuring LDAP authentication in Tomcat is provided at http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
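Since the container performs the authentication, as the last comment explains, the role information the application receives can be observed from inside the web application itself. The following is an added example, not code from JSPWiki or from this thread: a servlet filter that logs the principal and the per-role answers the container gives for each request. The class name RoleDebugFilter and the "roles" init-param are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter: logs what the container reports about the caller. */
public class RoleDebugFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RoleDebugFilter.class.getName());
    private String[] candidateRoles = new String[0];

    public void init(FilterConfig config) throws ServletException {
        // "roles" is an assumed init-param holding a comma-separated list, e.g. "users,Admin"
        String roles = config.getInitParameter("roles");
        if (roles != null && roles.trim().length() > 0) {
            candidateRoles = roles.trim().split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal p = http.getUserPrincipal();
            StringBuilder line = new StringBuilder();
            line.append("uri=").append(clean(http.getRequestURI()))
                .append(" authType=").append(http.getAuthType())
                .append(" remoteUser=").append(clean(http.getRemoteUser()))
                .append(" principal=").append(p == null ? "none" : clean(p.getName()));
            // The Servlet API cannot enumerate a user's roles; it only answers per-name checks.
            for (String role : candidateRoles) {
                line.append(" isUserInRole(").append(role).append(")=")
                    .append(http.isUserInRole(role));
            }
            LOG.info(line.toString());
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    // Replace CR/LF so request-derived values cannot forge extra log lines.
    private static String clean(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

Declare the filter in web.xml with the role names to probe in its "roles" init-param. A non-null principal with false for every probed name shows that the login succeeded but the container associated none of those roles with the user.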