Posted to users@tomcat.apache.org by Su...@swisscom.com on 2021/05/18 13:43:11 UTC

JNDI ldaps Problem with SSO

Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switching to ldaps, the user loses the connection altogether (Server not reachable)



server.xml

Good:
            <Realm className="org.apache.catalina.realm.JNDIRealm"
                   connectionURL="ldap://xxxxx.xxxx.com:3268"
                   userBase="DC=XXXINTRA,DC=CH"
                   userSubtree="true"
                   userSearch="(sAMAccountName={0})"
                   userRoleName="memberOf"
                   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
                   roleName="CN"
                   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                   roleSubtree="true"
                   roleNested="true" />

bad:

            <Realm className="org.apache.catalina.realm.JNDIRealm"
                   connectionURL="ldaps://xxxxx.xxxx.com:3269"
                   userBase="DC=XXXINTRA,DC=CH"
                   userSubtree="true"
                   userSearch="(sAMAccountName={0})"
                   userRoleName="memberOf"
                   roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
                   roleName="CN"
                   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                   roleSubtree="true"
                   roleNested="true" />


Connectivity to the DC is fine (ldapsearch with ldaps works), SSL connection itself seems to be fine, Certificates are fine, we are sending the truststore as well. All is in the relevant cacerts too.
We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks -Djavax.net.ssl.trustStorePassword=xxxxxx -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/tomcat8_appway1 -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp org.apache.catalina.startup.Bootstrap start



Domain controller seems to close the connection. The Error is "The Parameter is incorrect", "The System cannot find the path specified." It seems to happen during the bind process, as if the DC cannot decrypt our tomcat request:

First two events are happening several times. After the last anonymous bind is entered, the bind exited is done with the appway service account user. Right after that the error appears.
Internal event: Function ldap_bind entered.
       SID: S-1-5-7
       Source IP: 11.1xx.xxx.xxx:51240
       Operation identifier: 894498
       Data1:
       Data2: 1004335171
       Data3:
       Data4:
Internal event: Function ldap_bind exited.
       Elapsed time (ms): 0
       SID: S-1-5-7
       Source IP: 11.1xx.xxx.xxx::51240
       Operation identifier: 894498
       Data1:
       Data2: 1004335171
       Data3: 1004335171
Internal event: Function ldap_bind entered.
       SID: S-1-5-7
       Source IP: 11.1xx.xxx.xxx::51240
       Operation identifier: 894498
       Data1:
       Data2: 1004335203
       Data3:
       Data4:

Internal event: Function ldap_bind exited.
       Elapsed time (ms): 0
       SID: S-1-5-21-576815021-3137181063-3029416097-6939
       Source IP: 11.1xx.xxx.xxx::51240
       Operation identifier: 894498
       Data1:
       Data2: 1004335203
       Data3: 1004335203


Then we see the same error events like we saw before already with the normal log level
Internal event: The LDAP server returned an error.

Additional Data
Error value:
00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, v2580

Internal event: An LDAP client connection was closed because of an error.

Client IP:
11.1xx.xxx.xxx::51240

Additional Data
Error value:
87 The parameter is incorrect.
Internal ID:
c0c0095






In the App Log of the tomcat we see:

/opt/tomcat/tomcat8_appway1/logs


localhost.2021-03-22.log


22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter has initialized
22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name 'DC=BCINTRA,DC=CH'


22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=BCINTRA,DC=CH'




What are we missing?


Thank you


Susan Wood
____________________________________________________________________________
System Engineering
Telefon +41-58-223 70 83
Mobile   +41-79-375 34 58
susan.wood@swisscom.com<ma...@swisscom.com>
____________________________________________________________________________
Swisscom (Schweiz) AG
Business Customers
Solution Center Banking
Ey 10
3063 Ittigen
www.swisscom.com
Postadresse:
Postfach
3050 Bern
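
The two error strings quoted in the message above use the Active Directory "LdapErr" layout. The following is an added example, not part of the original post or of Tomcat: a small parser that splits such strings into their fields and labels the failures seen in this thread. The names (parse, classify, triage) are hypothetical, the sample lines are re-typed from the message, and the Win32 names assume the leading hex field is a Win32 error code, as the post's own pairing of "00000057" with "87 The parameter is incorrect." shows.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input, re-typed from the log excerpts in the post.
DC_LINES = [
    "00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, "
    "data 0, v2580",
]
TOMCAT_LINES = [
    "javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: "
    "DSID-0C0907E9, comment: In order to perform this operation a successful "
    "bind must be completed on the connection., data 0, v2580]; "
    "remaining name 'DC=BCINTRA,DC=CH'",
    "javax.naming.NamingException: LDAP connection has been closed; "
    "remaining name 'DC=BCINTRA,DC=CH'",
]

# Only the codes that occur in this thread (names per RFC 4511 / winerror.h).
LDAP_RESULT = {1: "operationsError"}
WIN32 = {87: "ERROR_INVALID_PARAMETER", 1244: "ERROR_NOT_AUTHENTICATED"}

# "[LDAP: error code N - ]HHHHHHHH: LdapErr: DSID-HHHHHHHH, comment: ..., data H, vH"
AD_ERR = re.compile(
    r"(?:LDAP: error code (?P<result>\d+) - )?"
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), "
    r"v(?P<ver>[0-9A-Fa-f]+)"
)


class AdLdapError(NamedTuple):
    result_code: Optional[int]  # LDAP resultCode; absent in DC event text
    win32: int                  # leading hex field, as a decimal Win32 code
    dsid: str                   # directory service internal location id
    comment: str
    data: str

    @property
    def result_name(self) -> Optional[str]:
        return LDAP_RESULT.get(self.result_code)

    @property
    def win32_name(self) -> str:
        return WIN32.get(self.win32, "UNKNOWN")

    @property
    def internal_id(self) -> str:
        # The DC event log prints the DSID as "Internal ID" without leading zeros.
        return self.dsid.lower().lstrip("0")


def parse(line: str) -> Optional[AdLdapError]:
    """Extract the LdapErr fields from a client or DC log line, if present."""
    m = AD_ERR.search(line)
    if m is None:
        return None
    result = int(m.group("result")) if m.group("result") else None
    return AdLdapError(result, int(m.group("win32"), 16), m.group("dsid"),
                       m.group("comment"), m.group("data"))


def classify(line: str) -> Optional[str]:
    """Label one log line with the failure it reports, or None."""
    err = parse(line)
    if err is None:
        # JNDI's own message once the socket is gone (no LdapErr payload).
        return "CONNECTION_CLOSED" if "LDAP connection has been closed" in line else None
    if err.win32 == 1244:
        # The server rejected an operation because the connection is not bound.
        return "SEARCH_WITHOUT_BIND"
    if err.win32 == 87 and "decoding" in err.comment.lower():
        # The server reported that it could not decode a message it received.
        return "SERVER_DECODE_FAILURE"
    return "OTHER_AD_ERROR"


def triage(lines: List[str]) -> List[str]:
    """Return the distinct failure labels in first-seen order."""
    seen: List[str] = []
    for line in lines:
        label = classify(line)
        if label and label not in seen:
            seen.append(label)
    return seen


if __name__ == "__main__":
    for line in DC_LINES + TOMCAT_LINES:
        print(classify(line), parse(line))
```
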






RE: JNDI ldaps Problem with SSO

Posted by Su...@swisscom.com.
Hi Christopher

Enclosed is the stacktrace of the tomcat (localhost) 

On the DC side we see those messages: 

Then we see the same error events like we saw before already with the normal log level
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, v2580

Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
10.189.162.17:51240 
 
Additional Data 
Error value:
87 The parameter is incorrect. 
Internal ID:
c0c0095


Thank you 

Susan 

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Donnerstag, 20. Mai 2021 18:37
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 16:58, Susan.Wood@swisscom.com wrote:
> > When we are using plain ldap 3268, all works fine with those settings:
> >
> >
> > Good:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldap://xxxxx.xxxx.com:3268"
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >   RA,DC=ch "
> >                       roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > It's when we want to use ldaps with 3269 it's failing:
> > bad:
> >
> >                <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> RA,DC=ch"
> >                      roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > ldapsearch on port 3269 (ldaps) works fine from the same machine, but
> > yes, it's not exactly the same request
> >
> >
> > TEST ~]# ldapsearch -x -D
> > "cn=SA-PF00-Appway,OU=PF00_Appway-
> CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc
> =bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
> Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <DC=bcintra,DC=ch> with scope subtree # filter: (objectclass=*)
> > # requesting: ALL # Organization, Schema, Configuration, bcintra.ch
> >
> >
> >
> > We think, ssl-handshake is fine but bind is failing. Why?
> 
> What is the error you actually get? Can you please post the full stack trace
> and not just the message?
> 
> -chris
> 
> 
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Dienstag, 18. Mai 2021 18:02
> >> To: users@tomcat.apache.org
> >> Subject: Re: JNDI ldaps Problem with SSO
> >>
> >> Susan,
> >>
> >> On 5/18/21 09:43, Susan.Wood@swisscom.com wrote:
> >>> Hi all
> >>>
> >>> apache-tomcat-8.0.36
> >>>
> >>> java version "1.8.0_281"
> >>> Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java
> >>> HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
> >>>
> >>> We are having a problem with our Single sign On config.
> >>> When using ldap - all works well.
> >>>
> >>> When switching to ldaps, the user loses the connection altogether
> >>> (Server not reachable)
> >>>
> >>>
> >>>
> >>> server.xml
> >>>
> >>> Good:
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldap://xxxxx.xxxx.com:3268"
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-
> >>
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >> RA,DC=ch "
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>> bad:
> >>>
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-
> >>
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >> RA,DC=ch"
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>>
> >>> Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL
> >> connection itself seems to be fine, Certificates are fine, we are
> >> sending the truststore as well. All is in the relevant cacerts too.
> >>> We have a https Server in Front and a proxy Setting to the tomcat.
> >>>
> >>> /usr/java/latest/bin/java
> >>> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/log
> >>> gi
> >>> ng.properties
> >>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
> >>> -Djavax.net.ssl.trustStorePassword=xxxxxx
> >>> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> >>> -Dnm.data.home=/opt/tomcat/data
> >>> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> >>> -
> Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
> >>> -Djavax.security.auth.useSubjectCredsOnly=false
> >>> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> >>> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> >>> -classpath
> >>> /opt/tomcat/apache-tomcat-
> >> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> >>> tomcat-8.0.36/bin/tomcat-juli.jar
> >>> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> >>> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> >>> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> >>> org.apache.catalina.startup.Bootstrap start
> >>>
> >>>
> >>>
> >>> Domain controller seems to close the connection. The Error is "The
> >> Parameter is incorrect", "The System cannot find the path specified."
> >> It seems to happen during the bind process, as if the DC cannot
> >> decrypt our tomcat request:
> >>>
> >>> First two events are happening several times. After the last
> >>> anonymous
> >> bind is entered, the bind exited is done with the appway service account
> user.
> >> Right after that the error appears.
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx:51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3:
> >>>          Data4:
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3: 1004335171
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3:
> >>>          Data4:
> >>>
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-21-576815021-3137181063-3029416097-6939
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3: 1004335203
> >>>
> >>>
> >>> Then we see the same error events like we saw before already with
> >>> the normal log level Internal event: The LDAP server returned an error.
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
> >>> message, data 0, v2580
> >>>
> >>> Internal event: An LDAP client connection was closed because of an
> error.
> >>>
> >>> Client IP:
> >>> 11.1xx.xxx.xxx::51240
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 87 The parameter is incorrect.
> >>> Internal ID:
> >>> c0c0095
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> In the App Log of the tomcat we see:
> >>>
> >>> /opt/tomcat/tomcat8_appway1/logs
> >>>
> >>>
> >>> localhost.2021-03-22.log
> >>>
> >>>
> >>> 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]
> >> org.apache.catalina.core.ApplicationContext.log
> >> [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
> >>> 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log No Spring
> >>> WebApplicationInitializer types detected on classpath
> >>> 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log
> >>> [CompressingFilter/1.7.1] CompressingFilter has initialized
> >>> 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
> >>> policy access restrictor classpath:/jolokia-access.xml
> >>> 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
> >>> org.apache.catalina.realm.JNDIRealm.authenticate Exception
> >>> performing authentication
> >>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
> LdapErr:
> >> DSID-0C0907E9, comment: In order to perform this operation a
> >> successful bind must be completed on the connection., data 0,
> >> v2580^@]; remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>> 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
> >>> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception
> >>> performing authentication
> >>> javax.naming.NamingException: LDAP connection has been closed;
> >> remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>>
> >>>
> >>> What are we missing?
> >>
> >> Because your AD server sees the connection, it's probably not a TLS
> >> handshake failure, but I was wondering if it was a TLS handshake failure.
> >> Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I
> >> think that was done at 1.8 patch 291 and you are on patch 281
> >>
> >> Maybe you should be using port 3269 instead of 3268? Looks like 3269
> >> is for TLS and 3268 is for plaintext.
> >>
> >>
> >> You say that ldapsearch works. Can you post that command-line?
> >>
> >> -chris
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> 


RE: JNDI ldaps Problem with SSO

Posted by Su...@swisscom.com.
Hi Christopher

Enclosed is the stacktrace of the tomcat (localhost) 

03-Mar-2021 15:57:15.221 SEVERE [http-nio-8080-exec-10] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
 javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1439)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1380)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1267)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:193)
	at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:950)
	at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:932)
	at org.apache.catalina.connector.Request.login(Request.java:2674)
	at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1072)
	at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:318)
	at com.nm.exprlang.functions.LoginFunction.calculate(LoginFunction.java:41)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:207)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:153)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.nodes.ScriptBodyNode.execute(ScriptBodyNode.java:176)
	at com.nm.exprlang.InterpreterImpl.execute(InterpreterImpl.java:417)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:384)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:371)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:326)
	at com.nm.sdk.data.pages.views.actions.ExpressionAction.execute(ExpressionAction.java:76)
	at com.nm.sdk.data.pages.views.components.Component.handleEvent(Component.java:930)
	at com.nm.sdk.data.pages.views.components.Component.handleEvents(Component.java:898)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:871)
	at com.nm.sdk.data.pages.views.components.CustomControl.processComponent(CustomControl.java:295)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.screenflow.PageServiceImpl.processPageResponse(PageServiceImpl.java:1450)
	at com.nm.sdk.data.workflow.model.ScreenTask.processHttpRequest(ScreenTask.java:524)
	at com.nm.workspace.ProcessServlet.processWorkflowToken(ProcessServlet.java:554)
	at com.nm.workspace.ProcessServlet.processWorkitem(ProcessServlet.java:264)
	at com.nm.workspace.ProcessServlet.doPost(ProcessServlet.java:134)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.nm.servlets.AbstractHttpServlet.service(AbstractHttpServlet.java:29)
	at com.nm.filter.AppwayServletsFilter.doFilter(AppwayServletsFilter.java:63)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.iedocumentmode.PatchFilter.doFilter(PatchFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.scriptbridgeservletpatch.ScriptBridgeServletFilter.doFilter(ScriptBridgeServletFilter.java:38)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StudioDeepLinksFilter.doFilter(StudioDeepLinksFilter.java:28)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.VersioningFilter.doFilter(VersioningFilter.java:85)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AccessControlFilter.doFilter(AccessControlFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.SecurityFilter.doFilter(SecurityFilter.java:56)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ApplicationLockFilter.doFilter(ApplicationLockFilter.java:97)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ContextPathFilter.doFilter(ContextPathFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.CacheFilter.doFilter(CacheFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.FileUploadFilter.doFilter(FileUploadFilter.java:68)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.UserFilter.doFilter(UserFilter.java:294)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.PrintRequestFilter.doFilter(PrintRequestFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.ClusterFilter.doFilter(ClusterFilter.java:29)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ErrorFilter.doFilter(ErrorFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.DebugFilter.doFilter(DebugFilter.java:96)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StartupShutdownFilter.doFilter(StartupShutdownFilter.java:105)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.MasterPasswordFilter.doFilter(MasterPasswordFilter.java:91)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ThreadLocalFilter.doFilter(ThreadLocalFilter.java:37)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.EncodingFilter.doFilter(EncodingFilter.java:125)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.planetj.servlet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:293)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AppwayFiltersFilter.doFilter(AppwayFiltersFilter.java:105)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:01:46.127 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
03-Mar-2021 16:02:09.313 FINE [Catalina-startStop-1] org.apache.catalina.realm.JNDIRealm.getDirectoryContextEnvironment Connecting to URL ldaps://sbxxxxx.bcintra.ch:3269
03-Mar-2021 16:02:14.040 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
03-Mar-2021 16:02:14.040 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart  Configuring event listener class 'com.nm.utils.ContextListener'
03-Mar-2021 16:02:14.492 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Sending application start events
03-Mar-2021 16:03:27.119 FINE [localhost-startStop-1] org.apache.catalina.session.StandardSession.doReadObject readObject() loading session 6B0CCD6AF425A8CC29DC68AA469C51A7
03-Mar-2021 16:03:27.120 FINE [localhost-startStop-1] org.apache.catalina.session.StandardSession.doReadObject   loading attribute 'user.id' with value 'BPW'
03-Mar-2021 16:03:27.185 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart Starting filters
03-Mar-2021 16:03:27.185 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart  Starting filter 'Tomcat WebSocket (JSR356) Filter'
03-Mar-2021 16:03:27.187 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart  Starting filter 'AppwayFiltersFilter'
03-Mar-2021 16:03:27.194 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter has initialized
03-Mar-2021 16:03:27.384 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Sending application start events
03-Mar-2021 16:03:27.385 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart Starting filters
03-Mar-2021 16:03:27.385 FINE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart  Starting filter 'Tomcat WebSocket (JSR356) Filter'
03-Mar-2021 16:03:27.417 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
03-Mar-2021 16:04:18.777 SEVERE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
 javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1439)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1380)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1267)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:193)
	at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:950)
	at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:932)
	at org.apache.catalina.connector.Request.login(Request.java:2674)
	at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1072)
	at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:318)
	at com.nm.exprlang.functions.LoginFunction.calculate(LoginFunction.java:41)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:207)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:153)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.nodes.ScriptBodyNode.execute(ScriptBodyNode.java:176)
	at com.nm.exprlang.InterpreterImpl.execute(InterpreterImpl.java:417)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:384)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:371)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:326)
	at com.nm.sdk.data.pages.views.actions.ExpressionAction.execute(ExpressionAction.java:76)
	at com.nm.sdk.data.pages.views.components.Component.handleEvent(Component.java:930)
	at com.nm.sdk.data.pages.views.components.Component.handleEvents(Component.java:898)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:871)
	at com.nm.sdk.data.pages.views.components.CustomControl.processComponent(CustomControl.java:295)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.screenflow.PageServiceImpl.processPageResponse(PageServiceImpl.java:1450)
	at com.nm.sdk.data.workflow.model.ScreenTask.processHttpRequest(ScreenTask.java:524)
	at com.nm.workspace.ProcessServlet.processWorkflowToken(ProcessServlet.java:554)
	at com.nm.workspace.ProcessServlet.processWorkitem(ProcessServlet.java:264)
	at com.nm.workspace.ProcessServlet.doPost(ProcessServlet.java:134)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.nm.servlets.AbstractHttpServlet.service(AbstractHttpServlet.java:29)
	at com.nm.filter.AppwayServletsFilter.doFilter(AppwayServletsFilter.java:63)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.iedocumentmode.PatchFilter.doFilter(PatchFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.scriptbridgeservletpatch.ScriptBridgeServletFilter.doFilter(ScriptBridgeServletFilter.java:38)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StudioDeepLinksFilter.doFilter(StudioDeepLinksFilter.java:28)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.VersioningFilter.doFilter(VersioningFilter.java:85)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AccessControlFilter.doFilter(AccessControlFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.SecurityFilter.doFilter(SecurityFilter.java:56)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ApplicationLockFilter.doFilter(ApplicationLockFilter.java:97)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ContextPathFilter.doFilter(ContextPathFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.CacheFilter.doFilter(CacheFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.FileUploadFilter.doFilter(FileUploadFilter.java:68)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.UserFilter.doFilter(UserFilter.java:294)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.PrintRequestFilter.doFilter(PrintRequestFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.ClusterFilter.doFilter(ClusterFilter.java:29)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ErrorFilter.doFilter(ErrorFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.DebugFilter.doFilter(DebugFilter.java:96)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StartupShutdownFilter.doFilter(StartupShutdownFilter.java:105)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.MasterPasswordFilter.doFilter(MasterPasswordFilter.java:91)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ThreadLocalFilter.doFilter(ThreadLocalFilter.java:37)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.EncodingFilter.doFilter(EncodingFilter.java:125)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.planetj.servlet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:293)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AppwayFiltersFilter.doFilter(AppwayFiltersFilter.java:105)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:04:18.777 FINE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.close Closing directory context
03-Mar-2021 16:04:18.779 FINE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.authenticate Returning null principal.
03-Mar-2021 16:06:17.178 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.getDirectoryContextEnvironment Connecting to URL ldaps://sbxxxxx.bcintra.ch:3269
03-Mar-2021 16:06:17.274 SEVERE [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
 javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:479)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1419)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2291)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2217)
	at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:604)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:372)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:344)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:06:17.274 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.close Closing directory context
03-Mar-2021 16:06:21.012 FINE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.getDirectoryContextEnvironment Connecting to URL ldaps://sbxxxxx.bcintra.ch:3269
03-Mar-2021 16:06:21.080 SEVERE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
 javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:479)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1419)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2291)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2217)
	at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:604)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:372)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:344)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:06:21.080 FINE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.close Closing directory context
03-Mar-2021 16:06:26.179 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.JNDIRealm.getDirectoryContextEnvironment Connecting to URL ldaps://sbxxxxx.bcintra.ch:3269
03-Mar-2021 16:06:26.258 SEVERE [http-nio-8080-exec-5] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
 javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:479)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1419)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2291)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2217)
	at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:604)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:372)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:344)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:06:26.259 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.JNDIRealm.close Closing directory context
03-Mar-2021 16:06:56.360 FINE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.getDirectoryContextEnvironment Connecting to URL ldaps://sbxxxxx.bcintra.ch:3269
03-Mar-2021 16:06:56.442 SEVERE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
 javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:479)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:561)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1419)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2291)
	at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2217)
	at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:604)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:372)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:344)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

03-Mar-2021 16:06:56.442 FINE [http-nio-8080-exec-7] org.apache.catalina.realm.JNDIRealm.close Closing directory context
03-Mar-2021 16:13:53.656 FINE [localhost-startStop-2] org.apache.catalina.core.StandardContext.filterStop Stopping filters
03-Mar-2021 16:13:53.656 FINE [localhost-startStop-2] org.apache.catalina.core.StandardContext.filterStop  Stopping filter 'Tomcat WebSocket (JSR356) Filter'
03-Mar-2021 16:13:53.656 FINE [localhost-startStop-2] org.apache.catalina.core.StandardContext.filterStop  Stopping filter 'AppwayFiltersFilter'
03-Mar-2021 16:13:53.656 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
03-Mar-2021 16:13:53.657 FINE [localhost-startStop-2] org.apache.catalina.session.StandardSession.doWriteObject writeObject() storing session 40D61EE9752652F4174F2CD8695D4703
03-Mar-2021 16:13:53.657 FINE [localhost-startStop-2] org.apache.catalina.session.StandardSession.doWriteObject   storing attribute 'user.id' with value 'BPW'
03-Mar-2021 16:13:53.669 FINE [localhost-startStop-2] org.apache.catalina.core.StandardContext.filterStop Stopping filters
03-Mar-2021 16:13:53.669 FINE [localhost-startStop-2] org.apache.catalina.core.StandardContext.filterStop  Stopping filter 'Tomcat WebSocket (JSR356) Filter'
03-Mar-2021 16:14:02.170 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
03-Mar-2021 16:15:15.081 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter has initialized
03-Mar-2021 16:15:15.307 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
03-Mar-2021 16:15:47.389 SEVERE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
 javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'DC=bcintra,DC=CH'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1655)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1491)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1439)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1380)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1267)
	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:193)
	at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:950)
	at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:932)
	at org.apache.catalina.connector.Request.login(Request.java:2674)
	at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1072)
	at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:318)
	at com.nm.exprlang.functions.LoginFunction.calculate(LoginFunction.java:41)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:207)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.MethodCallUtils.callScriptFunction(MethodCallUtils.java:153)
	at com.nm.sdk.data.expeval.nodes.FunctionNode.execute(FunctionNode.java:465)
	at com.nm.sdk.data.expeval.nodes.ScriptBodyNode.execute(ScriptBodyNode.java:176)
	at com.nm.exprlang.InterpreterImpl.execute(InterpreterImpl.java:417)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:384)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:371)
	at com.nm.exprlang.InterpreterImpl.interpret(InterpreterImpl.java:326)
	at com.nm.sdk.data.pages.views.actions.ExpressionAction.execute(ExpressionAction.java:76)
	at com.nm.sdk.data.pages.views.components.Component.handleEvent(Component.java:930)
	at com.nm.sdk.data.pages.views.components.Component.handleEvents(Component.java:898)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:871)
	at com.nm.sdk.data.pages.views.components.CustomControl.processComponent(CustomControl.java:295)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.sdk.data.pages.views.components.Container.processChildren(Container.java:408)
	at com.nm.sdk.data.pages.views.components.Container.processComponent(Container.java:403)
	at com.nm.sdk.data.pages.views.components.Component.process(Component.java:872)
	at com.nm.screenflow.PageServiceImpl.processPageResponse(PageServiceImpl.java:1450)
	at com.nm.sdk.data.workflow.model.ScreenTask.processHttpRequest(ScreenTask.java:524)
	at com.nm.workspace.ProcessServlet.processWorkflowToken(ProcessServlet.java:554)
	at com.nm.workspace.ProcessServlet.processWorkitem(ProcessServlet.java:264)
	at com.nm.workspace.ProcessServlet.doPost(ProcessServlet.java:134)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.nm.servlets.AbstractHttpServlet.service(AbstractHttpServlet.java:29)
	at com.nm.filter.AppwayServletsFilter.doFilter(AppwayServletsFilter.java:63)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.iedocumentmode.PatchFilter.doFilter(PatchFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.extensions.scriptbridgeservletpatch.ScriptBridgeServletFilter.doFilter(ScriptBridgeServletFilter.java:38)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StudioDeepLinksFilter.doFilter(StudioDeepLinksFilter.java:28)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.VersioningFilter.doFilter(VersioningFilter.java:85)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AccessControlFilter.doFilter(AccessControlFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.SecurityFilter.doFilter(SecurityFilter.java:56)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ApplicationLockFilter.doFilter(ApplicationLockFilter.java:97)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ContextPathFilter.doFilter(ContextPathFilter.java:49)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.CacheFilter.doFilter(CacheFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.FileUploadFilter.doFilter(FileUploadFilter.java:68)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.UserFilter.doFilter(UserFilter.java:294)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.PrintRequestFilter.doFilter(PrintRequestFilter.java:66)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.cluster.filter.ClusterFilter.doFilter(ClusterFilter.java:29)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ErrorFilter.doFilter(ErrorFilter.java:94)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.DebugFilter.doFilter(DebugFilter.java:96)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.StartupShutdownFilter.doFilter(StartupShutdownFilter.java:105)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.MasterPasswordFilter.doFilter(MasterPasswordFilter.java:91)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.ThreadLocalFilter.doFilter(ThreadLocalFilter.java:37)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.EncodingFilter.doFilter(EncodingFilter.java:125)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.planetj.servlet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:293)
	at com.nm.filter.AppwayFilterChain.doFilter(AppwayFilterChain.java:46)
	at com.nm.filter.AppwayFiltersFilter.doFilter(AppwayFiltersFilter.java:105)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)


On the DC side we see those messages: 

Then we see the same error events like we saw before already with the normal log level
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, v2580

Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
10.189.162.17:51240 
 
Additional Data 
Error value:
87 The parameter is incorrect. 
Internal ID:
c0c0095


Thank you 

Susan 

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Donnerstag, 20. Mai 2021 18:37
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 16:58, Susan.Wood@swisscom.com wrote:
> > When we are using plain ldap 3268, all works fine with those settings:
> >
> >
> > Good:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldap://xxxxx.xxxx.com:3268"
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
> >                       roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > It's when we want to use ldaps with 3269 it's failing:
> > bad:
> >
> >                <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >                      roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > ldapsearch on port 3269 (ldaps) works fine from the same machine, but
> > yes, it's not exactly the same request
> >
> >
> > TEST ~]# ldapsearch -x -D
> > "cn=SA-PF00-Appway,OU=PF00_Appway-
> CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc
> =bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
> Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <DC=bcintra,DC=ch> with scope subtree # filter: (objectclass=*)
> > # requesting: ALL # Organization, Schema, Configuration, bcintra.ch
> >
> >
> >
> > We think, ssl-handshake is fine but bind is failing. Why?
> 
> What is the error you actually get? Can you please post the full stack trace
> and not just the message?
> 
> -chris
> 
> 
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Dienstag, 18. Mai 2021 18:02
> >> To: users@tomcat.apache.org
> >> Subject: Re: JNDI ldaps Problem with SSO
> >>
> >> Susan,
> >>
> >> On 5/18/21 09:43, Susan.Wood@swisscom.com wrote:
> >>> Hi all
> >>>
> >>> apache-tomcat-8.0.36
> >>>
> >>> java version "1.8.0_281"
> >>> Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java
> >>> HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
> >>>
> >>> We are having a problem with our Single sign On config.
> >>> When using ldap - all works well.
> >>>
> >>> When switching to ldaps, the User loses the connection all together
> >>> (Server not reachable)
> >>>
> >>>
> >>>
> >>> server.xml
> >>>
> >>> Good:
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldap://xxxxx.xxxx.com:3268"
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>> bad:
> >>>
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>>
> >>> Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL
> >> connection itself seems to be fine, Certificates are fine, we are
> >> sending the truststore as well. All is in the relevant cacerts too.
> >>> We have a https Server in Front and a proxy Setting to the tomcat.
> >>>
> >>> /usr/java/latest/bin/java
> >>> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/log
> >>> gi
> >>> ng.properties
> >>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
> >>> -Djavax.net.ssl.trustStorePassword=xxxxxx
> >>> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> >>> -Dnm.data.home=/opt/tomcat/data
> >>> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> >>> -
> Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
> >>> -Djavax.security.auth.useSubjectCredsOnly=false
> >>> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> >>> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> >>> -classpath
> >>> /opt/tomcat/apache-tomcat-
> >> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> >>> tomcat-8.0.36/bin/tomcat-juli.jar
> >>> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> >>> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> >>> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> >>> org.apache.catalina.startup.Bootstrap start
> >>>
> >>>
> >>>
> >>> Domain controller seems to close the connection. The Error is "The
> >> Parameter is incorrect", "The System cannot find the path specified."
> >> It seems to happen, during the bind process, as if the DC can not
> >> decrypt our tomcat request:
> >>>
> >>> First two events are happening several times. After the last
> >>> anonymous
> >> bind is entered, the bind exited is done with the appway service account
> user.
> >> Right after that the error appears.
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx:51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3:
> >>>          Data4:
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3: 1004335171
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3:
> >>>          Data4:
> >>>
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-21-576815021-3137181063-3029416097-6939
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3: 1004335203
> >>>
> >>>
> >>> Then we see the same error events like we saw before already with
> >>> the normal log level Internal event: The LDAP server returned an error.
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
> >>> message, data 0, v2580
> >>>
> >>> Internal event: An LDAP client connection was closed because of an
> error.
> >>>
> >>> Client IP:
> >>> 11.1xx.xxx.xxx::51240
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 87 The parameter is incorrect.
> >>> Internal ID:
> >>> c0c0095
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> In the App Log of the tomcat we see:
> >>>
> >>> /opt/tomcat/tomcat8_appway1/logs
> >>>
> >>>
> >>> localhost.2021-03-22.log
> >>>
> >>>
> >>> 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]
> >> org.apache.catalina.core.ApplicationContext.log
> >> [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
> >>> 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log No Spring
> >>> WebApplicationInitializer types detected on classpath
> >>> 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log
> >>> [CompressingFilter/1.7.1] CompressingFilter has initialized
> >>> 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
> >>> policy access restrictor classpath:/jolokia-access.xml
> >>> 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
> >>> org.apache.catalina.realm.JNDIRealm.authenticate Exception
> >>> performing authentication
> >>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
> LdapErr:
> >> DSID-0C0907E9, comment: In order to perform this operation a
> >> successful bind must be completed on the connection., data 0,
> >> v2580^@]; remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>> 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
> >>> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception
> >>> performing authentication
> >>> javax.naming.NamingException: LDAP connection has been closed;
> >> remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>>
> >>>
> >>> What are we missing?
> >>
> >> Because your AD server sees the connection, it's probably not a TLS
> >> handshake failure, but I was wondering if it was a TLS handshake failure.
> >> Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I
> >> think that was done at 1.8 patch 291 and you are on patch 281
> >>
> >> Maybe you should be using port 3269 instead of 3268? Looks like 3269
> >> is for TLS and 3268 is for plaintext.
> >>
> >>
> >> You say that ldapsearch works. Can you post that command-line?
> >>
> >> -chris
> >>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
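
The ldapsearch test above is, as noted, not exactly the same request as the one Tomcat sends. To compare like with like, the bind and subtree user search can be repeated through JNDI from the same JVM and trust store. This is an added example, not code from the thread or from Tomcat; the class name, the environment-variable names and the placeholder host, DNs and user are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Stand-alone JNDI check: bind over ldaps and run a subtree search with the
 * same filter shape as the Realm's userSearch, printing the full stack trace
 * on failure. All names below are hypothetical placeholders.
 */
public class LdapsBindCheck {

    // Read a setting from the environment, falling back to a placeholder.
    static String env(String key, String fallback) {
        String v = System.getenv(key);
        return (v == null || v.isEmpty()) ? fallback : v;
    }

    // Build the JNDI environment for either an anonymous or a simple bind.
    static Hashtable<String, Object> buildEnv(String url, String bindDn, String password) {
        Hashtable<String, Object> e = new Hashtable<>();
        e.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        e.put(Context.PROVIDER_URL, url);
        // Fail fast instead of hanging when the DC drops the connection.
        e.put("com.sun.jndi.ldap.connect.timeout", "5000");
        e.put("com.sun.jndi.ldap.read.timeout", "10000");
        if (bindDn == null) {
            e.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous bind
        } else {
            e.put(Context.SECURITY_AUTHENTICATION, "simple"); // like ldapsearch -x -D
            e.put(Context.SECURITY_PRINCIPAL, bindDn);
            e.put(Context.SECURITY_CREDENTIALS, password == null ? "" : password);
        }
        return e;
    }

    public static void main(String[] args) {
        String url = env("LDAP_URL", "ldaps://dc.example.invalid:3269");   // placeholder
        String bindDn = env("LDAP_BIND_DN", null);                         // unset = anonymous
        String password = env("LDAP_BIND_PW", null);
        String userBase = env("LDAP_USER_BASE", "DC=example,DC=invalid");  // placeholder
        String user = args.length > 0 ? args[0] : "jdoe";                  // placeholder

        DirContext ctx = null;
        try {
            // Opening the context performs the TLS handshake and the bind.
            ctx = new InitialDirContext(buildEnv(url, bindDn, password));
            System.out.println("bind OK as " + (bindDn == null ? "<anonymous>" : bindDn));

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // userSubtree="true"
            sc.setReturningAttributes(new String[] {"memberOf"});
            sc.setCountLimit(5);

            // The {0} argument is escaped by JNDI before it is sent.
            NamingEnumeration<SearchResult> res =
                ctx.search(userBase, "(sAMAccountName={0})", new Object[] {user}, sc);
            try {
                int n = 0;
                while (res.hasMore()) {
                    System.out.println("found: " + res.next().getNameInNamespace());
                    n++;
                }
                System.out.println("search OK, entries: " + n);
            } finally {
                res.close();
            }
        } catch (AuthenticationException ex) {
            System.err.println("BIND REJECTED (credentials or bind method):");
            ex.printStackTrace();
        } catch (CommunicationException ex) {
            System.err.println("CONNECTION/TLS FAILURE (check root cause below):");
            ex.printStackTrace();
        } catch (NamingException ex) {
            System.err.println("LDAP OPERATION FAILED after connect:");
            ex.printStackTrace();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignore) { /* already closed */ }
            }
        }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` options as the Tomcat JVM, adding `-Djavax.net.debug=ssl,handshake` to see whether the failure is in the handshake or after it. Running it once with `LDAP_BIND_DN` unset and once with the service account DN shows whether the search fails only on an unauthenticated connection.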


Re: JNDI ldaps Problem with SSO

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Susan,

On 5/18/21 16:58, Susan.Wood@swisscom.com wrote:
> When we are using plain ldap 3268, all works fine with those settings:
> 
> 
> Good:
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>                       connectionURL="ldap://xxxxx.xxxx.com:3268"
>                       userBase="DC=XXXINTRA,DC=CH"
>                       userSubtree="true"
>                       userSearch="(sAMAccountName={0})"
>                       userRoleName="memberOf"
>                       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
>                       roleName="CN"
>                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>                       roleSubtree="true"
>                       roleNested="true" />
> 
> 
> It's when we want to use ldaps with 3269 it's failing:
> bad:
> 
>                <Realm className="org.apache.catalina.realm.JNDIRealm"
>                       connectionURL="ldaps://xxxxx.xxxx.com:3269"
>                       userBase="DC=XXXINTRA,DC=CH"
>                       userSubtree="true"
>                       userSearch="(sAMAccountName={0})"
>                       userRoleName="memberOf"
>                       roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>                       roleName="CN"
>                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>                       roleSubtree="true"
>                       roleNested="true" />
> 
> 
> ldapsearch on port 3269 (ldaps) works fine from the same machine, but yes, it's not exactly the same request
> 
> 
> TEST ~]# ldapsearch -x -D "cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <DC=bcintra,DC=ch> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # Organization, Schema, Configuration, bcintra.ch
> 
> 
> 
> We think, ssl-handshake is fine but bind is failing. Why?

What is the error you actually get? Can you please post the full stack 
trace and not just the message?

-chris


>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Dienstag, 18. Mai 2021 18:02
>> To: users@tomcat.apache.org
>> Subject: Re: JNDI ldaps Problem with SSO
>>
>> Susan,
>>
>> On 5/18/21 09:43, Susan.Wood@swisscom.com wrote:
>>> Hi all
>>>
>>> apache-tomcat-8.0.36
>>>
>>> java version "1.8.0_281"
>>> Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java HotSpot(TM)
>>> 64-Bit Server VM (build 25.281-b09, mixed mode)
>>>
>>> We are having a problem with our Single sign On config.
>>> When using ldap - all works well.
>>>
>>> When switching to ldaps, the User loses the connection all together
>>> (Server not reachable)
>>>
>>>
>>>
>>> server.xml
>>>
>>> Good:
>>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>                      connectionURL="ldap://xxxxx.xxxx.com:3268"
>>>                      userBase="DC=XXXINTRA,DC=CH"
>>>                      userSubtree="true"
>>>                      userSearch="(sAMAccountName={0})"
>>>                      userRoleName="memberOf"
>>>                      roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
>>>                      roleName="CN"
>>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>>>                      roleSubtree="true"
>>>                      roleNested="true" />
>>>
>>> bad:
>>>
>>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>                      connectionURL="ldaps://xxxxx.xxxx.com:3269"
>>>                      userBase="DC=XXXINTRA,DC=CH"
>>>                      userSubtree="true"
>>>                      userSearch="(sAMAccountName={0})"
>>>                      userRoleName="memberOf"
>>>                      roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>>>                      roleName="CN"
>>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>>>                      roleSubtree="true"
>>>                      roleNested="true" />
>>>
>>>
>>> Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL
>> connection itself seems to be fine, Certificates are fine, we are sending the
>> truststore as well. All is in the relevant cacerts too.
>>> We have a https Server in Front and a proxy Setting to the tomcat.
>>>
>>> /usr/java/latest/bin/java
>>> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/loggi
>>> ng.properties
>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
>>> -Djavax.net.ssl.trustStorePassword=xxxxxx
>>> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
>>> -Dnm.data.home=/opt/tomcat/data
>>> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
>>> -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
>>> -Djavax.security.auth.useSubjectCredsOnly=false
>>> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
>>> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
>>> -classpath
>>> /opt/tomcat/apache-tomcat-
>> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
>>> tomcat-8.0.36/bin/tomcat-juli.jar
>>> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
>>> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
>>> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
>>> org.apache.catalina.startup.Bootstrap start
>>>
>>>
>>>
>>> Domain controller seems to close the connection. The Error is "The
>> Parameter is incorrect", "The System cannot find the path specified." It
>> seems to happen, during the bind process, as if the DC can not decrypt our
>> tomcat request:
>>>
>>> First two events are happening several times. After the last anonymous
>> bind is entered, the bind exited is done with the appway service account user.
>> Right after that the error appears.
>>> Internal event: Function ldap_bind entered.
>>>          SID: S-1-5-7
>>>          Source IP: 11.1xx.xxx.xxx:51240
>>>          Operation identifier: 894498
>>>          Data1:
>>>          Data2: 1004335171
>>>          Data3:
>>>          Data4:
>>> Internal event: Function ldap_bind exited.
>>>          Elapsed time (ms): 0
>>>          SID: S-1-5-7
>>>          Source IP: 11.1xx.xxx.xxx::51240
>>>          Operation identifier: 894498
>>>          Data1:
>>>          Data2: 1004335171
>>>          Data3: 1004335171
>>> Internal event: Function ldap_bind entered.
>>>          SID: S-1-5-7
>>>          Source IP: 11.1xx.xxx.xxx::51240
>>>          Operation identifier: 894498
>>>          Data1:
>>>          Data2: 1004335203
>>>          Data3:
>>>          Data4:
>>>
>>> Internal event: Function ldap_bind exited.
>>>          Elapsed time (ms): 0
>>>          SID: S-1-5-21-576815021-3137181063-3029416097-6939
>>>          Source IP: 11.1xx.xxx.xxx::51240
>>>          Operation identifier: 894498
>>>          Data1:
>>>          Data2: 1004335203
>>>          Data3: 1004335203
>>>
>>>
>>> Then we see the same error events like we saw before already with the
>>> normal log level Internal event: The LDAP server returned an error.
>>>
>>> Additional Data
>>> Error value:
>>> 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
>>> message, data 0, v2580
>>>
>>> Internal event: An LDAP client connection was closed because of an error.
>>>
>>> Client IP:
>>> 11.1xx.xxx.xxx::51240
>>>
>>> Additional Data
>>> Error value:
>>> 87 The parameter is incorrect.
>>> Internal ID:
>>> c0c0095
>>>
>>>
>>>
>>>
>>>
>>>
>>> In the App Log of the tomcat we see:
>>>
>>> /opt/tomcat/tomcat8_appway1/logs
>>>
>>>
>>> localhost.2021-03-22.log
>>>
>>>
>>> 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]
>> org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1]
>> CompressingFilter is being destroyed...
>>> 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
>>> org.apache.catalina.core.ApplicationContext.log No Spring
>>> WebApplicationInitializer types detected on classpath
>>> 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
>>> org.apache.catalina.core.ApplicationContext.log
>>> [CompressingFilter/1.7.1] CompressingFilter has initialized
>>> 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
>>> org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
>>> policy access restrictor classpath:/jolokia-access.xml
>>> 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
>>> org.apache.catalina.realm.JNDIRealm.authenticate Exception performing
>>> authentication
>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>> DSID-0C0907E9, comment: In order to perform this operation a successful
>> bind must be completed on the connection., data 0, v2580^@]; remaining
>> name 'DC=BCINTRA,DC=CH'
>>>
>>>
>>> 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
>>> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing
>>> authentication
>>> javax.naming.NamingException: LDAP connection has been closed;
>> remaining name 'DC=BCINTRA,DC=CH'
>>>
>>>
>>>
>>>
>>> What are we missing?
>>
>> Because your AD server sees the connection, it's probably not a TLS
>> handshake failure, but I was wondering if it was a TLS handshake failure.
>> Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I think that
>> was done at 1.8 patch 291 and you are on patch 281
>>
>> Maybe you should be using port 3269 instead of 3268? Looks like 3269 is for
>> TLS and 3268 is for plaintext.
>>
>>
>> You say that ldapsearch works. Can you post that command-line?
>>
>> -chris


RE: JNDI ldaps Problem with SSO

Posted by Su...@swisscom.com.
Hi Chris

Thank you for your fast reply

When we are using plain ldap 3268, all works fine with those settings: 


Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
                     connectionURL="ldap://xxxxx.xxxx.com:3268"
                     userBase="DC=XXXINTRA,DC=CH"
                     userSubtree="true"
                     userSearch="(sAMAccountName={0})"
                     userRoleName="memberOf"
                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
                     roleName="CN"
                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                     roleSubtree="true"
                     roleNested="true" />


It's when we want to use ldaps with 3269 it's failing: 
bad:

              <Realm className="org.apache.catalina.realm.JNDIRealm"
                     connectionURL="ldaps://xxxxx.xxxx.com:3269"
                     userBase="DC=XXXINTRA,DC=CH"
                     userSubtree="true"
                     userSearch="(sAMAccountName={0})"
                     userRoleName="memberOf"
                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
                     roleName="CN"
                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                     roleSubtree="true"
                     roleNested="true" />


ldapsearch on port 3269 (ldaps) works fine from the same machine, but yes, it's not exactly the same request


TEST ~]# ldapsearch -x -D "cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <DC=bcintra,DC=ch> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# Organization, Schema, Configuration, bcintra.ch



We think, ssl-handshake is fine but bind is failing. Why? 

Thank you 

Susan 

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Dienstag, 18. Mai 2021 18:02
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 09:43, Susan.Wood@swisscom.com wrote:
> > Hi all
> >
> > apache-tomcat-8.0.36
> >
> > java version "1.8.0_281"
> > Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java HotSpot(TM)
> > 64-Bit Server VM (build 25.281-b09, mixed mode)
> >
> > We are having a problem with our Single sign On config.
> > When using ldap - all works well.
> >
> > When switching to ldaps, the User loses the connection all together
> > (Server not reachable)
> >
> >
> >
> > server.xml
> >
> > Good:
> >              <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                     connectionURL="ldap://xxxxx.xxxx.com:3268"
> >                     userBase="DC=XXXINTRA,DC=CH"
> >                     userSubtree="true"
> >                     userSearch="(sAMAccountName={0})"
> >                     userRoleName="memberOf"
> >                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
> >                     roleName="CN"
> >                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                     roleSubtree="true"
> >                     roleNested="true" />
> >
> > bad:
> >
> >              <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                     connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >                     userBase="DC=XXXINTRA,DC=CH"
> >                     userSubtree="true"
> >                     userSearch="(sAMAccountName={0})"
> >                     userRoleName="memberOf"
> >                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
> >                     roleName="CN"
> >                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                     roleSubtree="true"
> >                     roleNested="true" />
> >
> >
> > Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL
> connection itself seems to be fine, Certificates are fine, we are sending the
> truststore as well. All is in the relevant cacerts too.
> > We have a https Server in Front and a proxy Setting to the tomcat.
> >
> > /usr/java/latest/bin/java
> > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/loggi
> > ng.properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
> > -Djavax.net.ssl.trustStorePassword=xxxxxx
> > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > -Dnm.data.home=/opt/tomcat/data
> > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
> > -Djavax.security.auth.useSubjectCredsOnly=false
> > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > -classpath
> > /opt/tomcat/apache-tomcat-
> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > tomcat-8.0.36/bin/tomcat-juli.jar
> > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > org.apache.catalina.startup.Bootstrap start
> >
> >
> >
> > Domain controller seems to close the connection. The Error is "The
> Parameter is incorrect", "The System cannot find the path specified." It
> seems to happen, during the bind process, as if the DC can not decrypt our
> tomcat request:
> >
> > First two events are happening several times. After the last anonymous
> bind is entered, the bind exited is done with the appway service account user.
> Right after that the error appears.
> > Internal event: Function ldap_bind entered.
> >         SID: S-1-5-7
> >         Source IP: 11.1xx.xxx.xxx:51240
> >         Operation identifier: 894498
> >         Data1:
> >         Data2: 1004335171
> >         Data3:
> >         Data4:
> > Internal event: Function ldap_bind exited.
> >         Elapsed time (ms): 0
> >         SID: S-1-5-7
> >         Source IP: 11.1xx.xxx.xxx::51240
> >         Operation identifier: 894498
> >         Data1:
> >         Data2: 1004335171
> >         Data3: 1004335171
> > Internal event: Function ldap_bind entered.
> >         SID: S-1-5-7
> >         Source IP: 11.1xx.xxx.xxx::51240
> >         Operation identifier: 894498
> >         Data1:
> >         Data2: 1004335203
> >         Data3:
> >         Data4:
> >
> > Internal event: Function ldap_bind exited.
> >         Elapsed time (ms): 0
> >         SID: S-1-5-21-576815021-3137181063-3029416097-6939
> >         Source IP: 11.1xx.xxx.xxx::51240
> >         Operation identifier: 894498
> >         Data1:
> >         Data2: 1004335203
> >         Data3: 1004335203
> >
> >
> > Then we see the same error events like we saw before already with the
> > normal log level Internal event: The LDAP server returned an error.
> >
> > Additional Data
> > Error value:
> > 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
> > message, data 0, v2580
> >
> > Internal event: An LDAP client connection was closed because of an error.
> >
> > Client IP:
> > 11.1xx.xxx.xxx::51240
> >
> > Additional Data
> > Error value:
> > 87 The parameter is incorrect.
> > Internal ID:
> > c0c0095
> >
> >
> >
> >
> >
> >
> > In the App Log of the tomcat we see:
> >
> > /opt/tomcat/tomcat8_appway1/logs
> >
> >
> > localhost.2021-03-22.log
> >
> >
> > 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]
> org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1]
> CompressingFilter is being destroyed...
> > 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
> > org.apache.catalina.core.ApplicationContext.log No Spring
> > WebApplicationInitializer types detected on classpath
> > 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
> > org.apache.catalina.core.ApplicationContext.log
> > [CompressingFilter/1.7.1] CompressingFilter has initialized
> > 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
> > org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
> > policy access restrictor classpath:/jolokia-access.xml
> > 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
> > org.apache.catalina.realm.JNDIRealm.authenticate Exception performing
> > authentication
> > javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
> DSID-0C0907E9, comment: In order to perform this operation a successful
> bind must be completed on the connection., data 0, v2580^@]; remaining
> name 'DC=BCINTRA,DC=CH'
> >
> >
> > 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
> > org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing
> > authentication
> > javax.naming.NamingException: LDAP connection has been closed;
> remaining name 'DC=BCINTRA,DC=CH'
> >
> >
> >
> >
> > What are we missing?
> 
> Because your AD server sees the connection, it's probably not a TLS
> handshake failure, but I was wondering if it was a TLS handshake failure.
> Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I think that
> was done at 1.8 patch 291 and you are on patch 281
> 
> Maybe you should be using port 3269 instead of 3268? Looks like 3269 is for
> TLS and 3268 is for plaintext.
> 
> 
> You say that ldapsearch works. Can you post that command-line?
> 
> -chris

Re: JNDI ldaps Problem with SSO

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Susan,

On 5/18/21 09:43, Susan.Wood@swisscom.com wrote:
> Hi all
> 
> apache-tomcat-8.0.36
> 
> java version "1.8.0_281"
> Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
> Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
> 
> We are having a problem with our Single sign On config.
> When using ldap - all works well.
> 
> When switching to ldaps, the user loses the connection altogether (Server not reachable)
> 
> 
> 
> server.xml
> 
> Good:
>              <Realm className="org.apache.catalina.realm.JNDIRealm"
>                     connectionURL="ldap://xxxxx.xxxx.com:3268"
>                     userBase="DC=XXXINTRA,DC=CH"
>                     userSubtree="true"
>                     userSearch="(sAMAccountName={0})"
>                     userRoleName="memberOf"
>                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch "
>                     roleName="CN"
>                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>                     roleSubtree="true"
>                     roleNested="true" />
> 
> bad:
> 
>              <Realm className="org.apache.catalina.realm.JNDIRealm"
>                     connectionURL="ldaps://xxxxx.xxxx.com:3269"
>                     userBase="DC=XXXINTRA,DC=CH"
>                     userSubtree="true"
>                     userSearch="(sAMAccountName={0})"
>                     userRoleName="memberOf"
>                     roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>                     roleName="CN"
>                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>                     roleSubtree="true"
>                     roleNested="true" />
> 
> 
> Connectivity to the DC is fine (ldapsearch with ldaps works), SSL connection itself seems to be fine, Certificates are fine, we are sending the truststore as well. All is in the relevant cacerts too.
> We have a https Server in Front and a proxy Setting to the tomcat.
> 
> /usr/java/latest/bin/java -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks -Djavax.net.ssl.trustStorePassword=xxxxxx -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf -Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/tomcat8_appway1 -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp org.apache.catalina.startup.Bootstrap start
> 
> 
> 
> Domain controller seems to close the connection. The Error is "The Parameter is incorrect", "The System cannot find the path specified." It seems to happen during the bind process, as if the DC cannot decrypt our tomcat request:
> 
> First two events are happening several times. After the last anonymous bind is entered, the bind exited is done with the appway service account user. Right after that the error appears.
> Internal event: Function ldap_bind entered.
>         SID: S-1-5-7
>         Source IP: 11.1xx.xxx.xxx:51240
>         Operation identifier: 894498
>         Data1:
>         Data2: 1004335171
>         Data3:
>         Data4:
> Internal event: Function ldap_bind exited.
>         Elapsed time (ms): 0
>         SID: S-1-5-7
>         Source IP: 11.1xx.xxx.xxx::51240
>         Operation identifier: 894498
>         Data1:
>         Data2: 1004335171
>         Data3: 1004335171
> Internal event: Function ldap_bind entered.
>         SID: S-1-5-7
>         Source IP: 11.1xx.xxx.xxx::51240
>         Operation identifier: 894498
>         Data1:
>         Data2: 1004335203
>         Data3:
>         Data4:
> 
> Internal event: Function ldap_bind exited.
>         Elapsed time (ms): 0
>         SID: S-1-5-21-576815021-3137181063-3029416097-6939
>         Source IP: 11.1xx.xxx.xxx::51240
>         Operation identifier: 894498
>         Data1:
>         Data2: 1004335203
>         Data3: 1004335203
> 
> 
> Then we see the same error events like we saw before already with the normal log level
> Internal event: The LDAP server returned an error.
> 
> Additional Data
> Error value:
> 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, v2580
> 
> Internal event: An LDAP client connection was closed because of an error.
> 
> Client IP:
> 11.1xx.xxx.xxx::51240
> 
> Additional Data
> Error value:
> 87 The parameter is incorrect.
> Internal ID:
> c0c0095
> 
> 
> 
> 
> 
> 
> In the App Log of the tomcat we see:
> 
> /opt/tomcat/tomcat8_appway1/logs
> 
> 
> localhost.2021-03-22.log
> 
> 
> 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
> 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
> 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1] CompressingFilter has initialized
> 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
> 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name 'DC=BCINTRA,DC=CH'
> 
> 
> 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
> javax.naming.NamingException: LDAP connection has been closed; remaining name 'DC=BCINTRA,DC=CH'
> 
> 
> 
> 
> What are we missing?

Because your AD server sees the connection, it's probably not a TLS 
handshake failure, but I was wondering if it was a TLS handshake 
failure. Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but 
I think that was done at 1.8 patch 291 and you are on patch 281.

Maybe you should be using port 3269 instead of 3268? Looks like 3269 is 
for TLS and 3268 is for plaintext.


You say that ldapsearch works. Can you post that command-line?

-chris
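
One way to separate the two failure modes raised in this thread (TLS handshake versus LDAP bind), added here as an example and not part of any poster's message: a stand-alone check that uses the same JVM and truststore as Tomcat, first completing only the TLS handshake and then doing a bind and the realm's `userSearch` over `ldaps`. The class name `LdapsCheck`, the `LDAP_BIND_PW` environment variable and the use of a simple bind with a service-account DN are assumptions; the thread does not show how the realm binds.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
// Added diagnostic (hypothetical class name), not code from the thread.
// Run it with the same JVM and -Djavax.net.ssl.trustStore options as Tomcat:
//   java LdapsCheck <host> <port> <bindDN> <userBase> <sAMAccountName>
// Assumption: simple bind; password comes from the LDAP_BIND_PW env variable.
public class LdapsCheck {
    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_BIND_PW");
        if (args.length != 5 || password == null) {
            System.err.println("usage: LDAP_BIND_PW=... java LdapsCheck host port bindDN userBase account");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Step 1: TLS only. An exception here means handshake or trust failure.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("TLS ok: " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
        }
        // Step 2: bind over ldaps, then run the realm's userSearch filter.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[2]);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env); // throws if the bind fails
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // userSubtree="true"
            NamingEnumeration<SearchResult> results = ctx.search(
                    args[3], "(sAMAccountName={0})", new Object[] {args[4]}, controls);
            while (results.hasMore()) {
                System.out.println("Found: " + results.next().getNameInNamespace());
            }
        } finally { ctx.close(); }
    }
}
```

If step 1 prints a protocol and cipher suite but step 2 throws, the problem lies in the bind or search rather than in TLS or the truststore; adding `-Djavax.net.debug=ssl:handshake` to the same command shows the handshake in detail.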