Solved

JNDI and Openldap

Posted on 2004-10-11
Last Modified: 2012-05-05
I am using JNDI and Tomcat for authentication.  This is a new server I am setting up to replace an existing one...  Upgraded hardware / software...  Anyway, authentication works for the user but doesn't find the user in the group...  It doesn't make sense, since this same config works on another box.  Here's the necessary files:

debug log:
slapd starting

ldap_pvt_gethostbyname_a: host=www.domain.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=domain,dc=com>
=> ldap_bv2dn(cn=Manager,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <cn=Manager,dc=domain,dc=com>, <cn=manager,dc=domain,dc=com>
do_bind: version=3 dn="cn=Manager,dc=domain,dc=com" method=128
do_bind: v3 bind: "cn=Manager,dc=domain,dc=com" to "cn=Manager,dc=domain,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 119 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>
=> ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>, <uid=ross,ou=people,dc=domain,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("uid=ross,ou=people,dc=domain,dc=com")
=> bdb_dn2id( "dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000001
=> bdb_dn2id( "ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000007
=> bdb_dn2id( "uid=ross,ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000008
entry_decode: "uid=ross,ou=people,dc=domain,dc=com"
<= entry_decode(uid=ross,ou=people,dc=domain,dc=com)
=> send_search_entry: dn="uid=ross,ou=people,dc=domain,dc=com"
ber_flush: 74 bytes to sd 10
<= send_search_entry
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=groups,dc=domain,dc=com>
=> ldap_bv2dn(ou=groups,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <ou=groups,dc=domain,dc=com>, <ou=groups,dc=domain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=groups,dc=domain,dc=com")
=> bdb_dn2id( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000006
entry_decode: "ou=groups,dc=domain,dc=com"
<= entry_decode(ou=groups,dc=domain,dc=com)
search_candidates: base="ou=groups,dc=domain,dc=com" (0x00000006) scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2idl: id=4 first=9 last=13
bdb_search_candidates: id=0 first=9 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
ber_flush: 14 bytes to sd 10
daemon: shutdown requested and initiated.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.

Slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Tomcat server.xml JNDI part:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=Manager,dc=domain,dc=com"
       connectionPassword="xxxxx"
       connectionURL="ldap://localhost:389"
       userPassword="userPassword"
       userPattern="uid={0},ou=people,dc=domain,dc=com"
       roleBase="ou=groups,dc=domain,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
Web.XML section:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authentication</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
        <role-name>manager</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

LDIF of database:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Manager, domain.com
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
roleOccupant: uid=ross,ou=people,dc=domain,dc=com

# users, domain.com
dn: ou=users,dc=domain,dc=com
objectClass: organizationalUnit
ou: users

# us, domain.com
dn: c=us,dc=domain,dc=com
objectClass: top
objectClass: country
c: us

# groups, domain.com
dn: ou=groups,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, domain.com
dn: ou=people,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# ross, people, domain.com
dn: uid=ross,ou=people,dc=domain,dc=com
cn: Ross Rankin
sn: Rankin
objectClass: inetOrgPerson
uid: ross
mail: wolver@mindspring.com
userPassword:: dGVzdA==

# manager, groups, domain.com
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# tomcat, groups, domain.com
dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# admin, groups, domain.com
dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# ralph, people, domain.com
dn: uid=ralph,ou=people,dc=domain,dc=com
cn: Ralph Mobley
sn: Mobley
objectClass: inetOrgPerson
uid: ralph
userPassword:: cGFzc3dvcmQ=
mail: ralph@domain.edu

# user, groups, domain.com
dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com

I think that would be all you need to help me diagnose the issue.  Thanks.

Ross
Question by:w0lver
3 Comments

Author Comment

by:w0lver
ID: 12383622
Figured it out...  The new version of Tomcat doesn't like the () as in previous versions...
So this:    roleSearch="(uniqueMember={0})"
Must be changed to this:      roleSearch="uniqueMember={0}"

Ross
Close me...

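Added example (not part of the original thread, and not Tomcat's JNDIRealm code): an offline model of the three realm steps the question's server.xml configures (userPattern lookup, roleBase/roleSearch group resolution with one-level scope as the slapd log shows, and the intersection with the roles web.xml declares), run against a subset of the LDIF posted above. The helper names are this example's own. Two details go beyond the page: the roleSearch filter is accepted with or without its enclosing parentheses (the form change described in the author's comment), and the values substituted for {0} are escaped per RFC 4514 (DN) and RFC 4515 (filter) so that a username or DN containing characters such as `,`, `(`, `)` or `*` cannot change the structure of the DN or the filter.

```python
# Offline model of JNDIRealm's userPattern / roleBase / roleSearch steps against the
# LDIF from the question (added example; not Tomcat's code, not a real LDAP client).
import base64
import re

# Subset of the LDIF posted in the question, embedded so the example runs offline.
LDIF = """\
dn: uid=ross,ou=people,dc=domain,dc=com
uid: ross
userPassword:: dGVzdA==

dn: uid=ralph,ou=people,dc=domain,dc=com
uid: ralph
userPassword:: cGFzc3dvcmQ=

dn: cn=manager,ou=groups,dc=domain,dc=com
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=tomcat,ou=groups,dc=domain,dc=com
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=admin,ou=groups,dc=domain,dc=com
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=user,ou=groups,dc=domain,dc=com
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com
"""

# Realm settings copied from the server.xml in the question.
USER_PATTERN = "uid={0},ou=people,dc=domain,dc=com"
ROLE_BASE = "ou=groups,dc=domain,dc=com"
ROLE_SEARCH = "(uniqueMember={0})"
ROLE_NAME = "cn"
WEB_XML_ROLES = {"user", "manager", "admin"}  # roles named in the web.xml auth-constraint

def parse_ldif(text):
    """Parse LDIF into {dn (lowercased): {attribute (lowercased): [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line).groups()
            name = name.lower()
            if sep == "::":  # base64 value, as ldapsearch prints userPassword
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn.lower()] = attrs
    return entries

def dn_escape(value):
    """RFC 4514 escaping for a username substituted into userPattern's {0}."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    return "\\" + out if out[:1] in ("#", " ") else out

def filter_escape(value):
    """RFC 4515 escaping for the user DN substituted into roleSearch's {0}."""
    esc = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(esc.get(ch, ch) for ch in value)

def authenticate(entries, username, password):
    """userPattern step: build the DN and check the password; returns the DN or None.
    (The page's LDIF holds cleartext passwords; a real realm lets slapd do the bind.)"""
    user_dn = USER_PATTERN.replace("{0}", dn_escape(username))
    entry = entries.get(user_dn.lower())
    if entry is None or password not in entry.get("userpassword", []):
        return None
    return user_dn

def role_search(entries, user_dn, role_search=ROLE_SEARCH):
    """roleBase/roleSearch step, one-level scope (scope=1 in the slapd log above).
    Accepts the filter with or without its enclosing parentheses."""
    flt = role_search.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    m = re.match(r"^\(([A-Za-z][\w;-]*)=(.*)\)$", flt)
    if not m:
        raise ValueError("only a single equality filter is modelled: %r" % role_search)
    attr = m.group(1).lower()
    # Compare in escaped form so a DN containing ( ) * \ cannot alter the filter.
    wanted = m.group(2).replace("{0}", filter_escape(user_dn)).lower()
    roles = set()
    for dn, attrs in entries.items():
        if dn.split(",", 1)[-1] != ROLE_BASE.lower():
            continue  # not a direct child of roleBase
        if wanted in (filter_escape(v).lower() for v in attrs.get(attr, [])):
            roles.update(attrs.get(ROLE_NAME.lower(), []))
    return roles

def granted_roles(entries, username, password):
    """End to end: authenticate, resolve groups, keep only the roles web.xml declares."""
    user_dn = authenticate(entries, username, password)
    return set() if user_dn is None else role_search(entries, user_dn) & WEB_XML_ROLES

ENTRIES = parse_ldif(LDIF)
```

With the posted data, `granted_roles(ENTRIES, "ross", "test")` yields user, manager and admin (the tomcat group exists in the directory but is not a role web.xml knows), and `granted_roles(ENTRIES, "ralph", "password")` yields only user. The escaping is the part worth carrying into a real deployment: userPattern and roleSearch both splice caller-controlled text into LDAP syntax, so a realm that does not escape it is trusting the login form to supply well-formed names.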
Accepted Solution

by:
modulo earned 0 total points
ID: 14048684
PAQed with points refunded (500)

modulo
Community Support Moderator
