Solved

JNDI and Openldap

Posted on 2004-10-11
3
684 Views
Last Modified: 2012-05-05
I am using JNDI and Tomcat for authentication.  This is a new server I am setting up to replace an exisiting one...  Upgraded hardware / software...  Anyway, authentication works for the user but doesn't find the user in the group...  It doesn't make sense, since this same config works on another box.  Here's the necessary files:

debug log:
slapd starting

ldap_pvt_gethostbyname_a: host=www.domain.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=domain,dc=com>
=> ldap_bv2dn(cn=Manager,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <cn=Manager,dc=domain,dc=com>, <cn=manager,dc=domain,dc=com>
do_bind: version=3 dn="cn=Manager,dc=domain,dc=com" method=128
do_bind: v3 bind: "cn=Manager,dc=domain,dc=com" to "cn=Manager,dc=domain,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 119 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>
=> ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>, <uid=ross,ou=people,dc=domain,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("uid=ross,ou=people,dc=domain,dc=com")
=> bdb_dn2id( "dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000001
=> bdb_dn2id( "ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000007
=> bdb_dn2id( "uid=ross,ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000008
entry_decode: "uid=ross,ou=people,dc=domain,dc=com"
<= entry_decode(uid=ross,ou=people,dc=domain,dc=com)
=> send_search_entry: dn="uid=ross,ou=people,dc=domain,dc=com"
ber_flush: 74 bytes to sd 10
<= send_search_entry
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=groups,dc=domain,dc=com>
=> ldap_bv2dn(ou=groups,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <ou=groups,dc=domain,dc=com>, <ou=groups,dc=domain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=groups,dc=domain,dc=com")
=> bdb_dn2id( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000006
entry_decode: "ou=groups,dc=domain,dc=com"
<= entry_decode(ou=groups,dc=domain,dc=com)
search_candidates: base="ou=groups,dc=domain,dc=com" (0x00000006) scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2idl: id=4 first=9 last=13
bdb_search_candidates: id=0 first=9 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
ber_flush: 14 bytes to sd 10
daemon: shutdown requested and initiated.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.

Slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Tomcat server.xml JNDI part:

<Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
   connectionName="cn=Manager,dc=domain,dc=com"
   connectionPassword="xxxxx"
    connectionURL="ldap://localhost:389"
     userPassword="userPassword"
      userPattern="uid={0},ou=people,dc=domain,dc=com"
         roleBase="ou=groups,dc=domain,dc=com"
         roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
Web.XML section:
       <security-constraint>
               <web-resource-collection>
                       <web-resource-name>Authentication</web-resource-name>
                       <url-pattern>/secure/*</url-pattern>
               </web-resource-collection>
               <auth-constraint>
                       <role-name>user</role-name>
                       <role-name>manager></role-name>
                       <role-name>admin</role-name>
               </auth-constraint>
       </security-constraint>

LDIF of database:
extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Manager, domain.com
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
roleOccupant: uid=ross,ou=people,dc=domain,dc=com

# users, domain.com
dn: ou=users,dc=domain,dc=com
objectClass: organizationalUnit
ou: users

# us, domain.com
dn: c=us,dc=domain,dc=com
objectClass: top
objectClass: country
c: us

# groups, domain.com
dn: ou=groups,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, domain.com
dn: ou=people,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# ross, people, domain.com
dn: uid=ross,ou=people,dc=domain,dc=com
cn: Ross Rankin
sn: Rankin
objectClass: inetOrgPerson
uid: ross
mail: wolver@mindspring.com
userPassword:: dGVzdA==

# manager, groups, domain.com
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# tomcat, groups, domain.com
dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# admin, groups, domain.com
dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# ralph, people, domain.com
dn: uid=ralph,ou=people,dc=domain,dc=com
cn: Ralph Mobley
sn: Mobley
objectClass: inetOrgPerson
uid: ralph
userPassword:: cGFzc3dvcmQ=
mail: ralph@domain.edu

# user, groups, domain.com
dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com

I think that would be all you need to help me diagnose the issue.  Thanks.

Ross
0
Comment
Question by:w0lver
3 Comments
 
LVL 3

Author Comment

by:w0lver
ID: 12383622
Figured it out...  The new version of Tomcat doesn't like the () as in previous versions...
So this:    roleSearch="(uniqueMember={0})"
Must be changed to this:      roleSearch="uniqueMember={0}"

Ross
Close me...

0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14048684
PAQed with points refunded (500)

modulo
Community Support Moderator
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now