Solved

JNDI and Openldap

Posted on 2004-10-11
691 Views
Last Modified: 2012-05-05
I am using JNDI and Tomcat for authentication.  This is a new server I am setting up to replace an existing one...  Upgraded hardware / software...  Anyway, authentication works for the user but doesn't find the user in the group...  It doesn't make sense, since this same config works on another box.  Here are the necessary files:

debug log:
slapd starting

ldap_pvt_gethostbyname_a: host=www.domain.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=domain,dc=com>
=> ldap_bv2dn(cn=Manager,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=Manager,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <cn=Manager,dc=domain,dc=com>, <cn=manager,dc=domain,dc=com>
do_bind: version=3 dn="cn=Manager,dc=domain,dc=com" method=128
do_bind: v3 bind: "cn=Manager,dc=domain,dc=com" to "cn=Manager,dc=domain,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 119 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>
=> ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=ross,ou=people,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <uid=ross,ou=people,dc=domain,dc=com>, <uid=ross,ou=people,dc=domain,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("uid=ross,ou=people,dc=domain,dc=com")
=> bdb_dn2id( "dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000001
=> bdb_dn2id( "ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000007
=> bdb_dn2id( "uid=ross,ou=people,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000008
entry_decode: "uid=ross,ou=people,dc=domain,dc=com"
<= entry_decode(uid=ross,ou=people,dc=domain,dc=com)
=> send_search_entry: dn="uid=ross,ou=people,dc=domain,dc=com"
ber_flush: 74 bytes to sd 10
<= send_search_entry
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=groups,dc=domain,dc=com>
=> ldap_bv2dn(ou=groups,dc=domain,dc=com,0)
ldap_err2string
<= ldap_bv2dn(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=groups,dc=domain,dc=com)=0 Success
<<< dnPrettyNormal: <ou=groups,dc=domain,dc=com>, <ou=groups,dc=domain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=groups,dc=domain,dc=com")
=> bdb_dn2id( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2id: got id=0x00000006
entry_decode: "ou=groups,dc=domain,dc=com"
<= entry_decode(ou=groups,dc=domain,dc=com)
search_candidates: base="ou=groups,dc=domain,dc=com" (0x00000006) scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "ou=groups,dc=domain,dc=com" )
<= bdb_dn2idl: id=4 first=9 last=13
bdb_search_candidates: id=0 first=9 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
ber_flush: 14 bytes to sd 10
daemon: shutdown requested and initiated.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.

Slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Tomcat server.xml JNDI part:

<Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
   connectionName="cn=Manager,dc=domain,dc=com"
   connectionPassword="xxxxx"
    connectionURL="ldap://localhost:389"
     userPassword="userPassword"
      userPattern="uid={0},ou=people,dc=domain,dc=com"
         roleBase="ou=groups,dc=domain,dc=com"
         roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
Web.XML section:
       <security-constraint>
               <web-resource-collection>
                       <web-resource-name>Authentication</web-resource-name>
                       <url-pattern>/secure/*</url-pattern>
               </web-resource-collection>
               <auth-constraint>
                       <role-name>user</role-name>
                       <role-name>manager</role-name>
                       <role-name>admin</role-name>
               </auth-constraint>
       </security-constraint>

LDIF of database:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Manager, domain.com
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
roleOccupant: uid=ross,ou=people,dc=domain,dc=com

# users, domain.com
dn: ou=users,dc=domain,dc=com
objectClass: organizationalUnit
ou: users

# us, domain.com
dn: c=us,dc=domain,dc=com
objectClass: top
objectClass: country
c: us

# groups, domain.com
dn: ou=groups,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, domain.com
dn: ou=people,dc=domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# ross, people, domain.com
dn: uid=ross,ou=people,dc=domain,dc=com
cn: Ross Rankin
sn: Rankin
objectClass: inetOrgPerson
uid: ross
mail: wolver@mindspring.com
userPassword:: dGVzdA==

# manager, groups, domain.com
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# tomcat, groups, domain.com
dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# admin, groups, domain.com
dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

# ralph, people, domain.com
dn: uid=ralph,ou=people,dc=domain,dc=com
cn: Ralph Mobley
sn: Mobley
objectClass: inetOrgPerson
uid: ralph
userPassword:: cGFzc3dvcmQ=
mail: ralph@domain.edu

# user, groups, domain.com
dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com

I think that would be all you need to help me diagnose the issue.  Thanks.

Ross
Question by:w0lver
3 Comments

Author Comment

by:w0lver
ID: 12383622
Figured it out...  The new version of Tomcat doesn't like the () as in previous versions...
So this:    roleSearch="(uniqueMember={0})"
Must be changed to this:      roleSearch="uniqueMember={0}"

Ross
Close me...

0
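An added worked example, not code from the thread, from Tomcat or from OpenLDAP, that emulates what the roleSearch in the Realm element asks the directory to do, run against the group entries copied from the posted LDIF: it expands {0} with the user's DN, accepts both the parenthesised and the bare form of the pattern discussed in the comment above, and escapes the substituted value per RFC 4515, because that DN is ultimately built from the name typed at the login prompt. The LDIF reader, the one-level search emulation, the case-insensitive DN comparison and the normalisation of the two pattern forms are simplifications assumed here; they do not reproduce slapd's real matching rules or the realm's internals.

```python
import base64
import re

# Group entries copied from the LDIF posted in the question; embedded here so
# the script runs offline against the same data the thread discusses.
GROUP_LDIF = """\
dn: cn=manager,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=tomcat,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=admin,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ross,ou=people,dc=domain,dc=com

dn: cn=user,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=ross,ou=people,dc=domain,dc=com
uniqueMember: uid=ralph,ou=people,dc=domain,dc=com
"""

ROLE_BASE = "ou=groups,dc=domain,dc=com"   # roleBase from the Realm element


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).
    Supports '::' base64 values and '#' comments; no line folding or changetype."""
    entries, dn, attrs = [], None, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn, attrs = line[3:].strip(), {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: characters with structural
    meaning in a filter become hex escapes, so a DN derived from a login name
    cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def role_filter(role_search, user_dn):
    """Expand a JNDIRealm-style roleSearch pattern: {0} becomes the escaped user
    DN. Both spellings from the thread, "(uniqueMember={0})" and
    "uniqueMember={0}", are normalised to one parenthesised filter (this
    normalisation is the example's own choice, not documented Tomcat behaviour)."""
    filt = role_search.replace("{0}", escape_filter_value(user_dn))
    return filt if filt.startswith("(") else "(" + filt + ")"


def parse_equality_filter(filt):
    """Split a single '(attr=value)' filter and undo RFC 4515 hex escapes."""
    m = re.fullmatch(r"\(([A-Za-z][\w;-]*)=(.*)\)", filt, re.DOTALL)
    if not m:
        raise ValueError("not a simple equality filter: %r" % filt)
    value = re.sub(r"\\([0-9A-Fa-f]{2})",
                   lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1).lower(), value


def parent_dn(dn):
    """Parent of a DN, assuming no escaped commas inside RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def roles_for(entries, role_base, role_search, role_name, user_dn):
    """Emulate the realm's role lookup: one-level search under role_base for
    entries whose filter attribute holds the user's DN (compared
    case-insensitively, an approximation of LDAP DN matching), returning the
    role_name attribute values of every match."""
    attr, wanted = parse_equality_filter(role_filter(role_search, user_dn))
    roles = []
    for dn, attrs in entries:
        if parent_dn(dn).lower() != role_base.lower():
            continue
        if wanted.lower() in (v.lower() for v in attrs.get(attr, [])):
            roles.extend(attrs.get(role_name.lower(), []))
    return roles


if __name__ == "__main__":
    entries = parse_ldif(GROUP_LDIF)
    for who in ("uid=ross,ou=people,dc=domain,dc=com",
                "uid=ralph,ou=people,dc=domain,dc=com"):
        print(who, "->", roles_for(entries, ROLE_BASE, "(uniqueMember={0})", "cn", who))
    # A DN carrying filter metacharacters is escaped rather than sent raw:
    print(role_filter("uniqueMember={0}", "cn=Pat (Ops),ou=people,dc=domain,dc=com"))
```

Run it directly to print the roles for ross and ralph; with the posted data, ross maps to manager, tomcat, admin and user, and ralph to user. Note that the web.xml section only names user, manager and admin in its auth-constraint, so membership in the tomcat group is found by the role search but grants nothing for /secure/*.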

Accepted Solution

by:
modulo earned 0 total points
ID: 14048684
PAQed with points refunded (500)

modulo
Community Support Moderator