users@glassfish.java.net

LDAPRealm group search with Active Directory

From: <glassfish_at_javadesktop.org>
Date: Wed, 27 Jun 2007 01:30:26 PDT

Hi,
I managed to authenticate users with our Active Directory in glassfish V2 beta 2 (build b41d-beta2) by configuring the LDAPRealm like this:

- directory = ldap://ldap.server.org:389
- base DN = dc=ldap,dc=server,dc=org

It is necessary to authenticate to the LDAP directory to view and search users and groups:
- search-bind-dn=cn=user name,ou=users,dc=ldap,dc=server,dc=org
- search-bind-password=your password

Our users and groups don't belong to a single OU (organizational unit), so I had to use the following search filters:
- search-filter=(&(objectClass=user)(sAMAccountName=%s))
- group-search-filter=(&(objectClass=group)(member=%d))

First, I would like to ask if it would be possible to use the "memberOf" attribute
of a user object to obtain the list of groups it is a member of instead of searching for all the groups with the user as member (see method LDAPRealm.groupSearch)?

LDAPRealm works pretty well: the user is authenticated successfully and the groups it belongs to are retrieved correctly,
but I still get a stack trace when the LDAPRealm performs a "dynamic group search", right after it performs the normal group search using the "group-search-filter"
(see method LDAPRealm.dynamicGroupSearch):

javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C0905A4, comment: Error processing filter, data 0, v893 ]; remaining name 'dc=ldap,dc=server,dc=org'

The problem is the search filter attributes DYNAMIC_GROUP_FILTER = (&(objectclass=groupofuniquenames)(objectclass=*groupofurls*)) aren't recognized by Active Directory in Windows 2000.

I think that functionality may have been added in Windows 2003 (see http://msdn2.microsoft.com/en-us/library/ms952382.aspx).

But I couldn't find a way to disable the search or change the search filter above for this second group search, which doesn't seem to be necessary in my case...

Would it be possible to introduce a configuration parameter to disable the dynamic group search for backwards compatibility with Active Directory in Windows 2000, please?

Thank you.

Here is the error log:

ldaplm.searcherror
SEC1000: Caught exception.
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C0905A4, comment: Error processing filter, data 0, v893 ]; remaining name 'dc=ldap,dc=server,dc=org'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3026)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.dynamicGroupSearch(LDAPRealm.java:535)
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:392)
        at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:98)
        at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:77)
        at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:171)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:282)
        at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:157)
        at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:110)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:466)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:406)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
        at org.apache.catalina.authenticator.AuthenticatorBase.processSecurityCheck(AuthenticatorBase.java:998)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:609)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:81)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:193)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:611)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:558)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1067)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:255)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:618)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:549)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:790)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:326)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:248)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:199)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:93)
[Message sent by forum member 'johnnymac' (johnnymac)]

http://forums.java.net/jive/thread.jspa?messageID=224157
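Added example, not code from the post or from GlassFish: a small Python model of the two lookups the post describes (the user search filling `%s`, then the group search filling `%d` with the found user's DN), plus the memberOf-based alternative the post asks about. Substituted values are escaped per RFC 4515 so that a login name or a DN containing `*`, `(` or `)` cannot change the filter's structure; the sample entry, DNs and group names are constructed, and whether LDAPRealm itself escapes these values is not something the post states.

```python
# Added example (not GlassFish code): models the two LDAPRealm lookups the post
# describes (user search with %s, then group search with the user's DN via %d)
# and the memberOf-based alternative the post asks about. Values substituted
# into filters are escaped per RFC 4515 so input cannot alter filter structure.
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Fill the realm's search-filter template (%s = login name)."""
    return template.replace("%s", escape_filter_value(username))


def build_group_filter(template: str, user_dn: str) -> str:
    """Fill the group-search-filter template (%d = DN of the found user).
    Escaping matters here too: a CN such as 'Doe (John)' contains parentheses."""
    return template.replace("%d", escape_filter_value(user_dn))


_CN_RE = re.compile(r"^cn=([^,]+)", re.IGNORECASE)


def groups_from_member_of(user_entry: dict) -> list:
    """Derive group names from the user's memberOf attribute, avoiding a
    second search. memberOf holds group DNs; take each leading cn= component."""
    names = []
    for dn in user_entry.get("memberOf", []):
        m = _CN_RE.match(dn.strip())
        if m:
            names.append(m.group(1))
    return names


# Constructed sample entry, shaped like what Active Directory returns.
SAMPLE_USER = {
    "dn": "cn=John Doe,ou=Staff,dc=ldap,dc=server,dc=org",
    "sAMAccountName": "jdoe",
    "memberOf": [
        "cn=webusers,ou=Groups,dc=ldap,dc=server,dc=org",
        "cn=admins,ou=IT,dc=ldap,dc=server,dc=org",
    ],
}

if __name__ == "__main__":
    print(build_user_filter("(&(objectClass=user)(sAMAccountName=%s))", "jdoe"))
    print(build_group_filter("(&(objectClass=group)(member=%d))", SAMPLE_USER["dn"]))
    print(groups_from_member_of(SAMPLE_USER))
```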