users@glassfish.java.net

LDAP integration "improperly specified input name" exception

From: <glassfish_at_javadesktop.org>
Date: Sat, 26 Jul 2008 21:56:52 PDT

Hello All,

We are attempting to migrate some applications from WebLogic and are testing Glassfish as an alternate solution. I am attempting to create an ldapRealm that does a basic connection to our ldap environment. We have an application that takes a basic login and prints the http headers after authentication which worked fine in WebLogic. When deployed in GF we are getting denied (403) and the exception below appears when we try to log in with my username. The error appears to be using our LDAP DN for authentication instead of using the UID, but I may be reading into it incorrectly.

Thanks for any help!

[i]Glassfish ldapRealm Configuration:[/i]
Name: [b]myrealm[/b]
Class Name: [b]com.sun.enterprise.security.auth.realm.ldap.LDAPRealm[/b]
JAAS Context: [b]ldapRealm[/b]
Directory: [b]ldap://ldapserver.example.com:389[/b]
Base DN: [b]dc=example,dc=com[/b]
Properties:
        search-bind-password: password
        search-bind-dn: [b]cn=LDAPAdmin,ou=SysAccounts,dc=example,dc=com[/b]
[i]web.xml[/i]:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>Glassfish LDAP Test Application</display-name>
  <distributable/>

<!-- grant access to all authenticated users -->

  <security-constraint>
     <web-resource-collection>
        <web-resource-name>glassfish-ldaptest</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
        <role-name>[b]everyone[/b]</role-name>
     </auth-constraint>
  </security-constraint>

   <login-config>
       <auth-method>[b]BASIC[/b]</auth-method>
       <realm-name>[b]myrealm[/b]</realm-name>
   </login-config>

    <security-role>
        <role-name>[b]everyone[/b]</role-name>
    </security-role>

</web-app>

[i]sun-web.xml[/i]:
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">

<sun-web-app>
  <security-role-mapping>
    <role-name>[b]everyone[/b]</role-name>
    <principal-name>[b]users[/b]</principal-name>
  </security-role-mapping>
</sun-web-app>

[i]Exception[/i]:
httpSSLWorkerThread-30202-1;(&(objectclass=groupofuniquenames)(objectclass=*groupofurls*));_RequestID=f0c25d44-6150-4103-9582-8a14f4bda3d4;|ldaplm.searcherror|#]

[#|2008-07-26T21:18:41.684-0700|WARNING|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=23;_ThreadName=httpSSLWorkerThread-30202-1;_RequestID=f0c25d44-6150-4103-9582-8a14f4bda3d4;|SEC1000: Caught exception.
java.lang.IllegalArgumentException:[b] improperly specified input name[/b]: expDN=PKLFOQIU,ou=people,dc=example,dc=com
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.dynamicGroupSearch(LDAPRealm.java:577)
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:427)
        ......
[Message sent by forum member 'benuwine' (benuwine)]

http://forums.java.net/jive/thread.jspa?messageID=289615
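Added example, not code from the post or from the GlassFish LDAPRealm: the trace fails inside the X500Principal constructor, which accepts only a fixed set of attribute-type keywords (CN, OU, DC, UID, O, C and the other RFC 2253/1779 names) or dotted OIDs, so a DN whose first RDN is the custom type expDN= is rejected with "improperly specified input name". This stand-alone Java 6+ program reproduces that rejection and shows the same DN accepted once the keyword is mapped to an OID; the OID and the user value are constructed placeholders.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/**
 * Demonstrates why X500Principal rejects a DN that starts with a
 * non-standard attribute type ("expDN") and how the keyword-map
 * constructor (Java 6+) lets the same DN parse.
 */
public class DnParseCheck {

    // DN shape taken from the exception in the post; the value is constructed.
    static final String CUSTOM_DN = "expDN=PKLFOQIU,ou=people,dc=example,dc=com";
    // Same entry addressed with a keyword X500Principal knows natively.
    static final String UID_DN = "uid=PKLFOQIU,ou=people,dc=example,dc=com";

    /** Returns the DN in RFC 2253 form, or null if X500Principal rejects it. */
    static String tryParse(String dn, Map<String, String> keywordMap) {
        try {
            return new X500Principal(dn, keywordMap).getName(X500Principal.RFC2253);
        } catch (IllegalArgumentException e) {
            // Same message as the trace: "improperly specified input name: ..."
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, String> none = Collections.emptyMap();

        // 1. Standard keywords (UID, OU, DC) parse; output is normalised to
        //    "UID=PKLFOQIU,OU=people,DC=example,DC=com".
        System.out.println("uid DN   -> " + tryParse(UID_DN, none));

        // 2. "expDN" is not in the built-in keyword table, so the constructor
        //    throws IllegalArgumentException exactly as in the GlassFish trace.
        System.out.println("expDN DN -> " + tryParse(CUSTOM_DN, none));

        // 3. Mapping the keyword to an OID makes the DN acceptable. Keys are
        //    matched in upper case; the OID is a placeholder under a private
        //    enterprise arc, not a real schema definition. The mapped attribute
        //    is rendered by its OID in the RFC 2253 output.
        Map<String, String> extra = new HashMap<String, String>();
        extra.put("EXPDN", "1.3.6.1.4.1.99999.1.1");
        System.out.println("mapped   -> " + tryParse(CUSTOM_DN, extra));
    }
}
```

Running it against a directory that returns custom-typed DNs is a quick way to confirm, before touching the realm configuration, whether the DN itself is what X500Principal refuses.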