users@glassfish.java.net

Re: LDAP integration "improperly specified input name" exception

From: <glassfish_at_javadesktop.org>
Date: Mon, 28 Jul 2008 11:03:56 PDT

Hi,

Thanks for the log.
>
>Just a little background here, in our
> LDAP environment we are required to change the DN
> attribute, removing the uid= portion and replacing it
> with the "expDN" attribute and the random character
> value. This is structured this way for every new user
> that comes in. So from what I can tell,
>

OK, now I understand where the exp was coming from.

> 1. The UID (in this case testuser) comes in and is
> verified by LDAP

correct.

> 2. The associated DN is then retrieved
> 3. For some reason the DN is being used for
> authentication instead of the UID (I may not know
> enough about this, perhaps it always happens this
> way).
The DN is not being used for authentication; authentication was successful, but the GF LDAPRealm then tries to do a dynamic group search using the filter: "(&(objectclass=groupofuniquenames)(objectclass=*groupofurls*))"

The returned groups are then added to the list of Caller Principals used for subsequent Authorization Policy Decisions by the Container.

> 4. the DN, since it's been modified, causes the
> authentication failure (or it works and I just don't
> have access. The latter is probably untrue as the
> web.xml should allow any authenticated user.)

As part of invoking the Dynamic Group Search it tries to construct the X500Principal, and since the DN is no longer syntactically valid we see the error below:

> Caused by: java.io.IOException: Invalid keyword "GNEDN"
>         at sun.security.x509.AVAKeyword.getOID(AVA.java:1251)
>         at sun.security.x509.AVA.<init>(AVA.java:175)
>         at sun.security.x509.AVA.<init>(AVA.java:128)
>         at sun.security.x509.RDN.<init>(RDN.java:134)
>         at sun.security.x509.X500Name.parseDN(X500Name.java:901)
>         at sun.security.x509.X500Name.<init>(X500Name.java:148)
>         at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
>         ... 47 more
> #|2008-07-28T09:01:19.466-0700|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=25;_ThreadName=httpSSLWorkerThread-30202-1;ClassName=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;MethodName=findAndBind;_RequestID=1c0b9214-b45e-48bf-b0a1-2871ac5cbfe2;|LDAP:Group search filter: uniquemember=expDN=PKLFOQIU,ou=people,dc=example,dc=com|#]

Unfortunately, the Dynamic Group Search does not seem to be optional, nor is the filter configurable through properties on the LDAPRealm. Is the change to the DN attribute unavoidable in your system?

If you file an issue, I can fix it ASAP and make it so that Dynamic Group Search can be disabled by a property. However, that will require you to switch to the latest SailFin build after I make the fix:

https://sailfin.dev.java.net/downloads/downloads.html

If you need the patch on V2 UR2, then you may want to consider signing up for support.

Thanks.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=289893
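The failure described in the reply above can be reproduced outside GlassFish. The following is an added example, not the poster's code and not GlassFish's LDAPRealm: it takes the DN quoted in the group-search filter, shows that javax.security.auth.x500.X500Principal rejects it with the "improperly specified input name" / "Invalid keyword" pair seen in the thread, and shows two ways the same DN does parse: registering the site-specific attribute type with the keyword-map constructor, or writing the type in dotted-decimal OID form. The OID used for "expDN" is a placeholder assumption (no real directory schema is claimed), and the RFC 4515 escaping helper is the editor's own addition to show how the DN should be placed into a search filter.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Collections;
import java.util.Map;

// Added example, not GlassFish code. Reproduces the parse failure discussed in the
// thread and shows how a parser that only knows the standard RFC 2253 keywords can
// be told about a site-specific attribute type.
public class DnParseCheck {

    // DN taken from the group-search filter quoted in the thread.
    static final String DN = "expDN=PKLFOQIU,ou=people,dc=example,dc=com";

    // Placeholder OID for the site-specific "expDN" attribute type (assumption,
    // chosen under the private-enterprise arc; substitute the real schema OID).
    static final String EXPDN_OID = "1.3.6.1.4.1.99999.1.1";

    /** Returns null when the DN parses, otherwise the root-cause message. */
    static String tryParse(String dn) {
        try {
            new X500Principal(dn);
            return null;
        } catch (IllegalArgumentException e) {
            // X500Principal wraps the parser's IOException ("Invalid keyword ...")
            // in IllegalArgumentException("improperly specified input name: ..."),
            // which is the message the thread subject refers to.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return root.getMessage();
        }
    }

    /**
     * Same parse with the keyword registered. Map keys must be upper case: the
     * parser upper-cases the keyword before the lookup, which is also why the
     * stack trace in the thread shows the offending keyword in capitals.
     */
    static String parseWithKeywordMap(String dn) {
        Map<String, String> keywordToOid = Collections.singletonMap("EXPDN", EXPDN_OID);
        X500Principal p = new X500Principal(dn, keywordToOid);
        // Without an oidMap, getName() would print the unknown type as an OID with a
        // hex-encoded value; the reverse map restores the readable keyword.
        Map<String, String> oidToKeyword = Collections.singletonMap(EXPDN_OID, "expDN");
        return p.getName(X500Principal.RFC2253, oidToKeyword);
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String filterEscape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The realm's dynamic group lookup keys on the member DN; escape it so that
        // characters legal in a DN cannot alter the filter structure.
        System.out.println("Group search filter: (uniquemember=" + filterEscape(DN) + ")");

        String err = tryParse(DN);
        System.out.println("Plain parse: " + (err == null ? "ok" : "failed: " + err));

        System.out.println("Parse with keyword map: " + parseWithKeywordMap(DN));

        // Dotted-decimal OID form is accepted without any map.
        String oidForm = DN.replace("expDN", EXPDN_OID);
        String err2 = tryParse(oidForm);
        System.out.println("Parse of OID form: " + (err2 == null ? "ok" : "failed: " + err2));
    }
}
```

Compile and run with `javac DnParseCheck.java && java DnParseCheck`. The plain parse fails with the "Invalid keyword" root cause; the two other parses succeed. This only shows what the JDK parser will accept; whether the realm can be made to pass a keyword map, or to skip the X500Principal construction, is the point the reply leaves to a GlassFish fix.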