hi,
thank you for your fast answer. i am using the GF 3.1 release build.
this spelling mistake of the glassfish-application.xml is not in the app :) i
know this because when i first introduced the glassfish-application.xml the
warnings that there is no role to group mapping defined were gone. e.g.
WARNUNG: No Principals mapped to Role [ADMIN]
i tried out the idea with the explicit role to principal mapping, and this
works. so my first guess that ldap can't make the group to role mapping is
correct. and i think it has something to do with the group-target entry from
the domain.xml, because in our ldap the groups the user belongs to are stored in
this property.
<security-role-mapping>
    <role-name>ADMIN</role-name>
    <principal-name>admin1</principal-name>
    <group-name>ADMIN</group-name>
</security-role-mapping>
the ldap settings should be ok. but i will ask someone responsible for ldap at our
company today.
here is the full stack trace from the group-target NPE:
WARNUNG: SEC1106: Error during LDAP search with filter [uniquemember=uid=admin1,o=company,c=com,dc=company].
WARNUNG: SEC1000: Caught exception.
java.lang.NullPointerException
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
        at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
        at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
        at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:240)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:153)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:483)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:425)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:269)
        at org.apache.catalina.authenticator.AuthenticatorBase.processSecurityCheck(AuthenticatorBase.java:909)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:546)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:619)
there is actually another error in the web admin panel, on Configurations
> server-config > Security > Realms > ldapRealm. if you are on the created
ldapRealm and add a property and save the page, it adds "" to the Directory:
and Base DN: fields. you have to manually edit the domain.xml to remove this
"", because it adds another pair every time you press save.
this is how it looks in the domain.xml after pressing save twice:
<auth-realm name="ldapRealm"
            classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property description="null" name="directory"
              value="""ldap://ldapserver:389"""></property>
    <property description="null" name="base-dn"
              value="""dc=company"""></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="search-bind-password" value="password"></property>
    <property name="search-bind-dn"
              value="uid=admin,cn=authuser,cn=test,dc=company"></property>
    <property name="group-target" value="ibm-allgroups"></property>
</auth-realm>
thank you again for your fast support :)
best, mike.
--
[Message sent by forum member 'mike_ko']
View Post: http://forums.java.net/node/783668
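The doubled-quote corruption mike describes is the kind of thing worth checking for mechanically before restarting the domain, since an LDAP realm whose directory URL reads `""ldap://...""` will fail every login. The script below is an added example, not code from the forum thread or from GlassFish: it parses a constructed domain.xml fragment modelled on the post's ldapRealm (in a well-formed file the stray quotes are stored as `&quot;` entities, which is what the console renders as `""`), reports and strips the stray quotes on every `<property>` of an `LDAPRealm`, and flags any of the directory, base-dn or jaas-context properties that are missing. The sample deliberately leaves out search-bind-password; the property list and the element path under `<domain>` are assumptions about the file layout, not taken from the post.

```python
"""Detect and strip stray surrounding quote characters that the GlassFish 3.1
admin console can add to <auth-realm> <property> values in domain.xml.

Added example, not code from the forum post or from GlassFish. The sample
fragment below is constructed; in a well-formed domain.xml the stray quotes
appear as &quot; entities inside the value attribute.
"""
import xml.etree.ElementTree as ET

# Constructed sample: directory and base-dn carry two stray quote pairs each,
# as after pressing Save twice in the console; the other properties are clean.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain>
  <configs>
    <config name="server-config">
      <security-service>
        <auth-realm name="ldapRealm"
                    classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
          <property description="null" name="directory"
                    value="&quot;&quot;ldap://ldapserver:389&quot;&quot;"/>
          <property description="null" name="base-dn"
                    value="&quot;&quot;dc=company&quot;&quot;"/>
          <property name="jaas-context" value="ldapRealm"/>
          <property name="search-bind-dn"
                    value="uid=admin,cn=authuser,cn=test,dc=company"/>
          <property name="group-target" value="ibm-allgroups"/>
        </auth-realm>
      </security-service>
    </config>
  </configs>
</domain>
"""

# Properties an LDAPRealm cannot work without (assumed minimal set); a missing
# one is reported, never filled in with a guessed value.
REQUIRED_LDAP_PROPERTIES = ("directory", "base-dn", "jaas-context")


def strip_stray_quotes(value):
    """Remove any number of leading and trailing double-quote characters."""
    return value.strip('"')


def audit_ldap_realms(xml_text):
    """Return (findings, repaired_xml).

    A finding is (realm_name, property_name, old_value, new_value) for a value
    that carried stray quotes, or (realm_name, property_name, None, None) for a
    required property that is absent from the realm.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for realm in root.iter("auth-realm"):
        if not realm.get("classname", "").endswith(".LDAPRealm"):
            continue  # only LDAP realms have these properties
        realm_name = realm.get("name")
        seen = set()
        for prop in realm.findall("property"):
            name = prop.get("name")
            seen.add(name)
            value = prop.get("value", "")
            cleaned = strip_stray_quotes(value)
            if cleaned != value:
                findings.append((realm_name, name, value, cleaned))
                prop.set("value", cleaned)  # repair in the parsed tree
        for name in REQUIRED_LDAP_PROPERTIES:
            if name not in seen:
                findings.append((realm_name, name, None, None))
    return findings, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, repaired = audit_ldap_realms(SAMPLE_DOMAIN_XML)
    for realm, name, old, new in found:
        if old is None:
            print(f"{realm}: required property '{name}' is missing")
        else:
            print(f"{realm}: '{name}' had stray quotes: {old!r} -> {new!r}")
    print(repaired)
```

Run it against a copy of the real domain.xml by reading the file into `audit_ldap_realms` and writing the repaired text back while the domain is stopped; the console re-adds the quotes on every save, so the check is worth repeating after any edit through the web panel.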