users@glassfish.java.net

Re: Glassfish 3.1 LDAP

From: Kumar.Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 22 Mar 2011 15:46:08 +0530

Thanks for the info...

Have you experimented with the group-search-filter property that I suggested?
Because the filter it was showing seemed wrong (Error during LDAP search with
filter [uniquemember=uid=admin1,o=company,c=com,dc=company].)

regards,
kumar

On 22/03/11 3:07 PM, forums_at_java.net wrote:
> hi,
>
> thank you for your fast answer. I am using the GF 3.1 release build.
>
> This spelling mistake in the glassfish-application.xml is not in the app :)
> I know this because when I first introduced the glassfish-application.xml
> the warnings that there is no role to group mapping defined were gone, e.g.
> WARNUNG: No Principals mapped to Role [ADMIN]
>
> I tried out the idea with the explicit role to principal mapping, and this
> works. So my first guess that ldap can't make the group to role mapping is
> correct. And I think it has something to do with the group-target entry
> from the domain.xml, because in our ldap the groups the user belongs to are
> stored in this property.
>
> <security-role-mapping>
>   <role-name>ADMIN</role-name>
>   <principal-name>admin1</principal-name>
>   <group-name>ADMIN</group-name>
> </security-role-mapping>
>
> The ldap settings should be ok, but I will ask an ldap responsible of our
> company today.
>
> here is the full stack trace from the group-target NPE:
>
> WARNUNG: SEC1106: Error during LDAP search with filter
> [uniquemember=uid=admin1,o=company,c=com,dc=company].
> WARNUNG: SEC1000: Caught exception.
> java.lang.NullPointerException
>     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
>     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
>     at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
>     at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
>     at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>     at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
>     at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:240)
>     at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:153)
>     at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:483)
>     at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:425)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:269)
>     at org.apache.catalina.authenticator.AuthenticatorBase.processSecurityCheck(AuthenticatorBase.java:909)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:546)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
>     at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
>     at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
>     at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
>     at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
>     at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
>     at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
>     at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
>     at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
>     at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
>     at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
>     at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
>     at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
>     at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
>     at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
>     at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
>     at java.lang.Thread.run(Thread.java:619)
>
>
> There is actually another error in the web admin panel, on
> Configurations > server-config > Security > Realms > ldapRealm. If you are
> on the created ldapRealm and add a property and save the page, it adds ""
> to the Directory: and Base DN: fields. You have to manually edit the
> domain.xml to remove this "", because it adds another pair every time you
> press save.
>
> This is how it looks in the domain.xml after pressing save twice:
>
> <auth-realm name="ldapRealm"
>             classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
>   <property description="null" name="directory"
>             value="&quot;&quot;ldap://ldapserver:389&quot;&quot;"></property>
>   <property description="null" name="base-dn"
>             value="&quot;&quot;dc=company&quot;&quot;"></property>
>   <property name="jaas-context" value="ldapRealm"></property>
>   <property name="search-bind-password" value="password"></property>
>   <property name="search-bind-dn"
>             value="uid=admin,cn=authuser,cn=test,dc=company"></property>
>   <property name="group-target" value="ibm-allgroups"></property>
> </auth-realm>
>
> thank you again for your fast support :)
>
> best, mike.
>
>
> --
>
> [Message sent by forum member 'mike_ko']
>
> View Post: http://forums.java.net/node/783668
>
>
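An added check for the two configuration problems discussed in this thread (example code, not GlassFish's own and not the poster's): it reads the LDAPRealm block out of a domain.xml fragment, peels off the quote pairs the admin console keeps adding to directory and base-dn, renders the group search filter the realm would send so it can be compared with the SEC1106 log line, and flags a clear-text search-bind-password. The sample XML is constructed from the one quoted above (host name and password are placeholders); the default template uniquemember=%d is assumed from the GlassFish LDAPRealm documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the domain.xml quoted in the thread; the doubled
# &quot; on directory/base-dn reproduces the admin-console save bug.
SAMPLE_DOMAIN_XML = """<security-service>
<auth-realm name="ldapRealm"
  classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="&quot;&quot;ldap://ldapserver:389&quot;&quot;"/>
  <property name="base-dn" value="&quot;&quot;dc=company&quot;&quot;"/>
  <property name="jaas-context" value="ldapRealm"/>
  <property name="search-bind-password" value="password"/>
  <property name="search-bind-dn" value="uid=admin,cn=authuser,cn=test,dc=company"/>
  <property name="group-target" value="ibm-allgroups"/>
</auth-realm></security-service>"""

# Assumption: LDAPRealm's documented default; %d expands to the user DN, %s to the user name.
DEFAULT_GROUP_SEARCH_FILTER = "uniquemember=%d"


def realm_properties(domain_xml, realm_name):
    """Return the <property> name/value pairs of the named <auth-realm>."""
    for realm in ET.fromstring(domain_xml).iter("auth-realm"):
        if realm.get("name") == realm_name:
            return {p.get("name"): p.get("value") for p in realm.findall("property")}
    raise KeyError("no auth-realm named %s" % realm_name)


def strip_stray_quotes(value):
    """Undo the console bug: peel off every layer of literal quotes it added."""
    while len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def effective_group_filter(props, user, user_dn):
    """Render the filter the realm sends, for comparison with the SEC1106 log line."""
    template = props.get("group-search-filter", DEFAULT_GROUP_SEARCH_FILTER)
    return template.replace("%d", user_dn).replace("%s", user)


def lint_realm(props):
    """Return human-readable findings for the realm's property set."""
    findings = []
    for key in ("directory", "base-dn"):
        if key in props and props[key] != strip_stray_quotes(props[key]):
            findings.append("%s: stray quotes, effective value [%s]" % (key, strip_stray_quotes(props[key])))
    if "group-search-filter" not in props:
        findings.append("group-search-filter unset; default [%s] applies" % DEFAULT_GROUP_SEARCH_FILTER)
    password = props.get("search-bind-password", "")
    if password and not password.startswith("${ALIAS="):
        findings.append("search-bind-password stored in clear text; use a password alias")
    return findings
```

Running `lint_realm(realm_properties(SAMPLE_DOMAIN_XML, "ldapRealm"))` reports both quoted values, the missing group-search-filter and the clear-text bind password; the rendered filter for admin1 reproduces the one in the SEC1106 line above.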