https://bz.apache.org/bugzilla/show_bug.cgi?id=64011

            Bug ID: 64011
           Summary: JNDIRealm no longer authenticates to LDAP
           Product: Tomcat 8
           Version: 8.5.50
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: m...@fireburn.co.uk
  Target Milestone: ----

This works in 8.5.49 and stops working in 8.5.50

jaas.conf:

ORDS {
   com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/compu...@realm.com"
    useKeyTab=true
    keyTab="krb5.keytab"
    storeKey=true;
};

ords.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
      loginConfigName="ORDS"
  />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
      connectionURL="ldap://ldap1:3268"
      alternateURL="ldap://ldap2:3268"
      userSearch="(sAMAccountName={0})"
      userBase="DC=realm,DC=com"
      userSubtree="true"
      roleSearch="(member={0})"
      roleBase="DC=realm,DC=com"
      roleName="CN"
      roleSubtree="true"
      allRolesMode="authOnly"
      spnegoDelegationQop="auth"
      stripRealmForGss="true"
      authentication="none"
      referrals="ignore"
      useDelegatedCredential="true"
  />
</Context>

This now gives the following error:

17-Dec-2019 13:16:30.754 SEVERE [https-jsse-nio-10843-exec-3] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
        javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839 ]; remaining name 'DC=realm,DC=com'
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
                at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
                at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
                at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
                at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1693)
                at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1528)
                at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1456)
                at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2354)
                at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2280)
                at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2260)
                at org.apache.catalina.realm.RealmBase.getPrincipal(RealmBase.java:1283)
                at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:501)
                at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:344)
                at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:329)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.Subject.doAs(Subject.java:360)
                at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:243)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:748)
