Hello: I have an OpenLDAP server running ldaps. It's a very simple and basic configuration that I use for identity management for Linux boxes. My structure is as follows:

Root DSE
  dc=mydomain,dc=com
    ou=group
      <entry>
        objectClass: posixGroup
        cn: admins
        gidNumber: 1001
        memberUid: test
    ou=people
        objectClass: account
        objectClass: posixAccount
        objectClass: shadowAccont
        cn: Test User
        gidNumber: 1000
        uid: test
        homeDirectory: /home/test
        uidNumber: 1003
        loginShell: /bin/bash
        userPassword: {SSHA} hashed password

I'm able to correctly configure the settings and connect to the server in the configuration screen using the following parameters:

  Server: ldaps://mydomain.com:636
  root DN: dc=mydomain,dc=com
  User search base: ou=people
  User search filter: uid={0}
  Group search base: ou=group
  Manager DN: cn=Manager,dc=purlogic,dc=biz
  Manager Password: <the correct password>

I know I'm correctly connecting this way as I don't see any red error messages and I can see the connection happen in my JBoss logs. I check the "Logged in users can do anything" radio button and click "Save". However, when I try and login with the test user, it says login failed. My JBoss log outputs the following error message:

-----------------------------------------------------------
09:32:55,258 INFO [hudson.security.AuthenticationProcessingFilter2] Login attempt failed: org.acegisecurity.AuthenticationServiceException: Failed to obtain InitialDirContext due to unexpected exception; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: Failed to obtain InitialDirContext due to unexpected exception; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
    at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238) [:]
    at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119) [:]
    at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195) [:]
    at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45) [:]
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71) [:]
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252) [:]
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) [:]
    at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173) [:]
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) [:]
    at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61) [:]
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) [:]
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) [:]
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66) [:]
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) [:]
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76) [:]
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164) [:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81) [:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.0.0.Final]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [:6.0.0.Final]
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.0.0.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [:6.0.0.Final]
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.0.0.Final]
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.0.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [:6.0.0.Final]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.0.0.Final]
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.0.0.Final]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.0.0.Final]
    at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.0.0.Final]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.0.0.Final]
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:504) [:6.0.0.Final]
    at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:437) [:6.0.0.Final]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
    at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
Caused by: org.acegisecurity.ldap.LdapDataAccessException: Failed to obtain InitialDirContext due to unexpected exception; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
    at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:193) [:]
    at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:261) [:]
    at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123) [:]
    at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165) [:]
    at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87) [:]
    at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72) [:]
    at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49) [:]
    at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233) [:]
    ... 38 more
Caused by: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2982) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) [:1.6.0_26]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) [:1.6.0_26]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) [:1.6.0_26]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) [:1.6.0_26]
    at javax.naming.InitialContext.init(InitialContext.java:223) [:1.6.0_26]
    at javax.naming.InitialContext.<init>(InitialContext.java:197) [:1.6.0_26]
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82) [:1.6.0_26]
    at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:180) [:]
    ... 45 more
---------------------------------------------

I really do believe that I have a valid DN setting, as the JBoss logs will show the unencrypted response from the LDAP server, which contains all of the information from that user. I'm really stumped on what could be the issue. Any insight would be greatly appreciated, thanks!
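
Added example, not part of the original post and not Jenkins or Acegi code: LDAP result code 34 is invalidDNSyntax, so one offline check is to parse every DN string the settings above can produce and report which one fails. It assumes the search bases are relative to the root DN; the function names are hypothetical, and the parser is a simplified RFC 4514 check (RDN separators, escapes, attribute types), not a full implementation.

```python
import re

# Attribute type: short name or dotted numeric OID (RFC 4514 / RFC 4512).
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def split_unescaped(text, sep):
    """Split on sep, skipping occurrences escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def dn_problems(dn):
    """Return syntax problems found in dn; an empty list means it parses."""
    problems = []
    if dn == "":
        return problems  # the empty DN is syntactically valid
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            attr, eq, _value = ava.strip().partition("=")
            if not eq:
                problems.append(f"no '=' in component {ava!r}")
            elif not ATTR_TYPE.match(attr.strip()):
                problems.append(f"bad attribute type {attr!r}")
    return problems

def check_config(cfg):
    """Validate each DN the settings produce (bases assumed relative to root)."""
    def join(base):
        return ",".join(p for p in (base, cfg["root_dn"]) if p)
    candidates = {
        "root DN": cfg["root_dn"],
        "manager DN": cfg["manager_dn"],
        "user search base": join(cfg["user_search_base"]),
        "group search base": join(cfg["group_search_base"]),
    }
    return {name: dn_problems(dn) for name, dn in candidates.items()}

# Values as given in the post above.
PAGE_CONFIG = {"root_dn": "dc=mydomain,dc=com", "manager_dn": "cn=Manager,dc=purlogic,dc=biz",
               "user_search_base": "ou=people", "group_search_base": "ou=group"}

if __name__ == "__main__":
    for name, problems in check_config(PAGE_CONFIG).items():
        print(name, "->", problems or "ok")
```

A clean result here only rules out malformed strings in these four fields; a DN can still be rejected by the server for reasons this syntax check does not cover.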