Am 13.03.2013 21:46, schrieb Eugène Adell:
Hello
I am running the following :
java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
Tomcat 7.0.37
CentOS release 6.3
with this REALM configuration in server.xml :
<Realm
className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://***.***.***.***:389";
userPattern="cn={0},ou=users,dc=example,dc=com"
roleBase="ou=groups,dc=example,dc=com"
roleSubtree="true"
roleNested="true"
roleName="cn"
roleSearchAsUser="true"
roleSearch="(uniqueMember={0})" />
and this triggers this error during the startup :
Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - anonymous bind disallowed]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at
org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
at
org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
...
... 27 more
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 34 ms
From what I understand, roleSearchAsUser property was designed for
people who need to bind on any LDAP where anonymous bind is not
authorized. But it's just impossible to do this if the JNDI Realm
tries to authenticate anonymously by itself during the startup.
I read the docs as follows:
If your directory server does not allow to scan for roles as anonymous
user and you don't want to configure a technical user (by specifying
connectionName and connectionPassword) you can delegate the credentials
of the user that is currently logging in.
It is not intended to set the user credentials for all ldap operations.
The easiest way to fix it, is to setup an technical user inside your
directory, which has no right other than to login and lookup your users,
which would be the next operation.
Regards
Felix
I suppose it's necessary to investigate further this bug :
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
