[MGNLLDAP-31] Cannot resolve attributes from AD if entry is in a different subtree than the one used as initialSearchAttributes
Created: 07/Oct/08  Updated: 27/Nov/13  Resolved: 07/Nov/08

Status: Closed
Project: LDAP Connector
Component/s: None
Affects Version/s: None
Fix Version/s: 1.3

Type: Improvement
Priority: Major
Reporter: Tobias Bösch
Assignee: Teresa Miyar
Resolution: Fixed
Votes: 0
Labels: businesscritical
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Magnolia Enterprise 3.5.8 running on Centos 5.1 32bit


Attachments: Picture 2.png (PNG file)

Description

I am setting up the AD connection as ssoSlave following CAS authorisation. I have some success using these settings:

initialSearchAttributes=cn=AdminAccounts,dc=rtsi,dc=ch
uid=userPrincipalName

in ad.properties. Using these and an account in the AdminAccounts subtree, I can log in.

I guess that users could also be in other subtrees if they are not Administrators, therefore I would actually like to do something similar to this search:

[tboesch@server-03-11 config]$ ldapsearch -a never -H ldap://ip-of-ldap -x -W -D 'cnldap-read-cn' -b 'dc=rtsi,dc=ch' userPrincipalName=G*****CH@rtsi.ch

i.e. use dc=rtsi,dc=ch as the search base. This leads to these settings in ad.properties:

initialSearchAttributes=dc=rtsi,dc=ch
uid=userPrincipalName

When I change to these, however, I get the following: Unprocessed Continuation Reference(s) (full trace at the end)

This could mean that the search is not following referrals, but that should not be the problem, since ldapsearch does not follow referrals either. I added these anyway:

java.naming.referral=follow
java.naming.ldap.referral.limit=10

to ad.properties, but without any luck. So they are either not picked up or something else goes wrong here.

I found this on the net: http://forums.sun.com/thread.jspa?messageID=1679534 (see attached picture)

Trace:

ERROR info.magnolia.cms.security.SecuritySupportBase SecuritySupportBase.java(logLoginException:85) 09.08.2008 13:44:18 Can't login due to:
javax.security.auth.login.LoginException: Unprocessed Continuation Reference(s)
at info.magnolia.jaas.sp.ldap.ADAuthenticationModule.validateUser(ADAuthenticationModule.java:74)
at info.magnolia.jaas.sp.AbstractLoginModule.login(AbstractLoginModule.java:194)
at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at info.magnolia.cms.security.SecuritySupportBase.authenticate(SecuritySupportBase.java:61)
at info.magnolia.cms.security.auth.login.CASLogin.handle(CASLogin.java:66)
at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:65)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:70)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:71)
at info.magnolia.enterprise.registration.RegistrationFilter.doFilter(RegistrationFilter.java:54)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:70)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:71)
at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:73)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:70)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:71)
at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:72)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:70)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:71)
at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:64)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:70)
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:98)
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:199)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:595)



Comments
Comment by Teresa Miyar [ 07/Nov/08 ]

Fixed issue by adding suggested change.

Comment by Jan Haderka [ 27/Mar/09 ]

Fixed as of r19766
http://svn.magnolia.info/view?view=rev&revision=19766

Comment by Magnolia International [ 26/Oct/10 ]

The change done here only "hides" the actual problem; the referral properties are currently not passed to the context, so they're simply ignored if present in the config.
See MGNLLDAP-39 for related discussion.
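The description's configuration (a subtree search from dc=rtsi,dc=ch on userPrincipalName, with java.naming.referral settings in ad.properties) and the last comment's point (those settings never reach the JNDI context) can both be shown in one place. The following is an added illustration written for this ticket, not Magnolia's or the LDAP Connector's code: it forwards every java.naming.* key from the properties file into the JNDI environment, runs the subtree search with the search value escaped per RFC 4515 so a login name cannot change the filter, and handles the PartialResultException that AD's continuation references produce. The property keys java.naming.provider.url, bindDn and bindPassword, the class name and the sample UPN are assumptions for the example; initialSearchAttributes and uid are the keys from the ticket.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical example (not Magnolia code): resolve a user's DN anywhere below a
 * search base in Active Directory, passing the java.naming.* settings from
 * ad.properties through to the JNDI environment.
 */
public class AdSubtreeLookup {

    /** Build the JNDI environment. Every java.naming.* key in the file is forwarded. */
    static Hashtable<String, Object> buildEnv(Properties props) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, props.getProperty("bindDn"));         // assumed key
        env.put(Context.SECURITY_CREDENTIALS, props.getProperty("bindPassword")); // assumed key
        // java.naming.provider.url, java.naming.referral and java.naming.ldap.referral.limit
        // all share this prefix. Without this loop the referral settings from the ticket sit
        // unused in ad.properties and the provider keeps its default ("ignore"), which against
        // AD surfaces as PartialResultException "Unprocessed Continuation Reference(s)".
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith("java.naming.")) {
                env.put(key, props.getProperty(key));
            }
        }
        return env;
    }

    /** Escape a value for an LDAP filter (RFC 4515) so user input cannot alter the query. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Subtree search for exactly one entry whose uidAttribute equals userId.
     * Returns the DN, or null if nothing matched. Two matches are an error:
     * entries sharing a login name must not be able to authenticate as each other.
     */
    static String findUserDn(DirContext ctx, String searchBase, String uidAttribute, String userId)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { uidAttribute });
        String filter = "(" + uidAttribute + "=" + escapeFilterValue(userId) + ")";
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, controls);
        String dn = null;
        try {
            while (results.hasMore()) {
                SearchResult entry = results.next();
                if (dn != null) {
                    throw new NamingException("more than one entry matches " + filter);
                }
                dn = entry.getNameInNamespace();
            }
        } catch (PartialResultException e) {
            // Thrown by hasMore() when referrals are ignored: AD appends continuation
            // references for its other naming contexts after the real entries. Every
            // entry of the domain partition has already been delivered at this point.
        } finally {
            results.close();
        }
        return dn;
    }

    public static void main(String[] args) throws IOException, NamingException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "ad.properties")) {
            props.load(in);
        }
        DirContext ctx = new InitialDirContext(buildEnv(props));
        try {
            String dn = findUserDn(ctx,
                    props.getProperty("initialSearchAttributes"),      // e.g. dc=rtsi,dc=ch
                    props.getProperty("uid"),                          // e.g. userPrincipalName
                    args.length > 1 ? args[1] : "someone@rtsi.ch");    // sample UPN, constructed
            System.out.println(dn == null ? "no match" : "found " + dn);
        } finally {
            ctx.close();
        }
    }
}
```

With java.naming.referral=follow the provider chases the continuation references instead, which only works if the server names they point at resolve from the application host; an alternative that avoids the referrals altogether is to point java.naming.provider.url at the global catalog port (3268, or 3269 for LDAPS), since a global catalog search of the domain root does not return continuation references for the domain's subordinate naming contexts.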

Generated at Mon Feb 12 02:20:54 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.