Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: LDAP
    • Labels:
      None
    • Environment:
      tested with Apache DS.

      Description

      Seems simple binding (without retrieving roles) does not work anymore. This would work in 2.0.3:

      <ldap-authentication-provider user-dn-pattern="cn={0},ou=people,o=tudu" />

      As well as this:

      <ldap-authentication-provider user-search-filter="(cn={0})" user-search-base="ou=people,o=tudu" />

      Authentication attempts now launch the following exception: LDAP: error code 80 - failed on search operation: Unexpected exception.]; remaining name ''

      Adding the group search base makes both working:

      <ldap-authentication-provider user-search-filter="(cn={0})" user-search-base="ou=people,o=tudu" group-search-base="ou=groups,o=tudu" />
      <ldap-authentication-provider user-dn-pattern="cn={0},ou=people,o=tudu" group-search-base="ou=groups,o=tudu" />

      Perhaps something to do with SEC-963 (http://jira.springframework.org/browse/SEC-963).

      Being not a LDAP guru, I attached the ldif just in case my directory is not correct.

      1. tudu.ldif
        1 kB
        Arnaud Cogoluegnes

        Activity

        luke Luke Taylor added a comment -

        This doesn't seem to be a problem with the existing unit tests where they don't provide the group-search-base. Could you possibly provide a test case which demonstrates the problem? The full configuration and whether you are using an embedded server or some other external server would also be useful.

        acogoluegnes Arnaud Cogoluegnes added a comment -

        I enclosed a small Maven 2 project:

        • launch mvn test (works because Spring Security version is 2.0.3)
        • change Spring Security version to 2.0.4 in pom.xml
        • launch mvn test (does not work any more)
        luke Luke Taylor added a comment -

        The full exception I get when running with your test and 2.0.4 is

        Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.693 sec <<< FAILURE!
        testLdapTests(org.springframework.security.SimpleBindingTest) Time elapsed: 1.668 sec <<< ERROR!
        org.springframework.security.AuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 33 - failed on search operation: Unexpected exception.:
        SearchRequest
        baseDn : ''
        filter : '(2.5.4.50=cn=acogoluegnes, ou=people, o=tudu) '
        scope : whole subtree
        typesOnly : false
        no limit
        Time Limit : no limit
        Deref Aliases : deref Always
        attributes : 'javaRemoteLocation', 'javaSerializedData', 'objectClass', 'cn', 'javaClassName', 'javaCodeBase', 'javaClassNames', 'javaReferenceAddress', 'javaFactory'
        :
        org.apache.directory.server.core.interceptor.InterceptorException: Unexpected exception. [Root exception is java.lang.ClassCastException: org.apache.directory.shared.ldap.filter.SimpleNode]
        at org.apache.directory.server.core.interceptor.InterceptorChain.throwInterceptorException(InterceptorChain.java:1510)
        at org.apache.directory.server.core.interceptor.InterceptorChain.access$700(InterceptorChain.java:52)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.search(InterceptorChain.java:1271)
        at org.apache.directory.server.core.interceptor.BaseInterceptor.search(BaseInterceptor.java:202)

        (always post the full exception trace in preference to the error message). So the cause is a ClassCastException within Apache

        So this looks like an internal problem with Apache Directory, possibly because you are using their AbstractServerTestCase.

        luke Luke Taylor added a comment -

        I was able to get the supplied ldif file working with the following test code:

        context = new InMemoryXmlApplicationContext("<ldap-server port='53389' root='o=tudu' ldif='classpath:tudu.ldif'/> <ldap-authentication-provider user-dn-pattern='cn={0},ou=people' />");
        AuthenticationManager authManager = (AuthenticationManager) context.getBeansOfType(AuthenticationManager.class).values().iterator().next();
        authManager.authenticate(new UsernamePasswordAuthenticationToken("acogoluegnes","mdp4arno"));

        I don't think there is a Spring Security problem here - at least there is no evidence of one.

        It's worth adding the following log4j.properties file to your maven test resources directory so you can see what's going on - particularly what Apache DS is doing:

        log4j.rootLogger=INFO, stdout, fileout
        log4j.logger.org.springframework.security=DEBUG
        log4j.logger.org.apache.directory=DEBUG
        log4j.appender.stdout=org.apache.log4j.ConsoleAppender
        log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
        log4j.appender.stdout.layout.conversionPattern=[%p,%c{1},%t] %m%n

        luke Luke Taylor added a comment -

        Closing the issue as the original error is coming from ApacheDS. If you come up with some more detailed evidence of a problem please open a new issue.

        pmularien Peter Mularien added a comment -

        FWIW I was able to reproduce issues similar to this with ApacheDS when I did not specify a group-search-base. It seems that ApacheDS doesn't deal well with searches that don't have an explicitly stated root (aka partition).
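
        The check below is an added example, not part of the original thread and not Spring Security code: it scans a configuration for ldap-authentication-provider elements that leave group-search-base unset, the case where the trace in this thread shows the search being sent with baseDn ''. Treating a user-search-filter without user-search-base the same way is an assumption of this example, and the sample XML is constructed from the snippets in the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration: the reporter's two failing forms, one
# working form, and a namespaced element that omits user-search-base.
SAMPLE = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <ldap-authentication-provider user-dn-pattern="cn={0},ou=people,o=tudu" />
  <ldap-authentication-provider user-search-filter="(cn={0})"
      user-search-base="ou=people,o=tudu" />
  <ldap-authentication-provider user-dn-pattern="cn={0},ou=people,o=tudu"
      group-search-base="ou=groups,o=tudu" />
  <sec:ldap-authentication-provider user-search-filter="(cn={0})"
      group-search-base="ou=groups,o=tudu" />
</beans>"""

ELEMENT = "ldap-authentication-provider"


def local_name(tag):
    """Drop an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def is_blank(elem, attr):
    """True when the attribute is absent or contains only whitespace."""
    return not elem.get(attr, "").strip()


def audit_ldap_providers(xml_text):
    """Return (element_index, attribute, reason) for each search left at base DN ''."""
    findings = []
    providers = [e for e in ET.fromstring(xml_text).iter()
                 if local_name(e.tag) == ELEMENT]
    for index, elem in enumerate(providers, start=1):
        if is_blank(elem, "group-search-base"):
            findings.append((index, "group-search-base",
                             "group search has no base DN"))
        # A user search only happens when a filter is configured (assumption).
        if elem.get("user-search-filter") and is_blank(elem, "user-search-base"):
            findings.append((index, "user-search-base",
                             "user search has no base DN"))
    return findings


if __name__ == "__main__":
    for index, attr, reason in audit_ldap_providers(SAMPLE):
        print(f"{ELEMENT} #{index}: set {attr} ({reason})")
```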


          People

          • Assignee:
            luke Luke Taylor
            Reporter:
            acogoluegnes Arnaud Cogoluegnes
          • Votes:
            0
            Watchers:
            0
