[ApacheDS] authentication problem
| Jeff Lansing 2005-12-16, 5:45 pm |
| Hi,
I am having problems connecting to the ldap server. (I am using an 0.9.4
SNAPSHOT build created today. I did not have these problems with 0.9.3)
I can connect with JXplorer, as admin, and add a user, for instance with the
newuser.ldif example. I can see the new user in JXplorer. I can then
disconnect and reconnect as uid=jdoe,ou=users,ou=system with JXplorer.
However, none of the examples on the page
http://directory.apache.org/subproj...entication.html
will work. For example:
C:\openldap>ldapsearch -D 'uid=admin,ou=system' -h localhost -p 10389 -x -w
secret -s one -b 'ou=users,ou=system' '(uid=jdoe)'
ldap_bind: Invalid credentials (49)
additional info: Bind failed
More importantly (to me), I can no longer search programmatically for users,
as in:
InitialDirContext ctx = new InitialDirContext();
LdapName name = new LdapName("ou=users");
Attributes attributes = new LockableAttributesImpl();
attributes.put("uid", "jdoe");
NamingEnumeration ne = ctx.search(name, attributes);
which returns nothing.
I know the user is there because I can connect as that user with JXplorer.
Surely I am doing something stupid, but I just don't see what.
Any suggestions?
Jeff
| |
| Stefan Zoerner 2005-12-17, 7:45 am |
| Jeff Lansing wrote:
> ...
> However, none of the examples on the page
> http://directory.apache.org/subproj...entication.html
> will work. For example:
>
> C:\openldap>ldapsearch -D 'uid=admin,ou=system' -h localhost -p 10389 -x -w
> secret -s one -b 'ou=users,ou=system' '(uid=jdoe)'
> ldap_bind: Invalid credentials (49)
> additional info: Bind failed
>
> ...
>
> Any suggestions?
>
Hi Jeff!
At least for this one. I was able to reproduce this error and recommend
not to use '...' for the -D argument, but "..." (actually, for all of
the args!).
Which OS and LDAP clients do you use? I was able to reproduce it on
Windows XP with the IBM TivoliDS LDAP client:
C:\>ldapsearch -h magritte -p 10389 -b "ou=users,ou=system" -s base -D
'uid=admin,ou=system' -w secret "(objectclass=*)"
ldap_simple_bind: Invalid credentials
C:\>ldapsearch -h magritte -p 10389 -b "ou=users,ou=system" -s base -D
"uid=admin,ou=system" -w secret "(objectclass=*)"
ou=users,ou=system
objectClass=organizationalUnit
objectClass=top
ou=users
The same effect does not happen e.g. on Solaris9/bash with Sun's own
ldapsearch. Here it doesn't matter whether one uses -D '...' or -D "..."
(this is why the example docs probably worked for the author, s/he used
a different environment).
Tell us whether it works for you now when you use -D "...". If yes, we
should update the examples.
Greetings from Hamburg,
Stefan
| |
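What the quote change fixes, as an added example that is not part of the original thread: cmd.exe and the Windows C runtime treat only double quotes as argument delimiters, so a single-quoted -D value reaches the client with the quote characters still attached. The splitter below is a simplified model with hypothetical function names, run over the command from the thread; it assumes the client receives its arguments through the standard Windows C-runtime splitting.

```python
import shlex

# Command from the thread, and the same command with "..." quoting instead.
SINGLE_QUOTED = ("ldapsearch -D 'uid=admin,ou=system' -h localhost -p 10389 -x "
                 "-w secret -s one -b 'ou=users,ou=system' '(uid=jdoe)'")
DOUBLE_QUOTED = SINGLE_QUOTED.replace("'", '"')


def split_posix(line):
    """POSIX shell rules: both '...' and "..." group words and are removed."""
    return shlex.split(line, posix=True)


def split_windows(line):
    """Simplified model of Windows argv splitting: only "..." groups words and
    is removed; ' is an ordinary character. Backslash escapes are not modelled."""
    args, current, in_quotes, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        args.append("".join(current))
    return args


def bind_dn(line, platform):
    """Return the -D value exactly as the LDAP client would receive it."""
    argv = split_windows(line) if platform == "windows" else split_posix(line)
    return argv[argv.index("-D") + 1]


def has_stray_quotes(dn):
    """Pre-bind sanity check: a DN wrapped in ' ' was likely quoted for another shell."""
    return len(dn) >= 2 and dn[0] == dn[-1] == "'"


if __name__ == "__main__":
    for label, line in (("single", SINGLE_QUOTED), ("double", DOUBLE_QUOTED)):
        for platform in ("posix", "windows"):
            dn = bind_dn(line, platform)
            print(f"{label:6} {platform:7} -D -> {dn!r} stray={has_stray_quotes(dn)}")
```

A check like `has_stray_quotes` in a wrapper script, or logging the bind DN the client actually sent, separates a quoting mistake from a wrong password, since both surface as the same error 49.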
| Jeff Lansing 2005-12-19, 5:45 pm |
| Stefan,
> Which OS and LDAP clients do you use? I was able to reproduce it on
> Windows XP with the IBM TivoliDS LDAP client:
....
> Tell us whether it works for you now when you use -D "...". If yes, we
> should update the examples.
I am using Windows XP with openldap 2.2.19. If I change the quotes as you
suggest then the examples work ok.
Thanks,
Jeff
| |
| Stefan Zoerner 2005-12-19, 5:45 pm |
| Jeff Lansing wrote:
>
> I am using Windows XP with openldap 2.2.19. If I change the quotes as you
> suggest then the examples work ok.
>
Thank you for your valuable feedback, Jeff. In order to prevent others
from falling into this trap, I have modified the type of quotes in the
LDAP command line tool examples here:
http://directory.apache.org/subproj...entication.html
How about your other problem? Does it still exist? You told us about a
code snippet like this:
InitialDirContext ctx = new InitialDirContext();
LdapName name = new LdapName("ou=users");
Attributes attributes = new LockableAttributesImpl();
attributes.put("uid", "jdoe");
NamingEnumeration ne = ctx.search(name, attributes);
Can you provide information about the JNDI config you use (file
jndi.properties, for instance)? Is it the LDAP provider from Sun, and
are you talking about the network with plain LDAP?
If so, I do not understand why you use class LockableAttributesImpl,
which is not part of JNDI. In order to create portable client code,
class javax.naming.directory.BasicAttributes should work for you.
Greetings, Stefan
| |
| Jeff Lansing 2005-12-19, 5:45 pm |
| Stefan,
> How about your other problem? Does it still exist? You told us about a
> code snippet like this:
>
> InitialDirContext ctx = new InitialDirContext();
> LdapName name = new LdapName("ou=users");
> Attributes attributes = new LockableAttributesImpl();
> attributes.put("uid", "jdoe");
> NamingEnumeration ne = ctx.search(name, attributes);
>
> Can you provide information about the JNDI config you use (file
> jndi.properties, for instance)? Is it the LDAP provider from Sun, and
> are you talking about the network with plain LDAP?
The other problem was my fault. I didn't realize that the password attribute
was now returned as a byte[]. (I think formerly it was a String.)
We have embedded ApacheDS in our application. We could use the Sun provider,
but by embedding the directory, it starts up and stops at the same time as
our other services. Of course we can also talk to the directory itself with
an LDAP client (JXplorer, say).
Our application is based on the Globus ws-core, which uses JNDI for all of
its configuration, based on (lots of) jndi-config.xml files. We added an
additional layer by writing a custom InitialContextFactory that returns
InitialContexts that wrap the LDAP ones, but translate J2EE style names to
LdapNames (i.e., java:/comp/env/foo gets translated to dn=foo, dn=env,
dn=comp, ou=j2ee, ou=system), and vice-versa. In this way we keep all of the
Globus configuration in the directory, where it can be dynamically modified,
persisted, etc. without changing any of their code.
Jeff
| |
| Emmanuel Lecharny 2005-12-19, 5:45 pm |
| Hi Jeff,
btw, what about the test you launched Friday? Has it run OK? No
synchronization problems, no memory leaks?
Thanks for the feedback!
--Emmanuel
| |
| Jeff Lansing 2005-12-19, 5:45 pm |
| So far no synchronization problems. I don't know about memory leaks; I'll
start watching for that.
Jeff