Apache Directory Project mailing list archive, December 2007
[bigbang] Internal bind problem
Enrique Rodriguez 2007-12-18, 7:11 pm
Hi, Directory developers,
I'm trying to get the kerberos-client working, to replace JAAS and to
get some integration tests live for SASL GSSAPI. I found the
following problem trying to get SASL GSSAPI working in 'bigbang'. The
problem is that in the findPrincipal# method of DefaultBindHandler, an
LdapPrincipal is created to do an internal bind to the backend.
However, this bind is rejected because the name must be normalized
(see exception). FWIW, I noticed ServerDNConstants has a String
constant for the normalized name. Can this be used to "shotgun"
create a normalized admin principal?
What is the recommended way to bind to the directory service internally?
The code where the bind is attempted (in DefaultBindHandler):
...
    LdapPrincipal principal = new LdapPrincipal(
        new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN ), AuthenticationLevel.SIMPLE );
    ctx = ldapServer.getDirectoryService().getJndiContext(
        principal, ldapServer.getSearchBaseDn() );
...
The resulting exception (which is swallowed, BTW):
java.lang.IllegalStateException: Names used for principals must be normalized!
at org.apache.directory.server.core.authn.LdapPrincipal.<init>(LdapPrincipal.java:72)
at org.apache.directory.server.ldap.support.DefaultBindHandler.findPrincipal(DefaultBindHandler.java:514)
at org.apache.directory.server.ldap.support.DefaultBindHandler.getSubject(DefaultBindHandler.java:469)
at org.apache.directory.server.ldap.support.DefaultBindHandler.handleSaslAuth(DefaultBindHandler.java:317)
at org.apache.directory.server.ldap.support.DefaultBindHandler.bindMessageReceived(DefaultBindHandler.java:727)
at org.apache.directory.server.ldap.support.BindHandler.messageReceived(BindHandler.java:48)
at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:141)
...
Enrique
Emmanuel Lecharny 2007-12-19, 7:11 am
Hi Enrique,
you can use the ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED constant.
It's a normalized form of the admin principal.
Try this guy, and tell us if it solves the problem.
Emmanuel
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
Enrique Rodriguez 2007-12-19, 7:11 pm
On Dec 19, 2007 12:14 AM, Emmanuel Lecharny <elecharny-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi Enrique,
>
> you can use the ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED constant.
> It's a normalized form of the admin principal.
I saw this constant, but the problem is that the LdapPrincipal
constructor calls LdapDN#isNormalized() and throws the
IllegalStateException. I would need to create the LdapDN with the
above normalized constant AND somehow set isNormalized to return
'true'.
Anyway, I got around this (for now) by noticing that an alternate form
of the LdapPrincipal constructor won't evaluate the
LdapDN#isNormalized and thus won't ever throw the
IllegalStateException. I just have to pass in a null userPassword.
This doesn't feel like a real solution, but it does allow me to have
SASL GSSAPI integration tests working again.
Enrique
Alex Karasulu 2007-12-19, 7:11 pm
Hi Enrique,
You're right, we have to find a better way to deal with this problem. I did
not have the time to do this right, but I added the exception to warn folks
like you of some serious bugs that could result from not using a
normalized DN.
I really would stay away from using the overloaded version of the method
that does not require a normalized DN; if you could, please make that one
throw an exception as well. The best thing to do is to normalize the DN.
You can do this by getting a handle on the directoryService and using that
to get access to the attributeType registry. Then use this to get the
normalizer to attribute type mapping that is fed into the normalize() method
as the argument.
HTH,
Alex
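The normalization Alex describes (a normalizer mapping from the attributeType registry fed into LdapDN.normalize()), together with the isNormalized() guard Enrique says he will add to the other constructor form, written out as one added example; this is not code from the thread or from the ApacheDS tree. Assumed from memory of the 1.5-era API and not confirmed by the thread: the import packages, DirectoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping(), LdapDN.normalize(Map) and getJndiContext() returning an LdapContext; the class InternalAdminBind and its methods are hypothetical.

```java
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.OidNormalizer;

/** Hypothetical helper (added example): internal admin bind with a normalized principal. */
public final class InternalAdminBind
{
    private InternalAdminBind() {}

    /** Mirrors the check in the two-arg LdapPrincipal constructor; apply it before the
     *  userPassword overload too, so that form cannot be used to skip the invariant. */
    static LdapDN requireNormalized( LdapDN dn )
    {
        if ( !dn.isNormalized() )
        {
            throw new IllegalStateException( "Names used for principals must be normalized!" );
        }
        return dn;
    }

    /** Builds the admin principal from a DN normalized with the server's own schema. */
    public static LdapPrincipal adminPrincipal( DirectoryService service ) throws NamingException
    {
        // attribute name/OID -> OidNormalizer mapping, taken from the schema registries (assumed API)
        Map<String, OidNormalizer> oidsMap =
            service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();

        LdapDN adminDn = new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN );
        adminDn.normalize( oidsMap );   // canonical, OID-keyed form; isNormalized() is now true

        return new LdapPrincipal( requireNormalized( adminDn ), AuthenticationLevel.SIMPLE );
    }

    /** The internal bind from DefaultBindHandler.findPrincipal, done with that principal. */
    public static LdapContext bindAsAdmin( LdapServer ldapServer ) throws NamingException
    {
        DirectoryService service = ldapServer.getDirectoryService();
        return service.getJndiContext( adminPrincipal( service ), ldapServer.getSearchBaseDn() );
    }
}
```

Normalizing against the live registries rather than hard-coding the normalized string keeps the principal consistent with whatever attribute aliases and matching rules the running schema defines, which is what the isNormalized() invariant is protecting.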
Enrique Rodriguez 2007-12-19, 7:11 pm
On Dec 19, 2007 2:33 PM, Alex Karasulu <akarasulu-1oDqGaOF3Lkdnm+yROfE0A@public.gmane.org> wrote:
> ...
> I really would stay away from using the overloaded version of the method
> that does not require a normalized DN , if you could please make that one
> throw an exception as well. The best thing to do is to normalize the DN.
> You can do this by getting a handle on the directoryService and using that
> to get access to the attributeType registry. Then use this to get the
> normalizer to attribute type mapping that is fed into the normalize() method
> as the argument.
1) OK, these are more the steps to get this working that I was
picturing. I will try this.
2) I haven't looked yet, but KdcServer fails if anonymous access is
disabled. I suspect this is due to a similar issue, that KdcServer is
not yet wired properly to access the directory service using a proper
admin principal.
3) I will add the check to throw an IllegalStateException to the
other form of the LdapPrincipal constructor.
4) I noticed SaslGssapiBindITest got moved to 'protocol-kerberos'. I
suspect this was to get it out of the way and you guys were going to
revisit it. Anyway, I have it working again, but this time with the
kerberos-client, so I expect it should be in 'server-unit', alongside
the other integration tests, so I will check in what I have and move
it there. Can you ACK this change?
Enrique
Alex Karasulu 2007-12-19, 7:11 pm
Yeah, thanks Enrique, go ahead.
Alex
Alex Karasulu 2007-12-19, 7:11 pm
On Dec 19, 2007 6:10 PM, Enrique Rodriguez <enriquer9-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Dec 19, 2007 2:33 PM, Alex Karasulu <akarasulu-1oDqGaOF3Lkdnm+yROfE0A@public.gmane.org> wrote:
> ...
>
> 1) OK, these are more the steps to get this working that I was
> picturing. I will try this.
>
Let me know if you need a hand or have any questions.
> 2) I haven't looked yet, but KdcServer fails if anonymous access is
> disabled. I suspect this is due to a similar issue, that KdcServer is
> not yet wired properly to access the directory service using a proper
> admin principal.
>
Hmmm yeah it might be. This big bang shook up a lot of things even though
it will all get better. However I think we need to figure out some testing
strategy besides just the unit tests to make sure all is doing well.
>
> 3) I will add the check to throw an IllegalStateException to the
> other form of the LdapPrincipal constructor.
>
Thanks!
> 4) I noticed SaslGssapiBindITest got moved to 'protocol-kerberos'. I
> suspect this was to get it out of the way and you guys were going to
> revisit it. Anyway, I have it working again, but this time with the
> kerberos-client, so I expect it should be in 'server-unit', alongside
> the other integration tests, so I will check in what I have and move
> it there. Can you ACK this change?
>
Yeah I emailed immediately below for this. Having this stuff in server-unit
will enable us to do what we did in core-unit with the integration tests
(the speedups).
Alex