Bug 50751 - JNDIRealm invokes getAttributes with no attribute ids. Prevents using DOMAIN\{0} to login.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.29
Hardware: All
OS: All
Importance: P2 minor
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-10 12:11 UTC by Brandon DuRette
Modified: 2011-04-10 07:02 UTC
CC List: 0 users

Attachments
Patch for this issue vs. 6_0_29. (957 bytes, application/octet-stream), 2011-02-10 12:11 UTC, Brandon DuRette

Description Brandon DuRette 2011-02-10 12:11:43 UTC
Created attachment 26633 [details]
Patch for this issue vs. 6_0_29.

I would like to configure JNDIRealm to authenticate to an Active Directory server using userPattern=DOMAIN\{0}. Active Directory will accept this username in bind requests, however context.getAttributes(...) will fail if that name is used. JNDIRealm makes a request for user attributes before logging in, even when there are no user attributes to request. As a result, the above configuration fails with an InvalidNameException:

javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
vece ]; remaining name 'DOMAIN\username'

I have a patch for this (against 6.0.29) that I will attach. The patch fixes the issue for my specific case (bind mode, no roles), but it seems like there is a more fundamental problem in accessing the user's attributes before the user is even authenticated. This makes sense if it is configured for password comparison mode, but for bind mode it seems unnecessary until the user's password is validated. If only there were a way to get the DN of the authenticated user (not just the name that was used to authenticate), then it would be straightforward to fix this to query for roles after auth. I could not find such an API. I would be happy to write that patch if someone can point me in the right direction on that API.

More discussion on this issue from the tomcat-users list:

http://mail-archives.apache.org/mod_mbox/tomcat-users/201102.mbox/%3CAANLkTinTS3qBx5Wb6jLXCzozv+wTXQ9XwtJHN0O=FAXn@mail.gmail.com%3E
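The two Realm configurations below are an added illustration of the situation described in this report; they are not part of the report, its attachment, or Tomcat's own documentation. The host name, the DOMAIN prefix, the service account DN and password, and the DC=example,DC=com tree are placeholders. The first fragment is the bind-mode, no-roles setup the reporter describes, which fails on 6.0.29 and which the comments below record as fixed in 7.0.9 and 6.0.33. The second is the alternative that does not depend on that fix: search for the user with a service account, bind with the DN the search returns, and resolve roles from that DN.

```xml
<!-- Added example; placeholders only (not the reporter's or Tomcat's configuration). -->

<!-- Bind mode with a DOMAIN\user login name and no attribute or role lookup.
     {0} is replaced by the submitted user name, so the realm binds as the
     literal string "DOMAIN\jsmith". On 6.0.29 the realm still calls
     getAttributes() with that string as the name before binding, which
     Active Directory rejects with LDAP error 34 (InvalidNameException).
     ldaps:// assumes the AD certificate is trusted by the JVM truststore. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.example.com:636"
       userPattern="DOMAIN\{0}" />

<!-- Search-then-bind alternative that also works on 6.0.29: the realm
     authenticates as a read-only service account, finds the user's real DN
     by sAMAccountName, then binds as that DN with the submitted password.
     The real DN is a valid name for getAttributes(), so roles can be
     resolved too: in roleSearch, {0} is the user's DN, {1} the user name. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.example.com:636"
       connectionName="CN=tomcat-svc,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="change-me"
       userBase="OU=Users,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

Two practical points for the second form: Active Directory normally refuses anonymous searches, so a search-based JNDIRealm against AD needs connectionName and connectionPassword rather than relying on anonymous access; and because that password sits in clear text in server.xml, give the service account read-only rights and restrict the file's permissions to the Tomcat user.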
Comment 1 Mark Thomas 2011-02-11 09:52:51 UTC
I applied a slightly different patch for this issue that achieves the same results. Note that the JNDI realm assumes that anonymous access is allowed in some circumstances.

Fixed in 7.0.x for 7.0.9 onwards.

Proposed for 6.0.x.
Comment 2 Mark Thomas 2011-04-10 07:02:59 UTC
Fixed in 6.0.x and will be included in 6.0.33 onwards.