Bug 50751

Summary: JNDIRealm invokes getAttributes with no attribute ids. Prevents using DOMAIN\{0} to login.
Product: Tomcat 6
Reporter: Brandon DuRette <brandond>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor    
Priority: P2    
Version: 6.0.29   
Target Milestone: default   
Hardware: All   
OS: All   
Attachments: Patch for this issue vs. 6_0_29.

Description Brandon DuRette 2011-02-10 12:11:43 UTC
Created attachment 26633 [details]
Patch for this issue vs. 6_0_29.

I would like to configure JNDIRealm to authenticate to an Active Directory server using userPattern=DOMAIN\{0}. Active Directory will accept this username in bind requests, however context.getAttributes(...) will fail if that name is used. JNDIRealm makes a request for user attributes before logging in, even when there are no user attributes to request. As a result, the above configuration fails with an InvalidNameException:

javax.naming.InvalidNameException: DOMAIN\username: [LDAP: error code 34 -
0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0,
vece ]; remaining name 'DOMAIN\username

I have a patch for this (against 6.0.29) that I will attach. The patch fixes the issue for my specific case (bind mode, no roles), but it seems like there is a more fundamental problem in accessing the user's attributes before the user is even authenticated. This makes sense if it is configured for password comparison mode, but for bind mode it seems unnecessary until the user's password is validated. If only there were a way to get the DN of the authenticated user (not just the name that was used to authenticate), then it would be straightforward to fix this to query for roles after auth. I could not find such an API. I would be happy to write that patch if someone can point me in the right direction on that API.

More discussion on this issue from the tomcat-users list:

http://mail-archives.apache.org/mod_mbox/tomcat-users/201102.mbox/%3CAANLkTinTS3qBx5Wb6jLXCzozv+wTXQ9XwtJHN0O=FAXn@mail.gmail.com%3E
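As an added illustration of the bind-mode sequence the description discusses, the following stand-alone Java sketch is not Tomcat's JNDIRealm code and not the attached patch. It composes the bind name from userPattern with MessageFormat (as JNDIRealm does), requests user attributes only when some are actually configured, and then binds as the user. The class and method names, the example host ad.example.com, the up-front DN check and the choice of an anonymous connection for the pre-bind attribute lookup when no connectionName is configured are all assumptions made for this example.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;

/*
 * Example only; mirrors this assumed server.xml configuration (bind mode, no role lookup):
 *
 *   <Realm className="org.apache.catalina.realm.JNDIRealm"
 *          connectionURL="ldap://ad.example.com:389"
 *          userPattern="DOMAIN\{0}" />
 */
public class BindModeDemo {

    /** Attributes to fetch before binding: only those actually configured (assumed helper). */
    static List<String> attributeIds(String userPassword, String userRoleName) {
        List<String> ids = new ArrayList<>();
        if (userPassword != null) ids.add(userPassword);
        if (userRoleName != null) ids.add(userRoleName);
        return ids;
    }

    /** True if the name parses as an LDAP DN. "DOMAIN\user" does not (no "attr=value" RDN),
     *  which is why getAttributes() on it fails with error 34 although a bind with it succeeds. */
    static boolean isDistinguishedName(String name) {
        try {
            new LdapName(name);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    private static Hashtable<String, String> env(String url, String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous lookup (assumption for this example)
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return env;
    }

    /**
     * Bind-mode authentication: returns true when a simple bind as the composed name succeeds.
     * The attribute lookup is skipped when nothing is configured to be fetched; when it is
     * configured, the lookup runs before the bind and needs the composed name to be a DN.
     */
    static boolean authenticate(String url, String userPattern, String username, String password,
                                String userPassword, String userRoleName) throws NamingException {
        if (password == null || password.isEmpty()) {
            return false; // an empty password would turn the simple bind into an unauthenticated bind
        }
        String bindName = MessageFormat.format(userPattern, username); // "DOMAIN\\{0}" -> DOMAIN\username
        List<String> ids = attributeIds(userPassword, userRoleName);

        if (!ids.isEmpty()) {
            // Fail with a clear message instead of the server's error 34 (assumed check).
            if (!isDistinguishedName(bindName)) {
                throw new InvalidNameException(bindName + " is not a DN; cannot fetch " + ids
                        + " with it. Use a DN-shaped userPattern or a user search instead.");
            }
            DirContext lookup = new InitialDirContext(env(url, null, null));
            try {
                Attributes attrs = lookup.getAttributes(bindName, ids.toArray(new String[0]));
                System.out.println("attributes fetched before bind: " + attrs);
            } finally {
                lookup.close();
            }
        }

        DirContext userCtx = null;
        try {
            userCtx = new InitialDirContext(env(url, bindName, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            if (userCtx != null) userCtx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // usage: java BindModeDemo ldap://ad.example.com:389 username password
        boolean ok = authenticate(args[0], "DOMAIN\\{0}", args[1], args[2], null, null);
        System.out.println(ok ? "bind succeeded" : "bind rejected");
    }
}
```

Run against a directory with the three arguments shown in main; with userPassword and userRoleName both null the lookup is skipped and only the bind happens, which is the configuration the description wants. Passing a userRoleName with the same non-DN pattern hits the DN check, which makes the limitation explicit: role attributes cannot be read by name from a DOMAIN\user bind name, so a role search keyed on something other than that name is needed.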
Comment 1 Mark Thomas 2011-02-11 09:52:51 UTC
I applied a slightly different patch for this issue that achieves the same results. Note that the JNDI realm assumes that anonymous access is allowed in some circumstances.

Fixed in 7.0.x for 7.0.9 onwards.

Proposed for 6.0.x.
Comment 2 Mark Thomas 2011-04-10 07:02:59 UTC
Fixed in 6.0.x and will be included in 6.0.33 onwards.