[daisy] Organizational units confusing LDAP authentication

Caleb Callaway caleb at autometrix.com
Mon Jul 2 10:12:51 CDT 2007


Paul Focke wrote:
> Caleb Callaway wrote:
>> Here are two entries in my LDAP directory:
>>
>>    dn: cn=test,dc=autometrix,dc=com
>>    uid: test
>>    cn: test
>>    givenName: test
>>    sn: test
>>    mail: test at autometrix.com
>>    objectClass: person
>>    objectClass: organizationalPerson
>>    objectClass: inetOrgPerson
>>    objectClass: posixAccount
>>    objectClass: shadowAccount
>>    loginShell: /bin/bash
>>    uidNumber: 1020
>>    gidNumber: 100
>>    homeDirectory: /home/test
>>    gecos: test
>>    shadowLastChange: 13692
>>    userPassword:: e1NTSEF9NWliT1phdTlxZWYzQU9ydjRCVGJMR25kWlBHNXlLWTA=
>>
>>    dn: cn=temp,ou=People,dc=autometrix,dc=com
>>    uid: temp
>>    cn: temp
>>    givenName: temp
>>    sn: temp
>>    mail: temp at autometrix.com
>>    objectClass: person
>>    objectClass: organizationalPerson
>>    objectClass: inetOrgPerson
>>    objectClass: posixAccount
>>    objectClass: shadowAccount
>>    loginShell: /bin/bash
>>    uidNumber: 1020
>>    gidNumber: 100
>>    homeDirectory: /home/temp
>>    gecos: temp
>>    userPassword:: e1NTSEF9RkRSVUJJZXplUFNibGROOXVGYkxyQkQyeVp3OEhubzE=
>>
>> I've used both accounts to log in on an Ubuntu laptop with libnss-ldap. 
>> The passwords are updatable by ldappasswd, etc. I've temporarily 
>> assigned read access to '*' in my slapd.conf file, so passwords are 
>> available to everyone.
>>
>> Here is the relevant bit of myconfig.xml:
>>
>>    <target path="/daisy/repository/authentication/ldap">
>>      <configuration>
>>        <scheme name="ldap1" description="Test LDAP config">
>>          <environment>
>>            <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>>            <property name="java.naming.provider.url" value="ldap://192.168.1.3"/>
>>            <property name="java.naming.security.authentication" value="simple"/>
>>            <!-- <property name="java.naming.security.protocol" value="ssl"/> -->
>>            <property name="java.naming.security.principal" value="cn=$daisyLogin,ou=People,dc=autometrix,dc=com"/>
>>          </environment>
>>          <cache enabled="false" maxCacheSize="3000" maxCacheDuration="1800000"/>
>>          <autoCreateUser>
>>            <roles>
>>              <role>User</role>
>>            </roles>
>>            <defaultRole>User</defaultRole>
>>            <updateableByUser>true</updateableByUser>
>>          </autoCreateUser>
>>        </scheme>
>>      </configuration>
>>    </target>
>>
>> Using the following value doesn't allow EITHER user to authenticate:
>>
>>    <property name="java.naming.security.principal" value="cn=$daisyLogin,ou=People,dc=autometrix,dc=com"/>
>>
>> If I change it like so, the 'test' user can authenticate without a 
>> problem (yes, I did restart the repo daemon--and the wiki, just to be 
>> sure):
>>
>>    <property name="java.naming.security.principal" value="cn=$daisyLogin,dc=autometrix,dc=com"/>
>>
>> The ONLY difference is the removal of the organizational unit 'People'.
>>
>> The request-error-log has the following when trying to login as temp 
>> (with either value of java.naming.security.principal):
>>
>> [ERROR  ] <2007-06-29 09:54:03,890> (daisy.repository.httpconnector.request-errors): Error authenticating user.
>> org.outerj.daisy.repository.user.UserNotFoundException: The user with login "temp" does not exist
>>        at org.outerj.daisy.repository.serverimpl.user.LocalUserManagementStrategy.getUser(LocalUserManagementStrategy.java:390)
>>        at org.outerj.daisy.repository.commonimpl.user.UserCache.getUser(UserCache.java:87)
>>        at org.outerj.daisy.repository.commonimpl.user.CommonUserManager.getUser(CommonUserManager.java:80)
>>        at org.outerj.daisy.repository.commonimpl.user.UserManagerImpl.getUser(UserManagerImpl.java:73)
>>        at org.outerj.daisy.authentication.impl.UserAuthenticatorImpl.authenticate(UserAuthenticatorImpl.java:104)
>>        at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at org.apache.avalon.activation.impl.ApplianceInvocationHandler.invoke(ApplianceInvocationHandler.java:129)
>>        at $Proxy7.authenticate(Unknown Source)
>>        at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at org.apache.avalon.activation.impl.BlockInvocationHandler.invoke(BlockInvocationHandler.java:108)
>>        at $Proxy9.authenticate(Unknown Source)
>>        at org.outerj.daisy.repository.serverimpl.LocalRepositoryManager.getRepository(LocalRepositoryManager.java:159)
>>        at sun.reflect.GeneratedMethodAccessor10.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at org.apache.avalon.activation.impl.ApplianceInvocationHandler.invoke(ApplianceInvocationHandler.java:129)
>>        at $Proxy14.getRepository(Unknown Source)
>>        at org.outerj.daisy.httpconnector.HttpConnectorImpl$DaisyUserRealm.authenticate(HttpConnectorImpl.java:360)
>>        at org.mortbay.http.BasicAuthenticator.authenticate(BasicAuthenticator.java:64)
>>        at org.mortbay.http.SecurityConstraint.check(SecurityConstraint.java:442)
>>        at org.mortbay.http.HttpContext.checkSecurityConstraints(HttpContext.java:1326)
>>        at org.mortbay.http.handler.SecurityHandler.handle(SecurityHandler.java:81)
>>        at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)
>>        at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
>>        at org.mortbay.http.HttpServer.service(HttpServer.java:909)
>>        at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
>>        at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)
>>        at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
>>        at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
>>        at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
>>        at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
>>
>> I've tried Bruno's test code from this thread as well: 
>> http://lists.cocoondev.org/pipermail/daisy/2006-February/003178.html 
>> Works without a problem.
>>
>
> Did you set the authenticator?
>
> <target path="/daisy/repository/authentication/authenticator">
>   <configuration>
>     <!-- Indicates which authentication scheme to use, if any, to automatically create new users. -->
>     <authenticationSchemeForUserCreation>ldap1</authenticationSchemeForUserCreation>
>   </configuration>
> </target>
>
>
>
> Paul
> _______________________________________________
> daisy community mailing list
> Professional Daisy support: 
> http://outerthought.org/site/services/daisy/daisysupport.html
> mail to: daisy at lists.cocoondev.org
> list information: http://lists.cocoondev.org/mailman/listinfo/daisy
>
No, I hadn't. That did the trick, thanks!
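The config in this thread builds the bind DN by substituting the login into the java.naming.security.principal template, so a user can only authenticate if the template reproduces that entry's real DN: `cn=test,dc=autometrix,dc=com` is not under `ou=People`, while `cn=temp,ou=People,...` is. The following script is an added example, not code from Daisy or from either poster. It parses the two entries as posted (sample LDIF constructed from the thread, trimmed to the attributes needed), reports which entries each template can bind as, and escapes the login per RFC 4514 before substitution (this example's assumption of safe behaviour; the thread does not say whether Daisy's own $daisyLogin substitution escapes). Going beyond the thread, it also flags that both entries carry uidNumber 1020, which libnss-ldap will map to the same local identity.

```python
import base64
import re

# Constructed sample input, modelled on the two entries posted in the thread
# (trimmed to the attributes the check needs; the gecos line is written in
# LDIF base64 form to exercise the '::' branch of the parser).
SAMPLE_LDIF = """\
dn: cn=test,dc=autometrix,dc=com
uid: test
cn: test
uidNumber: 1020
gidNumber: 100
gecos:: dGVzdA==

dn: cn=temp,ou=People,dc=autometrix,dc=com
uid: temp
cn: temp
uidNumber: 1020
gidNumber: 100
"""

# The java.naming.security.principal template from the posted myconfig.xml.
PRINCIPAL_TEMPLATE = "cn=$daisyLogin,ou=People,dc=autometrix,dc=com"

_LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no changetype records) into a list
    of dicts mapping lower-cased attribute names to their list of values.
    'attr:: b64' lines are base64-decoded as LDIF requires."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():               # a blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514
    section 2.4), so a login such as 'x,ou=Admins' cannot alter the structure
    of the bind DN it is substituted into."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(login, template=PRINCIPAL_TEMPLATE):
    """DN this example would bind as for the login. Escaping the login is the
    example's assumption; whether Daisy's substitution escapes is not stated."""
    return template.replace("$daisyLogin", escape_dn_value(login))


def normalize_dn(dn):
    """Crude DN normalisation for comparison: split on unescaped commas, strip
    whitespace around RDNs, lower-case (cn/ou/dc all match case-insensitively)."""
    return ",".join(r.strip().lower() for r in re.split(r"(?<!\\),", dn))


def check_entries(entries, template=PRINCIPAL_TEMPLATE):
    """Per entry: does the DN the template produces from its uid equal the
    entry's real DN (i.e. can a simple bind as that user work at all), and
    which other uids share its uidNumber."""
    by_uidnumber = {}
    for e in entries:
        by_uidnumber.setdefault(e.get("uidnumber", [None])[0], []).append(e["uid"][0])
    report = {}
    for e in entries:
        uid, dn = e["uid"][0], e["dn"][0]
        expected = bind_dn_for(uid, template)
        uidnum = e.get("uidnumber", [None])[0]
        report[uid] = {
            "dn": dn,
            "expected_bind_dn": expected,
            "bindable": normalize_dn(dn) == normalize_dn(expected),
            "uidnumber_shared_with": sorted(u for u in by_uidnumber[uidnum] if u != uid),
        }
    return report


if __name__ == "__main__":
    for tpl in (PRINCIPAL_TEMPLATE, "cn=$daisyLogin,dc=autometrix,dc=com"):
        print(f"template {tpl}")
        for uid, r in check_entries(parse_ldif(SAMPLE_LDIF), tpl).items():
            flag = "OK" if r["bindable"] else "NO"
            shared = r["uidnumber_shared_with"]
            note = f" (uidNumber shared with {shared})" if shared else ""
            print(f"  {flag} {uid}: {r['dn']} vs {r['expected_bind_dn']}{note}")
```

Run against the posted entries, the `ou=People` template marks only temp as bindable and the template without the OU marks only test, which is the split Caleb observed; the remaining failure for temp, as Paul's reply shows, is on the Daisy side (no authenticationSchemeForUserCreation, so the LDAP-authenticated login is never created as a Daisy user), not in the directory.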

