[
https://issues.apache.org/jira/browse/DERBY-4989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12991632#comment-12991632
]
Thomas Hill commented on DERBY-4989:
------------------------------------
thanks
-> when omitting the use of the custom security manager when requesting for the
network server to be brought down the shutdown succeeds
-> in regards to the optional possibility to protect the server shutdown by
using system wide settings - I understand this offers some benefit, however
real benefit imho would only come if shut down would be a system privilege
that either only a system account or a dbo user would have, or that could be
granted to individual users as needed - but in the current implementation even
when using system wide properties it would still be every user having the
possibility to bring the server down - please correct me if I am wrong on this.
for the sake of simplicity I have chosen to expand the policy file (by hard
coding the path names into the policy file) - also good to know here that there
are multiple options to do this
As far as documentation is concerned - yes, the existing documentation should
be enhanced with some key hints - for example with a statement that a custom
security manager should not be referenced when shutting down. The challenge
here I would however see as being the decision of what should and needs to be
mentioned on the existing docs and what would be better documented in a
different set of documentation (like e.g. the Derby Wiki) to provide an
end-to-end view on how to achieve specific goals like "How to set up the
network server in an insecure/hosted environment" bringing together all the
features Derby is offering, i.e. SSL support, LDAP integration, SQL
authorization. Such kind of documentation imho should best come from the
community (and I am also looking at the man in the mirror here) and not eat up
precious time of the development team. I will try to at least provide some
input on the wiki as soon as I have completed my round trip of all topics
mentioned and as soon as I have found out how this wiki thing actually works....
> LDAP authentication not working when using network client driver and database
> level properties
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-4989
> URL: https://issues.apache.org/jira/browse/DERBY-4989
> Project: Derby
> Issue Type: Bug
> Components: Network Client
> Environment: Network Server running under Debian 5.0 stable, Win XP
> Service Pack 3 Client, Derby Version 10.7.1.1, ApacheDS 1.5.7
> Reporter: Thomas Hill
> Attachments: LDAPrepro.txt, ldaprepro.tar.gz, mypolicy,
> screenshot-1.jpg
>
>
> The network server client driver is not recognising LDAP authentication
> provider configuration when database properties are being used.
> When trying to connect with the network client driver error 08004 'userid or
> password invalid' is thrown:
> [derby][SQLException@22c95b] java.sql.SQLException
> [derby][SQLException@22c95b] SQL state = 08004
> [derby][SQLException@22c95b] Error code = 40000
> [derby][SQLException@22c95b] Message = Connection authentication
> failure occurred. Reason: userid or password invalid.
> The same database level properties when connecting using the embedded driver
> lead to a successful login and everything is working as expected with this
> driver.
> Notes:
> As there are two other options in setting up the LDAP authentication
> provider, here is the behaviour observed for the network driver in these
> scenarios:
> 1) when using system-level properties, socket permission errors are given
> when running with the JAVA security manager enabled; so additional
> configuration in form of setting up a custom Security Manager is required
> 2) when supplying the properties as command line arguments at server start-up
> the properties are recognised (and authorisation is validated as expected
> without changes required to the default Basic Security Manager)
> Here is the output of sysinfo for my environment and the script used for
> setting the database level properties:
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider','LDAP');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.server','myserver:10389');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchBase','o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.ldap.searchFilter','derby.user');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.thill','uid=thill,o=THMB');
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'true');
> sysinfo for the server
> ------------------ Java Information ------------------
> Java Version: 1.6.0_22
> Java Vendor: Sun Microsystems Inc.
> Java home: /usr/lib/jvm/java-6-sun-1.6.0.22/jre
> Java classpath: /var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyrun.jar
> OS name: Linux
> OS architecture: i386
> OS version: 2.6.26-2-686
> Java user name: root
> Java user home: /root
> Java user dir: /root
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_22-b04
> --------- Derby Information --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derby.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbytools.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbynet.jar] 10.7.1.1 - (1040133)
> [/var/lib/derby/db-derby-10.7.1.1-bin/lib/derbyclient.jar] 10.7.1.1 -
> (1040133)
> ------------------------------------------------------
> ----------------- Locale Information -----------------
> Current Locale : [English/United States [en_US]]
> Found support for locale: [cs]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [de_DE]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [es]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [fr]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [hu]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [it]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ja_JP]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ko_KR]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [pl]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [pt_BR]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [ru]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_CN]
> version: 10.7.1.1 - (1040133)
> Found support for locale: [zh_TW]
> version: 10.7.1.1 - (1040133)
> ------------------------------------------------------
> sysinfo for the client
> ------------------ Java-Informationen ------------------
> Java-Version: 1.6.0_23
> Java-Anbieter: Sun Microsystems Inc.
> Java-Home: C:\Programme\Java\jre6
> Java-Klassenpfad: C:\Programme\Apache
> Derby\db-derby-10.7.1.1-bin\lib\derbyrun.jar
> Name des Betriebssystems: Windows XP
> Architektur des Betriebssystems: x86
> Betriebssystemversion: 5.1
> Java-Benutzername: Thomas
> Java-Benutzerausgangsverzeichnis: C:\Dokumente und Einstellungen\Thomas
> Java-Benutzerverzeichnis: C:\Daten\derby\keys
> java.specification.name: Java Platform API Specification
> java.specification.version: 1.6
> java.runtime.version: 1.6.0_23-b05
> --------- Derby-Informationen --------
> JRE - JDBC: Java SE 6 - JDBC 4.0
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derby.jar] 10.7.1.1 -
> (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbytools.jar] 10.7.1.1
> - (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbynet.jar] 10.7.1.1 -
> (1040133)
> [C:\Programme\Apache Derby\db-derby-10.7.1.1-bin\lib\derbyclient.jar]
> 10.7.1.1 - (1040133)
> ------------------------------------------------------
> ----------------- Informationen zur Ländereinstellung -----------------
> Aktuelle Ländereinstellung: [Deutsch/Deutschland [de_DE]]
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [cs]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [de_DE]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [es]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [fr]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [hu]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [it]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pl]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [pt_BR]
> Version: 10.7.1.1 - (1040133)
> Es wurde Unterstützung für die folgende Ländereinstellung gefunden: [ru]
> Version: 10.7.1.1 - (1040133)
> ------------------------------------------------------
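
An added example, not taken from the issue or its attached `mypolicy` file: a Java policy-file grant of the kind the report and comment describe, letting the Derby engine jar reach the LDAP server when the network server runs under a security manager with system-level LDAP properties. The jar path and `myserver:10389` come from the report; limiting the grant to `derby.jar` with `connect,resolve` is an assumption.

```text
// Added illustration; not the reporter's attached "mypolicy" file.
// This grant is not a complete server policy on its own: it is meant to be
// added to the existing grants in the policy file the server is started with.

// Jar path hard-coded from the server sysinfo in the report
// (the comment above mentions hard-coding path names in the policy file).
grant codeBase "file:/var/lib/derby/db-derby-10.7.1.1-bin/lib/derby.jar" {

    // Allow the engine's LDAP authentication provider to open a connection
    // to the directory server named in derby.authentication.server.
    // Only this one host and port are opened, and only for outbound use.
    permission java.net.SocketPermission "myserver:10389", "connect,resolve";
};
```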