[ https://issues.apache.org/jira/browse/KNOX-590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Minder updated KNOX-590:
------------------------------
    Description: 
The user-auth-test and system-user-auth-test knoxcli.sh commands do not handle 
configuration with userSearchAttributeName+userObjectClass+searchBase 
correctly.  There are a number of issues.
# If main.ldapRealm.userSearchAttributeName is present they must all be present.
# If main.ldapRealm.userSearchAttributeName is present then 
main.ldapRealm.userDnTemplate must not be present.
# If main.ldapRealm.contextFactory is present then all params "below" that in 
the dot notation must follow it in the topology file (e.g. 
main.ldapRealm.contextFactory.url, 
main.ldapRealm.contextFactory.systemUsername, 
main.ldapRealm.contextFactory.systemPassword, etc.)
# Missing main.ldapRealm.searchBase results in a NullPointerException at 
runtime.
# Missing main.ldapRealm.userObjectClass results in a NullPointerException at 
runtime.
# Using user-auth-test and system-user-auth-test with a valid configuration 
results in this error even though the same topology works at runtime.  Note the 
misleading information about "Illegal principal name: LDAP Access".  Looking at 
the code suggests this occurs because the search results return no results.  
This doesn't mean the LDAP Access principal is necessarily invalid, does it?
{code}
~/Projects/knox-rev/install/knox-0.7.0-SNAPSHOT> bin/knoxcli.sh system-user-auth-test --cluster default --d
Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - LDAP Access, rememberMe=false].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
Illegal principal name: LDAP Access
org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - LDAP Access, rememberMe=false].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:916)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.testSysBind(KnoxCLI.java:989)
        at org.apache.hadoop.gateway.util.KnoxCLI$LDAPSysBindCommand.execute(KnoxCLI.java:1321)
        at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:135)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
        at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1516)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
        at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
        at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
        at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
Caused by: java.lang.IllegalArgumentException: Illegal principal name: LDAP Access
        at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.getUserDn(KnoxLdapRealm.java:577)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.getLdapPrincipal(JndiLdapRealm.java:342)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:371)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
        at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:177)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        ... 18 more
Unable to successfully bind to LDAP server with topology credentials
{code}

  was:
The user-auth-test and system-user-auth-test knoxcli.sh commands do not handle 
configuration with userSearchAttributeName+userObjectClass+searchBase 
correctly.  There are a number of issues.
# If main.ldapRealm.userSearchAttributeName.userSearchAttributeName is present 
they must all be present.
# If main.ldapRealm.userSearchAttributeName.userSearchAttributeName is present 
then main.ldapRealm.userDnTemplate must not be present.
# If main.ldapRealm.contextFactory is present then all params "below" that must 
follow it in the topology file (e.g. main.ldapRealm.contextFactory.url, 
main.ldapRealm.contextFactory.systemUsername, 
main.ldapRealm.contextFactory.systemPassword, etc.)
# Missing main.ldapRealm.searchBase results in a NullPointerException at 
runtime.
# Missing main.ldapRealm.userObjectClass results in a NullPointerException at 
runtime.
# Using user-auth-test and system-user-auth-test with a valid configuration 
results in this error even though the same topology works at runtime.  Note the 
misleading information about "Illegal principal name: LDAP Access".  Looking at 
the code suggests this occurs because the search results return no results.  
This doesn't mean the LDAP Access principal is necessarily invalid, does it?


> Knoxcli.sh user-auth-test and system-user-auth-test not working with 
> userSearchAttributeName
> --------------------------------------------------------------------------------------------
>
>                 Key: KNOX-590
>                 URL: https://issues.apache.org/jira/browse/KNOX-590
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxCLI
>    Affects Versions: 0.7.0
>            Reporter: Kevin Minder
>            Assignee: Zachary Blanco
>             Fix For: 0.7.0
>
>         Attachments: default.xml
>
>
> The user-auth-test and system-user-auth-test knoxcli.sh commands do not handle 
> configuration with userSearchAttributeName+userObjectClass+searchBase 
> correctly.  There are a number of issues.
> # If main.ldapRealm.userSearchAttributeName is present they must all be 
> present.
> # If main.ldapRealm.userSearchAttributeName is present then 
> main.ldapRealm.userDnTemplate must not be present.
> # If main.ldapRealm.contextFactory is present then all params "below" that in 
> the dot notation must follow it in the topology file (e.g. 
> main.ldapRealm.contextFactory.url, 
> main.ldapRealm.contextFactory.systemUsername, 
> main.ldapRealm.contextFactory.systemPassword, etc.)
> # Missing main.ldapRealm.searchBase results in a NullPointerException at 
> runtime.
> # Missing main.ldapRealm.userObjectClass results in a NullPointerException at 
> runtime.
> # Using user-auth-test and system-user-auth-test with a valid configuration 
> results in this error even though the same topology works at runtime.  Note 
> the misleading information about "Illegal principal name: LDAP Access".  
> Looking at the code suggests this occurs because the search results return no 
> results.  This doesn't mean the LDAP Access principal is necessarily invalid, 
> does it?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
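
The parameter conditions listed in the description can be checked against a topology file before running knoxcli.sh, so a misconfiguration is reported by name rather than as a NullPointerException. This is an added example, not code from the Knox project or the reporter; the sample topology is constructed (it is not the attached default.xml) and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

REALM = "main.ldapRealm"
SEARCH_KEYS = ("userSearchAttributeName", "userObjectClass", "searchBase")

# Constructed sample topology, deliberately violating three listed conditions.
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
  <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://localhost:33389</value></param>
  <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
  <param><name>main.ldapRealm.userSearchAttributeName</name><value>uid</value></param>
  <param><name>main.ldapRealm.userDnTemplate</name><value>uid={0},ou=people,dc=example,dc=org</value></param>
  <param><name>main.ldapRealm.searchBase</name><value>dc=example,dc=org</value></param>
</provider></gateway></topology>"""


def param_names(topology_xml):
    """Return every <param> name in document order (order matters below)."""
    root = ET.fromstring(topology_xml)
    return [p.findtext("name", "").strip() for p in root.iter("param")]


def lint(topology_xml):
    """Return findings for the conditions listed in the issue description."""
    names = param_names(topology_xml)
    findings = []
    if f"{REALM}.userSearchAttributeName" in names:
        # Search-based lookup: all three search params are expected together.
        for key in SEARCH_KEYS:
            if f"{REALM}.{key}" not in names:
                findings.append(f"missing {REALM}.{key}")
        # The description says userDnTemplate must not be combined with it.
        if f"{REALM}.userDnTemplate" in names:
            findings.append(f"{REALM}.userDnTemplate set with userSearchAttributeName")
    factory = f"{REALM}.contextFactory"
    if factory in names:
        # Params "below" contextFactory must follow it in the file.
        first = names.index(factory)
        for position, name in enumerate(names):
            if name.startswith(factory + ".") and position < first:
                findings.append(f"{name} appears before {factory}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_TOPOLOGY):
        print("WARN:", finding)
```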
