[ https://issues.apache.org/jira/browse/KNOX-590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Minder resolved KNOX-590.
-------------------------------
    Resolution: Fixed

> Knoxcli.sh user-auth-test and system-user-auth-test not working with userSearchAttributeName
> --------------------------------------------------------------------------------------------
>
>                 Key: KNOX-590
>                 URL: https://issues.apache.org/jira/browse/KNOX-590
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxCLI
>    Affects Versions: 0.7.0
>            Reporter: Kevin Minder
>            Assignee: Zachary Blanco
>             Fix For: 0.7.0
>
>         Attachments: default.xml
>
>
> The user-auth-test and system-user-auth-test knoxcli.sh commands do not handle
> configuration with userSearchAttributeName+userObjectClass+searchBase
> correctly. There are a number of issues.
> # If main.ldapRealm.userSearchAttributeName is present they must all be
> present.
> # If main.ldapRealm.userSearchAttributeName is present then
> main.ldapRealm.userDnTemplate must not be present.
> # If main.ldapRealm.contextFactory is present then all params "below" that in
> the dot notation must follow it in the topology file (e.g.
> main.ldapRealm.contextFactory.url,
> main.ldapRealm.contextFactory.systemUsername,
> main.ldapRealm.contextFactory.systemPassword, etc)
> # If main.ldapRealm.userSearchAttributeName is present, a missing
> main.ldapRealm.searchBase results in a NullPointerException at runtime.
> # If main.ldapRealm.userSearchAttributeName is present, a missing
> main.ldapRealm.userObjectClass results in a NullPointerException at runtime.
> # Using user-auth-test and system-user-auth-test with a valid configuration
> results in this error even though the same topology works at runtime. Note
> the misleading information about "Illegal principal name: LDAP Access".
> Looking at the code suggests this occurs because the search results return no
> results. This doesn't mean the LDAP Access principal is necessarily invalid
> does it?
> {code}
> ~/Projects/knox-rev/install/knox-0.7.0-SNAPSHOT> bin/knoxcli.sh system-user-auth-test --cluster default --d
> Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - LDAP Access, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
> Illegal principal name: LDAP Access
> org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - LDAP Access, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
>       at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
>       at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>       at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>       at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>       at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:916)
>       at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.testSysBind(KnoxCLI.java:989)
>       at org.apache.hadoop.gateway.util.KnoxCLI$LDAPSysBindCommand.execute(KnoxCLI.java:1321)
>       at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:135)
>       at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>       at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1516)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:606)
>       at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>       at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>       at org.apache.hadoop.gateway.launcher.Command.run(Command.java:101)
>       at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>       at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: java.lang.IllegalArgumentException: Illegal principal name: LDAP Access
>       at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.getUserDn(KnoxLdapRealm.java:577)
>       at org.apache.shiro.realm.ldap.JndiLdapRealm.getLdapPrincipal(JndiLdapRealm.java:342)
>       at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:371)
>       at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
>       at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.doGetAuthenticationInfo(KnoxLdapRealm.java:177)
>       at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>       at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>       at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>       at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>       ... 18 more
> Unable to successfully bind to LDAP server with topology credentials
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
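
A pre-flight check for a topology file, added here as an example and not part of the issue or of Knox: it reports which of the issue's numbered conditions 2 to 5 a ShiroProvider configuration meets, so an operator can tell a configuration-shape problem from a real LDAP bind failure before running the two commands. The function names and the sample topology (constructed, not the attached default.xml) are assumptions.

```python
import xml.etree.ElementTree as ET

REALM = "main.ldapRealm"
FACTORY = REALM + ".contextFactory"

# Constructed sample topology, not the default.xml attached to the issue.
SAMPLE = """<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name>
  <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://localhost:33389</value></param>
  <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
  <param><name>main.ldapRealm.userSearchAttributeName</name><value>uid</value></param>
  <param><name>main.ldapRealm.userDnTemplate</name><value>uid={0},ou=people,dc=example,dc=org</value></param>
  <param><name>main.ldapRealm.searchBase</name><value>dc=example,dc=org</value></param>
</provider></gateway></topology>"""


def shiro_param_names(topology_xml):
    """Return the ShiroProvider param names in the order they appear in the file."""
    root = ET.fromstring(topology_xml)
    for provider in root.iter("provider"):
        if provider.findtext("name", "").strip() == "ShiroProvider":
            return [p.findtext("name", "").strip() for p in provider.iter("param")]
    return []


def lint(topology_xml):
    """Return the sorted issue item numbers (2-5) whose condition this topology meets."""
    names = shiro_param_names(topology_xml)
    hits = set()
    if REALM + ".userSearchAttributeName" in names:
        if REALM + ".userDnTemplate" in names:
            hits.add(2)  # search attribute and DN template both configured
        if REALM + ".searchBase" not in names:
            hits.add(4)  # item 4: NullPointerException at runtime
        if REALM + ".userObjectClass" not in names:
            hits.add(5)  # item 5: NullPointerException at runtime
    if FACTORY in names:
        before = names[:names.index(FACTORY)]
        if any(n.startswith(FACTORY + ".") for n in before):
            hits.add(3)  # a contextFactory.* param precedes contextFactory itself
    return sorted(hits)


if __name__ == "__main__":
    print(lint(SAMPLE))
```
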