[ 
https://issues.apache.org/jira/browse/OAK-2897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tobias Bocanegra updated OAK-2897:
----------------------------------
    Description: 
Regression of OAK-2783.

On my local instance, I have tested the 4 combinations of the new attributes in 
org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
@adminPool.lookupOnValidate (true)
@userPool.lookupOnValidate (true)
and found that only when both are set to true was I able to log in with 
credentials from the LDAP server. See the table below for the time stamps of the 
four tested combinations.

I have set up a test harness at http://10.36.65.137:4502. It is configured for an 
LDAP server on my laptop, which provides user001 ... user010. All have the same 
password, '1234'. 
Note: I have not repeated the above tests on the test harness due to time 
constraints.

|| time || adminPool.lookupOnValidate || userPool.lookupOnValidate || logon user001 ||
| 16.05.2015 11:14:59.066 | false | true  | NG @ 16.05.2015 11:16:37.431 (1) |
| 16.05.2015 11:18:40.627 | false | false | NG @ 16.05.2015 11:19:54.971 (2) |
| 16.05.2015 11:21:31.757 | true  | false | NG @ ??. No error in ldap.log, but username and password did not match |
| 16.05.2015 11:24:16.277 | true  | true  | OK |

Excerpts from ldap.log
{code}
(1) 16.05.2015 11:16:37.435 *ERROR* [qtp2069601494-1250] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
java.util.NoSuchElementException: Could not create a validated object, cause: ValidateObject failed

(2) 16.05.2015 11:19:54.971 *ERROR* [qtp2069601494-1249] org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider Error while connecting to the ldap server.
java.util.NoSuchElementException: Could not create a validated object, cause: ValidateObject failed
        at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1233)
        at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:56)

{code}


  was:
Depending on the LDAP server configuration, it fails to connect because the server 
doesn't allow the connection validation query.

It fails on 
{quote}
Caused by: java.util.NoSuchElementException: Could not create a validated object, cause: ValidateObject failed
at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1233)
at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:56)
at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:532)
... 92 common frames omitted
{quote}

Based on the customer's analysis of the Oak code, this is the reason it fails:

{quote}
I think I have found a solution for the problem. While the system is 
initializing the connection, it tries to validate the connection. This is the 
reason for the strange search request:

SearchRequest
baseDn : ''
filter : '(objectClass=*)'
scope : base object

Because such requests are not allowed in the client's LDAP system, the 
connection is being rejected (as invalid). It is configurable whether the 
connection should be validated. The class 
org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider
 contains this code:

    if (config.getAdminPoolConfig().getMaxActive() != 0) {
        adminPool = new LdapConnectionPool(adminConnectionFactory);
        adminPool.setTestOnBorrow(true);
        adminPool.setMaxActive(config.getAdminPoolConfig().getMaxActive());
        adminPool.setWhenExhaustedAction(GenericObjectPool.WHEN_EXHAUSTED_BLOCK);
    }

A solution for our problem would most probably be to change the connection pool 
configuration to adminPool.setTestOnBorrow(false);
Sadly, this parameter does not come from the identity provider configuration.

Is there a way to change this parameter without creating our own 
implementation of the identity provider?
{quote}
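To check whether a directory permits the validation query described in the quoted analysis before leaving pool validation switched on, the following added example (not Oak, commons-pool or Apache Directory API code, and not from the customer) encodes that exact request, a base-scope SearchRequest on the empty DN with filter (objectClass=*) and no attributes, as raw LDAPv3 BER per RFC 4511, decodes the server's SearchResultDone and reports the result code. The names `rootdse_search_request`, `search_result_done`, `constructed_reply` and `probe` are this example's own, and the sample replies are constructed rather than captured from a server. The probe binds anonymously; the admin pool in the quoted code is built from `adminConnectionFactory`, which presumably binds as the configured admin user, so repeat the check with that bind DN as well (for instance `ldapsearch -x -D <bindDN> -W -b '' -s base '(objectClass=*)'`).

```python
import socket

# Added example (not Oak, commons-pool or Apache Directory API code): build the
# RootDSE probe that a testOnBorrow validation issues, as described above:
#   baseDn '', scope baseObject, filter (objectClass=*), no attributes,
# and decode the server's SearchResultDone. Tag values follow RFC 4511.


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A), minimal length."""
    n = max(1, (value.bit_length() + 8) // 8)  # one spare bit keeps the sign bit clear
    return tlv(tag, value.to_bytes(n, "big"))


def rootdse_search_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the validation query."""
    search = (
        tlv(0x04, b"")                # baseObject: "" (the RootDSE)
        + ber_int(0, tag=0x0A)        # scope: baseObject(0)
        + ber_int(0, tag=0x0A)        # derefAliases: neverDerefAliases(0)
        + ber_int(0)                  # sizeLimit: 0 (no limit)
        + ber_int(0)                  # timeLimit: 0 (no limit)
        + tlv(0x01, b"\x00")          # typesOnly: FALSE
        + tlv(0x87, b"objectClass")   # filter: present [7] = (objectClass=*)
        + tlv(0x30, b"")              # attributes: empty SEQUENCE OF
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))  # [APPLICATION 3]


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: 0x8N followed by N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}


def search_result_done(buf: bytes):
    """Scan the LDAPMessages in buf and return (resultCode, diagnosticMessage) of
    the first SearchResultDone [APPLICATION 5], or None if it has not arrived yet.
    SearchResultEntry messages (a permitted RootDSE read returns one) are skipped."""
    pos = 0
    while pos < len(buf):
        try:
            tag, msg, nxt = _read_tlv(buf, pos)
        except IndexError:
            return None                      # header not complete yet
        if nxt > len(buf):
            return None                      # body not complete yet
        if tag != 0x30:
            raise ValueError("not an LDAPMessage at offset %d" % pos)
        _, _, p = _read_tlv(msg, 0)          # messageID
        op_tag, op, _ = _read_tlv(msg, p)
        if op_tag == 0x65:
            _, code, p2 = _read_tlv(op, 0)   # resultCode ENUMERATED
            _, _, p2 = _read_tlv(op, p2)     # matchedDN
            _, diag, _ = _read_tlv(op, p2)   # diagnosticMessage
            return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")
        pos = nxt
    return None


def constructed_reply(result_code: int, diag: str = "") -> bytes:
    """Constructed sample SearchResultDone for offline use (not captured from any server)."""
    done = ber_int(result_code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(1) + tlv(0x65, done))


def probe(host: str, port: int = 389, timeout: float = 5.0):
    """Send the probe anonymously (no BindRequest) and return the server's verdict as
    (resultCode, name, diagnosticMessage). Needs a reachable directory."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rootdse_search_request())
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return None
            buf += chunk
            done = search_result_done(buf)
            if done is not None:
                code, diag = done
                return code, LDAP_RESULT_CODES.get(code, "code %d" % code), diag


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 389))
```

A resultCode of 0 means the server answered the RootDSE read; 50 (insufficientAccessRights), 1 (operationsError) or 53 (unwillingToPerform) means a pool with testOnBorrow enabled would reject every connection it validates, and each borrow would end in the NoSuchElementException quoted above.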




> CLONE - Make LDAP connection pool 'testOnBorrow' configurable
> -------------------------------------------------------------
>
>                 Key: OAK-2897
>                 URL: https://issues.apache.org/jira/browse/OAK-2897
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-ldap
>    Affects Versions: 1.2
>            Reporter: Tobias Bocanegra
>            Assignee: Tobias Bocanegra
>            Priority: Minor
>              Labels: docs-impacting, resilience
>             Fix For: 1.3.0, 1.0.14, 1.2.3
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)