Yes, that commit is exactly the issue I am having. Unfortunately, the restriction added by that patch doesn't work for us, so I have decided to just stick with the version we have working. I would recommend making sure to add sufficient notice in the documentation of the LDAP that this restriction is in place, as it makes the LDAP authentication system much less flexible.

As for a recommendation on how to fix, I've been mostly focusing on working to get my configuration correct, and would need to become much more familiar with the source to feel comfortable offering any suggestions. Sorry!

Thanks,
Kevin

-----Original Message-----
From: Eric Charles [mailto:[email protected]]
Sent: Wednesday, March 21, 2012 10:12 AM
To: James Users List
Subject: Re: LDAP User Repository only works when userIdAttribute is 'cn'

Hi Kevin,

Thx for reporting and testing.

You can view the history on [1] and make diffs (example [2]).

You can see https://issues.apache.org/jira/browse/JAMES-1313 in the commit log. Is this related to the issue you have?

Do you have any idea on how to fix this for you taking into account previous patches?

Thx,
Eric

[1] http://svn.apache.org/viewvc/james/server/trunk/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java?view=log
[2] http://svn.apache.org/viewvc/james/server/trunk/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java?r1=1088681&r2=1179514&diff_format=h

On 21/03/12 14:38, Dion, Kevin wrote:
> I have an ADLDS instance on a server running James beta2 I had been using to
> provide the user repository for James. Previously, I was using the attribute
> 'uid' for the userIdAttribute in the configuration. When upgrading to beta4,
> this no longer works.
>
> When attempting to login, I get an 'Unable to retrieve user from ldap' error,
> with the following exception showing in the userrepository log:
>
> javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr:
> DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> 'OU=Users,DC=SYSTEM,DC=DOMAIN,DC=ORG'
> ]; remaining name 'uid=cbrown,ou=users,dc=system,dc=domain,dc=org'
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
> at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
> at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
> at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
> at org.apache.james.util.retry.naming.directory.RetryingDirContext$24.operation(RetryingDirContext.java:473)
> at org.apache.james.util.retry.ExceptionRetryHandler.perform(ExceptionRetryHandler.java:84)
> at org.apache.james.util.retry.naming.NamingExceptionRetryHandler.perform(NamingExceptionRetryHandler.java:58)
> at org.apache.james.util.retry.naming.directory.RetryingDirContext.search(RetryingDirContext.java:468)
> at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.buildUser(ReadOnlyUsersLDAPRepository.java:575)
> at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.getUserByName(ReadOnlyUsersLDAPRepository.java:648)
> at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.test(ReadOnlyUsersLDAPRepository.java:737)
> at org.apache.james.adapter.mailbox.store.UserRepositoryAuthenticator.isAuthentic(UserRepositoryAuthenticator.java:51)
> at org.apache.james.mailbox.store.StoreMailboxManager.login(StoreMailboxManager.java:269)
> at org.apache.james.mailbox.store.StoreMailboxManager.login(StoreMailboxManager.java:276)
> at org.apache.james.imap.processor.AbstractAuthProcessor.doAuth(AbstractAuthProcessor.java:56)
> at org.apache.james.imap.processor.LoginProcessor.doProcess(LoginProcessor.java:57)
> at org.apache.james.imap.processor.LoginProcessor.doProcess(LoginProcessor.java:37)
> at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:100)
> at org.apache.james.imap.processor.AbstractMailboxProcessor.process(AbstractMailboxProcessor.java:89)
> at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:83)
> at org.apache.james.imap.processor.AbstractMailboxProcessor.doProcess(AbstractMailboxProcessor.java:66)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:52)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imap.processor.base.AbstractChainedProcessor.process(AbstractChainedProcessor.java:54)
> at org.apache.james.imapserver.netty.ImapChannelUpstreamHandler.messageReceived(ImapChannelUpstreamHandler.java:181)
> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
> at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:327)
> at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:305)
> at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:207)
> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:75)
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
> at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:777)
> at org.jboss.netty.handler.execution.ChannelUpstreamEventRunnable.run(ChannelUpstreamEventRunnable.java:44)
> at org.jboss.netty.handler.execution.OrderedMemoryAwareThreadPoolExecutor$ChildExecutor.run(OrderedMemoryAwareThreadPoolExecutor.java:312)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:619)
>
> I believe the source of this error comes from the following location:
>
> ...
> at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.buildUser(ReadOnlyUsersLDAPRepository.java:575)
> at org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.getUserByName(ReadOnlyUsersLDAPRepository.java:648)
> ...
>
> Looking at the differences in the getUserByName method between beta2 (1) and
> beta4 (2), the newer beta4 implementation calls buildUser, but instead of
> passing in a user's DN (as called for by the buildUser input parameter),
> creates a pseudo-dn using the userIdAttribute and the supplied username. i.e.
> a proper DN would be of the form "cn=Charlie Brown,ou=users,dc=system,dc=domain,dc=org"
> but getUserByName calls buildUser with 'uid=cbrown,ou=users,dc=system,dc=domain,dc=org'.
> This leads to a failure in the LDAP lookup.
>
> Changing userIdAttribute to 'cn' and supplying the appropriate login
> information does provide correct login, however it should be possible for
> users to specify a different attribute for login purposes.
>
> Links to referenced source for comparison:
>
> (1) http://svn.apache.org/repos/asf/james/server/tags/james-server-3.0-beta2/ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java
>
> (2) https://svn.apache.org/repos/asf/james/server/tags/james-server-3.0-beta4/data-ldap/src/main/java/org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.java
>
> Kevin
>

--
eric | http://about.echarles.net | @echarles
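As an added illustration of the two lookup strategies Kevin contrasts (this is not code from James or from anyone in the thread): gluing a DN together from userIdAttribute, which only names a real entry when that attribute is the RDN, versus searching for the entry and using the DN the directory itself returns. The server URL, base DN and attribute are constructed placeholders, and the context binds anonymously; a real deployment supplies service-account credentials.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class LdapUserLookup {
    // Constructed placeholders; point them at the real directory, base DN and attribute.
    static final String LDAP_URL = "ldap://ldap.example.org:389";
    static final String USER_BASE = "ou=users,dc=system,dc=domain,dc=org";
    static final String USER_ID_ATTRIBUTE = "uid";
    // The beta4 pattern from the thread: build a DN from the configured attribute. It names a
    // real entry only when that attribute is the RDN; otherwise the server returns error 32.
    static String pseudoDn(String username) {
        return USER_ID_ATTRIBUTE + "=" + username + "," + USER_BASE;
    }

    // Search under the base for the entry whose userIdAttribute equals the login name and
    // return the DN the directory reports. The {0} placeholder lets JNDI escape the value.
    static String resolveUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only the DN is needed
        NamingEnumeration<SearchResult> results = ctx.search(
            USER_BASE, "(" + USER_ID_ATTRIBUTE + "={0})", new Object[] { username }, controls);
        try {
            if (!results.hasMore()) {
                return null; // unknown user: the caller must treat this as a failed login
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) { // two entries share the value: refuse rather than guess
                throw new NamingException(USER_ID_ATTRIBUTE + " is not unique for " + username);
            }
            return dn;
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        DirContext ctx = new InitialDirContext(env);
        System.out.println("constructed DN: " + pseudoDn("cbrown"));
        System.out.println("searched DN:    " + resolveUserDn(ctx, "cbrown"));
        ctx.close();
    }
}
```

Against an ADLDS tree whose RDN is cn, the constructed DN is the one that fails with NO_OBJECT while the searched DN resolves, which is the behaviour difference Kevin's log shows.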
