0 Replies Latest reply: Feb 10, 2012 8:46 AM by 562563 RSS

    Glassfish LDAP group search results in Exception

      I'm trying to get my group search running but I keep getting the same exception

           at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
           at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
           at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
           at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
           at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)

      There's only on post on the web with the same problem and there is is not fixed.

      This is the domain.xml

      <auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
      <property name="directory" value="ldap://myldap:389"></property>
      <property name="base-dn" value="ou=Users,o=xxx"></property>
      <property name="jaas-context" value="ldapRealm"></property>
      <property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
      <property name="search-bind-password" value="xxxxx"></property>
      <property name="search-filter" value="(&amp;(objectClass=user)(uid=%s))"></property>
      <property description="null" name="assign-groups" value="USER"></property>
      <property name="group-search-filter" value="(&amp;(objectClass=groupOfNames)(member=%d))"></property>
      <property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>

      Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.

      The group I am trying to map is

      And I do the following mapping in glassfish-web.xml


      I also have used


      I also get the following log message indicating that the search-bin-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.

      Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]

      When I look at the look at the LDAPRealm source code I see it is failing on the following statement

      int sz = grpAttr.size();

      This looks like to me that it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...

      * Search for group membership using the given connection.
      private List groupSearch(DirContext ctx, String baseDN,
      String filter, String target)
      List groupList = new ArrayList();

      try {
      String[] targets = new String[1];
      targets[0] = target;

      SearchControls ctls = new SearchControls();

      NamingEnumeration e = ctx.search(baseDN,
      filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);

      while(e.hasMore()) {
      SearchResult res = (SearchResult)e.next();
      Attribute grpAttr = res.getAttributes().get(target);
      int sz = grpAttr.size();
      for (int i=0; i<sz; i++) {
      String s = (String)grpAttr.get(i);

      } catch (Exception e) {
      _logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
      _logger.log(Level.WARNING, "security.exception", e);

      return groupList;

      Hope anyone knows the solution.