Issue #68 invalid

LDAP Authentication - problem 2001 (NO_OBJECT)

Benjamin Leov
created an issue

Hi,

This may not be a bug, but I cannot seem to get LDAP to work properly when trying to specify users within OUs that are buried three levels deep from the base DN. I am trying to only select users based on a "memberOf" attribute, and can create an LDAP query that selects them (using JXplorer), but when using this query in the search filter, it does not work. The query looks like this:

{{{ (&(memberOf=(CN=JavaDevelopers,OU=Developers,OU=Services, OU=Organisation,DC=mycompany,DC=net)(sAMAccountName={0}))) }}}

I'm using an authenticated LDAP connection, and I can get it to work if I specify the full path to an OU (minus the "Users" OU of course) that contains some users in the base DN; however, I cannot do this as the users are spread across different OUs. Changing the search scope seems to have no effect. The full exception I'm getting is:

{{{
at java.lang.Thread.run(Unknown Source) [na:1.7.0]
23:36:39.301 [qtp1879666187-17] ERROR sonia.scm.auth.ldap.LDAPAuthenticationHandler - exception occured during user search
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Organisation,DC=mycompany,DC=net'
}}}

Sorry if this is a silly question, and thanks for creating a great scm manager!

Comments (5)

  1. Sebastian Sdorra repo owner
    • changed status to open

    Error code 32 sounds like your OU could not be found. Does your bind user have enough rights to read this OU? I think your search filter has too many braces.

    (&(memberOf=(CN=JavaDevelopers,OU=Developers,OU=Services,
    OU=Organisation,DC=mycompany,DC=net)(sAMAccountName={0})))
    

    Should be:

    (&(memberOf=CN=JavaDevelopers,OU=Developers,OU=Services,
    OU=Organisation,DC=mycompany,DC=net)(sAMAccountName={0}))
    

    Could you please post your whole configuration and all of the sonia.scm.auth.ldap.LDAPAuthenticationHandler log entries?

  2. Benjamin Leov reporter

    I'm using the same login details that I'm using with JXplorer, and I've also used another application which can find the users, so it can't be a permission problem. I must have mis-typed the brackets; if the query is incorrect you get a different error message. Here is the full configuration on that page.

    ID Attribute Name: sAMAccountName

    Fullname Attribute Name: cn

    Mail Attribute Name: mail

    Group Attribute Name: memberOf

    Base DN: OU=Organisation,DC=mycompany,DC=net

    Connection DN: myauthuser

    Connection Password: mypassword

    Host URL: ldap:server:389

    Search Filter: (&(memberOf=CN=JavaDevelopers,OU=Developers,OU=Services,OU=Organisation,DC=mycompany,DC=net)(sAMAccountName={0}))

    Group Search Filter: <Blank>

    Search Scope: sub

    People Unit: OU=Users

    Groups Unit: <Blank>

    Enabled: True

    I've tried various combinations in the Group Unit, but for the moment I would just like to get it working without worrying about groups.

    The full stack trace is as follows.

    15:15:42.986 [qtp1879666187-23] ERROR sonia.scm.auth.ldap.LDAPAuthenticationHandler - exception occured during user search
    javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    	'OU=Organisation,DC=mycompany,DC=net'
    		at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source) ~[na:1.7.0]
    	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source) ~[na:1.7.0]
    	at javax.naming.directory.InitialDirContext.search(Unknown Source) ~[na:1.7.0]
    	at sonia.scm.auth.ldap.LDAPAuthenticationHandler.getUserSearchResult(LDAPAuthenticationHandler.java:701) [scm-auth-ldap-plugin-1.5.jar:na]
    	at sonia.scm.auth.ldap.LDAPAuthenticationHandler.authenticate(LDAPAuthenticationHandler.java:269) [scm-auth-ldap-plugin-1.5.jar:na]
    	at sonia.scm.auth.ldap.LDAPAuthenticationHandler.authenticate(LDAPAuthenticationHandler.java:141) [scm-auth-ldap-plugin-1.5.jar:na]
    	at sonia.scm.web.security.ChainAuthenticatonManager.doAuthentication(ChainAuthenticatonManager.java:206) [classes/:na]
    	at sonia.scm.web.security.ChainAuthenticatonManager.authenticate(ChainAuthenticatonManager.java:132) [classes/:na]
    	at sonia.scm.web.security.BasicSecurityContext.authenticate(BasicSecurityContext.java:119) [classes/:na]
    	at sonia.scm.api.rest.resources.AuthenticationResource.authenticate(AuthenticationResource.java:128) [classes/:na]
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0]
    	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.7.0]
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.7.0]
    	at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.7.0]
    	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:537) [jersey-bundle-1.8.jar:1.8]
    	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:699) [jersey-bundle-1.8.jar:1.8]
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) [servlet-api-2.5.jar:2.5]
    	at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at sonia.scm.filter.SecurityFilter.doFilter(SecurityFilter.java:123) [classes/:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:102) [scm-core-1.7.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at sonia.scm.filter.GZipFilter.doFilter(GZipFilter.java:78) [classes/:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:102) [scm-core-1.7.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at sonia.scm.filter.BaseUrlFilter.doFilter(BaseUrlFilter.java:100) [classes/:na]
    	at sonia.scm.web.filter.HttpFilter.doFilter(HttpFilter.java:102) [scm-core-1.7.jar:na]
    	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118) [guice-servlet-3.0.jar:na]
    	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113) [guice-servlet-3.0.jar:na]
    	at sonia.scm.boot.BootstrapFilter.doFilter(BootstrapFilter.java:104) [classes/:na]
    	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1323) [jetty-servlet-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:476) [jetty-servlet-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:517) [jetty-security-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406) [jetty-servlet-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.Server.handle(Server.java:346) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1065) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:823) [jetty-http-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:220) [jetty-http-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411) [jetty-server-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535) [jetty-io-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40) [jetty-io-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529) [jetty-util-7.4.5.v20110725.jar:7.4.5.v20110725]
    	at java.lang.Thread.run(Unknown Source) [na:1.7.0]
    
  3. Sebastian Sdorra repo owner

    The error code 32 means that the OU=Users,OU=Organisation,DC=mycompany,DC=net (People Unit + Base DN) does not exist. If this DN does not exist you could use an empty "People Unit". Could you please post the whole log of an authentication with debug logging enabled?

    Enable debug logging:

    • Edit scm-server/conf/logging.xml
    • Change the line from: <logger name="sonia.scm" level="INFO" />
    • to: <logger name="sonia.scm" level="TRACE" />
  4. Benjamin Leov reporter

    Removing the People Unit worked. Sorry for wasting your time. I really like this project, and I hope it does well. I have some suggestions for enhancements, such as being able to have repository groups, but I won't put them onto this issue. I'm not sure if you want me to change the status, so I'll leave it for you to close/mark invalid. Thanks for your help.
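
The diagnosis from comment 3, as an added example that is not part of the thread or of the plugin's code: it composes the search base as People Unit + Base DN, compares it with the `best match of` DN in an error code 32 line, and flags the `=(` pattern from the first filter. The function names are hypothetical; the inputs are the values posted above.

```python
import re

# Values copied from the configuration and log posted in the thread.
BASE_DN = "OU=Organisation,DC=mycompany,DC=net"
PEOPLE_UNIT = "OU=Users"
LOG_LINE = ("javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
            "NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: "
            "'OU=Organisation,DC=mycompany,DC=net'")

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, trimming whitespace."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def search_base(people_unit, base_dn):
    """User search base as described in the thread: People Unit + Base DN."""
    return ",".join(split_dn(people_unit) + split_dn(base_dn))

def missing_rdns(log_line, people_unit, base_dn):
    """RDNs of the search base that the server could not resolve, or None
    if the line is not an error 32 whose best match is an ancestor of it."""
    m = re.search(r"error code 32\b.*?best match of:\s*'([^']*)'", log_line, re.S)
    if not m:
        return None
    wanted = split_dn(search_base(people_unit, base_dn))
    found = split_dn(m.group(1))
    cut = len(wanted) - len(found)
    if [r.lower() for r in wanted[cut:]] != [r.lower() for r in found]:
        return None
    return wanted[:cut]

def filter_problems(flt):
    """Flag unbalanced parentheses and a '(' that directly follows '='."""
    problems, depth = [], 0
    for i, ch in enumerate(flt):
        if ch == "(":
            if i and flt[i - 1] == "=":
                problems.append(f"'(' opens an assertion value at offset {i}")
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {i}")
                depth = 0
    if depth:
        problems.append(f"{depth} unclosed '('")
    return problems

if __name__ == "__main__":
    print(search_base(PEOPLE_UNIT, BASE_DN))
    print(missing_rdns(LOG_LINE, PEOPLE_UNIT, BASE_DN))
```

The first filter in the thread has balanced parentheses, so counting them alone would not catch it; the `=(` check does.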
