Using cmapserver 5.04, 1 GB of RAM on an Ubuntu Linux 10.04 server.
I recently had to reorganize my LDAP directory from scratch. (Note to future sysadmins: sometimes you think you're making the right choice of structures when you're really not.) Ugh. The structural changes were significant, so I'm re-installing cmapserver from scratch as well. I still have all the old settings and maps safely tucked away.
Anyway, cmapserver is now unable to authenticate to LDAP using the new structure. It seems like cmapserver isn't even binding correctly to search the LDAP tree, but I can't tell exactly. I've pored through the logs and I don't recognize anything untoward, though to be honest I'm not sure precisely what I'm seeing.
I think I've set the appropriate lines for users and groups in serverconfig. I know the DNs are correct because I can bind and query the LDAP server on a command line using the same values.
I can authenticate only with the cmap_admin credentials I made when first installing cmapserver if I set the login type to regular or both -- that's the built-in administrator for admin tools. If I set the login type to ldap only, I cannot authenticate at all with any credentials. That includes logging in with the CMapTools software or viewing any concept maps with a web browser.
If I go into CMapTools as the built-in admin, I can remove all the old permissions on my maps, but when I try to add new users by browsing LDAP, I am asked for a login and password before the directory will search. I have tried every login and password I can think of -- LDAP administrator login included -- but nothing will search the tree. This is why I think there's a binding problem.
Here are the relevant LDAP entries in the serverconfig. Just to clarify:
* The vmail account is used by other web apps to bind. It certainly works for them.
* I've tried specifying vmail by both DN and UID. Neither works.
* The ip entry "ldap" resolves in DNS to the right location. I can ping it from the cmapserver box and do command line queries with "ldap" as the specific hostname.
# LDAP Configuration for Permissions
#
# These settings enable the CmapServer to use an LDAP directory for user
# authentication when defining permissions for folders.
# Authentication mode: standard permissions, LDAP permissions, or both
# If this line is missing or blank, then standard permissions is assumed
# Valid values: authentication.standard
# authentication.ldap
#
# Example (for both): user.authentication = authentication.standard,authentication.ldap
#
user.authentication=authentication.standard,authentication.ldap
#user.authentication=authentication.standard
# User ID of the root folder administrator for an LDAP-enabled server.
# This User ID should match an entry in the LDAP server.
#
ldap.root.folder.account=vmail
# Password of the root folder administrator for an LDAP-enabled server.
# This password should match the password stored in the LDAP server.
#
# IMPORTANT: Once the server is launched, the password will be encrypted.
# To replace the encrypted password: shutdown the server, remove the
# encrypted_<some random characters>\\= (no quotes) completely,
# type in the new password for the value, then save this file and launch the
# CmapServer again. All passwords that were replaced in this file will again
# be encrypted once the CmapServer has been launched.
#
ldap.root.folder.password=encrypted_z6lE3arjKfmW+jNgfrDVA24QJg5BdTdO1wcfLE\=
# IP address or hostname of the LDAP server
#
# Example: ldap.user.directory.ip = myhost.mydomain.com
#
ldap.user.directory.ip=ldap
# Port number of the LDAP server
#
ldap.user.directory.port=389
# Protocol to use for communication with the LDAP server.
# If a secure mode is selected, the certificates from the PKI
# settings above will be used, if they have been specified.
# Valid values: normal, tls, or ssl
#
# Example: ldap.user.directory.connection.mode=normal
ldap.user.directory.connection.mode=normal
# DN of the container where individual users are stored
#
# Example: ldap.user.directory.usersBaseDN = ou=People,dc=mydomain,dc=com
#
ldap.user.directory.usersBaseDN=ou\=Users,domainName\=seeyourselfteaching.com,o\=domains,dc\=seeyourselfteaching,dc\=com
# DN of the container where groups are stored
#
# Example: ldap.user.directory.groupsBaseDN = ou=Groups,dc=mydomain,dc=com
#
ldap.user.directory.groupsBaseDN=ou\=Groups,domainName\=seeyourselfteaching.com,o\=domains,dc\=seeyourselfteaching,dc\=com
# Name of the attribute which holds the user's ID
#
ldap.user.directory.userAttr=uid
# Name of the attribute which holds the group's ID
#
ldap.user.directory.groupAttr=cn
(CLASS: nlk.acl.directory.ldap.LDAPUserDirectory METHOD: getUserDN LINE: 588)
LDAPUserDirectory: unable to lookup user DN with anonymous access, will not try again
(CLASS: nlk.acl.directory.ldap.LDAPUserDirectory METHOD: getUserDN LINE: 589)
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at us.ihmc.net.ssl.SSLInitialContextFactory.getContext(SSLInitialContextFactory.java:171)
at us.ihmc.net.ssl.SSLInitialContextFactory.getInitialContext(SSLInitialContextFactory.java:93)
at nlk.acl.directory.ldap.LDAPHelper.bind(LDAPHelper.java:63)
at nlk.acl.directory.ldap.LDAPUserDirectory.getUserDN(LDAPUserDirectory.java:569)
at nlk.acl.directory.ldap.LDAPUserDirectory.bind(LDAPUserDirectory.java:511)
at nlk.acl.directory.ldap.LDAPUserDirectory.authenticateUser(LDAPUserDirectory.java:142)
at nlk.base.LDAPAuthenticator.authenticateUser(LDAPAuthenticator.java:24)
at nlk.acl.NewCmapACLManager.checkPermission(NewCmapACLManager.java:148)
at nlk.acl.NewCmapACLManager.checkPermission(NewCmapACLManager.java:37)
at nlk.resio.ServletHelper.checkPermissions(ServletHelper.java:1888)
at nlk.htmlview.HtmlView.generateHtmlFolderView(HtmlView.java:157)
at nlk.resio.SBReadResourceServlet.doGet(SBReadResourceServlet.java:563)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Unknown Source)
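The following is an added example and is not part of the original post or of the CmapServer software. It parses a serverconfig excerpt written in the same Java .properties syntax as the one above (where "=" inside a value is escaped as "\="), works out the DN the server has to resolve for the root folder account, and cross-checks the settings against the "error code 48 - anonymous bind disallowed" failure in the log. The configuration values, hostnames and log line in the script are constructed stand-ins, and the function names are the example's own.

```python
"""Review CmapServer-style LDAP settings against a bind failure in the log.

Added example, not CmapServer code. The sample config and log line below are
constructed to mirror the shape of the post's serverconfig and stack trace.
"""
import re

# Constructed excerpt in the same .properties shape as the post's serverconfig.
SAMPLE_CONFIG = r"""
# LDAP Configuration for Permissions
user.authentication=authentication.standard,authentication.ldap
ldap.root.folder.account=vmail
ldap.root.folder.password=encrypted_PLACEHOLDER\=
ldap.user.directory.ip=ldap
ldap.user.directory.port=389
ldap.user.directory.connection.mode=normal
ldap.user.directory.usersBaseDN=ou\=Users,domainName\=example.com,o\=domains,dc\=example,dc\=com
ldap.user.directory.groupsBaseDN=ou\=Groups,domainName\=example.com,o\=domains,dc\=example,dc\=com
ldap.user.directory.userAttr=uid
ldap.user.directory.groupAttr=cn
"""

# Constructed log line mirroring the exception text quoted in the post.
SAMPLE_LOG = ("javax.naming.AuthenticationNotSupportedException: "
              "[LDAP: error code 48 - anonymous bind disallowed]")

# LDAP result codes (RFC 4511 names) that commonly surface during a bind.
LDAP_RESULT_CODES = {
    32: "noSuchObject: the base DN or user DN does not exist",
    48: "inappropriateAuthentication: the server refused the bind type used "
        "(for example, anonymous binds are disabled)",
    49: "invalidCredentials: wrong DN or password",
}


def parse_properties(text):
    """Parse Java .properties text: '#' comments, key=value, '\\=' unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' that is not preceded by a backslash.
        m = re.match(r"^((?:\\.|[^=\\])+)=(.*)$", line)
        if not m:
            continue
        key = m.group(1).strip()
        value = re.sub(r"\\(.)", r"\1", m.group(2).strip())  # drop escapes
        props[key] = value
    return props


def is_dn(value):
    """Heuristic: a DN is a comma-separated list of attr=value pairs."""
    return all("=" in part for part in value.split(","))


def expected_user_dn(props):
    """DN the server must resolve for the root folder account.

    A bare ID such as 'vmail' becomes <userAttr>=<account>,<usersBaseDN>;
    a value that already looks like a DN is returned unchanged.
    """
    account = props["ldap.root.folder.account"]
    if is_dn(account):
        return account
    return "%s=%s,%s" % (props["ldap.user.directory.userAttr"], account,
                         props["ldap.user.directory.usersBaseDN"])


def ldap_error_code(log_text):
    """Extract the numeric LDAP result code from a JNDI exception message."""
    m = re.search(r"error code (\d+)", log_text)
    return int(m.group(1)) if m else None


def review(props, log_text):
    """Return a list of findings a directory admin would want to see first."""
    findings = []
    if props.get("ldap.user.directory.connection.mode", "normal") == "normal":
        findings.append("cleartext: bind credentials travel unencrypted on port %s; "
                        "prefer tls or ssl" % props.get("ldap.user.directory.port"))
    bare_id = not is_dn(props["ldap.root.folder.account"])
    if bare_id:
        findings.append("account is a bare ID, so the server must search the "
                        "directory to resolve it to a DN before it can bind")
    code = ldap_error_code(log_text)
    if code in LDAP_RESULT_CODES:
        findings.append("LDAP result %d = %s" % (code, LDAP_RESULT_CODES[code]))
    if code == 48 and bare_id:
        findings.append("the DN lookup ran as an anonymous search and the directory "
                        "rejects anonymous binds, so the user DN can never be "
                        "resolved; the directory must allow anonymous read of the "
                        "users base DN or the application must bind before searching")
    return findings


if __name__ == "__main__":
    settings = parse_properties(SAMPLE_CONFIG)
    print("DN to resolve:", expected_user_dn(settings))
    for finding in review(settings, SAMPLE_LOG):
        print("-", finding)
```

Running it against a real serverconfig only requires replacing SAMPLE_CONFIG with the file contents; the encrypted password value is parsed but never interpreted, so the script is safe to run on a live configuration. The last finding is the one that matches the post's log: the "unable to lookup user DN with anonymous access" message shows the lookup happening before any credentials are presented, which is why the credentials tried afterwards make no difference.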