[Anthill-pro] LDAP
Ryan Smith
rws at urbancode.com
Mon Mar 23 10:28:08 CST 2009
Peter,
The user that is used to access LDAP does not have privileges to
retrieve attributes on the user entry. Are you using anonymous access?
Ryan
Buschmann, Peter D wrote:
> Ryan,
>
> That change produced this on my next login attempt (I substituted a few
> x's and 0's) ->
>
> 2009-03-23 10:34:20,018 INFO http-xx.xx.xx.xx.com%2F00.000.00.00-80-Processor17 com.urbancode.anthill3.domain.security.Authority - Authentication failed for System :: myid
> 2009-03-23 10:34:20,033 INFO http-xx.xx.xx.xx.com%2F00.000.00.00-80-Processor17 com.urbancode.anthill3.domain.security.Authority - Authentication failed for Anthill :: myid
> 2009-03-23 10:34:20,440 DEBUG http-xx.xx.xx.xx.com%2F00.000.00.00-80-Processor17 com.urbancode.anthill3.domain.authorization.ldap.LDAPAuthorizationRealm - LDAP Role Mapping configured
> 2009-03-23 10:34:20,440 DEBUG http-xx.xx.xx.xx.com%2F00.000.00.00-80-Processor17 com.urbancode.anthill3.domain.authorization.ldap.LDAPAuthorizationRealm - LDAP Role Mapping Method: Attribute
> 2009-03-23 10:34:20,565 DEBUG http-xx.xx.xx.xx.com%2F00.000.00.00-80-Processor17 com.urbancode.anthill3.domain.authorization.ldap.LDAPAuthorizationRealm - Error occurred during LDAP Authorization: User does not have sufficient priviledges to login
> com.urbancode.anthill3.domain.security.AuthorizationException: User does not have sufficient priviledges to login
>     at com.urbancode.anthill3.domain.authorization.ldap.LDAPAuthorizationRealm.getUserRoles(LDAPAuthorizationRealm.java:269)
>     at com.urbancode.anthill3.domain.authentication.ldap.LDAPLoginModule.getUserRoles(LDAPLoginModule.java:429)
>     at com.urbancode.anthill3.domain.authentication.ldap.LDAPLoginModule.createUserAsNeeded(LDAPLoginModule.java:498)
>     at com.urbancode.anthill3.domain.authentication.ldap.LDAPLoginModule.commit(LDAPLoginModule.java:120)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:585)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
>     at com.urbancode.anthill3.web.admin.security.LoginTasks.authenticateUser(LoginTasks.java:233)
>     at com.urbancode.anthill3.web.admin.security.LoginTasks.authenticateUser(LoginTasks.java:164)
>     at com.urbancode.anthill3.web.admin.security.LoginTasks.authenticate(LoginTasks.java:435)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:585)
>     at com.urbancode.anthill3.web.controller.ControllerServlet.doPost(ControllerServlet.java:313)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.urbancode.anthill3.web.util.LicenseFilter.doFilter(LicenseFilter.java:78)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.urbancode.anthill3.web.util.SecurityFilter.doFilter(SecurityFilter.java:129)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.urbancode.anthill3.web.util.AuthorityFilter.doFilter(AuthorityFilter.java:67)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.urbancode.anthill3.web.security.DisableSessionUrlFilter.doFilter(DisableSessionUrlFilter.java:127)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.urbancode.anthill3.web.security.SecureSessionFilter.doFilter(SecureSessionFilter.java:114)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>     at java.lang.Thread.run(Thread.java:595)
>
> The 'System' and 'Anthill' authentication failures seem fine, as this ID
> is not set up there (but it is in LDAP).
>
> I can login with the ID set up in AHP to an LDAP browser, and see the
> entries that I'm looking for. Also, I have mapped a role that I have
> within LDAP to a role defined within AHP. And presumably the
> authentication can work, as it seems to work fine when the authorization
> realm is Anthill (and when the test ID and password are validated when
> changing the authorization realm).
>
> So I'm puzzled as to what is producing the "User does not have
> sufficient priviledges to login" message during the actual login
> attempt.
>
>
> Peter
>
> -----Original Message-----
> From: anthill-pro-bounces at lists.urbancode.com
> [mailto:anthill-pro-bounces at lists.urbancode.com] On Behalf Of Ryan Smith
> Sent: Monday, March 23, 2009 10:19 AM
> To: AnthillPro user and support list.
> Subject: Re: [Anthill-pro] LDAP
>
> Peter,
>
> The authorization realm does not allow a user to log in if they have 0
> roles. It sounds like we are getting no roles from LDAP. Try adding this
> line to the bottom of the server's conf/server/log4j.properties file:
>
> log4j.logger.com.urbancode.anthill3.domain.authorization.ldap=DEBUG
>
> Wait 1 minute and attempt the login again while tailing the server's
> output log. There should be debugging statements that will help us
> troubleshoot it.
>
>
> Ryan Smith
>
> Buschmann, Peter D wrote:
>
>> Mark,
>>
>> Under "Authorization", we have a realm named "Active Directory" (plus
>> the Default "Anthill"). The "Active Directory" "Role Attribute" is set
>> to "memberOf", which is the attribute under the LDAP user entry that
>> contains role names.
>>
>> Under "Authentication", we have an "LDAP" realm. When I set LDAP's
>> authorization realm to "Anthill", I can login with my AD ID. However,
>> while I can change LDAP's authorization realm to "Active Directory"
>> (using my ID and pswd as the test ID and test password), I get the
>> message, "Invalid login, please try again" when I subsequently try to
>> login to AHP.
>>
>> Do you know what is wrong, or how I can enable logging for this?
>>
>>
>> Peter
>>
>> -----Original Message-----
>> From: anthill-pro-bounces at lists.urbancode.com
>> [mailto:anthill-pro-bounces at lists.urbancode.com] On Behalf Of Mark
>> Melvin
>> Sent: Monday, March 23, 2009 8:16 AM
>> To: AnthillPro user and support list.
>> Subject: RE: [Anthill-pro] LDAP
>>
>> Hi Curtis,
>>
>> I am using LDAP as well. Let me know if you have any questions. I
>> can't guarantee I can answer them, but I'll try. ;)
>>
>> Mark.
>>
>> --------------------------------------------
>>
>>
>>
>>> -----Original Message-----
>>> From: anthill-pro-bounces at lists.urbancode.com
>>> [mailto:anthill-pro-bounces at lists.urbancode.com] On Behalf Of
>>> Yanko, Curtis
>>> Sent: March 18, 2009 12:17 PM
>>> To: rws at urbancode.com; AnthillPro user and support list.
>>> Subject: [Anthill-pro] LDAP
>>>
>>>
>>> Is anyone using LDAP groups to grant access to roles in AHP?
>>>
>>>
>>> ==========
>>> Curtis Yanko
>>> Application & Developer Infrastructure Services
>>> Source->Build->Deploy
>>> W: 860.702.9059
>>> M: 860.881.2050
>>>
>>>
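The diagnosis in this thread (the entry is found, but the bind account gets no `memberOf` values back, so the realm sees 0 roles) can be checked outside AnthillPro. This is an added example, not part of the original messages or AnthillPro code; the sample LDIF, DNs and group names are constructed, and `HOST`, `BIND_DN`, `BASE_DN` and the search filter are placeholders.

```shell
#!/bin/sh
# Added example, not AnthillPro code. Reads ldapsearch LDIF output on stdin and
# reports what the bind account was allowed to see for the role attribute.
# Real input would come from a search run as the configured bind account, e.g.
# (HOST, BIND_DN, BASE_DN and the filter are placeholders):
#   ldapsearch -x -H ldap://HOST -D "BIND_DN" -W -b "BASE_DN" "(sAMAccountName=myid)" memberOf
classify_role_lookup() {
    awk -v attr="${1:-memberOf}" '
        /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line: unfold
             { tally(); buf = $0 }
        END  {
            tally()
            if (entries == 0)    print "no-entry"
            else if (roles == 0) print "entry-without-roles"
            else                 print "roles:" roles
        }
        function tally(   name) {
            if (buf == "" || buf ~ /^#/) return  # skip blanks and LDIF comments
            name = tolower(buf)
            sub(/[;:].*/, "", name)              # drop value, "::" marker, ;options
            if (name == "dn") entries++
            else if (name == tolower(attr)) roles++
        }'
}

# Constructed sample: the entry is visible, but no memberOf values came back.
sample_hidden_attr() {
cat <<'EOF'
# extended LDIF
dn: CN=Test User,OU=Staff,DC=example,DC=com

# numEntries: 1
EOF
}

# Constructed sample: two group values, the first folded across two lines.
sample_with_roles() {
cat <<'EOF'
dn: CN=Test User,OU=Staff,DC=example,DC=com
memberOf: CN=ahp-build-masters,OU=Groups,DC=exam
 ple,DC=com
memberOf: CN=ahp-users,OU=Groups,DC=example,DC=com
EOF
}

sample_hidden_attr | classify_role_lookup
sample_with_roles  | classify_role_lookup
```

`entry-without-roles` for a user known to belong to groups points at the bind account's read access to the attribute (or an anonymous bind); `no-entry` points at the search base, the filter, or visibility of the entry itself.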