CAS AD LDAP 32 error - active-directory

I am seeing this when I try to login with CAS which is authenticating against AD over LDAP.
SEVERE: Servlet.service() for servlet cas threw exception
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; remaining name '/'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at org.springframework.ldap.core.LdapTemplate$3.executeSearch(LdapTemplate.java:231)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:588)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:546)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:401)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:421)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:441)
Up to that point I was authenticated by the BindLdapAuthenticationHandler and resolved; it generated a query builder and then threw this.
I think it is failing when it is trying to get attributes back. Why is the remaining name '/'?

Remaining name is the part of a DN that wasn't actually found at a certain level of the DIT. For example, when you search cn=johns,ou=marketing,dc=example,dc=com and ou=marketing,dc=example,dc=com exists but cn=johns does not exist inside ou=marketing, then the remaining name would be cn=johns.
'/' does not look like a valid RDN. I would recommend verifying what you pass as a search base. Most likely it's an invalid DN string.

LDAP error code 32 means "no such object", in this case, perhaps the base object of the search did not exist.

Related

Unable to start Kafka Server using SASL_PLAINTEXT authentication

I'm trying to run Apache Kafka on Windows Server 2016 with the following configurations
server.properties:
delete.topic.enable=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.protocol=SASL_PLAINTEXT
listeners=SASL_PLAINTEXT://127.0.0.1:9092
advertised.listeners=SASL_PLAINTEXT://localhost:9092
listener.security.protocol.map=SASL_PLAINTEXT:SASL_PLAINTEXT
kafka_server_jaas.conf:
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="username"
password="password"
user_kafkaadmin="password2";
};
Client {};
start-kafka.bat:
@echo off
SET KAFKA_OPTS = "-Djava.security.auth.login.config=C:\Kafka\config\kafka_server_jaas.conf"
C:\Kafka\bin\windows\kafka-server-start.bat C:\Kafka\config\server.properties
However I'm getting the following error
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'sasl_plaintext.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
at org.apache.kafka.common.security.JaasContext.defaultContext(JaasContext.java:133)
at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:98)
at org.apache.kafka.common.security.JaasContext.loadServerContext(JaasContext.java:70)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:121)
at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:85)
at kafka.network.Processor.<init>(SocketServer.scala:747)
at kafka.network.SocketServer.newProcessor(SocketServer.scala:394)
at kafka.network.SocketServer$$anonfun$kafka$network$SocketServer$$addDataPlaneProcessors$1.apply$mcVI$sp(SocketServer.scala:279)
at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:160)
at kafka.network.SocketServer.kafka$network$SocketServer$$addDataPlaneProcessors(SocketServer.scala:278)
at kafka.network.SocketServer$$anonfun$createDataPlaneAcceptorsAndProcessors$1.apply(SocketServer.scala:241)
at kafka.network.SocketServer$$anonfun$createDataPlaneAcceptorsAndProcessors$1.apply(SocketServer.scala:238)
at scala.collection.mutable.ResizableArray$class.foreach(ResizableArray.scala:59)
at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:48)
at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:238)
at kafka.network.SocketServer.startup(SocketServer.scala:121)
at kafka.server.KafkaServer.startup(KafkaServer.scala:263)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
at kafka.Kafka$.main(Kafka.scala:84)
at kafka.Kafka.main(Kafka.scala)
Am I missing something in the configuration?
Thank you,
Try to remove spaces before and after the equal sign:
SET KAFKA_OPTS=-Djava.security.auth.login.config=C:\Kafka\config\kafka_server_jaas.conf
Because normally you should not put a space on either side of the equal sign. A space before the equal sign will become part of the name; a space after the equal sign will become part of the value.

How to escape LDAP dn for lookup?

I have a small script (spring/groovy/ldap) that finds, in Active Directory, the 'management tree' under a person,
i.e. from a 'root person' the script finds the root person's direct reports, then uses recursion: for each direct report, find their direct reports, etc.
The directReports user attribute specifies a list of DNs in the form:
CN=Simpson\, Homer,OU=OU_0731DevOps,OU=OU_0100Monitor Services,OU=OU_0001U*Nuclear Energy Corporation,OU=OU_UNuclearUsers,DC=corp,DC=unucleargrp,DC=com
The script does an "ldap lookup" for each direct report by DN, e.g.:
obj = ldapTemplate.lookup(pDn, new UserAttributesMapper())
Problem
The ldap lookup throws an InvalidNameException
[LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090787
I've tried various combinations of escaping but still get the error.
What am I missing???
More Info
This URL https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx shows which characters to escape:
Active Directory requires that the following ten characters be escaped
with the backslash "\" escape character if they appear in any of the
individual components of a distinguished name:
Comma ,
Backslash character \
Pound sign (hash sign) #
Plus sign +
Less than symbol <
Greater than symbol >
Semicolon ;
Double quote (quotation mark) "
Equal sign =
Leading or trailing spaces
Tools
Groovy
Spring Boot
JVM
thanks!
I found the answer by poking around with LDAPNameBuilder.
TLDR:
ldapTemplate.lookup requires stripping off the "DC.." portion of the DN.*
If you know a cleaner/more-official solution, please post!
LDAP Lookup fails with a DN like this:
This DN has "DC=.." components and fails using spring ldap lookup.
CN=Simpson\, Homer,OU=OU_0731DevOps,OU=OU_0100Monitor Services,OU=OU_0001U*Nuclear Energy Corporation,OU=OU_UNuclearUsers,DC=corp,DC=unucleargrp,DC=com
LDAP succeeds with this (no "DC" components):
This DN has no "DC=" components. Spring LDAP template provides the basedn.
CN=Simpson\, Homer,OU=OU_0731DevOps,OU=OU_0100Monitor Services,OU=OU_0001U*Nuclear Energy Corporation
Context Reminder
This application traverses the 'management tree.' It gets a person's managees by the 'directReports' attribute (which lists the full DNs of each direct report). This application wanted to look up that user by his/her DN.
Tweak/Example
This tweak got the ldap lookup to work:
User lookupUserByDn(String pDn) {
// needed this to get it to work
String dn=pDn.replace(",${ldapConfig.base}","")
ldapTemplate.lookup(dn, new UserAttributesMapper())
}
For the record, my application.yml ldap portion looked like this:
spring:
  ldap:
    urls: ldap://dc.corp.unucleargrp.com:389
    base: DC=corp,DC=unucleargrp,DC=com
    username: username_val
    password: password_val
According to this https://docs.spring.io/spring-ldap/docs/2.3.1.RELEASE/reference/#contextsource-configuration:
removing the base attribute, all operations going back and forth will use full DNs.
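The following is an added example (not the poster's script and not Spring LDAP's own code) using only the JDK's javax.naming.ldap classes. It covers both threads above: validating a string before it is used as a search base (the advice given for the error 32 question), building a DN from a user-supplied CN with the escaping the TechNet list requires, and stripping the context-source base from a directReports DN without the fragile String.replace. The base DN and names are the ones from the post; DnHelper and its method names are assumptions.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** DN helpers for the escaping and base-stripping issues above (added example). */
public final class DnHelper {

    /** True when the string parses as an RFC 2253 DN; check a search base with this before using it. */
    public static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /** Builds "CN=<cn>,<parentDn>"; Rdn(type, value) escapes ',', '+', '"', '\', '<', '>', ';', '#' and
     *  leading/trailing spaces, so a user-supplied name cannot add or alter RDN components. */
    public static String buildEntryDn(String cn, String parentDn) throws InvalidNameException {
        LdapName dn = new LdapName(parentDn);
        dn.add(new Rdn("CN", cn)); // add() appends at the leftmost (most specific) position
        return dn.toString();
    }

    /** Strips the context-source base (e.g. DC=corp,DC=unucleargrp,DC=com) from a full DN so the
     *  remainder can go to LdapTemplate.lookup. Unlike String.replace this comparison is
     *  case-insensitive, tolerates spacing differences, and rejects DNs outside the base. */
    public static String relativeToBase(String fullDn, String baseDn) throws InvalidNameException {
        LdapName full = new LdapName(fullDn);
        LdapName base = new LdapName(baseDn);
        // LdapName indexes RDNs right to left (index 0 is DC=com), so the base is a prefix.
        if (!full.startsWith(base)) {
            throw new InvalidNameException(fullDn + " is not under base " + baseDn);
        }
        return full.getSuffix(base.size()).toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        String base = "DC=corp,DC=unucleargrp,DC=com";
        // "Simpson, Homer" becomes CN=Simpson\, Homer; '*' in an OU needs no DN escaping (it is a filter metachar).
        String dn = buildEntryDn("Simpson, Homer",
                "OU=OU_0731DevOps,OU=OU_0100Monitor Services,OU=OU_0001U*Nuclear Energy Corporation," + base);
        System.out.println(dn);
        // Base written in a different case and with spaces still matches.
        System.out.println(relativeToBase(dn, "dc=corp, dc=unucleargrp, dc=com"));
        System.out.println(isValidDn("/"));   // the search base from the error 32 question
    }
}
```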

Getting deleted users from Active Directory using Java JNDI

I want to get all details of AD users which are being deleted.
As per my info, when users are deleted from Active Directory they are stored in a container with CN=Deleted Objects.
Now when I search users with searchBase = "DC=domain, DC=local", everything works fine and I get data for all users with their name, mobile etc.
But when I apply searchBase = "CN=Deleted Objects,DC=azdomain, DC=local" I get the error
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Deleted Objects,DC=azdomain, DC=local'
What does this error mean? Also, I am not able to find any post related to the same issue on the internet.
Please help me with this.

LDAP - cannot enable user using spring java ldap api

Trying to enable a user account and getting the error below. If I go directly to that Windows machine after creating the user (using the Java API) and update the password manually using the UI on the Windows machine, e.g. to "password1", and then try to enable it using Java, it works fine.
Here is how I am setting the password while creating the user:
BasicAttribute basicAttribute1=new BasicAttribute("userPassword","password1".getBytes(StandardCharsets.US_ASCII));
context.setAttribute(basicAttribute1);
Then, trying to change userAccountControl to 512, I get:
"errorMessage": "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000]; remaining name 'CN=SachinVTendulkar,OU=SDCWASD001,OU=Users,OU=Mycity,OU=Enterprise Support'"
It seems I am not setting the password correctly while creating the user with Java. I am creating the user with userAccountControl=514 and with a password along with other attributes like names etc. (first I want to create it in disabled mode).
Then when I just try to enable the user, I get this problem. And for the same user, if I go to the Windows machine and update the password and then try to enable it with Java, it works fine, so that rules out other issues like LDAPS etc.
Logs when I create the user, for reference:
log of creating user : creating new user : JohnSmith , in DN : CN=JohnSmith,OU=SDCWASD001,OU=Users,OU=MyCity,OU=Enterprise Support , with context: org.springf.ldap.core.DirContextAdapter: dn=CN=JohnSmith,OU=SDCWASD001,OU=Users,OU=MyCity,OU=Enterprise Support {mail=adsadsa51#test.com, Description=Test account, CN=JohnSmith, objectclass[0]=top, objectclass[1]=Person, objectclass[2]=organizationalPerson, objectclass[3]=user, userPassword=summer01, sAMAccountName=adsadsa51, userPrincipalName=adsadsa51#test.com, givenName=John, displayName=JohnSmith, name=JOHNSMITH, physicalDeliveryOfficeName=0, sn=Smith, userAccountControl=514}
Then to enable the user, I do the following and get that error (I do this in a separate call):
ModificationItem[] mods=new ModificationItem[1];
mods[0]=new ModificationItem(DirContext.REPLACE_ATTRIBUTE,new BasicAttribute("userAccountControl",Integer.toString(512)));
ldapTemplate.modifyAttributes(dn, mods);
Try setting the unicodePwd value on the account. Something like:
final byte[] quotedPasswordBytes = ('"'+password+'"').getBytes("UTF-16LE");
container.put(new BasicAttribute("unicodePwd", quotedPasswordBytes));
Resolution is to use SSL for password attribute updates.
Can you be more specific about what this entails?
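As an added example (not the poster's code nor the answerer's), this is what the unicodePwd answer and the "use SSL" answer look like together in plain JNDI: the password is sent as the UTF-16LE bytes of the quoted value, and the client refuses to do it at all unless the provider URL is ldaps://, because AD returns WILL_NOT_PERFORM for unicodePwd writes over an unencrypted connection. The class, method names, the service-account DN and the DC=example,DC=com suffix are assumptions; the user DN is the one from the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Added example: set an AD password via unicodePwd over LDAPS, then enable the account. */
public final class AdEnableAccount {

    /** AD accepts the password only as UTF-16LE bytes of the value wrapped in double quotes. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ('"' + clearText + '"').getBytes(StandardCharsets.UTF_16LE);
    }

    /** Replace unicodePwd (not userPassword, which AD ignores for this purpose). */
    static ModificationItem[] unicodePwdMod(String clearText) {
        return new ModificationItem[] { new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(clearText))) };
    }

    /** Clear ACCOUNTDISABLE by replacing userAccountControl 514 with 512 (NORMAL_ACCOUNT). */
    static ModificationItem[] enableMod() {
        return new ModificationItem[] { new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", "512")) };
    }

    /** Refuses plaintext ldap://; the password bytes must only ever travel over LDAPS. */
    static DirContext connect(String url, String bindDn, String bindPassword) throws NamingException {
        if (!url.toLowerCase().startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd must be written over LDAPS, got " + url);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /** Usage: bind password and new user password are taken from args, never hard-coded. */
    public static void main(String[] args) throws NamingException {
        DirContext ctx = connect("ldaps://dc.example.com:636",
                "CN=svc-provision,OU=Service,DC=example,DC=com", args[0]); // hypothetical values
        String userDn = "CN=JohnSmith,OU=SDCWASD001,OU=Users,OU=MyCity,OU=Enterprise Support,DC=example,DC=com";
        try {
            ctx.modifyAttributes(userDn, unicodePwdMod(args[1])); // password first: AD rejects enabling a
            ctx.modifyAttributes(userDn, enableMod());             // password-less account without PASSWD_NOTREQD
        } finally {
            ctx.close();
        }
    }
}
```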

Error 533 in Active Directory LDAP

I am trying to configure Active Directory (AD LDS) for use with my application. I am using ForeignJNDIProvider in Weblogic app server to configure the settings for AD. From my Java based application, I do a lookup on InitialContext as shown below:
InitialContext iCtx = new InitialContext();
DirContext dir = (DirContext) iCtx.lookup(<JNDI name>);
The second code line above fails with the following error:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at weblogic.jndi.internal.ForeignOpaqueReference.getReferent(ForeignOpaqueReference.java:70)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:96)
at weblogic.jndi.internal.ServerNamingNode.resolveObject(ServerNamingNode.java:377)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:856)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:209)
at weblogic.jndi.internal.WLEventContextImpl.lookup(WLEventContextImpl.java:254)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:411)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
I tried looking up what error 533 in AD meant. The only answer I got was that it meant "Account Disabled". I am not sure this is the case. How can I fix this?
Got it...solved the problem by changing the value for attribute msDS-UserAccountDisabled to false. AD accounts when created are disabled by default.
Resource: http://technet.microsoft.com/en-us/library/cc725934
For me, the error was in the attribute "userAccountControl". I had to change it from 546 (ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT) to 512 (NORMAL_ACCOUNT). Also see: http://support.microsoft.com/kb/305144/de
