I'm using XNAT with LDAP (Active Directory) authentication (as described at http://nrg.wikispaces.com/Enhanced+Authentication+Options), and recently an account became unable to log in. The AD account works normally in interactive lookups and the myriad applications using AD for authentication, including two other instances of XNAT on two other systems configured identically, except for names & addresses, with the same scripts. In particular, they're using identical authentication.properties files, using the same account to bind.

webapps/xnat/logs/xdat.log gets the following error and stack trace upon attempting to log in with the problem account ("theusername", here) on the problem system:
<timestamp> [http-8080-9] ERROR org.nrg.xnat.security.LDAPAuthenticator - theusername:Error retrieving DN for theusername from server
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at org.nrg.xnat.security.LDAPAuthenticator.openContext(LDAPAuthenticator.java:191)
    at org.nrg.xnat.security.LDAPAuthenticator.verifyLogin(LDAPAuthenticator.java:410)
    at org.nrg.xnat.security.LDAPAuthenticator.authenticate(LDAPAuthenticator.java:580)
    at org.nrg.xnat.security.LDAPAuthenticator.authenticate(LDAPAuthenticator.java:495)
    at org.nrg.xdat.security.Authenticator.Authenticate(Authenticator.java:60)
    at org.nrg.xdat.turbine.modules.actions.XDATLoginUser.doPerform(XDATLoginUser.java:89)
    at org.apache.turbine.modules.actions.VelocityAction.doPerform(VelocityAction.java:46)
    at org.apache.turbine.util.velocity.VelocityActionEvent.perform(VelocityActionEvent.java:82)
    at org.apache.turbine.modules.actions.VelocityAction.perform(VelocityAction.java:72)
    at org.apache.turbine.modules.ActionLoader.exec(ActionLoader.java:96)
    at org.apache.turbine.modules.pages.DefaultPage.doBuild(DefaultPage.java:113)
    at org.apache.turbine.modules.Page.build(Page.java:53)
    at org.apache.turbine.modules.PageLoader.exec(PageLoader.java:98)
    at org.apache.turbine.Turbine.doGet(Turbine.java:751)
    at org.apache.turbine.Turbine.doPost(Turbine.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
<timestamp> [http-8080-9] ERROR org.nrg.xdat.turbine.modules.actions.XDATLoginUser - org.nrg.xdat.security.XDATUser$PasswordAuthenticationException: Invalid Login and/or Password
    at org.nrg.xnat.security.LDAPAuthenticator.authenticate(LDAPAuthenticator.java:512)
    at org.nrg.xdat.security.Authenticator.Authenticate(Authenticator.java:60)
    at org.nrg.xdat.turbine.modules.actions.XDATLoginUser.doPerform(XDATLoginUser.java:89)
    at org.apache.turbine.modules.actions.VelocityAction.doPerform(VelocityAction.java:46)
    at org.apache.turbine.util.velocity.VelocityActionEvent.perform(VelocityActionEvent.java:82)
    at org.apache.turbine.modules.actions.VelocityAction.perform(VelocityAction.java:72)
    at org.apache.turbine.modules.ActionLoader.exec(ActionLoader.java:96)
    at org.apache.turbine.modules.pages.DefaultPage.doBuild(DefaultPage.java:113)
    at org.apache.turbine.modules.Page.build(Page.java:53)
    at org.apache.turbine.modules.PageLoader.exec(PageLoader.java:98)
    at org.apache.turbine.Turbine.doGet(Turbine.java:751)
    at org.apache.turbine.Turbine.doPost(Turbine.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
The account was recently moved to a different OU, so the DN has changed. It doesn't look like the DN being submitted gets logged. Adding "logger.debug("DN:" + dn);" before the try block at LDAPAuthenticator.java:409, updating the deployment, changing from ERROR to DEBUG at log4j.properties:66 & 75, relaunching, and attempting a login with the account shows that the old DN-- containing the old OU-- is being used, printing this immediately before printing the stack trace:

<timestamp> [http-8080-1] DEBUG org.nrg.xnat.security.LDAPAuthenticator - DN:CN=theusername,OU=old ou,OU=shown here,DC=iowa,DC=uiowa,DC=edu
Any idea why this isn't refreshing on a particular system? In general, how should I avoid and fix the problem? I don't know why it would only happen on one XNAT system vs. the others.

Thanks,
Adam
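The AD result in the trace above, "error code 49 ... data 525", is more specific than the generic "Invalid Login and/or Password" that XNAT reports: LDAP result 49 is invalidCredentials, and Active Directory's "data" sub-code 525 means the bind DN itself was not found, which is exactly what a stored DN that went stale after an OU move produces (a wrong password on an existing DN would be 52e instead). The script below is an added example, not part of Adam's post or of the XNAT code base; it walks an xdat.log in the layout shown above (log4j prefix, exception text on the following line with no prefix), pairs each bind failure with the DN printed by the added debug line on the same thread, decodes the AD sub-code, and flags 525 failures as stale-DN suspects. The sample log lines are constructed from the two lines in the post plus a second, invented account that fails with 52e; the timestamps are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Active Directory sub-codes returned as "data NNN" with LDAP result 49
# (invalidCredentials) on a simple bind. 525 is the value in the trace above.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN does not exist at that path)",
    "52e": "invalid credentials (DN exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# log4j line as written to xdat.log: "<ts> [thread] LEVEL logger - message"
LOG_PREFIX_RE = re.compile(
    r"^(?P<ts>\S.*?) \[(?P<thread>[^\]]+)\] (?P<level>DEBUG|INFO|WARN|ERROR) (?P<logger>\S+) - (?P<msg>.*)$"
)
# JNDI's rendering of the AD diagnostic message
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9a-f]+)\]"
)
RETRIEVE_DN_RE = re.compile(r"Error retrieving DN for (?P<user>\S+) from server")
DN_DEBUG_RE = re.compile(r"^DN:(?P<dn>.+)$")  # the logger.debug("DN:" + dn) line


@dataclass
class BindFailure:
    user: Optional[str]
    dn: Optional[str]
    code: int
    subcode: str
    meaning: str

    @property
    def stale_dn_suspect(self) -> bool:
        # The application supplied the DN itself, so "user not found" means the
        # DN it stored no longer exists in the directory (e.g. after an OU move).
        return self.code == 49 and self.subcode == "525"


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (backslash escaping per RFC 4514)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def ou_path(dn: str) -> List[str]:
    """OU values of a DN, leaf first, so two DNs for one account can be compared."""
    return [rdn.split("=", 1)[1] for rdn in split_rdns(dn) if rdn.upper().startswith("OU=")]


def triage_log(text: str) -> List[BindFailure]:
    """Pair each JNDI bind failure with the user and debug-logged DN on its thread."""
    failures: List[BindFailure] = []
    last_dn: Dict[str, str] = {}
    last_user: Dict[str, str] = {}
    current_thread: Optional[str] = None
    for line in text.splitlines():
        m = LOG_PREFIX_RE.match(line)
        if m:
            current_thread = m.group("thread")
            msg = m.group("msg")
            d = DN_DEBUG_RE.match(msg)
            if d:
                last_dn[current_thread] = d.group("dn")
            u = RETRIEVE_DN_RE.search(msg)
            if u:
                last_user[current_thread] = u.group("user")
            continue
        # Exception text follows the ERROR line without a prefix; attribute it
        # to the most recently seen thread.
        e = LDAP_ERR_RE.search(line)
        if e and current_thread is not None:
            data = e.group("data").lower()
            failures.append(BindFailure(
                user=last_user.get(current_thread),
                dn=last_dn.get(current_thread),
                code=int(e.group("code")),
                subcode=data,
                meaning=AD_BIND_SUBCODES.get(data, "unrecognised AD sub-code"),
            ))
    return failures


# Constructed sample: the post's DEBUG and ERROR lines, plus an invented second account.
SAMPLE_LOG = """\
2013-01-01 10:00:00,000 [http-8080-1] DEBUG org.nrg.xnat.security.LDAPAuthenticator - DN:CN=theusername,OU=old ou,OU=shown here,DC=iowa,DC=uiowa,DC=edu
2013-01-01 10:00:00,010 [http-8080-1] ERROR org.nrg.xnat.security.LDAPAuthenticator - theusername:Error retrieving DN for theusername from server
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
2013-01-01 10:05:00,000 [http-8080-2] DEBUG org.nrg.xnat.security.LDAPAuthenticator - DN:CN=otheruser,OU=shown here,DC=iowa,DC=uiowa,DC=edu
2013-01-01 10:05:00,010 [http-8080-2] ERROR org.nrg.xnat.security.LDAPAuthenticator - otheruser:Error retrieving DN for otheruser from server
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        flag = "STALE DN?" if f.stale_dn_suspect else "credential/account state"
        print(f"{f.user}: data {f.subcode} -> {f.meaning} [{flag}] OUs={ou_path(f.dn or '')}")
```

Keying the state by thread name rather than by position matters on a busy server, where several logins interleave and the exception text of one thread can land between the DEBUG and ERROR lines of another. Run it over the real xdat.log with the DEBUG line from the post in place; an account that consistently shows data 525 with a DN whose OU list no longer matches the directory is the stored-DN problem, whereas 52e or 775 points at the credentials or account state rather than at the DN.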