Passwords and Fedora

[Peter .]

Hi,

I am having a problem with a new Islandora install. I am using Fedora 3.6.2, FedoraGSearch 2.6 and Solr 4.6.1. I see the services are running in Tomcat Manager but when I try to configure Islandora I get the message: Unable to authenticate when connecting to to Fedora Server (Version 3.6.2). Please configure the Drupal Filter. I have looked at Drupal Filter and it looks correct to me. I tried executing:

curl -u fedoraAdmin:fedoraAdminPassword -X POST http://localhost:8080/fedora/objects/new\?namespace\=test

and I get Fedora: 401 as a response. I am assuming that the problem is that it didn't authenticate (unless there are other reasons to get this message). Which brings me to question about passwords - my password has special characters in it like !,#,(,^,%,$ (as examples), could this be the problem? If not, what else could it be?

Getting desparate here.

[Peter .]

In the fedora log, this is the error I am gettng:

ERROR 2014-03-10 11:00:25.899 [http-8080-1] (AuthFilterJAAS) javax.security.auth.login.LoginException: Login Failure: all modules ignored

[Peter .]

I did find that the jaas.conf file was overwritten and I updated the contents as specified in the documentation. I still cannot connect but get the following error:

ERROR 2014-03-10 11:11:53.016 [http-8080-1] (AuthFilterJAAS) javax.security.auth.login.LoginException: unable to find LoginModule class: ca.upei.roblib.fedora.servletfilter.DrupalAuthModule

[Peter .]

After checking the file out I discovered that it was permission issue. Having corrected that, the next error I get is:

ERROR 2014-03-10 11:20:54.712 [http-8080-2] (DrupalAuthModule) Could not parse Drupal Servlet Filter Config file.

The permissions are correct on this file - tomcat owns it and is part of the tomcat group. It also has permission 775 on it. Any ideas?

Thanks.

[Nigel Banks]

Your config file might not be valid?

https://wiki.duraspace.org/pages/viewpage.action?pageId=34658929

[Peter .]

Hi Nigel,

That is exactly what I have in the file. Here is the complete listing:

fedora-auth
{
org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule required
debug=true;
ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
debug=true;
};

fedora-auth-xmlusersfile
{
        org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule required
        debug=true;
};

fedora-auth-ldap-bind
{
        org.fcrepo.server.security.jaas.auth.module.LdapModule required
        host.url="ldap://dev01.muradora.org"
        auth.type="simple"
        bind.mode="bind"
        bind.filter="uid={0},ou=people,dc=muradora,dc=org"
        debug=true;
};

fedora-auth-ldap-bind-search-bind
{
        org.fcrepo.server.security.jaas.auth.module.LdapModule required
        host.url="ldap://dev01.muradora.org"
        auth.type="simple"
        bind.mode="bind-search-bind"
        bind.user="uid=binduser,ou=people,dc=muradora,dc=org"
        bind.pass="murabind"
        search.base="ou=people,dc=muradora,dc=org"
        search.filter="(uid={0})"
        attrs.fetch="cn,sn,mail,displayName,carLicense"
        debug=true;
};

fedora-auth-ldap-bind-search-compare
{
        org.fcrepo.server.security.jaas.auth.module.LdapModule required
        host.url="ldap://dev01.muradora.org"
        auth.type="simple"
        bind.mode="bind-search-compare"
        bind.user="uid=binduser,ou=people,dc=muradora,dc=org"
        bind.pass="murabind"
        search.base="ou=people,dc=muradora,dc=org"
        search.filter="(uid={0})"
        attrs.fetch="cn,sn,mail,displayName,carLicense"
        debug=true;
};

I am using drupalauthfilter-3.6.2 with Fedora-3.6.2 so that should be the right combination as well. This is why I think this might be special characters in a password issue (this discussion seems to imply that as well).

[Nigel Banks]

Sorry I meant the drupal filter.xml

[Peter .]

I can confirm that the problem is special characters in the password. After changing the password to exclude special chars, islandora now connects to fedora. This should be documented to prevent other people from having the same issues (preferably mentioned at the beginning of the document when people are creating the drupal database). While MySQL and Drupal are fine with using special characters, fcrepo-drupalauthfilter isn't. fcrepo-drupalauthfilter should be fixed to permit these characters as most password generators these days (including the one used at our institution) always includes them to make more secure passwords. I am sure more people will run into this issue in the future.

[dai...@discoverygarden.ca]

Hey Peter,

The issue you were having is actually less of a "bug with the Drupal filter" and more just "the way XML works"; XML treats those characters as part of the markup unless they're manually encoded or escaped. It has to be this way - otherwise, the language would have no way to tell the difference between markup and actual content. For example, an ampersand flags the start of an encoded character (the format being an ampersand, then the code for the character you want to use, then a closing semicolon), so if you have one in a password, an XML parser wouldn't read it as an ampersand - rather, it would consider the XML invalid because an encoded character was started but not completed.

Consider using the same password you were using before, but encoding any special characters so that the Drupal filter XML file is valid (e.g. & as & or $ as $). Hope that helps!

 - QA Dan

[Peter .]

Thanks, for clearing that up. I will give that a try next time.