I have been fixing up some funny Spring/Acegi<->LDAP issue in the past two days. What I was trying to achieve is some AOP using BeanNameAutoProxyCreator to intercept invocations to methods of a particular interface/class, so that it authenticates against an LDAP repository and validates whether a user has one of the specified roles. Something wasn't really working in the DefaultLdapAuthoritiesPopulator -- the authorities/roles list was empty.
Now, it's solved, yes it is.. with shame.
I turned on even more detailed debug logging and that's when I started to realize my.. stupidity ;-)
conn=2 op=1 SRCH base="ou=groups,dc=my,dc=com,dc=customware" scope=2 deref=3
filter="(member=uid=clim,ou=people,dc=my,dc=com,dc=customware)"
conn=2 op=1 SRCH attr=cn
bdb_idl_fetch_key: [01872a84]
bdb_idl_fetch_key: @ou=groups,dc=my,dc=com,dc=customware
<= bdb_equality_candidates: (member) index_param failed (18) => access_allowed: search access to "ou=groups,dc=my,dc=com,dc=customware" "member" requested
<= root access granted => access_allowed: search access to "cn=mule01,ou=groups,dc=my,dc=com,dc=customware" "member" requested
<= root access granted dnMatch 0 "uid=clim,ou=people,dc=my,dc=com,dc=customware" "uid=clim,ou=people,dc=my,dc=com,dc=customware" => access_allowed: read access to "cn=mule01,ou=groups,dc=my,dc=com,dc=customware" "entry" requested
<= root access granted => access_allowed: read access to "cn=mule01,ou=groups,dc=my,dc=com,dc=customware" "cn" requested
<= root access granted => access_allowed: search access to "cn=managers,ou=groups,dc=my,dc=com,dc=customware" "member" requested
<= root access granted dnMatch -1 "uid=clim,cn=people,dc=my,dc=com,dc=customware" "uid=clim,ou=people,dc=my,dc=com,dc=customware" send_ldap_result: err=0 matched="" text="" conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Did you see that? I will do it again:
dnMatch 0
"uid=clim,ou=people,dc=my,dc=com,dc=customware"
"uid=clim,ou=people,dc=my,dc=com,dc=customware"
...
dnMatch -1
"uid=clim,cn=people,dc=my,dc=com,dc=customware"
"uid=clim,ou=people,dc=my,dc=com,dc=customware"
cn=people and
ou=people?!
dn: ou=people,dc=my,dc=com,dc=customware
...
dn: cn=managers,ou=groups,dc=my,dc=com,dc=customware
member: uid=clim,cn=people,dc=my,dc=com,dc=customware
...
dn: uid=clim,ou=people,dc=my,dc=com,dc=customware
...
WTF! Worse than failure hey! LDAP did not fail me at the time I was importing from the LDIF with an invalid member attribute value. I could have saved a few hours to do something.. more significant than sitting in front of my Eclipse to figure out why DirContext.search() wasn't returning any results. In fact, I have learned a very good lesson.
- yc, rantinggggggggggg!
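The post's root cause is a dangling DN in a group's member attribute: OpenLDAP stores whatever DN string the LDIF contains, and the populator's (member=&lt;user DN&gt;) search simply never matches it. As an added example, not part of the original post or of Spring/Acegi, the script below does the check the server did not: it parses an LDIF export, flags every member value that does not resolve to an entry in the same export, and emulates the populator's membership search with server-style DN normalization (case-insensitive, whitespace-insensitive). The sample LDIF is constructed to mirror the fragment in the post; the function names, the use of groupOfNames/member and the normalization rules (escaped commas are not handled) are this example's own assumptions.

```python
import base64
import re

# Constructed sample LDIF modelled on the fragment in the post (not the author's real file):
# the "managers" group points at cn=people where the entry actually lives under ou=people.
SAMPLE_LDIF = """dn: ou=people,dc=my,dc=com,dc=customware
objectClass: organizationalUnit
ou: people

dn: uid=clim,ou=people,dc=my,dc=com,dc=customware
objectClass: inetOrgPerson
uid: clim
cn: C Lim
sn: Lim

dn: cn=mule01,ou=groups,dc=my,dc=com,dc=customware
objectClass: groupOfNames
cn: mule01
member: uid=clim,ou=people,dc=my,dc=com,dc=customware

dn: cn=managers,ou=groups,dc=my,dc=com,dc=customware
objectClass: groupOfNames
cn: managers
member: uid=clim,cn=people,dc=my,dc=com,dc=customware
"""


def normalize_dn(dn):
    """Normalize a DN roughly the way a server's DN matching rule does:
    attribute types and values case-insensitive, no whitespace around '=' or ','.
    Simplification (assumed): escaped commas inside RDN values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]}).
    Handles folded continuation lines, comments and '::' base64 values."""
    entries = []
    dn, attrs = None, {}
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines() + [""]:  # trailing "" closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        elif name != "version":
            attrs.setdefault(name, []).append(value)
    return entries


def find_dangling_members(ldif_text, member_attr="member"):
    """Return {group DN: [member values that match no entry DN in the export]}.
    This is the referential-integrity check the server did not perform on import."""
    entries = parse_ldif(ldif_text)
    known = {normalize_dn(dn) for dn, _ in entries}
    dangling = {}
    for dn, attrs in entries:
        bad = [m for m in attrs.get(member_attr, []) if normalize_dn(m) not in known]
        if bad:
            dangling[dn] = bad
    return dangling


def groups_for(ldif_text, user_dn, member_attr="member", name_attr="cn"):
    """Emulate the populator's search "(member=<user DN>)" and return the cn of each hit."""
    wanted = normalize_dn(user_dn)
    names = []
    for _, attrs in parse_ldif(ldif_text):
        if any(normalize_dn(m) == wanted for m in attrs.get(member_attr, [])):
            names.extend(attrs.get(name_attr, []))
    return names


if __name__ == "__main__":
    for group, members in find_dangling_members(SAMPLE_LDIF).items():
        print(f"{group}: dangling member(s) {members}")
    print(groups_for(SAMPLE_LDIF, "uid=clim,ou=people,dc=my,dc=com,dc=customware"))
```

Run against the sample, the dangling check reports only the managers group, and the emulated search returns just mule01 for clim, which is exactly the nentries=1 result in the log above. Running this kind of check over an LDIF before importing it (or periodically over an export) catches the typo without a debugger session.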