Bug
Resolution: Fixed
Medium
0.4.5
None
The following LDAP exception occurs when reading in a group named !Website Feedback/Support from an Active Directory server:
org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'cn=!Website Feedback/Support, ou=Distribution Lists, ou=Groups, dc=corp, dc=example, dc=com'
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'cn=!Website Feedback/Support, ou=Distribution Lists, ou=Groups, dc=corp, dc=example, dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
This exception then propagates to the wire layer as an exception on the client:
org.codehaus.xfire.XFireRuntimeException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Could not parse message.
org.codehaus.xfire.fault.XFireFault: Could not parse message.
    at org.codehaus.xfire.fault.Soap11FaultSerializer.readMessage(Soap11FaultSerializer.java:78)
    at org.codehaus.xfire.fault.SoapFaultSerializer.readMessage(SoapFaultSerializer.java:28)
incorporates: CWD-1069 Groups that contain backslashes ('\') cannot be modified from Crowd (Closed)
relates to: JRASERVER-13470 LDAP authentication fail when slash "/" exist in DN (Closed)
[CWD-183] Problems with LDAP group or user names that contain / or \.
Issue raised in Spring LDAP http://opensource.atlassian.com/projects/spring/browse/LDAP-50
I have narrowed this down to actually being caused by Spring LDAP.
To replicate this issue, create a group with a name that contains a '/' or a '\'.
'\' is being encoded and ends up throwing the following exception:
16:42:27,972 ERROR org.codehaus.xfire.handler.DefaultFaultHandler: Fault occurred!
org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.NamingException: problem generating object using object factory [Root exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 22. Encountered: "\\" (92), after : ""]; remaining name 'dc=ad,dc=atlassian,dc=com'
javax.naming.NamingException: problem generating object using object factory [Root exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 22. Encountered: "\\" (92), after : ""]; remaining name 'dc=ad,dc=atlassian,dc=com'
    at com.sun.jndi.ldap.LdapSearchEnumeration.createItem(LdapSearchEnumeration.java:111)
    at com.sun.jndi.ldap.LdapNamingEnumeration.nextAux(LdapNamingEnumeration.java:256)
    at com.sun.jndi.ldap.LdapNamingEnumeration.nextImpl(LdapNamingEnumeration.java:236)
    at com.sun.jndi.ldap.LdapNamingEnumeration.next(LdapNamingEnumeration.java:184)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:271)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:231)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:561)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:475)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:423)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:444)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:464)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.buildDN(SpringLDAPConnector.java:151)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.getGroupDN(SpringLDAPConnector.java:173)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.isGroupMember(SpringLDAPConnector.java:316)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.findGroupMemberships(SpringLDAPConnector.java:806)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.findGroupMemberships(DirectoryManagerGeneric.java:2027)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:287)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:88)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
    at $Proxy3.findGroupMemberships(Unknown Source)
    at com.atlassian.crowd.service.soap.SecurityServerGeneric.findGroupMemberships(SecurityServerGeneric.java:733)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:287)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:88)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
    at $Proxy5.findGroupMemberships(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.codehaus.xfire.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:54)
    at org.codehaus.xfire.service.binding.ServiceInvocationHandler.sendMessage(ServiceInvocationHandler.java:271)
    at org.codehaus.xfire.service.binding.ServiceInvocationHandler$1.run(ServiceInvocationHandler.java:84)
    at org.codehaus.xfire.service.binding.ServiceInvocationHandler.execute(ServiceInvocationHandler.java:132)
    at org.codehaus.xfire.service.binding.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:107)
    at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
    at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
    at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38)
    at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:287)
    at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:130)
    at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at com.opensymphony.webwork.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at com.opensymphony.webwork.dispatcher.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 22. Encountered: "\\" (92), after : ""
    at org.springframework.ldap.support.DistinguishedName.parse(DistinguishedName.java:134)
    at org.springframework.ldap.support.DistinguishedName.<init>(DistinguishedName.java:89)
    at org.springframework.ldap.support.DirContextAdapter.<init>(DirContextAdapter.java:131)
    at org.springframework.ldap.support.DefaultDirObjectFactory.getObjectInstance(DefaultDirObjectFactory.java:56)
    at javax.naming.spi.DirectoryManager.createObjectFromFactories(DirectoryManager.java:218)
    at javax.naming.spi.DirectoryManager.getObjectInstance(DirectoryManager.java:197)
    at com.sun.jndi.ldap.LdapSearchEnumeration.createItem(LdapSearchEnumeration.java:105)
    ... 87 more
Caused by: org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 22. Encountered: "\\" (92), after : ""
    at org.springframework.ldap.support.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:693)
    at org.springframework.ldap.support.DnParserImpl.jj_ntk(DnParserImpl.java:253)
    at org.springframework.ldap.support.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:102)
    at org.springframework.ldap.support.DnParserImpl.rdn(DnParserImpl.java:62)
    at org.springframework.ldap.support.DnParserImpl.dn(DnParserImpl.java:27)
    at org.springframework.ldap.support.DistinguishedName.parse(DistinguishedName.java:130)
    ... 93 more
and '/' is throwing the following exception:
16:34:30,034 INFO crowd.integration.directory.connector.SpringLDAPConnector: Performing search: containerDN = cn=Website Feedback/Support, ou=Groups, dc=ad, dc=atlassian, dc=com - filter = (member=cn=Monkey Boy, cn=Users, dc=ad, dc=atlassian, dc=com)
16:34:30,050 ERROR org.codehaus.xfire.handler.DefaultFaultHandler: Fault occurred!
org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0]; remaining name 'cn=Website Feedback/Support, ou=Groups, dc=ad, dc=atlassian, dc=com'
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0 remaining name 'cn=Website Feedback/Support, ou=Groups, dc=ad, dc=atlassian, dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    at com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:993)
    at com.sun.jndi.toolkit.ctx.ComponentContext.c_resolveIntermediate_nns(ComponentContext.java:152)
    at com.sun.jndi.toolkit.ctx.AtomicContext.c_resolveIntermediate_nns(AtomicContext.java:342)
    at com.sun.jndi.toolkit.ctx.ComponentContext.p_resolveIntermediate(ComponentContext.java:381)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:360)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at org.springframework.ldap.LdapTemplate$4.executeSearch(LdapTemplate.java:227)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:268)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:231)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:561)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:475)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:423)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:444)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:464)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.isMemeber(SpringLDAPConnector.java:307)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.isGroupMember(SpringLDAPConnector.java:319)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.findGroupMemberships(SpringLDAPConnector.java:806)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.findGroupMemberships(DirectoryManagerGeneric.java:2027)
Complete fix for forward-slashes in group and user names. Partial fix for backslashes.
There's a bug in the JDK that means that DNs with backslashes can be incorrectly escaped, making modifications to them impossible from Crowd. This means that attempting to add or remove a user from a group that contains a backslash in the name may fail.
We're going to resolve this issue and track the remainder of the fix on the linked CWD-1069.
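Added example, not code from Crowd, Spring LDAP or this ticket: JNDI parses a String name as a composite name in which '/' separates components and '\' is the escape character, so a DN handed over as a plain string can be altered before it reaches the directory. The sketch below builds group DNs with the JDK's `LdapName` and `Rdn` and compares the string form with a single-component `CompositeName`; the class name, helper names, base DN and the second and third group names are constructed for illustration, and whether this is the exact path behind each trace above is an assumption.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

public class DnNameHandling {

    // Build cn=<rawName>,<baseDn>; Rdn escapes DN special characters (RFC 2253) when rendered.
    static LdapName groupDn(String rawName, String baseDn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<>(new LdapName(baseDn).getRdns());
        rdns.add(new Rdn("cn", rawName)); // last list element is the leftmost RDN
        return new LdapName(rdns);
    }

    // What JNDI does with a String name: parse it as a composite name,
    // where '/' separates components and '\' is the escape character.
    static Name parsedAsString(LdapName dn) throws InvalidNameException {
        return new CompositeName(dn.toString());
    }

    // Add the DN as one literal component so none of its characters are reinterpreted.
    static Name singleComponent(LdapName dn) throws InvalidNameException {
        return new CompositeName().add(dn.toString());
    }

    // True when the name still carries the DN unchanged, in exactly one component.
    static boolean preserved(Name n, LdapName dn) {
        return n.size() == 1 && n.get(0).equals(dn.toString());
    }

    public static void main(String[] args) throws Exception {
        String base = "ou=Groups,dc=corp,dc=example,dc=com"; // constructed sample base DN
        // First name is the group from the report; the other two are constructed.
        String[] names = {"!Website Feedback/Support", "Ops\\Admins", "Plain Group"};
        for (String raw : names) {
            LdapName dn = groupDn(raw, base);
            System.out.printf("%s%n  string name preserved: %b%n  single component preserved: %b%n",
                    dn, preserved(parsedAsString(dn), dn), preserved(singleComponent(dn), dn));
        }
    }
}
```

Passing the `LdapName` or the single-component `CompositeName` to the `DirContext` overloads that take a `Name`, rather than the String overloads, keeps the DN intact on its way to the server.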