Bug #7857
CNIdentityLDAPImpl.createGroup() allows non-existent uniqueMember, disabling the service entirely
Description
While trying to create a group using MetacatUI, I mistakenly typed the group name into the wrong input, causing the group name to be added to another group as a group member instead. While the MetacatUI form should validate the existence of the member before adding it to the group, we can't assume all clients will do so. CNIdentityLDAPImpl likely needs to validate all group member DNs before allowing groups to be created or updated. Here are the relevant errors in /var/log/tomcat7/cn.log on cn-stage-unm-2.test.dataone.org:
At group creation:
[ WARN] 2016-08-03 17:43:06,740 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,767 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-1758-9950
[ WARN] 2016-08-03 17:43:06,791 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-2192-431X
[ WARN] 2016-08-03 17:43:06,829 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,830 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,830 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-1758-9950
[ WARN] 2016-08-03 17:43:06,832 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-2192-431X
[ WARN] 2016-08-03 17:43:06,833 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: A Bogus User
[ WARN] 2016-08-03 17:43:06,834 (CNIdentityLDAPImpl:createGroup:174) Could not check whether member subject is a group: [LDAP: error code 32 - No Such Object]
After group creation and hitting https://cn-stage-2.test.dataone.org/cn/v2/accounts :
[ERROR] 2016-08-03 17:43:06,931 (CNIdentityLDAPImpl:lookupGroups:878) Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=A Bogus User,dc=dataone,dc=org'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3113)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1850)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1773)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
at org.dataone.cn.ldap.LDAPService.getAttributeValues(LDAPService.java:248)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1091)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:867)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1105)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:790)
at org.dataone.cn.rest.web.identity.v2.IdentityController.getSubjectInfo(IdentityController.java:366)
and then
[ERROR] 2016-08-03 17:43:06,934 (CNIdentityLDAPImpl:getSubjectInfo:829) Problem looking up entry: uid=http://orcid.org/0000-0002-8121-2341,dc=dataone,dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
org.dataone.service.exceptions.ServiceFailure: Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:879)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1105)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:790)
at org.dataone.cn.rest.web.identity.v2.IdentityController.getSubjectInfo(IdentityController.java:366)
and finally
[ERROR] 2016-08-03 17:44:09,706 (CNIdentityLDAPImpl:listSubjects:973) Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
org.dataone.service.exceptions.ServiceFailure: Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:879)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.listSubjects(CNIdentityLDAPImpl.java:947)
at org.dataone.cn.rest.web.identity.v2.IdentityController.listSubjects(IdentityController.java:297)
Also see https://projects.ecoinformatics.org/ecoinfo/issues/7079
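The member validation the description asks for, plus a read path that tolerates a dangling uniqueMember instead of failing the whole lookup, sketched as an added Python example over a constructed in-memory directory. This is not d1_identity_manager code; the DN regex and the uid=&lt;subject&gt;,dc=dataone,dc=org mapping are assumptions inferred from the log lines above.

```python
import re
from typing import Dict, List, Set

# Constructed stand-in for the DataONE LDAP tree (DN -> attributes); not a live directory.
BASE_DN = "dc=dataone,dc=org"
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    f"uid=http://orcid.org/0000-0002-8121-2341,{BASE_DN}": {"objectClass": {"person"}},
    f"uid=http://orcid.org/0000-0003-1758-9950,{BASE_DN}": {"objectClass": {"person"}},
}
# Assumed minimal RDN-sequence check, standing in for the "Subject not a valid DN" test.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)+$")


def construct_dn(subject: str) -> str:
    """Map a subject to a DN the way the log suggests: non-DN subjects become uid=<subject>,<base>."""
    return subject if DN_RE.match(subject) else f"uid={subject},{BASE_DN}"


def create_group(group_name: str, members: List[str]) -> str:
    """Hardened createGroup: every member must resolve to an existing entry before the write."""
    member_dns = {m: construct_dn(m) for m in members}
    missing = [m for m, dn in member_dns.items() if dn not in DIRECTORY]
    if missing:
        # Reject the whole request: a dangling uniqueMember poisons every later read.
        raise ValueError(f"unknown group member subject(s): {missing}")
    group_dn = f"cn={group_name},{BASE_DN}"
    DIRECTORY[group_dn] = {"objectClass": {"groupOfUniqueNames"},
                           "uniqueMember": set(member_dns.values())}
    return group_dn


def resolve_members(group_dn: str) -> List[str]:
    """Defensive read side: skip a dangling uniqueMember (the LDAP error code 32 case)
    rather than letting one bad entry turn /accounts and listSubjects into a ServiceFailure."""
    resolved, dangling = [], []
    for dn in sorted(DIRECTORY[group_dn].get("uniqueMember", ())):
        (resolved if dn in DIRECTORY else dangling).append(dn)
    for dn in dangling:
        print(f"WARN dangling uniqueMember skipped in {group_dn}: {dn}")
    return resolved
```

Seeding a bogus DN straight into a group's uniqueMember set reproduces the unpatched state and shows the read path still returning the valid members.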
History
#1 Updated by Chris Jones over 8 years ago
- Description updated (diff)
#2 Updated by Ben Leinfelder over 8 years ago
- Duplicates Bug #7565: LDAP configuration issue on production added
#3 Updated by Ben Leinfelder over 8 years ago
According to SVN history, this was addressed in March 2016 with r17818. I see it in trunk and the 2.2.0 tag of d1_identity_manager.
#4 Updated by Ben Leinfelder over 8 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 30
Sure enough, cn-stage-2 is using d1_identity_manager v2.1.1 and the fix is NOT in that tag. Production is using v2.2.0 so it is there.
I think the thing to do is upgrade cn-stage-2, ya?
#5 Updated by Chris Jones over 8 years ago
Thanks Ben - makes sense! Thanks for looking.
#6 Updated by Jing Tao over 7 years ago
- Assignee changed from Ben Leinfelder to Jing Tao
#7 Updated by Jing Tao over 7 years ago
- Status changed from In Progress to Closed
- % Done changed from 30 to 100
Confirmed with Chris that the bug was fixed in 2.2.0. So close the ticket.