Bug #7857
Updated by Chris Jones over 8 years ago
While trying to create a group using MetacatUI, I mistakenly typed the group name into the wrong input, causing the group name to be added to another group as a group member instead. While the MetacatUI form should validate the existence of the member before adding it to the group, we can't assume all clients will do so. CNIdentityLDAPImpl likely needs to validate all group member DNs before allowing groups to be created or updated. Here are the relevant errors in /var/log/tomcat7/cn.log on cn-stage-unm-2.test.dataone.org:
At group creation:
<pre>
[ WARN] 2016-08-03 17:43:06,740 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,767 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-1758-9950
[ WARN] 2016-08-03 17:43:06,791 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-2192-431X
[ WARN] 2016-08-03 17:43:06,829 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,830 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0002-8121-2341
[ WARN] 2016-08-03 17:43:06,830 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-1758-9950
[ WARN] 2016-08-03 17:43:06,832 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: http://orcid.org/0000-0003-2192-431X
[ WARN] 2016-08-03 17:43:06,833 (CNIdentityLDAPImpl:constructDn:690) Subject not a valid DN: A Bogus User
[ WARN] 2016-08-03 17:43:06,834 (CNIdentityLDAPImpl:createGroup:174) Could not check whether member subject is a group: [LDAP: error code 32 - No Such Object]
</pre>
After group creation and hitting https://cn-stage-2.test.dataone.org/cn/v2/accounts :
<pre>
[ERROR] 2016-08-03 17:43:06,931 (CNIdentityLDAPImpl:lookupGroups:878) Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=A Bogus User,dc=dataone,dc=org'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3113)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1850)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1773)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
at org.dataone.cn.ldap.LDAPService.getAttributeValues(LDAPService.java:248)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1091)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:867)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1105)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:790)
at org.dataone.cn.rest.web.identity.v2.IdentityController.getSubjectInfo(IdentityController.java:366)
</pre>
and then
<pre>
[ERROR] 2016-08-03 17:43:06,934 (CNIdentityLDAPImpl:getSubjectInfo:829) Problem looking up entry: uid=http://orcid.org/0000-0002-8121-2341,dc=dataone,dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
org.dataone.service.exceptions.ServiceFailure: Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:879)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1105)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:822)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.getSubjectInfo(CNIdentityLDAPImpl.java:790)
at org.dataone.cn.rest.web.identity.v2.IdentityController.getSubjectInfo(IdentityController.java:366)
</pre>
and finally
<pre>
[ERROR] 2016-08-03 17:44:09,706 (CNIdentityLDAPImpl:listSubjects:973) Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
org.dataone.service.exceptions.ServiceFailure: Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.lookupGroups(CNIdentityLDAPImpl.java:879)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.processAttributes(CNIdentityLDAPImpl.java:1308)
at org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl.listSubjects(CNIdentityLDAPImpl.java:947)
at org.dataone.cn.rest.web.identity.v2.IdentityController.listSubjects(IdentityController.java:297)
</pre>
Also see https://projects.ecoinformatics.org/ecoinfo/issues/7079
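A sketch of the server-side member check the report asks for, as an added example that is not CNIdentityLDAPImpl code: every requested member must resolve to an existing directory entry, otherwise the whole create/update is rejected. The class and method names are hypothetical, the `uid=<subject>,dc=dataone,dc=org` naming is inferred from the log lines above, and the `entryExists` predicate stands in for a real LDAP lookup.

```java
import java.util.*;
import java.util.function.Predicate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class GroupMemberValidator {
    // Assumption: subjects that are not DNs (ORCID URIs, free text) live under this
    // base, as the "uid=...,dc=dataone,dc=org" names in the log suggest.
    static final String BASE = "dc=dataone,dc=org";

    /** Maps a subject to the directory entry name that must exist for it. */
    static String entryName(String subject) {
        try {
            return new LdapName(subject).toString();   // already a syntactically valid DN
        } catch (InvalidNameException e) {
            // Escape the value so characters such as ',' or '=' cannot alter the DN.
            return "uid=" + Rdn.escapeValue(subject) + "," + BASE;
        }
    }

    /** Returns the members with no directory entry; empty means the group may be written. */
    static List<String> missingMembers(Collection<String> members,
                                       Predicate<String> entryExists) {
        List<String> missing = new ArrayList<>();
        for (String m : members) {
            if (m == null || m.trim().isEmpty() || !entryExists.test(entryName(m))) {
                missing.add(m);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the directory (exact string match only).
        Set<String> directory = new HashSet<>(Arrays.asList(
            entryName("http://orcid.org/0000-0002-8121-2341"),
            entryName("http://orcid.org/0000-0003-1758-9950")));
        List<String> requested = Arrays.asList(
            "http://orcid.org/0000-0002-8121-2341", "A Bogus User");
        List<String> missing = missingMembers(requested, directory::contains);
        if (!missing.isEmpty()) {
            // Reject the request instead of logging a warning and writing the group.
            System.out.println("Rejecting group: unknown members " + missing);
        } else {
            System.out.println("All members exist; group may be written");
        }
    }
}
```

Rejecting the request before the write keeps a dangling member reference out of the directory, which is what later broke `getSubjectInfo` and `listSubjects` in the traces above.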