By: Tyson Mahendran user 14 Apr 2020 at 1:36 p.m. CDT

15 Responses
Cache Refresh works when the external LDAP server is enabled with anonymous access. When I disable anonymous access on the LDAP server, the cache refresh fails with the following error. I am using the community version of Gluu Server [4.1].

```
[gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:204) - Exception happened while executing cache refresh synchronization
org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP bind connection pool! Result code: '49'
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:58) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:23) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory$Proxy$_$$WeldClientProxy.createEntryManager(Unknown Source) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1155) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1127) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnections(CacheRefreshTimer.java:1115) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processImpl(CacheRefreshTimer.java:271) ~[classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processInt(CacheRefreshTimer.java:199) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$$$WeldSubclass.processInt(Unknown Source) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.process(CacheRefreshTimer.java:183) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$$$_WeldSubclass.process$$super(Unknown Source) [classes/:?]
    at sun.reflect.GeneratedMethodAccessor293.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.gluu.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-4.1.0.Final.jar:?]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_222]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
```

By Michael Schwartz staff 14 Apr 2020 at 1:40 p.m. CDT

You have only provided 1/2 of the picture. What is the error from the backend LDAP server?

By Tyson Mahendran user 14 Apr 2020 at 1:48 p.m. CDT

What I don't understand is that the new version of Gluu Server removed the anonymous bind, based on this: https://support.gluu.org/installation/7147/anonymous-ldap-binding/#at59316. But what I am seeing is the opposite behavior: when anonymous access is enabled on the backend LDAP server, the refresh works. However, when I disable anonymous access, I get the following error. Here is the error from oxtrust_persistence.log:

```
2020-04-14 18:02:43,628 ERROR [Thread-152] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:83) - Failed to create connection pool with properties: {maxconnections=2, useSSL=false, servers=ip:port}
com.unboundid.ldap.sdk.LDAPBindException: INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1374) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1256) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1197) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1050) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:974) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:904) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:799) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolImpl(LdapConnectionProvider.java:268) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolWithWaitImpl(LdapConnectionProvider.java:238) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.init(LdapConnectionProvider.java:155) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.create(LdapConnectionProvider.java:75) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapAuthConnectionProvider.<init>(LdapAuthConnectionProvider.java:21) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:55) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory.createEntryManager(LdapEntryManagerFactory.java:23) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManagerFactory$Proxy$_$$_WeldClientProxy.createEntryManager(Unknown Source) [oxcore-persistence-ldap-4.1.0.Final.jar:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1155) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnection(CacheRefreshTimer.java:1127) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.prepareLdapServerConnections(CacheRefreshTimer.java:1115) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processImpl(CacheRefreshTimer.java:271) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.processInt(CacheRefreshTimer.java:199) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$_$$_WeldSubclass.processInt(Unknown Source) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer.process(CacheRefreshTimer.java:183) [classes/:?]
    at org.gluu.oxtrust.ldap.cache.service.CacheRefreshTimer$Proxy$_$$_WeldSubclass.process$$super(Unknown Source) [classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.1.2.Final.jar:3.1.2.Final]
    at org.gluu.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-4.1.0.Final.jar:?]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_222]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
```

By Michael Schwartz staff 14 Apr 2020 at 2:17 p.m. CDT

Same answer. Provide the error from the backend LDAP server log.

By Aliaksandr Samuseu staff 14 Apr 2020 at 2:42 p.m. CDT

Hi, Tyson. Result code 49 should mean invalid bind credentials; most likely that's your issue. Please share a dump of your CR settings. Here are the steps for an LDAP-based Gluu Server setup:

1. Move into the container.
2. Put your LDAP admin's password in `/tmp/.dpw` (it's the same as the default web UI admin's password was right after installation).
3. Dump the CR's properties:

   ```
   # /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 5 '&(objectclass=oxtrustconfiguration)' oxTrustConfCacheRefresh
   ```

4. Share it here. You may want to remove passwords from the output.

Also, please provide the data Michael mentioned. Somewhere in your external LDAP directory there should be a log that may contain an error explaining the situation.

By Tyson Mahendran user 14 Apr 2020 at 3:50 p.m. CDT

I don't see any movement in the backend LDAP server... here is the output from ldapsearch:

```
/opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -w 'pass' -b 'o=gluu' -z 5 '&(objectclass=oxtrustconfiguration)' oxTrustConfCacheRefresh
dn: ou=oxtrust,ou=configuration,o=gluu
oxTrustConfCacheRefresh: {
  "sourceConfigs": [
    {
      "configId": "sandbox",
      "bindDN": "uid=admin,ou=system",
      "bindPassword": "pass",
      "servers": [ "ip:port" ],
      "maxConnections": 2,
      "useSSL": false,
      "baseDNs": [ "ou=people,o=Org" ],
      "primaryKey": null,
      "localPrimaryKey": null,
      "useAnonymousBind": false,
      "enabled": false,
      "version": 0,
      "level": 0
    }
  ],
  "inumConfig": {
    "configId": "local_inum",
    "bindDN": "cn=directory manager",
    "bindPassword": "pass",
    "servers": [ "localhost:1636" ],
    "maxConnections": 10,
    "useSSL": true,
    "baseDNs": [ "ou=cache-refresh,o=site" ],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": true,
    "version": 0,
    "level": 0
  },
  "targetConfig": {
    "configId": null,
    "bindDN": null,
    "bindPassword": null,
    "servers": [],
    "maxConnections": 2,
    "useSSL": false,
    "baseDNs": [],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  },
  "ldapSearchSizeLimit": 1000,
  "keyAttributes": [ "uid" ],
  "keyObjectClasses": [ "person" ],
  "sourceAttributes": [ "uid" ],
  "customLdapFilter": "(&(uid=*)(objectclass=inetOrgPerson))",
  "updateMethod": "copy",
  "defaultInumServer": true,
  "keepExternalPerson": true,
  "useSearchLimit": true,
  "attributeMapping": [
    { "source": "uid", "destination": "uid" }
  ],
  "snapshotFolder": "/var/gluu/identity/cr-snapshots",
  "snapshotMaxCount": 10
}
```
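A small checker for a dump like the one above, added here as an example and not part of the thread or of Gluu's own tooling: it unfolds the LDIF that ldapsearch prints, pulls the oxTrustConfCacheRefresh JSON out of it, redacts every bindPassword so the dump can be shared (as Aliaksandr suggests), and flags the settings that matter for a bind failure: a block that expects anonymous bind, a block whose useAnonymousBind is false but whose bindDN/bindPassword are incomplete (the bind would be anonymous or unauthenticated), and a simple bind with useSSL false (password on the wire in cleartext). The sample LDIF is constructed from the dump in the post, folded the way LDIF wraps long values; the finding codes and block labels are this example's own.

```python
"""Audit a Gluu Cache Refresh (CR) config dumped with ldapsearch (added example).

Unfolds LDIF, extracts the oxTrustConfCacheRefresh JSON, redacts bind
passwords and flags bind-related settings. Finding codes are this example's own.
"""
import base64
import copy
import json

ATTR = "oxTrustConfCacheRefresh"

# Constructed sample: the thread's dump, wrapped as LDIF continuation lines
# (a leading space continues the previous line). Passwords kept so that the
# redaction below is actually exercised.
SAMPLE_LDIF = """\
dn: ou=oxtrust,ou=configuration,o=gluu
oxTrustConfCacheRefresh: {"sourceConfigs": [{"configId": "sandbox", "bindDN": "uid=admin,ou=sys
 tem", "bindPassword": "pass", "servers": ["ip:port"], "maxConnections": 2, "useSSL": fal
 se, "baseDNs": ["ou=people,o=Org"], "primaryKey": null, "localPrimaryKey": null, "useAnony
 mousBind": false, "enabled": false, "version": 0, "level": 0}], "inumConfig": {"configId": "loc
 al_inum", "bindDN": "cn=directory manager", "bindPassword": "pass", "servers": ["localhost:16
 36"], "maxConnections": 10, "useSSL": true, "baseDNs": ["ou=cache-refresh,o=site"], "primaryK
 ey": null, "localPrimaryKey": null, "useAnonymousBind": false, "enabled": true, "version": 0, "lev
 el": 0}, "targetConfig": {"configId": null, "bindDN": null, "bindPassword": null, "servers": [], "maxConn
 ections": 2, "useSSL": false, "baseDNs": [], "primaryKey": null, "localPrimaryKey": null, "useAnonymousB
 ind": false, "enabled": false, "version": 0, "level": 0}, "ldapSearchSizeLimit": 1000, "keyAttribu
 tes": ["uid"], "keyObjectClasses": ["person"], "sourceAttributes": ["uid"], "customLdapFilter": "(&(ui
 d=*)(objectclass=inetOrgPerson))", "updateMethod": "copy", "defaultInumServer": true, "keepExternalPer
 son": true, "useSearchLimit": true, "attributeMapping": [{"source": "uid", "destination": "uid"}], "snapshotFol
 der": "/var/gluu/identity/cr-snapshots", "snapshotMaxCount": 10}
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (RFC 2849: a line starting with one space
    continues the previous line, the space itself is dropped)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_cr_config(ldif_text):
    """Return the CR configuration dict, handling the 'attr:: base64' form too."""
    for line in unfold_ldif(ldif_text):
        if not line.startswith(ATTR + ":"):
            continue
        value = line[len(ATTR) + 1:]
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        return json.loads(value.strip())
    raise ValueError(f"no {ATTR} attribute in dump")


def redact(config):
    """Deep copy with every non-empty bindPassword replaced; the input is untouched."""
    clone = copy.deepcopy(config)

    def walk(node):
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "bindPassword" and val:
                    node[key] = "<redacted>"
                else:
                    walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(clone)
    return clone


def audit(config):
    """Return (block, code, message) findings for each LDAP block of the config."""
    blocks = [(f"sourceConfigs[{i}]", c)
              for i, c in enumerate(config.get("sourceConfigs") or [])]
    blocks += [("inumConfig", config.get("inumConfig")),
               ("targetConfig", config.get("targetConfig"))]
    findings = []
    for name, c in blocks:
        if not c:
            continue
        servers = c.get("servers") or []
        if not servers:
            findings.append((name, "NO_SERVERS", "no servers configured; block unused"))
            continue
        if not c.get("enabled"):
            findings.append((name, "DISABLED", "enabled=false"))
        has_dn, has_pw = bool(c.get("bindDN")), bool(c.get("bindPassword"))
        if c.get("useAnonymousBind"):
            findings.append((name, "ANON_BIND",
                             f"useAnonymousBind=true; {servers} must allow anonymous bind"))
        elif not (has_dn and has_pw):
            findings.append((name, "NO_CREDENTIALS",
                             "useAnonymousBind=false but bindDN/bindPassword incomplete; "
                             "the bind would be anonymous or unauthenticated"))
        if has_pw and not c.get("useSSL"):
            findings.append((name, "CLEARTEXT_BIND",
                             f"useSSL=false; simple-bind password to {servers} is sent unencrypted"))
    return findings


if __name__ == "__main__":
    cfg = extract_cr_config(SAMPLE_LDIF)
    print(json.dumps(redact(cfg), indent=2))   # safe to paste into a ticket
    for block, code, msg in audit(cfg):
        print(f"{code:15} {block}: {msg}")
```

Pipe the real ldapsearch output into `extract_cr_config` instead of the sample. On the thread's dump the checker reports the sandbox source as disabled and as binding with a password over plain LDAP, the target block as unused, and nothing for the local inum block; it cannot see the bug in the thread (the client binding anonymously although useAnonymousBind is false), because that only shows in the server-side log.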

By Tyson Mahendran user 15 Apr 2020 at 1:42 p.m. CDT

Here is the log from the external LDAP server; note the line "Cannot authenticate as anonymous, the server does not allow it":

```
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (referral)
[15:44:48] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> BindOperation : BindContext for Dn '', credentials <>
[15:44:48] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: BindContext for Dn '', credentials <>
[15:44:48] INFO [org.apache.directory.server.core.authn.AbstractAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
[15:44:48] INFO [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Unexpected failure for Authenticator org.apache.directory.server.core.authn.AnonymousAuthenticator@45099dd3 :
[15:44:48] INFO [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Cannot bind to the server
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (20200415194448.230Z)
[15:44:48] DEBUG [org.apache.directory.api.ldap.model.schema.SyntaxChecker] - MSG_13701_SYNTAX_VALID (20200415194448.231000Z#000000#001#000000)
[15:44:48] DEBUG [org.apache.directory.api.CODEC_LOG] - MSG_14003_ENCODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE Message ID : 1 BindResponse Ldap Result Result code : (INVALID_CREDENTIALS) invalidCredentials Matched Dn : 'null' Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user : org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: ERR_229 Cannot authenticate user
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.bind(AuthenticationInterceptor.java:726)
    at org.apache.directory.server.core.DefaultOperationManager.bind(DefaultOperationManager.java:510)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSimpleAuth(BindRequestHandler.java:200)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:651)
    at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:64)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:243)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:223)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1019)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1141)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:87)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:88)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:541)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:493)
    at java.lang.Thread.run(Unknown Source)
```
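The backend log is the half of the picture Michael asked for: the `BindContext for Dn '', credentials <>` line shows the client (here oxTrust, which was configured with a bind DN and password) sending an empty DN and empty credentials, which is an anonymous bind in LDAP terms, and the server answering INVALID_CREDENTIALS. To make that checkable rather than eyeballed, here is an added parser (example code, not from ApacheDS, Gluu or the thread) that pairs each `>> BindOperation` line with the `BIND_RESPONSE` that follows it and classifies the attempt as anonymous (empty DN and empty credentials), unauthenticated (DN but empty credentials, RFC 4513 section 5.1.2) or simple. The first four sample lines are taken from the log above; the successful bind at the end is constructed for contrast, and the way ApacheDS renders a non-empty credential there is assumed.

```python
"""Classify bind attempts in an ApacheDS-style server log (added example)."""
import re

# Constructed sample: lines 1-4 follow the thread's log; lines 5-6 are an
# assumed successful simple bind (the credential rendering is a guess).
SAMPLE_LOG = """\
[15:44:48] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> BindOperation : BindContext for Dn '', credentials <>
[15:44:48] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: BindContext for Dn '', credentials <>
[15:44:48] INFO [org.apache.directory.server.core.authn.AbstractAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
[15:44:48] DEBUG [org.apache.directory.api.CODEC_LOG] - MSG_14003_ENCODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE Message ID : 1 BindResponse Ldap Result Result code : (INVALID_CREDENTIALS) invalidCredentials Matched Dn : 'null'
[15:45:02] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> BindOperation : BindContext for Dn 'uid=admin,ou=system', credentials <0x70 0x61 0x73 0x73 >
[15:45:02] DEBUG [org.apache.directory.api.CODEC_LOG] - MSG_14003_ENCODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE Message ID : 2 BindResponse Ldap Result Result code : (SUCCESS) success Matched Dn : 'null'
"""

# Only the OPERATION_LOG line counts as an attempt; the interceptor echoes the
# same context a second time and must not produce a duplicate record.
BIND_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\].*>> BindOperation : BindContext for Dn "
    r"'(?P<dn>[^']*)', credentials <(?P<cred>[^>]*)>")
RESULT_RE = re.compile(r"BIND_RESPONSE .*?Result code : \((?P<code>[A-Z_]+)\)")


def classify(dn, cred):
    """Map DN/credential presence to the LDAP bind mechanism being used."""
    if not cred.strip():
        return "anonymous" if not dn else "unauthenticated"
    return "simple"


def parse_binds(log_text):
    """Return one record per bind attempt, with the next bind result attached."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending = {"time": m["time"], "dn": m["dn"],
                       "kind": classify(m["dn"], m["cred"]), "result": None}
            records.append(pending)
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            pending["result"] = m["code"]
            pending = None
    return records


def anonymous_binds(records):
    """The attempts a server with anonymous access disabled should never see."""
    return [r for r in records if r["kind"] == "anonymous"]


if __name__ == "__main__":
    for r in parse_binds(SAMPLE_LOG):
        print(f'{r["time"]} {r["kind"]:15} dn={r["dn"]!r:25} -> {r["result"]}')
```

Run it over the real log to see whether every failed bind is an anonymous one: if a client that is configured with a bind DN still shows up with an empty DN, the problem is on the client side, not in the directory's credentials. The request/response pairing assumes a single connection's lines in order; a busy server interleaves connections, so correlate on the session or message ID if the log carries one.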

By Tyson Mahendran user 15 Apr 2020 at 2:41 p.m. CDT

Please let me know if you need any more information regarding this issue... I'm eagerly waiting for a resolution to this issue. We cannot have anonymous access to our backend LDAP server. I really appreciate your support.

By Aliaksandr Samuseu staff 17 Apr 2020 at 5:17 p.m. CDT

Hi, Tyson. Please note we can't guarantee a timely answer under community support. We need to prioritize our customers first of all. I'll let you know when the dev team confirms whether this is expected behaviour or not.

By Aliaksandr Samuseu staff 20 Apr 2020 at 2:49 p.m. CDT

Hi, Tyson. Apparently, there was a bug like that, which should have been fixed in 4.1.1. You can download the patched WAR from [here](https://ox.gluu.org/maven/org/gluu/oxtrust-server/4.1.1.Final/oxtrust-server-4.1.1.Final.war); it should be compatible with your version. Stop the "identity" service in the container, back up the original `/opt/gluu/jetty/identity/webapps/identity.war` file just in case, then overwrite it with the patched WAR, and start the service.

By Tyson Mahendran user 20 Apr 2020 at 3:44 p.m. CDT

Thanks for the update. I followed your recommendation by replacing the identity.war, but I am still seeing the same issue and the same error in the logs... any thoughts?

By Aliaksandr Samuseu staff 20 Apr 2020 at 3:52 p.m. CDT

I'm confirming with the developer whether the fix is already added to 4.1.1. Will let you know tomorrow.

By Tyson Mahendran user 20 Apr 2020 at 3:53 p.m. CDT

Thanks for the quick response

By Tyson Mahendran user 30 Apr 2020 at 3:21 p.m. CDT

Hi Aliaksandr, have you had a chance to confirm with the developer whether the fix is in 4.1.1? It seems like it's not part of it, based on my testing with the provided WAR file. Please confirm. Thanks, Tyson

By Tyson Mahendran user 05 May 2020 at 10:30 a.m. CDT

Hi, Any update?

By Mohib Zico staff 13 May 2020 at 10:20 a.m. CDT

I can confirm, it's fixed in 4.1.1.