#1 2014-03-21 14:39:36

tomharney
Member
Registered: 2014-03-11

LDAP Issue - RS2.1.4-5528

I followed the instructions for LDAP provided here and the import worked brilliantly.

http://blog.datenwerke.net/2013/08/Repo … ation.html

However, the LDAP hook (hookldappam.groovy) to enable LDAP authentication doesn't seem to be working.

I've been reading up on the Groovy Shell, for those who aren't aware you can access the shell in Report Server by pressing CTRL-ALT-T after clicking on File System in Administration, and I thought at one time I could get a list of commands by entering "help".   Maybe in an older version?

But when I do this I get the following:   -terminal: help: command not found

And according to Code Haus, help should work.
http://groovy.codehaus.org/Groovy+Shell … l-Commands

Other things I tried:

1)  I looked in the user table ( rs_user ) in the Report Server database in Postgres and noticed the password field was blank for LDAP imported users.  So I set it to a random password.  Still no luck.

I hesitate to make too much noise but I don't know how I can debug the problem.  I want to figure it out on my own but I'm stuck.  Can anyone provide any guidance?

I think I'm going to add print out statements to the script although I'm not sure where the output will go.  I assumed that LDAP authentication problems would appear in the catalina logs in Tomcat but no such luck.

Offline

#2 2014-04-02 18:50:26

tomharney
Member
Registered: 2014-03-11

Re: LDAP Issue - RS2.1.4-5528

No follow-up on this?  How do I debug LDAP issues in Groovy?  I'm not seeing any output in the logs.  I'm going to try to downgrade to an earlier version; I've been operating on the bleeding edge.

Offline

#3 2014-04-02 20:08:13

Thorsten J. Krause
Guest

Re: LDAP Issue - RS2.1.4-5528

Hi,

the groovy shell and the terminal are not the same thing. Actually they dont't have very much in common besides the fact that the terminal can be used to execute groovy scripts. A list of available commands in the terminal is available by pressing the [tab] (autocomplete) key. Additionally, most commands feature an -? option, which displays a short help text (e.g. ls -?)).

The blank password fields are probably all right - the ldap authenticator does not use the password field in the user table, but instead uses the user supplied password and tries to connect to the ldap server.

But as you say there are no ldap related messages in the logfiles I think the problem is not directly related to the ldap connection, but something simpler, like the script not being executed at all.

Try to replace your hookldappam.groovy with this version with added debug output:
http://www2.datenwerke.net/files/forum/ … bug.groovy

If you don't see at least the "LDAP INIT" message in your logfiles, the script is not executed at all. Befor you look through the logfiles make certain that startup was completed - in some situations you can access the web application, before all startup scripts finished executing - so just to be sure wait a moment after you restarted tomcat.

That should give us some idea, whats going on.

Cheers,
Thorsten

#4 2015-01-27 04:08:33

tomharney
Member
Registered: 2014-03-11

Re: LDAP Issue - RS2.1.4-5528

I'm just now circling back to this since the new release.

When I attempt to use your script I receive the following error message:

Error on Login Page wrote:

groovy.lang.MissingPropertyException: No such property: logger for class: ldap.LdapPAM
<br>    at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:50)
<br>    at org.codehaus.groovy.runtime.callsite.GetEffectivePogoPropertySite.getProperty(GetEffectivePogoPropertySite.java:86)
<br>    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGroovyObjectGetProperty(AbstractCallSite.java:231)
<br>    at ldap.LdapPAM.authenticate(Script1.groovy:51)
<br>    at net.datenwerke.security.service.authenticator.AuthenticatorServiceImpl.evaluateTokens(AuthenticatorServiceImpl.java:110)
<br>    at net.datenwerke.security.service.authenticator.AuthenticatorServiceImpl.authenticate(AuthenticatorServiceImpl.java:75)
<br>    at net.datenwerke.security.service.authenticator.AuthenticatorServiceImpl.isAuthenticated(AuthenticatorServiceImpl.java:142)
<br>    at net.datenwerke.rs.authenticator.server.LoginHandlerImpl.isAuthenticated(LoginHandlerImpl.java:81)
<br>    at com.google.inject.persist.jpa.JpaLocalTxnInterceptor.invoke(JpaLocalTxnInterceptor.java:66)
<br>    at net.datenwerke.security.service.security.aop.SecurityCheckInterceptor.invoke(SecurityCheckInterceptor.java:110)
<br>    at net.datenwerke.gf.service.gwtstacktrace.CatchStacktraceInterceptor.invoke(CatchStacktraceInterceptor.java:38)
<br>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<br>    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
<br>    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
<br>    at java.lang.reflect.Method.invoke(Unknown Source)
<br>    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:561)
<br>    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
<br>    at net.datenwerke.security.service.security.aop.SecurityCheckInterceptor.invoke(SecurityCheckInterceptor.java:110)
<br>    at net.datenwerke.gf.service.gwtstacktrace.CatchStacktraceInterceptor.invoke(CatchStacktraceInterceptor.java:38)
<br>    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
<br>    at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
<br>    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
<br>    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
<br>    at net.datenwerke.security.service.security.aop.SecurityCheckInterceptor.invoke(SecurityCheckInterceptor.java:110)
<br>    at net.datenwerke.gf.service.gwtstacktrace.CatchStacktraceInterceptor.invoke(CatchStacktraceInterceptor.java:38)
<br>    at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
<br>    at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
<br>    at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
<br>    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
<br>    at com.google.inject.persist.PersistFilter.doFilter(PersistFilter.java:89)
<br>    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
<br>    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
<br>    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
<br>    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
<br>    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
<br>    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
<br>    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
<br>    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
<br>    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
<br>    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
<br>    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
<br>    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
<br>    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
<br>    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
<br>    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
<br>    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
<br>    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852)
<br>    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
<br>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
<br>    at java.lang.Thread.run(Unknown Source)
<br>

Any words of wisdom?  This is the only issue I've experienced thus.  I finally got the LDAP import functioning.  This is a fantastic release!

Offline

#5 2015-01-27 05:35:01

tomharney
Member
Registered: 2014-03-11

Re: LDAP Issue - RS2.1.4-5528

I think I figured it out.  I added Logger inside the class and the error went away (see below).  However, I'm still not able to login even though it appears authentication is successful.  So I suspect its a permissions problem.  What are the minimum permissions required to login to ReportServer?

public class LdapPAM implements ReportServerPAM {
	
	private static final String CLIENT_MODULE_NAME = UserPasswordClientPAM.class.getName();
	private UserManagerService userManagerService;
	Logger logger = Logger.getLogger("LDAP");

Offline

#6 2015-01-28 17:54:03

Thorsten J. Krause
Guest

Re: LDAP Issue - RS2.1.4-5528

Hi Tom,

the minimum is just "ReportServer Access" in "Permission management". But there were also some changes to the authenticator, so perhaps that is the cause of this issue.
First, please try this updated version of the hookldappam script: http://www2.datenwerke.net/files/blog/2 … pam.groovy
The other change concerns the file reportserver.properties: Try setting rs.authenticator.pams to an empty value.

We changed how multiple pams interact in as a consequence we moved the fallback to a local, non-ldap password to the script, so you don't need the regular UserPassword Module any longer.

Cheers,
Thorsten

Board footer

Powered by FluxBB