Bug #58132 DSID-0C090627 | Configuration of non-anon binds to be split from comparison mode
Submitted: 11 Nov 2010 6:47
Modified: 28 Jan 2011 19:23
Reporter: Mark Matthews
Status: Closed
Category: MySQL Enterprise Monitor: Web
Severity: S2 (Serious)
Version: 2.3.0
OS: Any
Assigned to: Mark Matthews
CPU Architecture: Any

[11 Nov 2010 6:47] Mark Matthews
Description:
The configuration for LDAP settings needs to split the connection name and password fields from the comparison mode, as Active Directory doesn't support anonymous binds, but does support bind-as-user after a non-anonymous bind. We can't currently configure that mode from the UI, even though the LDAP backend code supports it.

How to repeat:
N/A
[11 Nov 2010 6:56] Enterprise Tools JIRA Robot


Attachment: 10520_anonbinds.png (image/png, text), 30.40 KiB.

[12 Nov 2010 3:25] Roel Van de Paar
Trying to authenticate against AD (in Win2000 or later, which does not allow anonymous binds) with an anonymous bind, or even using comparison mode, would show this issue as the following error:

javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'CN=...,DC=com '

Where '...' is the FQDN of the user.
[18 Nov 2010 1:00] Enterprise Tools JIRA Robot
Andy Bang writes: 
In build 2.3.1.2039.
[23 Nov 2010 17:12] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Tested with Monitor build 2.3.1.2039 on AD setup. We are getting this error:

Error Nov 23, 2010 4:42:07 AM LDAP Failure
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772]; remaining name 'ou=Users,dc=merlin,dc=tv'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
    at javax.naming.directory.InitialDirContext.search(Unknown Source)
    at com.mysql.etools.monitor.bo.LdapAuthenticator.getUserBySearch(LdapAuthenticator.java:1344)
    at com.mysql.etools.monitor.bo.LdapAuthenticator.getUser(LdapAuthenticator.java:1236)
    at com.mysql.etools.monitor.bo.LdapAuthenticator.authenticate(LdapAuthenticator.java:387)
    at com.mysql.etools.monitor.bo.LdapAuthenticator.authenticate(LdapAuthenticator.java:428)
    at com.mysql.etools.monitor.bo.UserManager.externalAuthenticate(UserManager.java:265)
    at com.mysql.etools.monitor.bo.UserManager.authenticate(UserManager.java:69)
    at com.mysql.etools.monitor.bo.UserManager.authenticate(UserManager.java:38)
    at com.mysql.merlin.ui.actions.DoAuth.executeInner(DoAuth.java:60)
    at com.mysql.merlin.ui.actions.BaseSubmitAction.exec(BaseSubmitAction.java:51)
    at com.mysql.merlin.ui.actions.BaseAction$1.call(BaseAction.java:1897)
    at com.mysql.merlin.ui.actions.BaseAction$1.call(BaseAction.java:1896)
    at com.mysql.merlin.ui.actions.BaseAction.execute(BaseAction.java:1880)
    at com.mysql.merlin.ui.actions.BaseAction.execute(BaseAction.java:1895)
    at sun.reflect.GeneratedMethodAccessor145.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:404)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:267)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:229)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:167)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:1)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:170)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:1)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
    at com.mysql.merlin.ui.interceptors.InitializeInterceptor.intercept(InitializeInterceptor.java:82)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:1)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:176)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:1)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
    at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:50)
    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:507)
    at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:421)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at net.sf.ehcache.constructs.web.filter.GzipFilter.doFilter(GzipFilter.java:81)
    at net.sf.ehcache.constructs.web.filter.Filter.doFilter(Filter.java:92)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.mysql.merlin.server.RequestCounterFilter.doFilter(RequestCounterFilter.java:117)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.mysql.merlin.ui.filters.AccessLogFilter.doFilter(AccessLogFilter.java:56)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Unknown Source)

The configuration line is:

Warning Nov 23, 2010 4:40:57 AM Reconfigured, configuration state is: com.mysql.etools.monitor.bo.LdapAuthenticator@d4a1d3[alternateURL=<null>,authByBind=true,authentication=<null>,authoritative=false,connectionAttempt=0,connectionName=Admi****,connectionPassword=****,connectionURL=ldap://vbox-ua-1-vm8:3268,context=<null>,contextFactory=com.sun.jndi.ldap.LdapCtxFactory,curUserPattern=0,derefAliases=<null>,digest=<null>,digestEncoding=<null>,enabled=true,ldapToAdminRoles={},ldapToDbaRoles={},ldapToRoRoles={},ldapToAgentRoles={},md=<null>,protocol=ldap,referrals=follow,roleBase=<null>,roleFormat=<null>,roleMappingEnabled=false,roleName=<null>,roleSearch=<null>,roleSubtree=false,userBase=ou=Users,dc=merlin,dc=tv,userPassword=<null>,userPattern=<null>,userPatternArray=<null>,userPatternFormatArray=<null>,userRoleName=<null>,userSearch=(sAMAccountName={0}),userSearchFormat=java.text.MessageFormat@a1bc966d,userSubtree=true,useStartTls=false,clock=com.mysql.etools.time.RealClock@11f2041,timeouts={},cachedPasswords=< 0 cached passwords >]
[22 Dec 2010 0:27] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build 2.3.1.2039.
[19 Jan 2011 0:57] Mark Matthews
This is essentially a UI-only change. However, this change in the UI will be required usage by those wanting to use AD with our LDAP functionality, i.e. they will have to put in some user (even with limited privileges) in the non-anonymous bind so that MEM can connect to the directory server.
[28 Jan 2011 19:23] John Russell
Added to 2.3.1 change log:

To connect MySQL Enterprise Monitor with an Active Directory server
through LDAP, you must specify a user (even one with limited
privileges).
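
A log-triage helper for the Active Directory error quoted in this report, added here as an example (it is not MySQL Enterprise Monitor code). It parses the LdapErr text out of the JNDI exception, flags operations sent on a connection that never completed a bind, and checks whether the logged LdapAuthenticator state names a bind account. The function names, sample host and base DN are assumptions, and the sample lines are constructed from the shapes shown above.

```python
import re

# AD diagnostic as it appears inside the JNDI NamingException text.
AD_ERR = re.compile(
    r"\[LDAP: error code (?P<ldap_code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]{8}), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), (?P<build>\w+)\]"
    r"(?:; remaining name '(?P<remaining>[^']*)')?"
)
UNBOUND = "a successful bind must be completed"

# Constructed sample lines modelled on this report (placeholder host and DN).
SAMPLE_LOG = [
    "Reconfigured, configuration state is: LdapAuthenticator@0[authByBind=true,"
    "connectionName=<null>,connectionURL=ldap://ad.example.test:3268,"
    "userBase=ou=Users,dc=example,dc=test,userSearch=(sAMAccountName={0})]",
    "LDAP Failure javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C0906DD, comment: In order to perform this operation a "
    "successful bind must be completed on the connection., data 0, v1772]; "
    "remaining name 'ou=Users,dc=example,dc=test'",
]


def parse_ad_error(line):
    """Return the fields of an AD LdapErr message, or None if the line has none."""
    m = AD_ERR.search(line)
    if not m:
        return None
    err = m.groupdict()
    err["ldap_code"] = int(err["ldap_code"])
    err["win32"] = int(err["win32"], 16)  # 0x4DC is Win32 ERROR_NOT_AUTHENTICATED
    # LDAP result 1 (operationsError) with this comment: the operation was
    # sent on a connection that had not completed a bind.
    err["unbound_operation"] = err["ldap_code"] == 1 and UNBOUND in err["comment"]
    return err


def bind_user_configured(config_line):
    """True if the logged authenticator state names a non-anonymous bind account."""
    m = re.search(r"\bconnectionName=([^,\]]*)", config_line)
    return bool(m) and m.group(1) not in ("", "<null>")


def triage(log_lines):
    """Return (dsid, search_base, bind_user_set) per unbound-operation error."""
    has_user = any(bind_user_configured(line) for line in log_lines)
    return [(e["dsid"], e["remaining"], has_user)
            for e in map(parse_ad_error, log_lines)
            if e and e["unbound_operation"]]
```

A result with `bind_user_set` false points at the situation this bug describes: a search issued against AD with no bind account configured.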