percussion / percussioncms

Percussion CMS - Content Management System
https://percussioncmshelp.intsof.com/percussioncms
Apache License 2.0

Searching multiple LDAP OUs fails if any are invalid #726

Closed mariosm1 closed 1 year ago

mariosm1 commented 1 year ago

Version 8.0.3_124

Describe the bug

<LdapConfig>
  <!-- Example configuration for Active Directory. -->
  <LdapServer>
    <host>ad.percussion.com</host>
    <port>636</port>
    <user>CN=percuser,CN=Users,DC=ad,DC=percussion,DC=com</user>
    <password/>
    <catalog>shallow</catalog>
    <objectAttributeName>samaccountname</objectAttributeName>
    <emailAttributeName>emailaddress</emailAttributeName>
    <organizationalUnit>OU=Users,DC=ad,DC=percussion,DC=com</organizationalUnit>
    <organizationalUnit>
      OU=Users,OU=InvalidDirectory,DC=ad,DC=percussion,DC=com
    </organizationalUnit>
    <secure>true</secure>
  </LdapServer>
</LdapConfig>

Authentication failed for directory 'ldap directory 2' and authentication 'ldap authentication'. The error was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:

      'OU=Users,OU=InvalidDirectory,DC=ad,DC=percussion,DC=com

]; remaining name ''

natechadwick commented 1 year ago

@matomario8 Which version did you reproduce this on?

mariosm1 commented 1 year ago

@natechadwick 8.0.3_124

mariosm1 commented 1 year ago

Tested on 8.1, where the issue still occurs: I set up a valid LDAP provider and made sure it was working, then added a second, invalid LDAP provider, which caused LDAP connectivity to break. There is no delay or timeout when logging in.

Environment: ts-trees6 under D:\Perc81Test

2023-02-01 15:40:03,017 ERROR [com.percussion.services.security.impl.PSRoleMgr] Error finding users: An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.security.PSCataloger:L:539 Cause:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
] C:com.sun.jndi.ldap.LdapCtx:L:3284
2023-02-01 15:40:03,971 ERROR [com.percussion.services.security.impl.PSRoleMgr] Error finding users: An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.security.PSCataloger:L:539 Cause:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
] C:com.sun.jndi.ldap.LdapCtx:L:3284
2023-02-01 15:40:03,972 ERROR [Security] General directory service failure: com.percussion.security.PSSecurityException: An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.services.security.impl.PSRoleMgr:L:226 Cause:An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.security.PSCataloger:L:539
2023-02-01 15:40:13,974 ERROR [com.percussion.services.security.impl.PSRoleMgr] Error finding users: An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.security.PSCataloger:L:539 Cause:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
] C:com.sun.jndi.ldap.LdapCtx:L:3284
2023-02-01 15:40:13,981 ERROR [Security] General directory service failure: com.percussion.security.PSSecurityException: An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.services.security.impl.PSRoleMgr:L:226 Cause:An unknown naming exception was caught. The error message was: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=percussion,DC=local'
]; remaining name '' C:com.percussion.security.PSCataloger:L:539

Server log: server.log
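
The failure isolation this report asks for, as an added example that is not Percussion's code or its fix: each configured search base is queried on its own, a `NameNotFoundException` (LDAP result code 32) skips only that base, and every other `NamingException` still propagates so bind or TLS failures are not masked. `MultiOuSearch`, `OuSearcher` and `searchAll` are hypothetical names, and the directory is replaced by a constructed in-memory fake so the block runs offline.

```java
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import java.util.ArrayList;
import java.util.List;

public class MultiOuSearch {
    /** Hypothetical stand-in for one directory search under a single base DN. */
    interface OuSearcher {
        List<String> search(String baseDn) throws NamingException;
    }

    /** Search every configured OU; an OU that does not exist is skipped, not fatal. */
    static List<String> searchAll(List<String> baseDns, OuSearcher searcher)
            throws NamingException {
        List<String> users = new ArrayList<>();
        List<String> missing = new ArrayList<>();
        for (String baseDn : baseDns) {
            try {
                users.addAll(searcher.search(baseDn));
            } catch (NameNotFoundException e) {
                // Result code 32 (NO_OBJECT): only this base is bad, keep going.
                missing.add(baseDn);
                System.err.println("WARN skipping missing search base: " + baseDn);
            }
            // Any other NamingException (bind failure, TLS, timeout) propagates.
        }
        // Fail closed when no configured base exists at all.
        if (!baseDns.isEmpty() && missing.size() == baseDns.size()) {
            throw new NameNotFoundException("no configured search base exists: " + missing);
        }
        return users;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample data: the two OUs from the configuration in the report.
        String good = "OU=Users,DC=ad,DC=percussion,DC=com";
        String bad = "OU=Users,OU=InvalidDirectory,DC=ad,DC=percussion,DC=com";
        // Constructed fake directory: the invalid OU raises the same exception type.
        OuSearcher fake = baseDn -> {
            if (baseDn.equals(bad)) {
                throw new NameNotFoundException("[LDAP: error code 32 - NO_OBJECT]");
            }
            return List.of("percuser");
        };
        System.out.println(searchAll(List.of(good, bad), fake));
    }
}
```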