LDAP Error 500 j_spring_security_check

Keiran

I'm testing Madsonic for my work and I'm trying to get LDAP working. I have the LDAP authentication set up and working, and the user will be cloned into the user database when you log in, but I don't get any further and just get an HTML 500 error, and the error message below shows in the madsonic-service.log file. I have tested multiple users with the same results. Madsonic version is 6.2.9080. Windows server version is 2012R2. I'm using the newest version of Madsonic for the logo customisation features.

2017-01-04 14:46:44.410:WARN:oejs.ServletHandler:Error Processing URI: /j_spring_security_check - (org.springframework.ldap.InvalidSearchFilterException) Empty filter; nested exception is javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''

In the Serverlog it shows:

[2017-01-04 15:26:11,179] WARN LoginFailureLogger - Login failed for [] from [172.*.*.*]

The username appears not to be passed in this instance, whereas if I put in the username and an incorrect password then I get the message below, indicating that the username is being passed:

[2017-01-04 14:50:17,164] WARN LoginFailureLogger - Login failed for [keiran] from [172.*.*.*]

User being cloned from AD:

[2017-01-04 15:17:38,003] INFO MadsonicLdapBindAuthenticator - cloned from default user 'keiran' for DN cn=Keiran,ou=IT Department...

[2017-01-04 14:43:22,569] WARN HsqlDaoHelper - Checking database schema ...
[2017-01-04 14:43:23,694] INFO HsqlDaoHelper - Done checking database schema.
[2017-01-04 14:43:23,694] INFO HsqlDaoHelper - Checking HSQLDB version: 2.3.4
[2017-01-04 14:43:24,819] INFO SettingsService - Java: 1.8.0_101, OS: Windows Server 2012 R2
[2017-01-04 14:43:24,819] INFO SettingsService - write transcode path to property file: C:\madsonic\transcode
[2017-01-04 14:43:26,085] INFO SettingsService - ffmpeg: ffmpeg version N-82889-g54931fd (21.12.2016) Copyright (c) 2000-2016 the FFmpeg developers
[2017-01-04 14:43:26,085] INFO SettingsService - Madsonic scanMode: NATIVE
[2017-01-04 14:43:26,507] INFO MediaScannerService - Automatic index scan: every 1 day(s)
[2017-01-04 14:43:26,507] INFO MediaScannerService - NEXT: Thu Jan 05 03:00:00 NZDT 2017
[2017-01-04 14:43:26,616] INFO UPnPService - Checking UPnP service...
[2017-01-04 14:43:26,741] INFO PodcastService - Automatic Podcast scan: every 24 hour(s)
[2017-01-04 14:43:26,741] INFO PodcastService - NEXT: Wed Jan 04 14:48:26 NZDT 2017
[2017-01-04 14:43:28,617] INFO UPnPService - Disabling UPnP/DLNA media server
[2017-01-04 14:43:28,617] INFO UPnPService - Checking UPnP service - Done!
[2017-01-04 14:45:46,327] INFO NetworkService - Deleted port mapping for port 4040
[2017-01-04 14:46:38,198] INFO BootstrapVerificationFilter - Servlet container: jetty/8.y.z-SNAPSHOT

Thanks.

Madsonic
Administrator

Hi there,

Please recheck your LDAP properties under Settings > LDAP.

Example config: http://beta.madsonic.org/pages/ldap.jsp#3.1

Example login with LDAP user bob on Madsonic 6.2 over an ApacheDS LDAP server:


[2017-01-04 07:02:55,029] WARN HsqlDaoHelper - Checking database schema ...
[2017-01-04 07:02:55,865] INFO HsqlDaoHelper - Done checking database schema.
[2017-01-04 07:02:55,865] INFO HsqlDaoHelper - Checking HSQLDB version: 2.3.4
[2017-01-04 07:02:56,186] INFO PlayerDao - Deleted 1 player(s) that haven't been used after Sat Nov 05 07:02:56 CET 2016
[2017-01-04 07:02:56,187] INFO SettingsService - Java: 1.8.0_111, OS: Windows 10
[2017-01-04 07:02:56,190] INFO SettingsService - write transcode path to property file: c:\madsonic\transcode
[2017-01-04 07:02:56,218] INFO SettingsService - ffmpeg: ffmpeg version N-82889-g54931fd (20.12.2016) Copyright (c) 2000-2016 the FFmpeg developers
[2017-01-04 07:02:56,218] INFO SettingsService - Madsonic scanMode: MIXED
[2017-01-04 07:02:56,221] DEBUG VersionService - Resolved local Madsonic version to: 6.2.9100.7ecf976
[2017-01-04 07:02:56,232] DEBUG UserService - Checking User accounts ...
[2017-01-04 07:02:56,284] DEBUG SecurityService - Updated user default
[2017-01-04 07:02:56,288] DEBUG UserService - Checking Default User. Done
[2017-01-04 07:02:56,292] DEBUG SecurityService - Updated user guest
[2017-01-04 07:02:56,293] DEBUG UserService - Checking Guest User. Done
[2017-01-04 07:02:56,303] INFO MediaScannerService - Automatic index scan: every 1 day(s)
[2017-01-04 07:02:56,303] INFO MediaScannerService - NEXT: Thu Jan 05 03:00:00 CET 2017
[2017-01-04 07:02:56,370] INFO UPnPService - Checking UPnP service...
[2017-01-04 07:02:56,515] INFO PodcastService - Automatic Podcast scan: every 24 hour(s)
[2017-01-04 07:02:56,515] INFO PodcastService - NEXT: Wed Jan 04 07:07:56 CET 2017
[2017-01-04 07:02:57,131] INFO UPnPService - Disabling UPnP/DLNA media server
[2017-01-04 07:02:57,131] INFO UPnPService - Checking UPnP service - Done!
[2017-01-04 07:03:07,036] INFO NetworkService - Deleted port mapping for port 8080
[2017-01-04 07:03:27,665] INFO BootstrapVerificationFilter - Servlet container: jetty/8.1.21.v20160908
[2017-01-04 07:04:11,965] DEBUG MadsonicLdapBindAuthenticator - authentication request: bob
[2017-01-04 07:04:12,027] DEBUG MadsonicLdapBindAuthenticator - user 'bob' successfully authenticated in LDAP. DN: uid=bob,ou=users
[2017-01-04 07:04:12,038] DEBUG SecurityService - Cloned from default user: bob
[2017-01-04 07:04:12,038] INFO MadsonicLdapBindAuthenticator - cloned from default user 'bob' for DN uid=bob,ou=users
[2017-01-04 07:04:12,050] DEBUG SecurityService - Updated user default
[2017-01-04 07:04:12,054] DEBUG MadsonicLdapBindAuthenticator - set token for bob
[2017-01-04 07:04:12,071] DEBUG UserDetailsServiceBasedAuthoritiesPopulator - retrieved roles from Madsonic DB: [ROLE_COMMENT, ROLE_COVERART, ROLE_DOWNLOAD, ROLE_LASTFM, ROLE_SEARCH, ROLE_SETTINGS, ROLE_STREAM, ROLE_UPLOAD]
[2017-01-04 07:04:12,285] INFO PlayerDao - Created player 2.
[2017-01-04 07:04:12,288] DEBUG PlayerService - Created player 2 (remoteControlEnabled: true, isStreamRequest: false, username: bob, ip: 0:0:0:0:0:0:0:1).

Keiran

I have checked my LDAP properties again. I have also rolled back to 6.1.8740 and turned on debugging on the logs. The user is being authenticated correctly as per the log below, but I get the error below when logging in. Why would the user be able to be created and authenticated if the query is wrong? Surely if the user has been authenticated then LDAP is done?

[2017-01-05 08:11:05,971] DEBUG MadsonicLdapBindAuthenticator - authentication request: keiran
[2017-01-05 08:11:06,082] DEBUG MadsonicLdapBindAuthenticator - user 'keiran' successfully authenticated in LDAP. DN: cn=Keiran,ou=IT Department...
[2017-01-05 08:11:06,087] DEBUG SecurityService - Cloned from default user: keiran
[2017-01-05 08:11:06,087] INFO MadsonicLdapBindAuthenticator - cloned from default user 'keiran' for DN cn=Keiran,ou=IT Department...
[2017-01-05 08:11:06,089] DEBUG SecurityService - Updated user default
[2017-01-05 08:11:06,099] DEBUG MadsonicLdapBindAuthenticator - set token for keiran

2017-01-05 08:11:06.101:WARN:oejs.ServletHandler:Error Processing URI: /j_spring_security_check - (org.springframework.ldap.NameNotFoundException) [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:'DC=internal' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=internal' ]; remaining name 'CN=Subsonic Users,OU=Groups'

Thanks for your help.

Madsonic
Administrator

In your case your searchBase for groups is misconfigured:

Windows AD example:

LDAP URL: ldap://localhost:389/dc=internal,dc=company,dc=com
LDAP search filter: (sAMAccountName={0})
LDAP group searchBase: ou=groups,ou=organisation
LDAP group filter: (member={0})
LDAP group role attribute: ou
LDAP manager DN: cn=ldap,ou=users,ou=organisation,dc=internal,dc=company,dc=com
LDAP manager password: the given password
best regards,
The Madsonic Team
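
An added example, not part of the original thread and not Madsonic's code: a pre-flight check for the settings fields shown above. It assumes, as the error 32 with remaining name 'CN=Subsonic Users,OU=Groups' indicates, that the group searchBase is resolved relative to the base DN in the LDAP URL; the dict keys and function names are hypothetical.

```python
from urllib.parse import urlparse, unquote

def norm_dn(dn):
    """Lower-case a DN and trim spaces around components (naive: no escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def check_ldap_settings(cfg):
    """Return (effective_group_dn, findings) for a dict of the thread's LDAP fields."""
    findings = []
    url = urlparse(cfg.get("url", ""))
    base = norm_dn(unquote(url.path.lstrip("/")))
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("ERROR url: scheme must be ldap or ldaps")
    elif url.scheme == "ldap":
        findings.append("WARN url: no TLS unless StartTLS is used; bind passwords travel in clear text")
    if not base:
        findings.append("ERROR url: no base DN after the host part")
    for key in ("search_filter", "group_filter"):
        value = cfg.get(key, "").strip()
        if not value:
            findings.append(f"ERROR {key}: empty (JNDI raises 'Empty filter')")
        elif "{0}" not in value:
            findings.append(f"ERROR {key}: no {{0}} placeholder")
    group_base = norm_dn(cfg.get("group_search_base", ""))
    if base and (group_base == base or group_base.endswith("," + base)):
        findings.append("ERROR group_search_base: repeats the URL base DN, so the suffix is applied twice")
    if not cfg.get("group_role_attribute", "").strip():
        findings.append("WARN group_role_attribute: empty; the working setups in the thread set it (ou, cn)")
    # The DN the group search actually runs under: searchBase + URL base DN.
    effective = ",".join(p for p in (group_base, base) if p)
    return effective, findings

# Values taken from the Windows AD example in the thread.
AD_EXAMPLE = {
    "url": "ldap://localhost:389/dc=internal,dc=company,dc=com",
    "search_filter": "(sAMAccountName={0})",
    "group_search_base": "ou=groups,ou=organisation",
    "group_filter": "(member={0})",
    "group_role_attribute": "ou",
}
# Constructed broken variant: full DN as group base, empty filter, no role attribute.
BROKEN = dict(AD_EXAMPLE, group_search_base="OU=Groups, DC=internal,DC=company,DC=com",
              group_filter="", group_role_attribute="")

if __name__ == "__main__":
    for name, cfg in (("AD example", AD_EXAMPLE), ("constructed broken", BROKEN)):
        dn, findings = check_ldap_settings(cfg)
        print(f"{name}: groups searched under {dn}")
        for finding in findings:
            print("  ", finding)
```

Compare the printed effective DN with the real location of the groups container in the directory; a mismatch there is what error code 32 (NO_OBJECT) reports.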

Keiran

Thanks, I have it working now. It's worth noting that there is no "ou" attribute in Active Directory; it would have to be created by extending the AD Schema, which is permanent. I am using extensionAttribute15 for testing.

From what I've read, I assume the message below means that the user should have the "User is Administrator" and "User is allowed to play files" boxes ticked when they are created and the "Automatically map ldap group to madsonic role" option is checked on the ldap page? This isn't working for me, there are no errors in any log file. I feel like I'm missing something but can't find an answer in the forum or documentation.

[2017-01-05 12:46:45,359] DEBUG UserDetailsServiceBasedAuthoritiesPopulator - retrieved roles from LDAP: [ROLE_ADMIN, ROLE_STREAM]

Madsonic
Administrator

Keiran wrote: Thanks, I have it working now. It's worth noting that there is no "ou" attribute in Active Directory; it would have to be created by extending the AD Schema, which is permanent. I am using extensionAttribute15 for testing.

From what I've read, I assume the message below means that the user should have the "User is Administrator" and "User is allowed to play files" boxes ticked when they are created and the "Automatically map ldap group to madsonic role" option is checked on the ldap page? This isn't working for me, there are no errors in any log file. I feel like I'm missing something but can't find an answer in the forum or documentation.

[2017-01-05 12:46:45,359] DEBUG UserDetailsServiceBasedAuthoritiesPopulator - retrieved roles from LDAP: [ROLE_ADMIN, ROLE_STREAM]

This is true: on Windows LDAP Active Directory there is no default ou attribute; it is used more in the ApacheDS implementation.

In your case, use the cn attribute, which also reflects the needed value madsonic.stream for the mapping.

Read more about group names http://beta.madsonic.org/pages/ldap.jsp#2

best regards

Keiran

Ok, I have made a new group in AD called madsonic.admin and changed the LDAP group role attribute to cn, it retrieves the role [ROLE_ADMIN] from LDAP when I log in with that user but that user doesn't have admin rights. I have "Automatically map ldap group to Madsonic role" checked. How do I make roles apply to users in Madsonic if the role is being successfully pulled from LDAP?

[2017-01-06 08:47:19,259] INFO SecurityService - Deleted user keiran
[2017-01-06 08:47:27,047] DEBUG MadsonicLdapBindAuthenticator - authentication request: keiran
[2017-01-06 08:47:27,072] DEBUG MadsonicLdapBindAuthenticator - user 'keiran' successfully authenticated in LDAP. DN: cn=Keiran,ou=IT Department
[2017-01-06 08:47:27,074] DEBUG SecurityService - Cloned from default user: keiran
[2017-01-06 08:47:27,075] INFO MadsonicLdapBindAuthenticator - cloned from default user 'keiran' for DN cn=Keiran,ou=IT Department
[2017-01-06 08:47:27,076] DEBUG SecurityService - Updated user default
[2017-01-06 08:47:27,077] DEBUG MadsonicLdapBindAuthenticator - set token for keiran
[2017-01-06 08:47:27,084] DEBUG UserDetailsServiceBasedAuthoritiesPopulator - retrieved roles from LDAP: [ROLE_ADMIN]

Thanks for your help.

burninhell

I am struggling with the same problem, but unlike Keiran, I did not get it working yet. So like he described, accounts are cloned from AD but then the login stops on the j_spring_security_check page. Like him I am using a Windows Active Directory.

Maybe you can see what is wrong with my config:

LDAP URL :: ldap://dc.domain.local:389/OU=persons,OU=users,OU=family,dc=domain,dc=local
LDAP search filter :: (sAMAccountName={0})
LDAP group searchBase :: OU=groups,OU=family
LDAP group filter :: (member={0})
LDAP group role attribute ::
LDAP manager DN :: cn=Auth Account,OU=persons,OU=users,OU=family,dc=domain,dc=local
LDAP manager password :: the password

so my OUs look like this:
family
-groups
.madsonic.admins(containing the testuser)
-users
-persons
.testuser

burninhell

I am now as far as Keiran: users can log in and in the logs I can see that the rights are collected from the group memberships, but even if the user is automatically created on first login, he has no rights at all.

Madsonic
Administrator

confirmed, will be fixed with next release. :thumbsup: