SREE LDAP failure

From PTAGISWiki

Problem description

The problem first appeared about 12/19/2005 7:07am When LDAP service is interrupted and SREE tries to do an LDAP transaction, SREE enters and error state in which no LDAP transactions succeed and so no users are able to run queries.

This problem was fixed with the jars issued on Jan 14, 2006.

The user sees this error message when trying to run a query:

Error 500--Internal Server Error
java.io.IOException: java.io.IOException: lkrentz doesn't have
scheduler permission. at
inetsoft.sree.RepletEngine.getScheduleTasks(RepletEngine.java:2855) at
jsp_servlet.__runquery._jspService(__runquery.java:428) at
weblogic.servlet.jsp.JspBase.service(JspBase.java:33) at
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6291)
at
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:97)
at
weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3575)
at
weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2573)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:178) at
weblogic.kernel.ExecuteThread.run(ExecuteThread.java:151)

These errors show up in weblogic stdout (nohup.out):

<Dec 20, 2005 8:58:50 AM PST> <Error> <HTTP>
<BEA-101019>
<[ServletContext(id=12011941,name=sree,context-path=/sree)] Servlet
failed with IOException
java.io.IOException: java.io.IOException: wayl doesn't have scheduler
permission. at
inetsoft.sree.RepletEngine.getScheduleTasks(RepletEngine.java:2855) at
jsp_servlet.__runquery._jspService(__runquery.java:428) at
weblogic.servlet.jsp.JspBase.service(JspBase.java:33) at
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6291)
at
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:97)
at
weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3575)
at
weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2573)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:178) at
weblogic.kernel.ExecuteThread.run(ExecuteThread.java:151)
>

[ERROR] Dec 20, 2005 9:13:02 AM: connection closed
javax.naming.CommunicationException: connection closed. Root exception
is java.io.IOException: connection closed at
com.sun.jndi.ldap.LdapClient.ensureOpen(LdapClient.java:1648) at
com.sun.jndi.ldap.LdapClient.search(LdapClient.java:594) at
com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1893) at
com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1842) at
com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:939) at
com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:522)
at
com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:155)
at
com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:144)
at javax.naming.InitialContext.lookup(InitialContext.java:347) at
inetsoft.sree.security.ldap.LdapSecurityProvider.getPermission(LdapSecurityProvider.java:589)
at inetsoft.sree.security.ldap.LdapSecurityProvider.getPermission(LdapSecurityProvider.java:544)
at
inetsoft.sree.security.SecurityEngine.getPermission(SecurityEngine.java:362)
at inetsoft.sree.adm.QueryHandler.initLink(QueryHandler.java:165) at
inetsoft.sree.adm.QueryHandler.createQueryTable(QueryHandler.java:141)
at inetsoft.sree.adm.QueryHandler.process(QueryHandler.java:115) at
inetsoft.sree.adm.AdmServlet.otherHandlers(AdmServlet.java:555) at
inetsoft.sree.adm.AdmServlet.process(AdmServlet.java:244) at
inetsoft.sree.adm.AdmServlet$2.run(AdmServlet.java:123) at
inetsoft.util.Tool.invokeThread(Tool.java:2251) at
inetsoft.sree.adm.AdmServlet.doGet(AdmServlet.java:120) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
at
weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6291)
at
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:97)
at
weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3575)
at
weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2573)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:178) at
weblogic.kernel.ExecuteThread.run(ExecuteThread.java:151)

The problem appears to be related to LDAP authentication. I have a simple workaround that seems to cause the LDAP authentication to work again:

1. use SREE Enterprise Manager to go to Main Server > Security > Scheduler Permission
2. click on Add Roles
3. if you get a pop-up window that lets you pick from 7 roles, LDAP authentication is working
4. if you don't, go to Main Server > Security > Directory Server Environment and press the Validate button
5. it should say LDAP setup completed successfully
6. go to Main Server and press the restart button to restart SREE
7. verify that LDAP is now working by repeating steps 1 and 2
8. you should now see the list of roles. Also users should now be able to run queries

Inetsoft has registered this as a bug as of 12/27/2005.

Inetsoft provided a fix and it was installed on development 2/24/2006.

Environment issues

This problem occurs on SREE 7.0 and 6.5. This problem occurs on iPlanet 5.0 and 5.2. The LDAP server on pitblade has been recently upgraded.

Procedure to replicate this bug

Our LDAP server for development is iPlanet 5.2.

pitblade:II:root: > ./ns-slapd -v
Sun Microsystems, Inc.
Sun Java(TM) System Directory Server/5.2_Patch_4 B2005.230.0041

The issue also occurs with our production environment which has iPlanet LDAP server version 5.0 The issue occurs with SREE 6.5 and SREE 7.0. The issue happens anytime SREE tries to perform an LDAP transaction and fails. Then all subsequent requests fail even though the LDAP server is available.

Here are a few more bits from log files:

Using SREE 7.0 and iPlanet 5.2, I begin by restarting SREE:

[INFO] Dec 22, 2005 12:01:13 PM: Servlet restarted.

I run a query and it completes successfully:

[TRACE] Dec 22, 2005 12:04:48 PM: Query data finished loading: 2031

I stop the LDAP server and try to run a query, but LDAP can't be used to verify permissions, so an error is thrown:

[ERROR] Dec 22, 2005 12:07:15 PM: connection closed
javax.naming.CommunicationException: connection closed. Root exception
is java.io.IOException: connection closed
[DEBUG] Dec 22, 2005 12:07:15 PM: No permission setting found:
__inetsoft_schedule
[ERROR] Dec 22, 2005 12:07:16 PM: rday doesn't have scheduler
permission.
java.io.IOException: rday doesn't have scheduler permission.

I restart the LDAP server and try to run a query, but it fails just as if LDAP were unavailable:

[ERROR] Dec 22, 2005 12:10:06 PM: connection closed
javax.naming.CommunicationException: connection closed.  Root exception is java.io.IOException: connection closed
[ERROR] Dec 22, 2005 12:10:06 PM: rday doesn't have scheduler permission.
java.io.IOException: rday doesn't have scheduler permission.

Logging out of the webapp and logging in again has no positive effect. The logs for the LDAP server show other successful transactions, but no attempt from SREE to connect.

[INFO] Dec 22, 2005 12:14:08 PM: Servlet restarted.

After I restart SREE from Enterprise Manager, things are working again.