Open
Description
Currently the NameNotFoundException is wrapped into LdapException in LdapFacade and the whole request fails with:
```
19-May-2020 10:13:44.859 WARNING [http-nio-8080-exec-496] opengrok.auth.plugin.ldap.LdapFacade.lookup The LDAP name for search 'DN: cn=BAR,l=amer,dc=foo,dc=com , filter: objectclass=* , attributes: city' was not found on server ldaps://ldap.foo.com timeout: 3000 username: cn=GROKLDAP_HERE,l=amer,dc=foo,dc=com
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=BAR,l=amer,dc=foo,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3179)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
	at opengrok.auth.plugin.ldap.LdapServer.search(LdapServer.java:227)
	at opengrok.auth.plugin.ldap.LdapServer.search(LdapServer.java:193)
	at opengrok.auth.plugin.ldap.LdapFacade.lookup(LdapFacade.java:347)
	at opengrok.auth.plugin.ldap.LdapFacade.lookup(LdapFacade.java:295)
	at opengrok.auth.plugin.ldap.LdapFacade.lookupLdapContent(LdapFacade.java:263)
	at opengrok.auth.plugin.ldap.AbstractLdapProvider.lookupLdapContent(AbstractLdapProvider.java:90)
	at opengrok.auth.plugin.LdapAttrPlugin.fillSession(LdapAttrPlugin.java:153)
	at opengrok.auth.plugin.AbstractLdapPlugin.ensureSessionExists(AbstractLdapPlugin.java:257)
	at opengrok.auth.plugin.AbstractLdapPlugin.isAllowed(AbstractLdapPlugin.java:309)
	at org.opengrok.indexer.authorization.AuthorizationFramework$3.decision(AuthorizationFramework.java:168)
	at org.opengrok.indexer.authorization.AuthorizationPlugin.isAllowed(AuthorizationPlugin.java:189)
	at org.opengrok.indexer.authorization.AuthorizationStack.processStack(AuthorizationStack.java:241)
	at org.opengrok.indexer.authorization.AuthorizationStack.isAllowed(AuthorizationStack.java:202)
	at org.opengrok.indexer.authorization.AuthorizationStack.processStack(AuthorizationStack.java:241)
	at org.opengrok.indexer.authorization.AuthorizationStack.isAllowed(AuthorizationStack.java:202)
	at org.opengrok.indexer.authorization.AuthorizationFramework.performCheck(AuthorizationFramework.java:563)
	at org.opengrok.indexer.authorization.AuthorizationFramework.checkAll(AuthorizationFramework.java:521)
	at org.opengrok.indexer.authorization.AuthorizationFramework.isAllowed(AuthorizationFramework.java:161)
	at org.opengrok.indexer.web.PageConfig.isAllowed(PageConfig.java:1600)
	at org.opengrok.indexer.web.ProjectHelper$2.test(ProjectHelper.java:203)
	at org.opengrok.indexer.web.ProjectHelper$2.test(ProjectHelper.java:200)
	at java.util.Collection.removeIf(Collection.java:414)
	at org.opengrok.indexer.web.ProjectHelper.filterGroups(ProjectHelper.java:200)
	at org.opengrok.indexer.web.ProjectHelper.cacheGroups(ProjectHelper.java:237)
	at org.opengrok.indexer.web.ProjectHelper.getGroups(ProjectHelper.java:247)
	at org.opengrok.indexer.web.ProjectHelper.populateGroups(ProjectHelper.java:168)
	at org.opengrok.indexer.web.ProjectHelper.<init>(ProjectHelper.java:93)
	at org.opengrok.indexer.web.ProjectHelper.getInstance(ProjectHelper.java:107)
	at org.apache.jsp.index_jsp._jspService(index_jsp.java:358)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
```
This was fallout from one of the substacks:
```xml
<void method="add">
  <object class="org.opengrok.indexer.authorization.AuthorizationStack">
    <void property="forGroups">
      <string>FooTools</string>
    </void>
    <void property="name">
      <string>substack for FooTools</string>
    </void>
    <void property="flag">
      <string>REQUIRED</string>
    </void>
    <void property="stack">
      <void method="add">
        <object class="org.opengrok.indexer.authorization.AuthorizationPlugin">
          <void property="name">
            <string>opengrok.auth.plugin.LdapAttrPlugin</string>
          </void>
          <void property="flag">
            <string>REQUIRED</string>
          </void>
          <void property="setup">
            <void method="put">
              <string>configuration</string>
              <string>/opengrok/auth/config/ldap-plugin-config-corp.xml</string>
            </void>
            <void method="put">
              <string>attribute</string>
              <string>city</string>
            </void>
            <void method="put">
              <string>file</string>
              <string>/opengrok/auth/config/whitelists/foo-tools-whitelist-city.txt</string>
            </void>
          </void>
        </object>
      </void>
    </void>
  </object>
</void>
```
This should perhaps be handled more softly and treated as an authorization denial, so that such a failure in one substack does not cause the whole request to fail.
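A sketch of the behaviour requested above, added here as an illustration and not taken from the OpenGrok code base: a missing entry (LDAP error code 32) yields an empty attribute set, so the whitelist check denies, while other directory errors still surface. `AttrSearch`, `LookupFailedException`, `lookup` and `isAllowed` are hypothetical names, and the whitelist value is constructed.

```java
import java.util.Collections;
import java.util.Set;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

public class SoftDenyLookup {
    /** Hypothetical stand-in for the directory search that returns attribute values. */
    interface AttrSearch {
        Set<String> values(String dn, String attribute) throws NamingException;
    }

    /** Hypothetical wrapper for real infrastructure failures (timeouts, bind errors). */
    static class LookupFailedException extends Exception {
        LookupFailedException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    static Set<String> lookup(AttrSearch search, String dn, String attr)
            throws LookupFailedException {
        try {
            return search.values(dn, attr);
        } catch (NameNotFoundException e) {
            // No Such Object: the entry has no attributes to match, so nothing is granted.
            return Collections.emptySet();
        } catch (NamingException e) {
            // Anything else is not a statement about the user and must not look like one.
            throw new LookupFailedException("LDAP lookup failed for " + dn, e);
        }
    }

    /** Allow only on a positive whitelist match; an empty result is a denial. */
    static boolean isAllowed(AttrSearch search, String dn, String attr, Set<String> whitelist)
            throws LookupFailedException {
        for (String value : lookup(search, dn, attr)) {
            if (whitelist.contains(value)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the DN and attribute from the log above, a made-up whitelist.
        AttrSearch missingEntry = (dn, attr) -> {
            throw new NameNotFoundException("[LDAP: error code 32 - No Such Object]");
        };
        Set<String> whitelist = Collections.singleton("Prague");
        System.out.println(isAllowed(missingEntry, "cn=BAR,l=amer,dc=foo,dc=com", "city", whitelist));
    }
}
```

The missing-entry path can only ever deny, so softening the failure does not open a path to access for an identity the directory does not know.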