Uploaded image for project: 'Java Couchbase JVM Core'
  1. Java Couchbase JVM Core
  2. JVMCBC-826

NullPointerException when LDAP is enabled

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • 2.0.4, 2.1.0
    • None
    • None
    • 1

    Description

      On using LDAP credentials (that work with SDK 2.7.11) we are seeing authentication failures with SDK 3.0.1.

      PROBLEM

      We see the following NullPointerExceptions in the logs.

      com.couchbase.client.core.error.AuthenticationFailureException: Unexpected error during SASL auth {"status":"SUCCESS"}
              at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.failConnect(SaslAuthenticationHandler.java:431)
              at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.channelRead(SaslAuthenticationHandler.java:209)
       ...
      Caused by: java.lang.NullPointerException
              at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.handleListMechsResponse(SaslAuthenticationHandler.java:262)
              at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.channelRead(SaslAuthenticationHandler.java:202)
              ... 29 more
      

      REPRODUCTION

      Code SDK 3.0.1:

      import com.couchbase.client.java.*;
      import com.couchbase.client.java.kv.*;
       
      public class Demo2 {
          public static void main(String... args) {
              Cluster cluster = Cluster.connect("10.112.194.101", "Administrator", "password");
              Bucket bucket = cluster.bucket("travel-sample");
              Collection collection = bucket.defaultCollection();
              GetResult getResult = collection.get("airline_10");
              System.out.println("Found document: " + getResult);
          }
      }
      

      1. Configure saslauthd on Couchbase Server 6.5.

      [vagrant@node1-cb650-centos7 ~]$ sudo -u couchbase /usr/sbin/testsaslauthd -u guest1 -p guest1password -f /var/run/saslauthd/mux
      0: OK "Success."

      2. Execute the above code using SDK 3.0.1

      Reproduction Trace Level Logs:  ReproductionTraceLevel301

      Not reproducible using SDK 2.7.12: ReproductionTraceLevel2712

      Code SDK 2.7.12:

      import com.couchbase.client.java.Bucket;
      import com.couchbase.client.java.Cluster;
      import com.couchbase.client.java.CouchbaseCluster;
      import com.couchbase.client.java.document.JsonDocument;
       
      import java.util.concurrent.TimeUnit;
       
      public class Demo {
          public static void main(String args[]){
              Cluster cluster = CouchbaseCluster.create("10.112.194.101" );
              cluster.authenticate("Administrator", "password");
              Bucket b1 = cluster.openBucket("travel-sample", 30, TimeUnit.SECONDS);
              JsonDocument document = b1.get("airline_10");
              System.out.print(document);
          }
      }
      

       

      Please also note that the issue is also reproducing with Native LDAP.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          Yes, looks like a legit bug. Looking into it!

          daschl Michael Nitschinger added a comment - Yes, looks like a legit bug. Looking into it!

          Yeah the NPE is a bug, but the behavior is as follows (from the commit msg):

          When the server has LDAP authentication enabled, over KV it will
          only allow PLAIN authentication. Since PLAIN is disabled by default
          no set of SASL mechanisms can be determined.

          The code right now does not handle this case and throws a NPE.

          Instead of failing with an NPE, the code now explicitly fails
          the connection with a descriptive error message instructing the
          user what to do next (either use TLS which is preferred) or
          enable PLAIN on the password authenticator (insecure).

          daschl Michael Nitschinger added a comment - Yeah the NPE is a bug, but the behavior is as follows (from the commit msg): When the server has LDAP authentication enabled, over KV it will only allow PLAIN authentication. Since PLAIN is disabled by default no set of SASL mechanisms can be determined. The code right now does not handle this case and throws a NPE. Instead of failing with an NPE, the code now explicitly fails the connection with a descriptive error message instructing the user what to do next (either use TLS which is preferred) or enable PLAIN on the password authenticator (insecure).

          Insecure code for 3.0.0 - 3.0.2:

              Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(PasswordAuthenticator.builder()
                .username("johndoe")
                .password("password")
                .allowedSaslMechanisms(EnumSet.allOf(SaslMechanism.class))
                .build()
              ));
          

          daschl Michael Nitschinger added a comment - Insecure code for 3.0.0 - 3.0.2: Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(PasswordAuthenticator.builder() .username("johndoe") .password("password") .allowedSaslMechanisms(EnumSet.allOf(SaslMechanism.class)) .build() ));

          People

            daschl Michael Nitschinger
            yuvraj.kanwar Yuvraj Kanwar
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty