Error enable-secure-admin when admin-realm configured to use LDAP

javashawn
Offline
Joined: 2008-12-18
Points: 0

We have configured our GlassFish 3.1.2.2 domain to change the admin-realm to use LDAP (ActiveDirectory). This works great - I can log in to the Admin console using my LDAP account. We had created a domain template that configured the admin-realm to use LDAP (com.sun.enterprise.security.auth.realm.ldap.LDAPRealm).

Now, we want to turn on Secure Admin; however, we get the following error when we run the following command:
asadmin --user enable-secure-admin

remote failure: Error enabling secure admin : org.jvnet.hk2.config.TransactionFailure: java.lang.NullPointerException
java.lang.NullPointerException
Command enable-secure-admin failed.

The server.log just logs a SEVERE message saying "Error enabled secure admin"

Has anyone seen this issue?

Thanks,
Shawn

tjquinn
Offline
Joined: 2005-03-30
Points: 0

Shawn,

Strange that the server.log didn't have more, such as a stack trace.

Could you please try this:

1. Start the server with the debugger: asadmin start-domain --debug
2. Connect to the server with the debugger of your choice. The server's debugger port is by default 9009.
3. Set a breakpoint when a NullPointerException occurs.
4. Retry the enable-secure-admin command.

When the debugger catches the NPE and pauses execution, capture the current stack and paste it here.

Thanks.

- Tim

javashawn
Offline
Joined: 2008-12-18
Points: 0

Hi Tim,
Thanks for the prompt reply. After reading your post, I realized that I could try increasing the log level of the server-config. Bumping the level for the javax.enterprise.system.tools.admin logger to ALL gave me a stack trace (note: I cannot paste the exact stack trace - I'll transcribe it the best I can):

javax.enterprise.system.tools.admin.com.sun.enterprise.security.admin.cli|_ThreadID=17; _ThreadName=Thread-2;ClassName=org.glassfish.api.ActionReport;MethodName=failure;|Error enabling secure admin
org.jvnet.hk2.config.TransactionFailure: java.lang.NullPointerException
  at com.sun.enterprise.security.admin.cli.EnableSecureAdminCommand.run(EnableSecureAdminCommand.java:151)
  at com.sun.enterprise.security.admin.cli.SecureAdminCommand.execute(SecureAdminCommand.java:891)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl$1.execute(CommandRunnerImpl.java:348)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:363)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:1085)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl.access$1200(CommandRunnerImpl.java:95)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1291)
  at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1259)
  at com.sun.enterprise.v3.admin.AdminAdapter.doCommand(AdminAdapter.java:461)
  at com.sun.enterprise.v3.admin.AdminAdapter.service(AdminAdapter.java:212)
  at com.sun.grizzly.tcp.http11.GrizzlyAdapter.service(GrizzlyAdapter.java:179)
  at com.sun.enterprise.v3.server.HK2Dispatcher.dispatch(HK2Dispatcher.java:117)
...several other higher classes that may not be meaningful...
  at java.lang.Thread.run(Unknown Source)

I suspect this would be the same stacktrace that I'd see if I attached the debugger - if you don't believe this to be the case then I'll attach the debugger per your suggestion.

Thanks,
Shawn

javashawn
Offline
Joined: 2008-12-18
Points: 0

Tim,
I did get a chance to attach the debugger to capture the stacktrace behind the NPE (which is slightly different than the prior stacktrace that I posted from the server.log). From the stacktrace it seems like there's a logic check to verify that the admin account(s) do not have an empty password; however, I would think that this check should NOT be done if the admin-realm uses LDAP?

Here's the abbreviated stacktrace:

Daemon Thread [admin-thread-pool-4848(1)] (Suspended (exception NullPointerException))
    SecureAdminHelperImpl.isAnyAdminUserWithoutPassword() line: 201
    EnableSecureAdminCommand.ensureNoAdminUsersWithEmptyPassword() line: 149
    EnableSecureAdminCommand.run() line: 137
    EnableSecureAdminCommand(SecureAdminCommand).execute(AdminCommandContext) line: 891
    CommandRunnerImpl$1.execute(AdminCommandContext) line: 348
    CommandRunnerImpl.doCommand(CommandModel, AdminCommand, AdminCommandContext) line: 363
    ...more generic seemingly less important stacktrace

tjquinn
Offline
Joined: 2005-03-30
Points: 0

Hi, Shawn.

I thought I had updated this topic late last week, but apparently my update didn't get saved as I thought.

You have found a bug, and I've opened this issue for it:

http://java.net/jira/browse/GLASSFISH-19525

As noted there, there is no obvious workaround with the existing code although we're still working on that.

- Tim