You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "brent s. (Jira)" <ji...@apache.org> on 2021/08/13 19:57:00 UTC

[jira] [Closed] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

     [ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brent s. closed DIRSTUDIO-1285.
-------------------------------
    Resolution: Invalid

I made a dumb. Thanks for the help, [~seelmann]!

> Proxied auth leads to wrong DIT/rootDSE being used
> --------------------------------------------------
>
>                 Key: DIRSTUDIO-1285
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: brent s.
>            Priority: Major
>         Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected.
> For example, the following scenario:
> ----
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
>  Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> ----
>  
> When the above bindDN and Server is used, binding successfully takes place. However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. This is, obviously, incorrect.
> This is handled correctly in the openLDAP clients (e.g. _ldapsearch_).
>  
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*.
>  
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org