Posted to dev@directory.apache.org by Radovan Semancik <ra...@evolveum.com> on 2016/01/20 19:24:44 UTC

Mina SSL issue and insane DNs

Hi,

I have done more Active Directory tests with the latest API trunk. There are 
two things you should know:

1. LDAP over SSL with AD fails when getting big things (such as AD 
schema). It ends up in an endless loop. It is obviously a Mina bug and I 
have sent the patch to the mina dev mailing list. However it might be a good 
idea to coordinate with the mina project and switch the API to the fixed 
mina version. I believe that this bug may appear in any LDAPS connection 
and it is really nasty to diagnose (endless loop, no relevant error, no 
log message).

2. Active Directory supports insane DN formats such as 
<GUID=ae36bced-d6dd-cb41-a7e9-ef4f9bd59f0d>. Yes, this passes as a DN. 
Yes, really like that, including the angle brackets. However 
unbelievable it might be, this kind of DN is in fact required to get 
some attributes (e.g. msds-memberOfTransitive) as these only appear in 
scope=base searches. And this seems to be the only efficient way to 
get a scope=base search when all you know is the object GUID. Of course, the 
API complained about the format and failed to process it. So I have 
committed a patch that tolerates these insane formats when relaxed mode 
is set.

-- 
Radovan Semancik
Software Architect
evolveum.com
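As an added illustration (not code from this thread or from the Apache Directory LDAP API), a small Python checker for the two DN shapes discussed above: the ordinary RDN-sequence form, and AD's <GUID=...> form, which is accepted only when relaxed mode is set. The DN grammar is deliberately simplified, and `parse_dn`, `guid_base_dn` and the `relaxed` flag are this example's own names, not the API's.

```python
import re
import uuid

# Constructed example, not code from the Apache Directory LDAP API. It checks the
# two DN shapes the thread talks about: the ordinary "attr=value,attr=value" form
# and Active Directory's "<GUID=...>" form, which is only accepted in relaxed mode.

_ATTR_VALUE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # commas not preceded by a backslash
_GUID_DN = re.compile(
    r"^<GUID=([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})>$"
)


class DnSyntaxError(ValueError):
    """Raised for a DN the current mode does not accept."""


def parse_dn(dn, relaxed=False):
    """Classify a DN string.

    Strict mode accepts only RFC 4514-style RDN sequences (simplified here:
    no multi-valued RDNs, and only "\\," is treated as an escaped comma).
    Relaxed mode additionally accepts AD's <GUID=...> form, angle brackets
    included, which is what a scope=base search by object GUID needs.
    """
    m = _GUID_DN.match(dn)
    if m:
        if not relaxed:
            raise DnSyntaxError("AD <GUID=...> DN needs relaxed mode: " + dn)
        guid = uuid.UUID(m.group(1))  # validates the hex digits, normalises case
        return {"kind": "guid", "guid": str(guid), "rdns": []}
    rdns = [r.strip() for r in _UNESCAPED_COMMA.split(dn)]
    if not all(_ATTR_VALUE.match(r) for r in rdns):
        raise DnSyntaxError("not a valid DN: " + dn)
    return {"kind": "standard", "guid": None, "rdns": rdns}


def guid_base_dn(guid):
    """Build the search base for a scope=base lookup by GUID (the form AD wants)."""
    return "<GUID=%s>" % uuid.UUID(str(guid))


if __name__ == "__main__":
    # Sample inputs (constructed; the GUID is the one quoted in the thread).
    ad_dn = "<GUID=ae36bced-d6dd-cb41-a7e9-ef4f9bd59f0d>"
    print(parse_dn("CN=Radovan\\, Semancik,OU=Users,DC=example,DC=com"))
    try:
        parse_dn(ad_dn)  # strict mode: rejected, as the unpatched API did
    except DnSyntaxError as e:
        print("strict:", e)
    print(parse_dn(ad_dn, relaxed=True))
```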


Re: Mina SSL issue and insane DNs

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 20/01/16 20:03, Radovan Semancik a écrit :
>
>
>> We should probably think about cutting a release soon, then. I have also
>> injected some changes before taking some vacations, and I was actually
>> thinking about cutting a 1.0.0-RC1 release, instead of another milestone.
>
> OK for me. However, I plan more tests with AD in the next week or so.
> Therefore it might be good to wait a couple more days. In case these
> tests uncover more AD "features" I will be updating the API right
> away. And I have a strange suspicion that there is more to this ... :-)

That's fine with me. I have to add the missing Referral Chasing in the
API anyway, and that will not take me 5 mins...


Re: Mina SSL issue and insane DNs

Posted by Radovan Semancik <ra...@evolveum.com>.
On 01/20/2016 07:53 PM, Emmanuel Lécharny wrote:
> MINA will be fixed and released asap. Thanks for having chased the 
> origin of the problem... Now, would the submitted patch fix the issue ? 

Yes. I believe so. It worked for my tests at the very least.

> We should probably think about cutting a release soon, then. I have also
> injected some changes before taking some vacations, and I was actually
> thinking about cutting a 1.0.0-RC1 release, instead of another milestone.

OK for me. However, I plan more tests with AD in the next week or so. 
Therefore it might be good to wait a couple more days. In case these tests 
uncover more AD "features" I will be updating the API right away. And I 
have a strange suspicion that there is more to this ...

-- 
Radovan Semancik
Software Architect
evolveum.com


Re: Mina SSL issue and insane DNs

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 20/01/16 19:24, Radovan Semancik a écrit :
> Hi,
>
> I have done more Active Directory tests with the latest API trunk. There
> are two things you should know:
>
> 1. LDAP over SSL with AD fails when getting big things (such as AD
> schema). It ends up in an endless loop. It is obviously a Mina bug and
> I have sent the patch to the mina dev mailing list. However it might be a
> good idea to coordinate with the mina project and switch the API to
> the fixed mina version. I believe that this bug may appear in any
> LDAPS connection and it is really nasty to diagnose (endless loop, no
> relevant error, no log message).

MINA will be fixed and released asap. Thanks for having chased the
origin of the problem...

Now, would the submitted patch fix the issue ?

>
> 2. Active Directory supports insane DN formats such as
> <GUID=ae36bced-d6dd-cb41-a7e9-ef4f9bd59f0d>. Yes, this passes as a
> DN. Yes, really like that, including the angle brackets. However
> unbelievable it might be, this kind of DN is in fact required to get
> some attributes (e.g. msds-memberOfTransitive) as these only appear in
> scope=base searches. And this seems to be the only efficient way
> to get a scope=base search when all you know is the object GUID. Of course,
> the API complained about the format and failed to process it. So I
> have committed a patch that tolerates these insane formats when
> relaxed mode is set.

yuk :/

We should probably think about cutting a release soon, then. I have also
injected some changes before taking some vacations, and I was actually
thinking about cutting a 1.0.0-RC1 release, instead of another milestone.

Thoughts ?


Re: Mina SSL issue and insane DNs

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 01/20/2016 07:24 PM, Radovan Semancik wrote:
> Hi,
> 
> I have done more Active Directory tests with the latest API trunk. There are
> two things you should know:
> 
> 1. LDAP over SSL with AD fails when getting big things (such as AD
> schema). It ends up in an endless loop. It is obviously a Mina bug and I
> have sent the patch to the mina dev mailing list. However it might be a good
> idea to coordinate with the mina project and switch the API to the fixed
> mina version. I believe that this bug may appear in any LDAPS connection
> and it is really nasty to diagnose (endless loop, no relevant error, no
> log message).

Sounds like that may be the cause of an issue a user reported with Studio [1].

[1]
https://mail-archives.apache.org/mod_mbox/directory-users/201601.mbox/browser