[bb] MiscITest failure, take 2

[Emmanuel Lecharny <el...@gmail.com>]

Hi,

I still have failures on MiscITest, on both testDisableAnonymousBinds() 
and testEnableAnonymousBindsOnRootDSE() unit tests.

The reason why we have some failure is because we have disabled 
anonymous bind on the server. The big problem is that it's now handled 
in the Bind handler, which is called while creating the context.

The big problem is that as soon as we are not allowed to do an anonymous 
bind, then we can't anymore create a context. Then any kind of following 
operation will fail, and this is the reason why the tests are failing.

InitialContextCreation should not try to bind the user, unless we are 
not asking for an Anonymous Bind. We hould just create a context, and 
return it to the user. As soon as e will try to do a search, if the 
Anonymous state is not allowed, then it will get an exception.

In fact, the Anonymous bind is not a bind at all, it's just a state we 
get into as soon as we open a session on the server. Until we close the 
session (or it is closed buy the server itself), the user is either in 
Anonymous state or in authenticated state. Switching from one state to 
the other requires either a user action (a Bind with another mechanism, 
an Unbind) or a server action (authent revocation if the authent is 
based on certificate, and the certificate is revoqued or expire during a 
session).

We have to review all the BigBang authentication mechanism as fast as 
possible.

I'm disabling those two tests.

Thanks !

Re: [bb] Status

[Emmanuel Lecharny <el...@gmail.com>]

Alex Karasulu wrote:
> Thanks for the update Emm.  This all sounds good - hope I can free up some
> time to do this.
>   
np at all. If you have time, fine. If you don't, other will pick the 
issues :) That' the beauty of the community ...

btw, Replication is fixed now.

Thanks !

Re: [bb] Status

[Alex Karasulu <ak...@apache.org>]

Thanks for the update Emm.  This all sounds good - hope I can free up some
time to do this.

Alex

On Sun, Jul 13, 2008 at 6:24 AM, Emmanuel Lecharny <el...@gmail.com>
wrote:

> Hi guys,
>
> BigBang is almost ok, but we still have problem in two areas.
>
> - Authentication. We have to review all the authentication mechanism, by
> getting the old LdapProtocol out of our way, and switching to the new
> LdapProtocol. The change will be drastic, but will have the advantage of
> giving us more control on what is done, and also to remove JNDI from this
> part (JNDI is really a burden when it comes to authentication).
>
> We will work on this with Alex next week, it should take us a day to fix
> that.
>
> - Persistent search. None of the tests are currently working. I doubt that
> the new version had ever worked. I let it on Alex plate, as it's a brand new
> implementation, and I don't want to mess with it right now.
>
> We also have problems in replication, but nothing really bad (just the
> OperationContext not being used).
>
> The vote for 1.5.3 is nw closed, I will send a mail about the result, so we
> are ready to get bigbang work and move it to 1.5.4 branch. And then it will
> be the end of the bigbang branch !
>
> Thanks !
>



-- 
Microsoft gives you Windows, Linux gives you the whole house ...

[bb] Status

[Emmanuel Lecharny <el...@gmail.com>]

Hi guys,

BigBang is almost ok, but we still have problem in two areas.

- Authentication. We have to review all the authentication mechanism, by 
getting the old LdapProtocol out of our way, and switching to the new 
LdapProtocol. The change will be drastic, but will have the advantage of 
giving us more control on what is done, and also to remove JNDI from 
this part (JNDI is really a burden when it comes to authentication).

We will work on this with Alex next week, it should take us a day to fix 
that.

- Persistent search. None of the tests are currently working. I doubt 
that the new version had ever worked. I let it on Alex plate, as it's a 
brand new implementation, and I don't want to mess with it right now.

We also have problems in replication, but nothing really bad (just the 
OperationContext not being used).

The vote for 1.5.3 is nw closed, I will send a mail about the result, so 
we are ready to get bigbang work and move it to 1.5.4 branch. And then 
it will be the end of the bigbang branch !

Thanks !

Re: [bb] MiscITest failure, take 2

[Alex Karasulu <ak...@apache.org>]

Ok I hear ya.  However here's a radical thought.  Let's just do away with
the LDAP provider in bb now and switch over to the new one where we are
attempting to clarify and refactor all this.  More inline ...

On Sat, Jul 12, 2008 at 9:09 AM, Emmanuel Lecharny <el...@gmail.com>
wrote:

> Hi,
>
> I still have failures on MiscITest, on both testDisableAnonymousBinds() and
> testEnableAnonymousBindsOnRootDSE() unit tests.
>

Right because the present LDAP protocol provider is convoluted and does not
mesh well with the changes we have made as a result of the bb.


>
> The reason why we have some failure is because we have disabled anonymous
> bind on the server. The big problem is that it's now handled in the Bind
> handler, which is called while creating the context.
>

Right this JNDI context creation to track sessions must go away and I
started working on this in the newldap-protocol module.  It's coming along
and I can use your help there.  Let's just drop trying to make the old
ldap-protocol module work and switch over to the new one.  It will be bumpy
but we can make it work with clarity now that the JNDI context basis to LDAP
session tracking is gone.

We have enough clarity now in the new module to just write out the handling
for the various authentication mechanisms/modes quickly without the wieght
of JNDI to obscure the picture.


>
> The big problem is that as soon as we are not allowed to do an anonymous
> bind, then we can't anymore create a context. Then any kind of following
> operation will fail, and this is the reason why the tests are failing.
>

Let's forget this and move on to the new module.  The old module is just
dorked.


>
> InitialContextCreation should not try to bind the user, unless we are not
> asking for an Anonymous Bind.


See you're thinking with the old ldap-protocol module mindset which puts you
in that box of having to be constrained by the JNDI provider and all the
crap that it brings.


> We hould just create a context, and return it to the user. As soon as e
> will try to do a search, if the Anonymous state is not allowed, then it will
> get an exception.
>

JNDI Contexts go away along with the artificial constraints they imposed on
us.  Let's switch to the newldap-protocol module and carry on from there.

You did a great thing yesterday by getting the integration tests for core
working.  That was the basis step we needed to know that the core is heathy
and ready for us to move on to the protocol side.   Now we throw away this
old module and start fresh using the right data structures to clearly model
anon binds, simple and sasl bind mechanisms.


>
> In fact, the Anonymous bind is not a bind at all, it's just a state we get
> into as soon as we open a session on the server. Until we close the session
> (or it is closed buy the server itself), the user is either in Anonymous
> state or in authenticated state. Switching from one state to the other
> requires either a user action (a Bind with another mechanism, an Unbind) or
> a server action (authent revocation if the authent is based on certificate,
> and the certificate is revoqued or expire during a session).
>
> We have to review all the BigBang authentication mechanism as fast as
> possible.
>
> I'm disabling those two tests.
>

Let's not disable the tests.  Don't feel uncomfortable with the server-unit
stuff not working.  It should not work since the protocol module is now
obsolete.  These tests keep us straight and force us to make the new module
work properly to satisfy the correct requirements expected of it.

Regards,
Alex

-- 
Microsoft gives you Windows, Linux gives you the whole house ...