You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Stefan Seelmann (Jira)" <ji...@apache.org> on 2021/08/12 19:29:00 UTC
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong
DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17398253#comment-17398253 ]
Stefan Seelmann commented on DIRSTUDIO-1285:
--------------------------------------------
Which Studio version do you use? (full version string)
So namingContexts contains both dc=baz,dc=quux and dc=foo,dc=bar, correct?
Can you please clear the "Search Logs", enable the "Search Result Entry Logs" option, open the connection once, then post the "Search Logs" output (anonymize the data please). Disable the "Search Result Entry Logs" afterwards again as it logs a lot otherwise. https://nightlies.apache.org/directory/studio/2.0.0.v20210717-M17/userguide/ldap_browser/tools_search_logs_view.html
> Proxied auth leads to wrong DIT/rootDSE being used
> --------------------------------------------------
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: brent s.
> Priority: Major
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected.
> For example, the following scenario:
> ----
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> ----
>
> When the above bindDN and Server is used, binding successfully takes place. However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. This is, obviously, incorrect.
> This is handled correctly in the openLDAP clients (e.g. _ldapsearch_).
>
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*.
>
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org