brent s. created DIRSTUDIO-1285: ----------------------------------- Summary: Proxied auth leads to wrong DIT/rootDSE being used Key: DIRSTUDIO-1285 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 Project: Directory Studio Issue Type: Bug Affects Versions: 2.0.0 Reporter: brent s.
If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected. For example, the following scenario: ---- BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion. _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. ---- When the above bindDN and Server is used, binding successfully takes place. However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. This is, obviously, incorrect. This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*. I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org