brent s. created DIRSTUDIO-1285:
-----------------------------------

             Summary: Proxied auth leads to wrong DIT/rootDSE being used
                 Key: DIRSTUDIO-1285
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
             Project: Directory Studio
          Issue Type: Bug
    Affects Versions: 2.0.0
            Reporter: brent s.


If using Apache Directory Studio as a client to OpenLDAP using [remote 
bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity 
Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is 
seemingly never detected.

For example, the following scenario:
----
BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
Server (as configured in the connection profile): _ldap://baz.domain.tld:389_

_ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.

*dc=baz,dc=quux* is configured to proxy all bind requests for *anything under 
dc=foo,dc=bar* to proxy (back-ldap) the bind request to 
_ldap://foo.domain.tld:389_ using identity assertion.

_ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
----
 

When the above bindDN and Server are used, binding successfully takes place. 
However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ 
*dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. 
This is, obviously, incorrect.

This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).

 

Ensuring "Get base DNs from Root DSE" is checked in the connection profile does 
not change this behavior. _Ensuring that is disabled and specifying e.g._ 
*dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using 
the "Fetch Base DNs" button does not change this behavior; it only detects 
*dc=foo,dc=bar*.

 

I can see both DIT DNs in the root DSE's _namingContexts_ attributes.
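As an added diagnostic (not part of this issue or of Directory Studio's code): a stand-alone Python script that reads a server's rootDSE _namingContexts_ from an LDIF response and contrasts the browse roots a client should offer (every naming context, independent of the bind DN) with a model of the behaviour reported above (only the context the bind DN falls under). The LDIF is constructed to match the scenario in this issue; the function names, the minimal DN comparison, and the model of the reported behaviour are my own assumptions, not Studio's code.

```python
"""Compare a server's hosted naming contexts with where the bind DN lives.

Added example, not from the Jira issue or Directory Studio.  Standard
library only, so it runs offline against the constructed LDIF below.
To check a real server, replace ROOT_DSE_LDIF with the output of
  ldapsearch -H ldap://baz.domain.tld:389 -x -s base -b "" namingContexts
"""
from __future__ import annotations

# Constructed rootDSE response mirroring the scenario in the issue:
# baz.domain.tld hosts dc=baz,dc=quux and proxies dc=foo,dc=bar via back-ldap.
ROOT_DSE_LDIF = """\
dn:
namingContexts: dc=baz,dc=quux
namingContexts: dc=foo,dc=bar
supportedLDAPVersion: 3
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal parser for one LDIF entry; unfolds continuation lines."""
    attrs: dict[str, list[str]] = {}
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, lower-cased and whitespace-trimmed.

    Simplification (assumption): escaped commas and multi-valued RDNs are
    not handled; good enough for dc=/cn= style DNs as in this issue.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return rdns


def is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies somewhere beneath it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def naming_contexts(root_dse_ldif: str) -> list[str]:
    """All naming contexts the server advertises in its rootDSE."""
    return parse_ldif_entry(root_dse_ldif).get("namingcontexts", [])


def bind_dn_context(root_dse_ldif: str, bind_dn: str) -> str | None:
    """The advertised naming context that contains bind_dn, if any."""
    for ctx in naming_contexts(root_dse_ldif):
        if is_under(bind_dn, ctx):
            return ctx
    return None


def browse_bases(root_dse_ldif: str, get_from_root_dse: bool = True,
                 manual_base: str | None = None) -> list[str]:
    """Browse roots a client should offer: the server's contexts, or the
    operator's manual base DN.  The bind DN plays no part in this."""
    if get_from_root_dse:
        return naming_contexts(root_dse_ldif)
    if manual_base is None:
        raise ValueError("manual base DN required when not reading the rootDSE")
    return [manual_base]


def observed_bases(root_dse_ldif: str, bind_dn: str) -> list[str]:
    """Model of the behaviour reported in this issue (assumption): only the
    naming context the bind DN falls under is shown, hiding the others."""
    ctx = bind_dn_context(root_dse_ldif, bind_dn)
    return [ctx] if ctx else []


if __name__ == "__main__":
    bind_dn = "cn=joe,dc=foo,dc=bar"
    print("server advertises :", naming_contexts(ROOT_DSE_LDIF))
    print("bind DN lives in  :", bind_dn_context(ROOT_DSE_LDIF, bind_dn))
    print("expected browse roots:", browse_bases(ROOT_DSE_LDIF))
    print("reported browse roots:", observed_bases(ROOT_DSE_LDIF, bind_dn))
```

If the expected and reported lists differ for your server, the client is deriving its base DNs from the bind DN rather than from what the rootDSE advertises, which is the symptom described above; the same comparison against _ldapsearch_ output shows that OpenLDAP's own tools list every context.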



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
