[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17398875#comment-17398875 ]
Stefan Seelmann commented on DIRSTUDIO-1285:
--------------------------------------------
The reason that "dc=baz,dc=quux" is shown as context entry in the DIT is that
for a base object search no entry is returned, see the extract of the logs you
provided below. Can you try to run that ldapsearch command and maybe vary it a
bit (filter, returned attributes)? Is there an access control in place so that
this entry is not visible to the user that was used?
{noformat}
#!SEARCH REQUEST (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.364
# LDAP URL : ldap://baz.domain.tld:389/dc=baz,dc=quux?hasSubordinates,objectClass??(objectClass=*)
# command line : ldapsearch -H ldap://baz.domain.tld:389 -ZZ -x -D "cn=joe,dc=foo,dc=bar" -W -b "dc=baz,dc=quux" -s base -a always -z 1 "(objectClass=*)" "hasSubordinates" "objectClass"
# baseObject : dc=baz,dc=quux
# scope : baseObject (0)
# derefAliases : derefAlways (3)
# sizeLimit : 1
# timeLimit : 0
# typesOnly : False
# filter : (objectClass=*)
# attributes : hasSubordinates objectClass
#!SEARCH RESULT DONE (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.385
# numEntries : 0
{noformat}
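As an added example that is not part of the ticket or of Directory Studio: a small Python parser for the search-log format quoted above, assuming each search is bracketed by a "#!SEARCH REQUEST (n)" and a "#!SEARCH RESULT DONE (n)" header with "# key : value" fields in between, as in that extract. It pairs request and result by message id and flags base-object searches that completed OK but returned no entry, which is the symptom the comment points to; the sample log is constructed from the extract plus a second, successful search.

```python
import re

# Constructed sample: the ticket's extract (shortened) followed by a second,
# successful base-object search on the other naming context for contrast.
SAMPLE_LOG = """\
#!SEARCH REQUEST (14) OK
# LDAP URL : ldap://baz.domain.tld:389/dc=baz,dc=quux?hasSubordinates,objectClass??(objectClass=*)
# baseObject : dc=baz,dc=quux
# scope : baseObject (0)
# filter : (objectClass=*)
# attributes : hasSubordinates objectClass
#!SEARCH RESULT DONE (14) OK
# numEntries : 0
#!SEARCH REQUEST (15) OK
# baseObject : dc=foo,dc=bar
# scope : baseObject (0)
# filter : (objectClass=*)
#!SEARCH RESULT DONE (15) OK
# numEntries : 1
"""

HEADER = re.compile(r"^#!SEARCH (REQUEST|RESULT DONE) \((\d+)\) (\w+)")
FIELD = re.compile(r"^# ([\w ]+?) : (.*)$")  # "# key : value" lines

def parse_search_log(text):
    """Return {message_id: {field: value}}, merging request and result fields."""
    searches = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            kind, msg_id, status = m.groups()
            current = searches.setdefault(int(msg_id), {})
            current["status" if kind == "REQUEST" else "resultStatus"] = status
            continue
        m = FIELD.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value.strip()
    return searches

def empty_base_searches(searches):
    """Ids of base-object searches that finished OK with zero entries, i.e. the
    base entry itself is not readable by the bound identity (or does not exist)."""
    return [i for i, s in sorted(searches.items())
            if s.get("scope", "").startswith("baseObject")
            and s.get("resultStatus") == "OK" and s.get("numEntries") == "0"]
```

Run over a full Directory Studio search log, the ids it returns point at the context entries the bound user cannot read, which is the first thing to compare against the server's access control.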
> Proxied auth leads to wrong DIT/rootDSE being used
> --------------------------------------------------
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: brent s.
> Priority: Major
> Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote
> bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity
> Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is
> seemingly never detected.
> For example, the following scenario:
> ----
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy (back-ldap) all bind requests for
> *anything under dc=foo,dc=bar* to _ldap://foo.domain.tld:389_ using identity
> assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> ----
>
> When the above bindDN and Server are used, binding successfully takes place.
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_
> *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
> This is, obviously, incorrect.
> This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).
>
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile
> does not change this behavior. _Ensuring that is disabled and specifying
> e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this
> behavior!_ Using the "Fetch Base DNs" button does not change this behavior;
> it only detects *dc=foo,dc=bar*.
>
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.
--
This message was sent by Atlassian Jira (v8.3.4#803005)