[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17398875#comment-17398875 ]
Stefan Seelmann edited comment on DIRSTUDIO-1285 at 8/13/21, 7:23 PM:
----------------------------------------------------------------------

The reason that "dc=baz,dc=quux" is not shown as a context entry in the DIT is that for a base object search no entry is returned, see the extract of the logs you provided below. Can you try to run that ldapsearch command and maybe vary it a bit (filter, returned attributes)? Is there an access control in place so that this entry is not visible for the used user?

{noformat}
#!SEARCH REQUEST (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.364
# LDAP URL : ldap://baz.domain.tld:389/dc=baz,dc=quux?hasSubordinates,objectClass??(objectClass=*)
# command line : ldapsearch -H ldap://baz.domain.tld:389 -ZZ -x -D "cn=joe,dc=foo,dc=bar" -W -b "dc=baz,dc=quux" -s base -a always -z 1 "(objectClass=*)" "hasSubordinates" "objectClass"
# baseObject : dc=baz,dc=quux
# scope : baseObject (0)
# derefAliases : derefAlways (3)
# sizeLimit : 1
# timeLimit : 0
# typesOnly : False
# filter : (objectClass=*)
# attributes : hasSubordinates objectClass

#!SEARCH RESULT DONE (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.385
# numEntries : 0
{noformat}
> Proxied auth leads to wrong DIT/rootDSE being used
> --------------------------------------------------
>
>                 Key: DIRSTUDIO-1285
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: brent s.
>            Priority: Major
>         Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected.
> For example, the following scenario:
> ----
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> ----
>
> When the above bindDN and Server are used, binding successfully takes place.
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
> This is, obviously, incorrect.
> This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).
>
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*.
>
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
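An added example, not part of the comment above or of Directory Studio's own code, that applies the diagnosis mechanically to a Studio search log: it pairs each SEARCH REQUEST with its RESULT DONE record by message id and lists base-scope searches that returned zero entries, together with the logged ldapsearch line so the search can be repeated by hand (with varied filter or attributes) against the server. The log text is a constructed sample modelled on the extract quoted in the comment.

```python
import re

# Constructed sample in the Studio search-log format quoted above: request 13
# reads the root DSE (one entry back); request 14 is the base-object search on
# dc=baz,dc=quux that returns nothing.
SAMPLE_LOG = """\
#!SEARCH REQUEST (13) OK
# baseObject :
# scope : baseObject (0)
# attributes : namingContexts

#!SEARCH RESULT DONE (13) OK
# numEntries : 1

#!SEARCH REQUEST (14) OK
# command line : ldapsearch -H ldap://baz.domain.tld:389 -ZZ -x -D "cn=joe,dc=foo,dc=bar" -W -b "dc=baz,dc=quux" -s base -a always -z 1 "(objectClass=*)" "hasSubordinates" "objectClass"
# baseObject : dc=baz,dc=quux
# scope : baseObject (0)
# filter : (objectClass=*)

#!SEARCH RESULT DONE (14) OK
# numEntries : 0
"""

HEADER = re.compile(r"^#!SEARCH (?:REQUEST|RESULT DONE) \((\d+)\)")
FIELD = re.compile(r"^# (\w[\w ]*?)\s*:\s?(.*)$")


def parse_search_log(text):
    """Merge each request with its RESULT DONE record by message id;
    returns {msg_id: {field_name: value}} with values kept as strings."""
    records, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = records.setdefault(int(header.group(1)), {})
            continue
        field = FIELD.match(line) if current is not None else None
        if field:
            current[field.group(1).strip()] = field.group(2).strip()
    return records


def empty_base_searches(text):
    """Base-scope searches that completed with zero entries: the pattern that
    makes Studio drop a context entry. Each hit carries the logged ldapsearch
    line (empty string if the log has none) so it can be rerun by hand."""
    hits = []
    for msg_id, rec in sorted(parse_search_log(text).items()):
        if rec.get("scope", "").startswith("baseObject") and rec.get("numEntries") == "0":
            hits.append((msg_id, rec.get("baseObject", ""), rec.get("command line", "")))
    return hits
```

Run it over the attached connect_disconnect.log or enable_base_dn_server.log instead of SAMPLE_LOG to find every context entry the bound identity could not read; a hit whose base DN is listed in the root DSE's namingContexts points at access control rather than at the base DN configuration.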