[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

[Stefan Seelmann (Jira)]

    [ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17398875#comment-17398875
 ] 

Stefan Seelmann edited comment on DIRSTUDIO-1285 at 8/13/21, 7:23 PM:
----------------------------------------------------------------------

The reason that "dc=baz,dc=quux" is not shown as context entry in the DIT is 
that for a base object search no entry is returned, see the extract of the logs 
you provided below. Can you try to run that ldapsearch command and maybe vary 
it a bit (filter, returned attributes)? Is there an access control in place 
that this entry is not visible for the used user?

{noformat}
#!SEARCH REQUEST (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.364
# LDAP URL     : 
ldap://baz.domain.tld:389/dc=baz,dc=quux?hasSubordinates,objectClass??(objectClass=*)
# command line : ldapsearch -H ldap://baz.domain.tld:389 -ZZ -x -D 
"cn=joe,dc=foo,dc=bar" -W -b "dc=baz,dc=quux" -s base -a always -z 1 
"(objectClass=*)" "hasSubordinates" "objectClass"
# baseObject   : dc=baz,dc=quux
# scope        : baseObject (0)
# derefAliases : derefAlways (3)
# sizeLimit    : 1
# timeLimit    : 0
# typesOnly    : False
# filter       : (objectClass=*)
# attributes   : hasSubordinates objectClass

#!SEARCH RESULT DONE (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.385
# numEntries : 0

{noformat}



was (Author: seelmann):
The reason that "dc=baz,dc=quux" is shown as context entry in the DIT is that 
for a base object search no entry is returned, see the extract of the logs you 
provided below. Can you try to run that ldapsearch command and maybe vary it a 
bit (filter, returned attributes)? Is there an access control in place that 
this entry is not visible for the used user?

{noformat}
#!SEARCH REQUEST (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.364
# LDAP URL     : 
ldap://baz.domain.tld:389/dc=baz,dc=quux?hasSubordinates,objectClass??(objectClass=*)
# command line : ldapsearch -H ldap://baz.domain.tld:389 -ZZ -x -D 
"cn=joe,dc=foo,dc=bar" -W -b "dc=baz,dc=quux" -s base -a always -z 1 
"(objectClass=*)" "hasSubordinates" "objectClass"
# baseObject   : dc=baz,dc=quux
# scope        : baseObject (0)
# derefAliases : derefAlways (3)
# sizeLimit    : 1
# timeLimit    : 0
# typesOnly    : False
# filter       : (objectClass=*)
# attributes   : hasSubordinates objectClass

#!SEARCH RESULT DONE (14) OK
#!CONNECTION ldap://baz.domain.tld:389
#!DATE 2021-08-13T05:44:34.385
# numEntries : 0

{noformat}


> Proxied auth leads to wrong DIT/rootDSE being used
> --------------------------------------------------
>
>                 Key: DIRSTUDIO-1285
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: brent s.
>            Priority: Major
>         Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote 
> bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity 
> Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is 
> seemingly never detected.
> For example, the following scenario:
> ----
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
>  Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under 
> dc=foo,dc=bar* to proxy (back-ldap) the bind request to 
> _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> ----
>  
> When the above bindDN and Server is used, binding successfully takes place. 
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ 
> *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. 
> This is, obviously, incorrect.
> This is handled correctly in the openLDAP clients (e.g. _ldapsearch_).
>  
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile 
> does not change this behavior. _Ensuring that is disabled and specifying 
> e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this 
> behavior!_ Using the "Fetch Base DNs" button does not change this behavior; 
> it only detects *dc=foo,dc=bar*.
>  
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org