[
https://issues.apache.org/jira/browse/DIRSERVER-2421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035331#comment-18035331
]
Martin Choma commented on DIRSERVER-2421:
-----------------------------------------
I tried to upgrade to M27, but it was a big chunk, so I decided to upgrade
incrementally. In M27 I must use Kerby, and as far as I can tell the classes
are not 1:1, so it will be more difficult.
> Referral objects are returned, although they were not requested
> ---------------------------------------------------------------
>
> Key: DIRSERVER-2421
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2421
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap, referral
> Affects Versions: 2.0.0.AM26
> Reporter: Martin Choma
> Priority: Major
> Attachments: AbstractCommonReferrals.ldif,
> AbstractCommonReferrals2.ldif
>
>
> I have upgraded our EAP testsuite to ApacheDS 2.0.0.AM26 from
> 2.0.0.AM25 and some referral tests stopped working. This is the description
> of the test:
> {code}
> /**
>  * @tpTestDetails <br/>
>  * Given: Original LDAP includes user 'originalUserBothRole' <br/>
>  * and role 'OriginalRole' located in original LDAP is mapped to them <br/>
>  * and role 'ReferralRole' located in referral LDAP is mapped to them <br/>
>  * and ldap-realm uses filter with (objectclass=referral) for filtering users <br/>
>  * and ldap-realm uses filter without (objectclass=referral) for filtering roles. <br/>
>  * When user 'originalUserBothRole' with correct password tries to authenticate, <br/>
>  * then authentication should succeed and just role 'OriginalRole' should be assigned to user.
>  */
> @Test
> @OperateOnDeployment(DEPLOYMENT + USER_REFERRAL_SUFFIX)
> public void filterUserReferral_originalUserBothRole(@ArquillianResource URL webAppURL) {
> {code}
>
> The problem is that EAP is now also returning ReferralRole in this scenario,
> which is unexpected:
> {code}
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Expires: 0[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Connection: keep-alive[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Cache-Control: no-cache, no-store, must-revalidate[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Pragma: no-cache[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Content-Type: text/plain;charset=utf-8[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Content-Length: 27[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Date: Mon, 03 Nov 2025 07:43:58 GMT[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << ",OriginalRole,ReferralRole,"
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << HTTP/1.1 200 OK
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Expires: 0
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Connection: keep-alive
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Cache-Control: no-cache, no-store, must-revalidate
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Pragma: no-cache
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Content-Type: text/plain;charset=utf-8
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Content-Length: 27
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Date: Mon, 03 Nov 2025 07:43:58 GMT
> {code}
> This is how the test sets up LDAP in EAP:
> {code}
> 08:03:29,273 DEBUG [org.wildfly.extras.creaper.core.online.OnlineManagementClient] (main) Executing operation /subsystem=elytron/ldap-realm=elytron-ldap-realm-user-referrals:add(dir-context=elytron-ldap-dir-context, direct-verification=true, identity-mapping={rdn-identifier => uid, search-base-dn => o=FollowReferralObjectQueryLdapCommonReferralsTestCase310e9a7e,o=primary,dc=jboss,dc=org, use-recursive-search => true, filter-name => (|(objectclass=referral)(uid={0})), attribute-mapping => [{from => cn, to => groups, filter => (member={1}), filter-base-dn => o=FollowReferralObjectQueryLdapCommonReferralsTestCase310e9a7e,o=primary,dc=jboss,dc=org}]})
> {code}
> When I compare the changes between 2.0.0.AM25 and 2.0.0.AM26, I see that this
> code changed:
> https://github.com/apache/directory-server/compare/2.0.0.AM25...2.0.0.AM26#diff-23c0681a741c6c2e0728ee94ec03ca395b88ec5c118b042e7c736f6962221505L157
> It may be changing that part of the logic, although I do not see how that
> could change behaviour in this way. Any idea?