[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brent s. updated DIRSTUDIO-1285:
Attachment: enable_base_dn_server.log

> Proxied auth leads to wrong DIT/rootDSE being used
> --
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: brent s.
> Priority: Major
> Attachments: connect_disconnect.log, enable_base_dn_server.log
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected.
> For example, the following scenario:
>
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
>
> When the above bindDN and Server are used, binding successfully takes place.
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
> This is, obviously, incorrect.
> This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).
>
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*.
>
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brent s. updated DIRSTUDIO-1285:
Attachment: connect_disconnect.log
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398275#comment-17398275 ]

Stefan Seelmann commented on DIRSTUDIO-1285:

bq. Full version string is 2.0.0.v20210213-M16. I've followed the procedure above but both the log window and the exported log file are completely empty, even with Search Result Entry Logs enabled, before, during, and after the connection and disconnect.

This is a known bug in this version. Can you please try the latest version 2.0.0.v20210717-M17 that was released 2 weeks ago? (It also solves some issues with the namingContexts, even if yours sounds different, see changelog https://directory.apache.org/studio/changelog.html)
[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267 ]

brent s. edited comment on DIRSTUDIO-1285 at 8/12/21, 8:08 PM:
---

Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting the version from the dropdown list when creating the issue but wasn't able to find it.

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log file are completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect.

was (Author: bsaner):

Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting it from the list but wasn't able to find it.

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log file are completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect.
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267 ]

brent s. commented on DIRSTUDIO-1285:
-

Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting it from the list but wasn't able to find it.

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log file are completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect.
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398253#comment-17398253 ]

Stefan Seelmann commented on DIRSTUDIO-1285:

Which Studio version do you use? (full version string)

So namingContexts contains both dc=baz,dc=quux and dc=foo,dc=bar, correct?

Can you please clear the "Search Logs", enable the "Search Result Entry Logs" option, open the connection once, then post the "Search Logs" output (anonymize the data please). Disable the "Search Result Entry Logs" afterwards again as it logs a lot otherwise.

https://nightlies.apache.org/directory/studio/2.0.0.v20210717-M17/userguide/ldap_browser/tools_search_logs_view.html
[jira] [Created] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
brent s. created DIRSTUDIO-1285:
---

Summary: Proxied auth leads to wrong DIT/rootDSE being used
Key: DIRSTUDIO-1285
URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
Project: Directory Studio
Issue Type: Bug
Affects Versions: 2.0.0
Reporter: brent s.

If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected.
For example, the following scenario:

BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
_ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
*dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion.
_ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.

When the above bindDN and Server are used, binding successfully takes place.
However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
This is, obviously, incorrect.
This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).

Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*.

I can see both DIT DNs in the root DSE's _namingContexts_ attributes.
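
Added example (not part of the original report and not Apache Directory Studio code): the report expects every _namingContexts_ value in the root DSE to appear as a base DN in the client. The sketch below parses root DSE LDIF, including folded lines and base64 (`::`) values, and lists the contexts a client failed to show; the LDIF sample is constructed and all function names are hypothetical.

```python
import base64

# Constructed root DSE LDIF for the scenario in the report (not taken from the
# attached logs). One value is folded, one is base64-encoded ("::").
SAMPLE_ROOTDSE_LDIF = """\
dn:
namingContexts: dc=baz,
 dc=quux
namingContexts:: ZGM9Zm9vLGRjPWJhcg==
supportedLDAPVersion: 3
"""


def unfold(ldif):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def naming_contexts(ldif):
    """Return every namingContexts value, decoding base64 values."""
    found = []
    for line in unfold(ldif):
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep or attr.strip().lower() != "namingcontexts":
            continue
        if rest.startswith(":"):
            found.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            found.append(rest.strip())
    return found


def norm_dn(dn):
    """Simplified DN normalisation (assumption: no escaped commas in the DN)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def missing_contexts(ldif, shown_by_client):
    """Naming contexts the server advertises that the client does not show."""
    shown = {norm_dn(dn) for dn in shown_by_client}
    return [dn for dn in naming_contexts(ldif) if norm_dn(dn) not in shown]


if __name__ == "__main__":
    # The report's symptom: the client lists only dc=foo,dc=bar.
    print(missing_contexts(SAMPLE_ROOTDSE_LDIF, ["dc=foo,dc=bar"]))
```

A non-empty result for a proxied bind identity reproduces the symptom in the report: the server advertises a naming context that the client never offers for browsing.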