[jira] [Closed] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] brent s. closed DIRSTUDIO-1285. --- Resolution: Invalid I made a dumb. Thanks for the help, [~seelmann]! > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > Attachments: connect_disconnect.log, enable_base_dn_server.log > > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398892#comment-17398892 ] brent s. commented on DIRSTUDIO-1285: - OH my word. Fixed. I am so sorry for wasting your time; I had the dn.base ACL set to search and not read! Thank you so much for pointing me in the right direction! Closing.(y) > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > Attachments: connect_disconnect.log, enable_base_dn_server.log > > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398458#comment-17398458
]
brent s. edited comment on DIRSTUDIO-1285 at 8/13/21, 6:10 AM:
---
[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to
*2.0.0.v20210717-M17* and confirmed the search logs work now.
I have attached two files:
* *connect_disconnect.log* - the one you asked for (though I forgot to disable
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check
(enable) the "Get base DNs from Root DSE" option for the connection profile in
question. Hopefully it will also prove useful.
Each has been scrubbed and replaced with corresponding values from the example
scenario in this issue's description for consistency.
Below you will find the LDIF for *dc=baz,dc=quux*'s
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you
wish to have a reproducible case. It uses OpenLDAP's OLC ("[dynamic runtime
configuration|https://www.openldap.org/doc/admin24/slapdconf2.html];), again
scrubbed and replaced with values matching the example scenario (including the
Base64'd _olcDbIDAssertBind_ attribute).
{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}
was (Author: bsaner):
[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to
*2.0.0.v20210717-M17* and confirmed the search logs work now.
I have attached two files:
* *connect_disconnect.log* - the one you asked for (though I forgot to disable
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check
(enable) the "Get base DNs from Root DSE" option for the connection profile in
question. Hopefully it will also prove useful.
Each has been scrubbed and replaced with corresponding values from the example
scenario in this issue's description for consistency.
Below you will find the LDIF for *dc=baz,dc=quux*'s
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you
wish to have a reproducible case. It uses OpenLDAP's OLC ("dynamic runtime
configuration"), again scrubbed and replaced with values matching the example
scenario (including the Base64'd _olcDbIDAssertBind_ attribute).
{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}
> Proxied auth leads to wrong DIT/rootDSE being used
> --
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
>Affects Versions: 2.0.0
>Reporter: brent s.
>Priority: Major
> Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote
> bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity
> Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is
> seemingly never detected.
> For example, the following scenario:
>
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under
> dc=foo,dc=bar* to proxy (back-ldap) the bind request to
> _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
>
>
> When the above bindDN and Server is used, binding successfully takes place.
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_
> *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
> This is, obviously, incorrect.
> This is handled correctly in
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398458#comment-17398458
]
brent s. commented on DIRSTUDIO-1285:
-
[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to
*2.0.0.v20210717-M17* and confirmed the search logs work now.
I have attached two files:
* *connect_disconnect.log* - the one you asked for (though I forgot to disable
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check
(enable) the "Get base DNs from Root DSE" option for the connection profile in
question. Hopefully it will also prove useful.
Each has been scrubbed and replaced with corresponding values from the example
scenario in this issue's description for consistency.
Below you will find the LDIF for *dc=baz,dc=quux*'s
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you
wish to have a reproducible case. It uses OpenLDAP's OLC ("dynamic runtime
configuration"), again scrubbed and replaced with values matching the example
scenario (including the Base64'd _olcDbIDAssertBind_ attribute).
{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}
> Proxied auth leads to wrong DIT/rootDSE being used
> --
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
>Affects Versions: 2.0.0
>Reporter: brent s.
>Priority: Major
> Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote
> bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity
> Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is
> seemingly never detected.
> For example, the following scenario:
>
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
> Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under
> dc=foo,dc=bar* to proxy (back-ldap) the bind request to
> _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
>
>
> When the above bindDN and Server is used, binding successfully takes place.
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_
> *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server.
> This is, obviously, incorrect.
> This is handled correctly in the openLDAP clients (e.g. _ldapsearch_).
>
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile
> does not change this behavior. _Ensuring that is disabled and specifying
> e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this
> behavior!_ Using the "Fetch Base DNs" button does not change this behavior;
> it only detects *dc=foo,dc=bar*.
>
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] brent s. updated DIRSTUDIO-1285: Attachment: enable_base_dn_server.log > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > Attachments: connect_disconnect.log, enable_base_dn_server.log > > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] brent s. updated DIRSTUDIO-1285: Attachment: connect_disconnect.log > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > Attachments: connect_disconnect.log > > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267 ] brent s. edited comment on DIRSTUDIO-1285 at 8/12/21, 8:08 PM: --- Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting the version from the dropdown list when creating the issue but wasn't able to find it. That is correct, namingContexts includes both. I've followed the procedure above but both the log window and the exported log file is completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect. was (Author: bsaner): Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting it from the list but wasn't able to find it. That is correct, namingContexts includes both. I've followed the procedure above but both the log window and the exported log file is completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect. > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267 ] brent s. commented on DIRSTUDIO-1285: - Full version string is *2.0.0.v20210213-M16* according to Help > About Apache Directory Studio, though this has been an issue for every version of the software I've used (I've been using it for about a year and a half now and keep it relatively up to date). I tried selecting it from the list but wasn't able to find it. That is correct, namingContexts includes both. I've followed the procedure above but both the log window and the exported log file is completely empty, even with _Search Result Entry Logs_ enabled, before, during, and after the connection and disconnect. > Proxied auth leads to wrong DIT/rootDSE being used > -- > > Key: DIRSTUDIO-1285 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 > Project: Directory Studio > Issue Type: Bug >Affects Versions: 2.0.0 >Reporter: brent s. >Priority: Major > > If using Apache Directory Studio as a client to OpenLDAP using [remote > bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity > Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is > seemingly never detected. > For example, the following scenario: > > BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ > Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ > _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. > *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under > dc=foo,dc=bar* to proxy (back-ldap) the bind request to > _ldap://foo.domain.tld:389_ using identity assertion. > _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. > > > When the above bindDN and Server is used, binding successfully takes place. > However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ > *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. > This is, obviously, incorrect. > This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). > > Ensuring "Get base DNs from Root DSE" is checked in the connection profile > does not change this behavior. _Ensuring that is disabled and specifying > e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this > behavior!_ Using the "Fetch Base DNs" button does not change this behavior; > it only detects *dc=foo,dc=bar*. > > I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Created] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used
brent s. created DIRSTUDIO-1285: --- Summary: Proxied auth leads to wrong DIT/rootDSE being used Key: DIRSTUDIO-1285 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285 Project: Directory Studio Issue Type: Bug Affects Versions: 2.0.0 Reporter: brent s. If using Apache Directory Studio as a client to OpenLDAP using [remote bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is seemingly never detected. For example, the following scenario: BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_ Server (as configured in the connection profile): _ldap://baz.domain.tld:389_ _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*. *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under dc=foo,dc=bar* to proxy (back-ldap) the bind request to _ldap://foo.domain.tld:389_ using identity assertion. _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*. When the above bindDN and Server is used, binding successfully takes place. However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. This is, obviously, incorrect. This is handled correctly in the openLDAP clients (e.g. _ldapsearch_). Ensuring "Get base DNs from Root DSE" is checked in the connection profile does not change this behavior. _Ensuring that is disabled and specifying e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using the "Fetch Base DNs" button does not change this behavior; it only detects *dc=foo,dc=bar*. I can see both DIT DNs in the root DSE's _namingContexts_ attributes. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
