[jira] [Closed] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-13 Thread brent s. (Jira)


 [ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

brent s. closed DIRSTUDIO-1285.
---
Resolution: Invalid

I made a dumb. Thanks for the help, [~seelmann]!

> Proxied auth leads to wrong DIT/rootDSE being used
> --
>
> Key: DIRSTUDIO-1285
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: brent s.
> Priority: Major
> Attachments: connect_disconnect.log, enable_base_dn_server.log
>
>
> If using Apache Directory Studio as a client to OpenLDAP using [remote 
> bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity 
> Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is 
> seemingly never detected.
> For example, the following scenario:
> 
> BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
>  Server (as configured in the connection profile): _ldap://baz.domain.tld:389_
> _ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.
> *dc=baz,dc=quux* is configured to proxy all bind requests for *anything under 
> dc=foo,dc=bar* to proxy (back-ldap) the bind request to 
> _ldap://foo.domain.tld:389_ using identity assertion.
> _ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.
> 
>  
> When the above bindDN and Server are used, binding successfully takes place. 
> However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ 
> *dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. 
> This is, obviously, incorrect.
> This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).
>  
> Ensuring "Get base DNs from Root DSE" is checked in the connection profile 
> does not change this behavior. _Ensuring that is disabled and specifying 
> e.g._ *dc=baz,dc=quux* _manually as the base DN does not change this 
> behavior!_ Using the "Fetch Base DNs" button does not change this behavior; 
> it only detects *dc=foo,dc=bar*.
>  
> I can see both DIT DNs in the root DSE's _namingContexts_ attributes.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org



[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-13 Thread brent s. (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398892#comment-17398892
 ] 

brent s. commented on DIRSTUDIO-1285:
-

OH my word. Fixed.

I am so sorry for wasting your time; I had the dn.base ACL set to search and 
not read!

Thank you so much for pointing me in the right direction! Closing.(y)




[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-13 Thread brent s. (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398458#comment-17398458
 ] 

brent s. edited comment on DIRSTUDIO-1285 at 8/13/21, 6:10 AM:
---

[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to 
*2.0.0.v20210717-M17* and confirmed the search logs work now.

I have attached two files:

* *connect_disconnect.log* - the one you asked for (though I forgot to disable 
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check 
(enable) the "Get base DNs from Root DSE" option for the connection profile in 
question. Hopefully it will also prove useful.

Each has been scrubbed and replaced with corresponding values from the example 
scenario in this issue's description for consistency.

Below you will find the LDIF for *dc=baz,dc=quux*'s 
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you 
wish to have a reproducible case. It uses OpenLDAP's OLC ("[dynamic runtime 
configuration|https://www.openldap.org/doc/admin24/slapdconf2.html]"), again 
scrubbed and replaced with values matching the example scenario (including the 
Base64'd _olcDbIDAssertBind_ attribute).

{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
 cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
 zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}


was (Author: bsaner):
[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to 
*2.0.0.v20210717-M17* and confirmed the search logs work now.

I have attached two files:

* *connect_disconnect.log* - the one you asked for (though I forgot to disable 
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check 
(enable) the "Get base DNs from Root DSE" option for the connection profile in 
question. Hopefully it will also prove useful.

Each has been scrubbed and replaced with corresponding values from the example 
scenario in this issue's description for consistency.

Below you will find the LDIF for *dc=baz,dc=quux*'s 
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you 
wish to have a reproducible case. It uses OpenLDAP's OLC ("dynamic runtime 
configuration"), again scrubbed and replaced with values matching the example 
scenario (including the Base64'd _olcDbIDAssertBind_ attribute).

{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
 cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
 zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}


[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-13 Thread brent s. (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398458#comment-17398458
 ] 

brent s. commented on DIRSTUDIO-1285:
-

[~seelmann] Thanks! That was indeed the cause of the missing log. Updated to 
*2.0.0.v20210717-M17* and confirmed the search logs work now.

I have attached two files:

* *connect_disconnect.log* - the one you asked for (though I forgot to disable 
the Result Entry logging before disconnecting; my apologies)
* *enable_base_dn_server.log* - this contains the log that occurs when I check 
(enable) the "Get base DNs from Root DSE" option for the connection profile in 
question. Hopefully it will also prove useful.

Each has been scrubbed and replaced with corresponding values from the example 
scenario in this issue's description for consistency.

Below you will find the LDIF for *dc=baz,dc=quux*'s 
(_ldap://baz.domain.tld:389_) proxied auth (back-ldap) configuration if you 
wish to have a reproducible case. It uses OpenLDAP's OLC ("dynamic runtime 
configuration"), again scrubbed and replaced with values matching the example 
scenario (including the Base64'd _olcDbIDAssertBind_ attribute).

{noformat}
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
 cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
 zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
{noformat}


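The `olcDbIDAssertBind::` value in the LDIF posted above is a folded, base64-encoded LDIF value (the double colon), which is an encoding and not a protection. The following is an added example, not part of the original thread or of OpenLDAP or Directory Studio: it unfolds and decodes that entry and applies two review checks; the function names and the checks themselves are assumptions of this example.

```python
import base64

# LDIF as posted in the comment (already scrubbed by the reporter).
LDIF = """\
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcReadOnly: TRUE
olcSuffix: dc=foo,dc=bar
olcDbIDAssertBind:: YmluZG1ldGhvZD1zaW1wbGUKYmluZGRuPSJjbj1iYXosb3U9U2VydmVy
 cyxkYz1mb28sZGM9YmFyIgpjcmVkZW50aWFscz1bUkVEQUNURUQgUEFTU1dPUkRdCnN0YXJ0dGx
 zPWNyaXRpY2FsCnRsc19wcm90b2NvbF9taW49MS4yCg==
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://foo.domain.tld
"""


def parse_ldif_entry(text):
    """Unfold continuation lines and decode '::' (base64) values of one entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            # A leading single space marks a folded continuation line.
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def parse_idassert_bind(value):
    """Split the decoded value into key=value parameters.

    The value posted in this thread separates parameters with newlines,
    so parsing is line-based; a single-line value would need a tokenizer.
    """
    params = {}
    for line in value.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep:
            params[key] = val.strip('"')
    return params


def review(entry):
    """Return review notes for one back-ldap database entry (example checks)."""
    notes = []
    uri = entry.get("olcDbURI", [""])[0]
    for raw in entry.get("olcDbIDAssertBind", []):
        params = parse_idassert_bind(raw)
        if "credentials" in params:
            notes.append("credentials embedded: base64 ('::') is encoding, "
                         "not protection; scrub before sharing the LDIF")
        if (params.get("bindmethod") == "simple" and uri.startswith("ldap://")
                and params.get("starttls") != "critical"):
            notes.append("simple bind over ldap:// without starttls=critical")
    return notes


if __name__ == "__main__":
    parsed = parse_ldif_entry(LDIF)
    for key, val in parse_idassert_bind(parsed["olcDbIDAssertBind"][0]).items():
        print(f"{key} = {val}")
    for note in review(parsed):
        print("NOTE:", note)
```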


[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-12 Thread brent s. (Jira)


 [ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

brent s. updated DIRSTUDIO-1285:

Attachment: enable_base_dn_server.log




[jira] [Updated] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-12 Thread brent s. (Jira)


 [ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

brent s. updated DIRSTUDIO-1285:

Attachment: connect_disconnect.log




[jira] [Comment Edited] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-12 Thread brent s. (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267
 ] 

brent s. edited comment on DIRSTUDIO-1285 at 8/12/21, 8:08 PM:
---

Full version string is *2.0.0.v20210213-M16* according to Help > About Apache 
Directory Studio, though this has been an issue for every version of the 
software I've used (I've been using it for about a year and a half now and keep 
it relatively up to date). I tried selecting the version from the dropdown list 
when creating the issue but wasn't able to find it.

 

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log 
file are completely empty, even with _Search Result Entry Logs_ enabled, before, 
during, and after the connection and disconnect.

 


was (Author: bsaner):
Full version string is *2.0.0.v20210213-M16* according to Help > About Apache 
Directory Studio, though this has been an issue for every version of the 
software I've used (I've been using it for about a year and a half now and keep 
it relatively up to date). I tried selecting it from the list but wasn't able 
to find it.

 

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log 
file are completely empty, even with _Search Result Entry Logs_ enabled, before, 
during, and after the connection and disconnect.

 




[jira] [Commented] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-12 Thread brent s. (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17398267#comment-17398267
 ] 

brent s. commented on DIRSTUDIO-1285:
-

Full version string is *2.0.0.v20210213-M16* according to Help > About Apache 
Directory Studio, though this has been an issue for every version of the 
software I've used (I've been using it for about a year and a half now and keep 
it relatively up to date). I tried selecting it from the list but wasn't able 
to find it.

 

That is correct, namingContexts includes both.

I've followed the procedure above but both the log window and the exported log 
file are completely empty, even with _Search Result Entry Logs_ enabled, before, 
during, and after the connection and disconnect.

 




[jira] [Created] (DIRSTUDIO-1285) Proxied auth leads to wrong DIT/rootDSE being used

2021-08-12 Thread brent s. (Jira)
brent s. created DIRSTUDIO-1285:
---

 Summary: Proxied auth leads to wrong DIT/rootDSE being used
 Key: DIRSTUDIO-1285
 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1285
 Project: Directory Studio
  Issue Type: Bug
Affects Versions: 2.0.0
Reporter: brent s.


If using Apache Directory Studio as a client to OpenLDAP using [remote 
bind|https://www.openldap.org/faq/data/cache/532.html] (see *Identity 
Assertion*), the incorrect DIT/rootDSE is used and the proper DIT/rootDSE is 
seemingly never detected.

For example, the following scenario:

BindDN (as configured in the connection profile): _cn=joe,dc=foo,dc=bar_
 Server (as configured in the connection profile): _ldap://baz.domain.tld:389_

_ldap://baz.domain.tld:389_ contains *dc=baz,dc=quux*.

*dc=baz,dc=quux* is configured to proxy all bind requests for *anything under 
dc=foo,dc=bar* to proxy (back-ldap) the bind request to 
_ldap://foo.domain.tld:389_ using identity assertion.

_ldap://foo.domain.tld:389_ obviously contains *dc=foo,dc=bar*.

 

When the above bindDN and Server are used, binding successfully takes place. 
However, the only DIT/rootDSE visible is *dc=foo,dc=bar* and _*not*_ 
*dc=baz,dc=quux*! In other words, the DIT that exists on the actual server. 
This is, obviously, incorrect.

This is handled correctly in the OpenLDAP clients (e.g. _ldapsearch_).

 

Ensuring "Get base DNs from Root DSE" is checked in the connection profile does 
not change this behavior. _Ensuring that is disabled and specifying e.g._ 
*dc=baz,dc=quux* _manually as the base DN does not change this behavior!_ Using 
the "Fetch Base DNs" button does not change this behavior; it only detects 
*dc=foo,dc=bar*.

 

I can see both DIT DNs in the root DSE's _namingContexts_ attributes.


