Proxy Authz interoperability of Sun's JNDI LDAP boost pack and OpenLDAP
- To: openldap-software@OpenLDAP.org
- Subject: Proxy Authz interoperability of Sun's JNDI LDAP boost pack and OpenLDAP
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 20 Jun 2007 17:43:19 +0200
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070509 SeaMonkey/1.1.2
Hi!
I'm currently testing proxy authorization with the control
implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
Sun's LDAP boost pack for JNDI.
slapd seems to be configured correctly since this command-line works:
ldapsearch -x -H "ldap://localhost:1390" \
  -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w testproxy \
  -b "ou=Testing,dc=stroeder,dc=de" -s sub \
  -e \!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" \
  "(objectClass=*)"
Now I'm trying to do the same via JNDI (see attached Test2.java). But
this results in:
Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'
When starting slapd with debugging (-d args,trace,packets) I get the log
I've also attached. Note the extra char before "dn:" in the line starting
with "parseProxyAuthz". I extracted the control from Wireshark and even
dumpasn1.c did not manage to decode it properly. So I suspect
something's wrong with the encoding. Can anybody please confirm this?
Any hint on how to reach Sun's JNDI developers?
Ciao, Michael.
--
Michael Ströder
michael@stroeder.com
http://www.stroeder.com
[..]
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 81 a8 02 01 02 63 3c 0.....c<
ldap_read: want=163, got=163
0000: 04 1c 6f 75 3d 54 65 73 74 69 6e 67 2c 64 63 3d ..ou=Testing,dc=
0010: 73 74 72 6f 65 64 65 72 2c 64 63 3d 64 65 0a 01 stroeder,dc=de..
0020: 01 0a 01 03 02 01 00 02 01 00 01 01 00 87 0b 6f ...............o
0030: 62 6a 65 63 74 63 6c 61 73 73 30 00 a0 65 30 63 bjectclass0..e0c
0040: 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 ..2.16.840.1.113
0050: 37 33 30 2e 33 2e 34 2e 31 38 01 01 ff 04 44 04 730.3.4.18....D.
0060: 42 64 6e 3a 75 69 64 3d 70 72 6f 78 69 65 64 75 Bdn:uid=proxiedu
0070: 73 65 72 2c 6f 75 3d 70 72 6f 78 79 61 75 74 68 ser,ou=proxyauth
0080: 7a 74 65 73 74 73 2c 6f 75 3d 54 65 73 74 69 6e ztests,ou=Testin
0090: 67 2c 64 63 3d 73 74 72 6f 65 64 65 72 2c 64 63 g,dc=stroeder,dc
00a0: 3d 64 65 =de
ber_get_next: tag 0x30 len 168 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>
=> ldap_bv2dn(ou=Testing,dc=stroeder,dc=de,0)
<= ldap_bv2dn(ou=Testing,dc=stroeder,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=Testing,dc=stroeder,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=testing,dc=stroeder,dc=de)=0
<<< dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>, <ou=testing,dc=stroeder,dc=de>
SRCH "ou=Testing,dc=stroeder,dc=de" 1 3 0 0 0
ber_scanf fmt (m) ber:
filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
ber_scanf fmt (m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 0 authzid="Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"
slap_sasl_getdn: conn 0 id=Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de [len=68]
<= get_ctrls: n=1 rc=47 err="authzId mapping failed"
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=47 matched="" text="authzId mapping failed"
send_ldap_response: msgid=2 tag=101 err=47
ber_flush: 36 bytes to sd 16
0000: 30 22 02 01 02 65 1d 0a 01 2f 04 00 04 16 61 75 0"...e.../....au
0010: 74 68 7a 49 64 20 6d 61 70 70 69 6e 67 20 66 61 thzId mapping fa
0020: 69 6c 65 64 iled
ldap_write: want=36, written=36
0000: 30 22 02 01 02 65 1d 0a 01 2f 04 00 04 16 61 75 0"...e.../....au
0010: 74 68 7a 49 64 20 6d 61 70 70 69 6e 67 20 66 61 thzId mapping fa
0020: 69 6c 65 64 iled
do_search: get_ctrls failed
connection_get(16)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 16 failed errno=0 (Success)
connection_closing: readying conn=0 sd=16 for close
connection_close: conn=0 sd=16
// Test2.java (attached to the message above): bind as proxyuser, then search
// with the Proxied Authorization Control asserting proxieduser as the
// authorization identity, the JNDI counterpart of the ldapsearch call.
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;

class Test2
{
    public static void main(String args[])
    {
        String url = "ldap://127.0.0.1:1390";
        LdapContext ctx = null;
        try
        {
            Hashtable<String, String> env = new Hashtable<String, String>();
            // Use LDAP service provider from Sun
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.REFERRAL, "throw");
            env.put(Context.PROVIDER_URL, url);
            // Simple bind as the proxy user (same credentials as in the ldapsearch call)
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            env.put(Context.SECURITY_CREDENTIALS, "testproxy");
            ctx = new InitialLdapContext(env, null);

            // Use Proxy Authorization Control (OID 2.16.840.1.113730.3.4.18) with a "dn:" authzId;
            // the attached trace shows it is sent with criticality TRUE.
            ProxiedAuthorizationControl p = new ProxiedAuthorizationControl(
                "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            ctx.setRequestControls(new Control[] { p });

            // Default SearchControls means ONELEVEL_SCOPE, which is the scope 1 seen in the trace
            SearchControls sc = new SearchControls();
            NamingEnumeration<SearchResult> enumResults =
                ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectclass=*)", sc);
            // The server's error, if any, surfaces on search() or while iterating
            while (enumResults.hasMore())
            {
                System.out.println(enumResults.next().getNameInNamespace());
            }
            enumResults.close();
        }
        catch (NamingException e)
        {
            System.out.println("Exception: " + e.toString());
        }
        finally
        {
            if (ctx != null)
            {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
        System.out.println("Programmende");
    }
}
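The control bytes in the slapd trace can be checked without Wireshark or dumpasn1. Below is an added example (my code, not part of the original post, of Sun's booster pack, or of OpenLDAP): a minimal BER TLV decoder applied to the Controls element copied from the second ldap_read() dump above (offset 0x3c onward, starting "a0 65 30 63"), plus the encoding RFC 4370 prescribes for the same authzId, built side by side for comparison. The helper names (ber_read_tlv, decode_controls, inspect_proxy_authz, encode_proxy_authz_control) are my own; the bytes are the page's. What the decode shows is already visible in the dump: the 68-byte control value begins with "04 42", i.e. its own OCTET STRING header, so the server sees 0x04 followed by 'B' (0x42, the inner length octet) and then "dn:...", which is the "Bdn:" with len=68 in the parseProxyAuthz line, whereas RFC 4370 puts the authzId octets directly into controlValue.

```python
"""Decode the Proxied Authorization Control captured in the slapd trace and
compare it with the RFC 4370 encoding. Added example; helper names are mine."""

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370

# Copied from the "ldap_read: want=163" dump on this page, offset 0x3c onward:
# Controls ::= [0] SEQUENCE OF Control, as slapd received it.
CAPTURED_CONTROLS_HEX = """
a0 65 30 63
04 18 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 31 38
01 01 ff
04 44 04 42 64 6e 3a 75 69 64 3d 70 72 6f 78 69 65 64 75 73 65 72 2c 6f 75 3d
70 72 6f 78 79 61 75 74 68 7a 74 65 73 74 73 2c 6f 75 3d 54 65 73 74 69 6e 67
2c 64 63 3d 73 74 72 6f 65 64 65 72 2c 64 63 3d 64 65
"""
CAPTURED_CONTROLS = bytes.fromhex("".join(CAPTURED_CONTROLS_HEX.split()))


def ber_read_tlv(buf, pos=0):
    """Read one BER element (single-octet tag, definite length) at buf[pos].
    Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def ber_tlv(tag, content):
    """Encode one BER element with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def decode_controls(buf):
    """Parse Controls ::= [0] SEQUENCE OF Control (RFC 4511 section 4.1.11)."""
    tag, seq, _ = ber_read_tlv(buf)
    if tag != 0xA0:
        raise ValueError("not a Controls element: tag 0x%02x" % tag)
    controls, pos = [], 0
    while pos < len(seq):
        tag, ctl, pos = ber_read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Control must be a SEQUENCE")
        # Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
        #                        controlValue OCTET STRING OPTIONAL }
        _, oid, p = ber_read_tlv(ctl)
        critical, value = False, None
        while p < len(ctl):
            tag, v, p = ber_read_tlv(ctl, p)
            if tag == 0x01:
                critical = v != b"\x00"
            elif tag == 0x04:
                value = v
        controls.append({"oid": oid.decode("ascii"), "critical": critical, "value": value})
    return controls


def inspect_proxy_authz(control_value):
    """RFC 4370: controlValue holds the authzId octets directly (empty = anonymous).
    An authzId starts with "dn:" or "u:" (RFC 4513), never with 0x04, so a leading
    OCTET STRING header that spans the whole value means it was wrapped twice."""
    if control_value[:1] == b"\x04":
        _, inner, end = ber_read_tlv(control_value)
        if end == len(control_value):
            return {"double_wrapped": True, "authzid": inner.decode("utf-8"),
                    "as_seen_by_server": control_value.decode("latin-1")}
    return {"double_wrapped": False, "authzid": control_value.decode("utf-8"),
            "as_seen_by_server": control_value.decode("latin-1")}


def encode_proxy_authz_control(authzid, critical=True):
    """Build the control as RFC 4370 specifies: authzId octets are the value itself."""
    ctl = ber_tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    if critical:
        ctl += ber_tlv(0x01, b"\xff")
    ctl += ber_tlv(0x04, authzid.encode("utf-8"))
    return ber_tlv(0xA0, ber_tlv(0x30, ctl))


if __name__ == "__main__":
    (ctl,) = decode_controls(CAPTURED_CONTROLS)
    info = inspect_proxy_authz(ctl["value"])
    print("OID %s critical=%s" % (ctl["oid"], ctl["critical"]))
    print("value as slapd sees it (%d bytes): %r" % (len(ctl["value"]), info["as_seen_by_server"]))
    print("double wrapped: %s, inner authzId: %s" % (info["double_wrapped"], info["authzid"]))
    good = encode_proxy_authz_control(info["authzid"])
    print("RFC 4370 encoding: %d bytes, captured: %d bytes" % (len(good), len(CAPTURED_CONTROLS)))
```

The decoder only handles single-octet tags, which is all an LDAP Controls element needs; it can be pointed at any Controls slice cut from a `-d packets` dump. The RFC 4370 encoding of the same authzId comes out two octets shorter than the captured one, exactly the inner "04 42" header.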