Re: Proxy Authz interoperability of Sun's JNDI LDAP boost pack and OpenLDAP

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Wednesday, June 20, 2007 5:43 PM +0200 Michael StrÃder 
<michael@stroeder.com> wrote:

> HI!
>
> I'm currently testing proxy authorization with the control
> implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
> Sun's LDAP boost pack for JNDI.
>
> slapd seems to be configured correctly since this command-line works:
>
> ldapsearch -x -H "ldap://localhost:1390"; -D
> "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w
> testproxy -b "ou=Testing,dc=stroeder,dc=de" -s sub -e
> \!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,d
> c=de" "(objectClass=*)"
>
> Now I'm trying to do the same via JNDI (see attached Test2.java). But
> this results in:
>
> Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
> mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'
>
> If starting slapd with debugging (-d args,trace,packets) I get the log
> I've also attached. Note the extra char before "dn:" in line starting
> with "parseProxyAuthz". I extracted the control from Wireshark and even
> dumpasn1.c did not manage to decode it properly. So I suspect
> something's wrong with the encoding. Can anybody please confirm this?
>
> Any hint how to reach Sun's JNDI developers?

Have you tried using JLDAP instead?  When I was at Stanford, we started 
having to use JLDAP over JNDI as JLDAP had better support for control 
implementations.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration