
Proxy Authz interoperability of Sun's JNDI LDAP boost pack and OpenLDAP



Hi!

I'm currently testing proxy authorization with the control
implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
Sun's LDAP boost pack for JNDI.

slapd seems to be configured correctly since this command-line works:

ldapsearch -x -H "ldap://localhost:1390" \
  -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w testproxy \
  -b "ou=Testing,dc=stroeder,dc=de" -s sub \
  -e \!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" \
  "(objectClass=*)"

Now I'm trying to do the same via JNDI (see attached Test2.java). But
this results in:

Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'

If starting slapd with debugging (-d args,trace,packets) I get the log
I've also attached. Note the extra char before "dn:" in line starting
with "parseProxyAuthz". I extracted the control from Wireshark and even
dumpasn1.c did not manage to decode it properly. So I suspect
something's wrong with the encoding. Can anybody please confirm this?

Any hint on how to reach Sun's JNDI developers?

Ciao, Michael.

-- 
Michael Ströder
michael@stroeder.com
http://www.stroeder.com
[..]
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 81 a8 02 01 02 63 3c                            0.....c<          
ldap_read: want=163, got=163
  0000:  04 1c 6f 75 3d 54 65 73  74 69 6e 67 2c 64 63 3d   ..ou=Testing,dc=  
  0010:  73 74 72 6f 65 64 65 72  2c 64 63 3d 64 65 0a 01   stroeder,dc=de..  
  0020:  01 0a 01 03 02 01 00 02  01 00 01 01 00 87 0b 6f   ...............o  
  0030:  62 6a 65 63 74 63 6c 61  73 73 30 00 a0 65 30 63   bjectclass0..e0c  
  0040:  04 18 32 2e 31 36 2e 38  34 30 2e 31 2e 31 31 33   ..2.16.840.1.113  
  0050:  37 33 30 2e 33 2e 34 2e  31 38 01 01 ff 04 44 04   730.3.4.18....D.  
  0060:  42 64 6e 3a 75 69 64 3d  70 72 6f 78 69 65 64 75   Bdn:uid=proxiedu  
  0070:  73 65 72 2c 6f 75 3d 70  72 6f 78 79 61 75 74 68   ser,ou=proxyauth  
  0080:  7a 74 65 73 74 73 2c 6f  75 3d 54 65 73 74 69 6e   ztests,ou=Testin  
  0090:  67 2c 64 63 3d 73 74 72  6f 65 64 65 72 2c 64 63   g,dc=stroeder,dc  
  00a0:  3d 64 65                                           =de               
ber_get_next: tag 0x30 len 168 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>
=> ldap_bv2dn(ou=Testing,dc=stroeder,dc=de,0)
<= ldap_bv2dn(ou=Testing,dc=stroeder,dc=de)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=Testing,dc=stroeder,dc=de)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=testing,dc=stroeder,dc=de)=0 
<<< dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>, <ou=testing,dc=stroeder,dc=de>
SRCH "ou=Testing,dc=stroeder,dc=de" 1 3    0 0 0
ber_scanf fmt (m) ber:
    filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
ber_scanf fmt (m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 0 authzid="Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"
slap_sasl_getdn: conn 0 id=Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de [len=68]
<= get_ctrls: n=1 rc=47 err="authzId mapping failed"
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=47 matched="" text="authzId mapping failed"
send_ldap_response: msgid=2 tag=101 err=47
ber_flush: 36 bytes to sd 16
  0000:  30 22 02 01 02 65 1d 0a  01 2f 04 00 04 16 61 75   0"...e.../....au  
  0010:  74 68 7a 49 64 20 6d 61  70 70 69 6e 67 20 66 61   thzId mapping fa  
  0020:  69 6c 65 64                                        iled              
ldap_write: want=36, written=36
  0000:  30 22 02 01 02 65 1d 0a  01 2f 04 00 04 16 61 75   0"...e.../....au  
  0010:  74 68 7a 49 64 20 6d 61  70 70 69 6e 67 20 66 61   thzId mapping fa  
  0020:  69 6c 65 64                                        iled              
do_search: get_ctrls failed
connection_get(16)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 16 failed errno=0 (Success)
connection_closing: readying conn=0 sd=16 for close
connection_close: conn=0 sd=16

import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;

class Test2
{
    public static void main(String args[])
    {
        String url = "ldap://127.0.0.1:1390";
        LdapContext ctx = null;
        Hashtable<String, String> env = null;
        NamingEnumeration<SearchResult> enumResults = null;

        try
        {
            env = new Hashtable<String, String>();

            // Use LDAP service provider from Sun
            env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(DirContext.REFERRAL, "throw");
            env.put(DirContext.PROVIDER_URL, url);
            // Simple bind as the proxy user (same identity as ldapsearch -D above)
            env.put(DirContext.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            env.put(DirContext.SECURITY_CREDENTIALS, "testproxy");
            ctx = new InitialLdapContext(env, null);

            // use Proxy Authorization Control (OID 2.16.840.1.113730.3.4.18) to act as proxieduser
            ProxiedAuthorizationControl p = new ProxiedAuthorizationControl("dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            ctx.setRequestControls(new Control[]{p});

            // The control is sent with this search; slapd answers it with error 47 (see log)
            enumResults = ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectclass=*)", null);
            while (enumResults.hasMore())
            {
                System.out.println(enumResults.next().getNameInNamespace());
            }
        }
        catch (Exception e)
        {
            System.out.println("Exception: " + e.toString());
        }
        finally
        {
            try
            {
                if (ctx != null) ctx.close();
            }
            catch (Exception ignored) {}
        }
        System.out.println("Programmende");
    }
}
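Added example, not part of this post nor of Sun's boost pack: a small Python BER decoder run over the control bytes transcribed from the slapd packet dump above. It shows that the 68-byte controlValue is itself an OCTET STRING (04 42 ...) wrapping the 66-byte authzId, which is why slapd logs len=68 and an authzid beginning with "B" (0x42 is the inner length byte; the 0x04 tag in front of it is unprintable), whereas RFC 4370 specifies the bare authzId as the controlValue, the encoding build_control produces for comparison.

```python
OID = b"2.16.840.1.113730.3.4.18"   # Proxied Authorization Control, RFC 4370
AUTHZID = b"dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"

# Bytes transcribed from the slapd packet log above (from the "30 63" at offset 0x3e):
# SEQUENCE, OID, criticality TRUE, then a 68-byte controlValue that starts with 04 42.
CAPTURED_CONTROL = (b"\x30\x63" + b"\x04\x18" + OID + b"\x01\x01\xff"
                    + b"\x04\x44" + b"\x04\x42" + AUTHZID)

def read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the BER TLV at buf[pos] (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, contents):
    """Encode one short-form TLV (sufficient for contents under 128 bytes)."""
    assert len(contents) < 0x80
    return bytes([tag, len(contents)]) + contents

def parse_control(control):
    """Split an LDAP Control SEQUENCE into (controlType, criticality, controlValue)."""
    tag, body, _ = read_tlv(control)
    assert tag == 0x30, "Control must be a SEQUENCE"
    tag, oid, pos = read_tlv(body)
    criticality, value = False, None
    if pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag == 0x01:                    # optional BOOLEAN criticality
            criticality = item != b"\x00"
            if pos < len(body):
                tag, item, pos = read_tlv(body, pos)
        if tag == 0x04:                    # optional OCTET STRING controlValue
            value = item
    return oid.decode("ascii"), criticality, value

def analyse_authzid(value):
    """slapd uses controlValue as-is; report whether it is really a nested OCTET STRING."""
    if len(value) >= 2 and value[0] == 0x04:
        _, inner, end = read_tlv(value)
        if end == len(value):
            return {"as_seen_by_slapd": value, "wrapped": True, "inner": inner}
    return {"as_seen_by_slapd": value, "wrapped": False, "inner": value}

def build_control(authzid, critical=True):
    """RFC 4370 encoding: the authzId bytes are the controlValue, not wrapped again."""
    crit = tlv(0x01, b"\xff") if critical else b""   # DEFAULT FALSE, so omitted when false
    return tlv(0x30, tlv(0x04, OID) + crit + tlv(0x04, authzid))
```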