HI!
I'm currently testing proxy authorization with the control implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in Sun's LDAP boost pack for JNDI.
slapd seems to be configured correctly since this command-line works:
ldapsearch -x -H "ldap://localhost:1390" -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w testproxy -b "ou=Testing,dc=stroeder,dc=de" -s sub -e !authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" "(objectClass=*)"
Now I'm trying to do the same via JNDI (see attached Test2.java). But this results in:
Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'
If starting slapd with debugging (-d args,trace,packets) I get the log I've also attached. Note the extra char before "dn:" in line starting with "parseProxyAuthz". I extracted the control from Wireshark and even dumpasn1.c did not manage to decode it properly. So I suspect something's wrong with the encoding. Can anybody please confirm this?
Any hint how to reach Sun's JNDI developers?
Ciao, Michael.
--On Wednesday, June 20, 2007 5:43 PM +0200 Michael Ströder michael@stroeder.com wrote:
HI!
I'm currently testing proxy authorization with the control implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in Sun's LDAP boost pack for JNDI.
slapd seems to be configured correctly since this command-line works:
ldapsearch -x -H "ldap://localhost:1390" -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w testproxy -b "ou=Testing,dc=stroeder,dc=de" -s sub -e !authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" "(objectClass=*)"
Now I'm trying to do the same via JNDI (see attached Test2.java). But this results in:
Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'
If starting slapd with debugging (-d args,trace,packets) I get the log I've also attached. Note the extra char before "dn:" in line starting with "parseProxyAuthz". I extracted the control from Wireshark and even dumpasn1.c did not manage to decode it properly. So I suspect something's wrong with the encoding. Can anybody please confirm this?
Any hint how to reach Sun's JNDI developers?
Have you tried using JLDAP instead? When I was at Stanford, we started having to use JLDAP over JNDI as JLDAP had better support for control implementations.
--Quanah
-- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2007 5:43 PM +0200 Michael Ströder michael@stroeder.com wrote:
I'm currently testing proxy authorization with the control implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in Sun's LDAP boost pack for JNDI.
Have you tried using JLDAP instead?
This would be *my* next step. Unfortunately I'm not responsible for choosing the Java LDAP libs.
as JLDAP had better support for control implementations.
Noted.
Ciao, Michael.
AFAIK, Sun encodes the proxyAuthz requests à la Mozilla, which is inconsistent with RFC 4370. In OpenLDAP's code there are limited provisions to handle those cases. For example, back-ldap/meta can use that encoding by the "obsolete-encoding-workaround" flag; it can also use the original specification of proxyAuthz by the "obsolete-proxy-authz" flag (I think they're both undocumented, though).
OpenLDAP clients can only request the use of the obsolete encoding.
These hacks are necessary when using SunONE, I don't know if they are with other LDAP-enabled software from Sun. We developed a custom module that allows slapd to understand both the obsolete control (no issue, since it uses a different OID) as well as the obsolete encoding (issue: it uses the RFC 4370 OID, so it is incompatible with the correct implementation).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
This is a known bug in JNDI. It hasn't been updated to implement the control per RFC 4370 (Standards Track), and instead follows an early draft specification. Complain to the JNDI folk.
-- Kurt
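To make the encoding mismatch Pierangelo and Kurt describe concrete, here is an added illustration (not code from OpenLDAP, from Sun's JNDI, or from anyone in this thread). It DER-encodes an LDAP Control carrying the proxied authorization value two ways: per RFC 4370, where the controlValue is the bare authzId string, and per the early draft, where the authzId is first wrapped in a BER OCTET STRING (the same wrapping OpenLDAP's obsolete-encoding-workaround produces). A small strict parser then shows why a server that only implements RFC 4370 sees a leading junk byte before "dn:" and rejects the value, and how a server that tolerates the old form can recover it. The parser's rule of accepting only empty, "dn:" and "u:" authzIds, and the ProxyAuthzFailure exception as a stand-in for result code 47, are simplifications chosen for this example, not slapd's actual logic.

```python
"""Proxied Authorization control (OID 2.16.840.1.113730.3.4.18):
RFC 4370 value encoding versus the obsolete early-draft encoding.
Added example for this thread; not OpenLDAP or Sun JNDI code.
Pure DER handling, no directory server involved."""

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # controlType from RFC 4370

# Constructed sample authzId, matching the one used in the thread.
SAMPLE_AUTHZID = "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_rfc4370(authzid: str) -> bytes:
    """RFC 4370: the controlValue *is* the authzId, with no BER wrapping."""
    return authzid.encode("utf-8")


def encode_obsolete(authzid: str) -> bytes:
    """Early-draft form: authzId BER-encoded as an OCTET STRING first.
    Inside the Control this yields a doubly wrapped OCTET STRING."""
    return der_tlv(0x04, authzid.encode("utf-8"))


def build_control(oid: str, critical: bool, value: bytes) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID,
                              criticality BOOLEAN DEFAULT FALSE,
                              controlValue OCTET STRING OPTIONAL }"""
    body = der_tlv(0x04, oid.encode("ascii"))
    if critical:                      # DEFAULT FALSE: omit when not critical
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for one DER TLV."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:                     # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


class ProxyAuthzFailure(Exception):
    """Stand-in for slapd's 'authzId mapping failed' (result code 47)."""


def parse_authzid(value: bytes, accept_obsolete: bool = False) -> str:
    """Server side: map a raw controlValue to an authzId string.
    Strict RFC 4370 by default. A valid RFC 4370 value is empty or starts
    with 'dn:'/'u:', so a leading 0x04 byte can only be the obsolete
    OCTET STRING tag; unwrap it only if the caller opts in."""
    if accept_obsolete and len(value) >= 2 and value[:1] == b"\x04":
        _, inner, end = read_tlv(value)
        if end == len(value):         # well-formed wrapper covering the whole value
            value = inner
    try:
        authzid = value.decode("utf-8")
    except UnicodeDecodeError:
        raise ProxyAuthzFailure("authzId is not valid UTF-8") from None
    if authzid == "" or authzid.startswith(("dn:", "u:")):
        return authzid
    # This is what the thread's "extra char before dn:" looks like here.
    raise ProxyAuthzFailure("authzId mapping failed: %r" % authzid[:8])


def parse_control(raw: bytes, accept_obsolete: bool = False):
    """Decode a Control SEQUENCE; return (oid, criticality, authzId)."""
    tag, seq, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("Control is not a SEQUENCE")
    _, oid, pos = read_tlv(seq)
    tag, content, pos = read_tlv(seq, pos)
    critical = False
    if tag == 0x01:                   # optional criticality BOOLEAN present
        critical = content != b"\x00"
        _, content, pos = read_tlv(seq, pos)
    return oid.decode("ascii"), critical, parse_authzid(content, accept_obsolete)


def rejected(raw: bytes, accept_obsolete: bool = False) -> bool:
    """True if a server with the given tolerance refuses this control."""
    try:
        parse_control(raw, accept_obsolete)
        return False
    except ProxyAuthzFailure:
        return True


if __name__ == "__main__":
    good = build_control(PROXY_AUTHZ_OID, True, encode_rfc4370(SAMPLE_AUTHZID))
    old = build_control(PROXY_AUTHZ_OID, True, encode_obsolete(SAMPLE_AUTHZID))
    print("RFC 4370 control   :", good.hex())
    print("obsolete encoding  :", old.hex())
    print("strict server, old :", "rejected" if rejected(old) else "accepted")
    print("tolerant server,old:", parse_control(old, accept_obsolete=True)[2])
```

The two hex dumps differ only inside the controlValue: the obsolete form carries an extra 0x04 tag and a length byte in front of "dn:", which is exactly the stray character a strict RFC 4370 parser trips over. A tolerant server can distinguish the forms safely because no RFC 4370 authzId begins with 0x04, but, as Pierangelo notes, both forms share the same OID, so the tolerance has to live in the server's value parser rather than in OID dispatch.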
openldap-software@openldap.org