Hi,
I have been struggling with a unique constraint that is being constantly bypassed by a java script.
I set up the ldap server and unique layer and I verified that the uniqueness on a field is correctly enforced using ldapmodify, ldapvi, python and one more widget tool.
There is a java program I have not written (I don't know java) that constantly bypasses the constraint and I can't really understand how it can. It seems to perform the same operation I do: given an existing item, change mail field.
What can it be that is different from one and the other situation? All programs connect with simple authentication + tls.
Thanks for any possible hints
sandro *:-)
PS: I thought to bypass this problem switching to back-sql + PostgreSQL so that I opened up to other problems, subject of a separate email...
--On Thursday, September 24, 2015 2:08 AM +0200 Alessandro Dentella sandro@e-den.it wrote:
> PS: I thought to bypass this problem switching to back-sql + PostgreSQL so that I opened up to other problems, subject of a separate email...
Why would you use an unsupported backend that's entirely experimental, and why would you expect that to solve your issue?
I'd guess that java is using the manageDSAit control to bypass slapo-unique, and your other programs aren't.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On 9/24/15 7:34 PM, Quanah Gibson-Mount wrote:
> I'd guess that java is using the manageDSAit control to bypass slapo-unique, and your other programs aren't.
JNDI Referral handling (currently?) defaults to "ignore", which sends the control. See
https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
-Phil
--On Thursday, September 24, 2015 8:49 PM -0400 Phil Pishioneri pgp@psu.edu wrote:
> On 9/24/15 7:34 PM, Quanah Gibson-Mount wrote:
>> I'd guess that java is using the manageDSAit control to bypass slapo-unique, and your other programs aren't.
> JNDI Referral handling (currently?) defaults to "ignore", which sends the control. See
> https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
Using JNDI is a major mistake as well... Use UnboundID SDK or Apache directory server SDK for java programs accessing ldap.
--Quanah
On Thu, Sep 24, 2015 at 04:34:13PM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, September 24, 2015 2:08 AM +0200 Alessandro Dentella sandro@e-den.it wrote:
>> PS: I thought to bypass this problem switching to back-sql + PostgreSQL so that I opened up to other problems, subject of a separate email...
> experimental, and why would you expect that to solve your issue?
Because I know that PostgreSQL would never let a duplicate field on a unique index!
To me, if slapo-index lets a program bypass that constraint, it is at least buggy and experimental either.
The java program was written by people out of my company, and I'm not really in the position to tell them to change their code because I'm not able to make a correct index on a field. I'm not really used to thinking of unicity as a constraint that can be bypassed...
That said, the author of the java code is collaborative and there is room for a change if that demonstrates to be the correct solution.
> Why would you use an unsupported backend that's entirely experimental
It has been in the openldap repository for years so I thought that was at least working. On the internet the documentation is very scarce but there are people that declare it's working for them.
> I'd guess that java is using the manageDSAit control to bypass slapo-unique, and your other programs aren't.
Honestly I didn't even know about this possibility. Can I see that from the logs? They're not currently aware of using it unless it is a default. What check can I ask them to perform?
Is there a way to inhibit this kind of access?
Thanks in advance
sandro
Alessandro Dentella wrote:
> To me, if slapo-index lets a program bypass that constraint, it is at least buggy and experimental either.
slapo-unique bypasses the constraint if the client application sends the Manage DSA IT control which JNDI always sends by default.
> The java program was written by people out of my company, and I'm not really in the position to tell them to change their code because I'm not able to make a correct index on a field. I'm not really used to thinking of unicity as a constraint that can be bypassed...
JNDI has a strange sort of internal referral handling.
> That said, the author of the java code is collaborative and there is room for a change if that demonstrates to be the correct solution.
IIRC the JNDI property to set was already mentioned in this thread by Quanah.
Ciao, Michael.
On Fri, Sep 25, 2015 at 09:51:59 +0200, Alessandro Dentella wrote:
> On Thu, Sep 24, 2015 at 04:34:13PM -0700, Quanah Gibson-Mount wrote:
>> I'd guess that java is using the manageDSAit control to bypass slapo-unique, and your other programs aren't.
> Honestly I didn't even know about this possibility. Can I see that from the logs? They're not currently aware of using it unless it is a default. What check can I ask them to perform?
> Is there a way to inhibit this kind of access?
It should not be allowed if your client has only "write" access but no "manage" access. Are you using the rootdn?
Geert
openldap-technical@openldap.org
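
An added example, not part of the thread and not code from any of its posters: one check for the question "what check can I ask them to perform" is to decode a plaintext LDAPMessage (for instance from a test connection made without TLS) and report whether a write request carries the ManageDsaIT control, OID 2.16.840.1.113730.3.4.2. The function names and the sample request bytes are constructed for illustration.

```python
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"   # ManageDsaIT control OID (RFC 3296)
WRITE_OPS = {0x66, 0x68, 0x6C}              # ModifyRequest, AddRequest, ModifyDNRequest

def tlv(tag, body):
    """Encode one BER element (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the size
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def request_controls(message):
    """Return (protocolOp tag, [(oid, critical), ...]) for one LDAPMessage."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(body, 0)            # messageID
    op_tag, _, pos = read_tlv(body, pos)     # protocolOp
    controls, p = [], 0
    tag, seq, _ = read_tlv(body, pos) if pos < len(body) else (None, b"", 0)
    while tag == 0xA0 and p < len(seq):      # [0] Controls, SEQUENCE OF Control
        _, ctrl, p = read_tlv(seq, p)
        _, oid, q = read_tlv(ctrl, 0)        # controlType
        # Optional BOOLEAN criticality: tag 0x01, length 1, then the value byte.
        critical = ctrl[q:q + 1] == b"\x01" and ctrl[q + 2:q + 3] != b"\x00"
        controls.append((oid.decode("ascii"), critical))
    return op_tag, controls

def sends_manage_dsa_it(message):
    """True if a write request carries the control slapo-unique honours."""
    op_tag, controls = request_controls(message)
    return op_tag in WRITE_OPS and any(oid == MANAGE_DSA_IT for oid, _ in controls)

def sample_modify(with_control):
    """Constructed ModifyRequest replacing mail; not captured traffic."""
    attr = tlv(0x30, tlv(0x04, b"mail") + tlv(0x31, tlv(0x04, b"taken@example.org")))
    change = tlv(0x30, tlv(0x0A, b"\x02") + attr)            # operation = replace(2)
    op = tlv(0x66, tlv(0x04, b"uid=jdoe,dc=example,dc=org") + tlv(0x30, change))
    ctrl = tlv(0x30, tlv(0x04, MANAGE_DSA_IT.encode()) + tlv(0x01, b"\xff"))
    return tlv(0x30, tlv(0x02, b"\x01") + op + (tlv(0xA0, ctrl) if with_control else b""))
```

A positive result only shows that the client asked for the bypass; as noted in the thread, slapo-unique honours it only when the bound identity has "manage" access (or is the rootdn).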