Proxy Authz interoperability of Sun's JNDI LDAP boost pack and OpenLDAP

by Michael Ströder

Hi!

It seems my first e-mail did not come through to the list.

I'm currently testing proxy authorization with the control
implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
Sun's LDAP boost pack 1.0 for JNDI with OpenLDAP 2.3.36.

slapd seems to be configured correctly since this command-line works:

ldapsearch -x -H "ldap://localhost:1390" \
  -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w testproxy \
  -b "ou=Testing,dc=stroeder,dc=de" -s sub \
  -e \!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" \
  "(objectClass=*)"

Now I'm trying to do the same via JNDI (see source attached below). But
this results in:

Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'

If starting slapd with debugging (-d args,trace,packets) I can see in
the logs extra chars before "dn:" in line starting with
"parseProxyAuthz". I extracted the control from data sniffed with
Wireshark and even dumpasn1.c did not manage to decode it properly. So I
suspect something's wrong with the encoding. Can anybody please confirm
this?

The OpenLDAP developers say this is because JNDI implements an old
version of the control based on an early draft specification of the
control instead of RFC 4370 (Standards Track), but unfortunately with
the same OID.

How difficult would it be to implement the control myself?

Ciao, Michael.

--
Michael Ströder
michael@...
http://www.stroeder.com


------------------------------ snip ------------------------------
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;
import java.util.Hashtable;

class Test2
{
    public static void main(String args[])
    {
        String            url         = "ldap://127.0.0.1:1390";
        LdapContext       ctx         = null;
        Hashtable         env         = null;
        NamingEnumeration enumResults = null;

        try
        {
            env = new Hashtable();

            // Use LDAP service provider from Sun
            env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(DirContext.REFERRAL, "throw");
            env.put(DirContext.PROVIDER_URL, url);

            // Simple bind as the proxy user, i.e. the identity that is
            // allowed to assume another authorization identity
            env.put(DirContext.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            env.put(DirContext.SECURITY_CREDENTIALS, "testproxy");
            ctx = new InitialLdapContext(env, null);

            // use Proxy Authorization Control: the search below should be
            // executed with the authorization identity of proxieduser
            ProxiedAuthorizationControl p = new ProxiedAuthorizationControl(
                "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            ctx.setRequestControls(new Control[]{p});

            enumResults = ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectclass=*)", null);
        }
        catch (Exception e)
        {
            System.out.println("Exception: " + e.toString());
        }
        finally
        {
            // release the connection even if the search failed
            try { if (ctx != null) ctx.close(); } catch (Exception ignored) {}
        }
        System.out.println("Programmende");
    }
}
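As an added example (not code from the original post or from Sun's boost pack) of what "implementing the control myself" amounts to: the RFC 4370 control built on javax.naming.ldap.BasicControl, where the controlValue is the bare authzId octets with no further BER wrapping and the criticality is TRUE as the RFC requires. The class name is mine; host, port and credentials are assumed to mirror the test setup above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Proxied Authorization control as specified in RFC 4370 (class name is hypothetical). */
public class Rfc4370ProxiedAuthzControl extends BasicControl {
    /** controlType assigned in RFC 4370, section 3. */
    public static final String OID = "2.16.840.1.113730.3.4.18";

    /**
     * The controlValue is the authzId itself ("dn:..." or "u:...") as raw UTF-8 octets.
     * Criticality MUST be TRUE: a server that does not understand the control then
     * rejects the request instead of silently running it under the bind identity.
     */
    public Rfc4370ProxiedAuthzControl(String authzId) {
        super(OID, true, authzId.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed connection parameters, chosen to mirror the poster's test setup.
    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(DirContext.PROVIDER_URL, "ldap://127.0.0.1:1390");
        env.put(DirContext.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
        env.put(DirContext.SECURITY_CREDENTIALS, "testproxy");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // Every request sent through ctx now carries the control
            ctx.setRequestControls(new Control[] {
                new Rfc4370ProxiedAuthzControl("dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de")
            });
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results =
                ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectClass=*)", sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            ctx.close();
        }
    }
}
```

The entries printed are those proxieduser is allowed to read; if slapd still answers with error code 47, the authzTo/authzFrom rules on the server side are the next thing to check.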

===========================================================================
To unsubscribe, send email to listserv@... and include in the body
of the message "signoff JNDI-INTEREST".  For general help, send email to
listserv@... and include in the body of the message "help".