Re: [ldapext] Fwd: Call for interop proposals


by Tom Doman

Michael,

I thought I was on the JNDI interest list but I didn't see your message
about JNDI and RFC 4370.  I've been looking at using proxy authz
using JNDI, how does it fall short?  I haven't tried it yet but I'd love
to know what you've experienced.

Thanks,
Tom
 
>>> Michael Ströder <michael@...> 01/15/08 11:20 AM >>>
Jaimon Jose wrote:
> We do have test suites defined by opengroup which most of the directory
> vendors follow.  Would that be sufficient? Or should we define new test
> suites as part of this exercise?

Would be interesting to test some things which have rather draft status
like draft-zeilenga-ldap-relax-02.txt (together with a user interface)
or non-OpenLDAP syncrepl implementations (RFC 4533) if they exist.

Do the test suites of opengroup also cover proxy authorization? E.g.
JNDI falls short following RFC 4370 and there hasn't been any response to my
inquiry on the JNDI-INTEREST mailing list. Ah, well...

How about testing over Internet? Less social fun but also less traveling.

Ciao, Michael.



_______________________________________________
Ldapext mailing list
Ldapext@...
https://www1.ietf.org/mailman/listinfo/ldapext

===========================================================================
To unsubscribe, send email to listserv@... and include in the body
of the message "signoff JNDI-INTEREST".  For general help, send email to
listserv@... and include in the body of the message "help".

Re: [ldapext] Fwd: Call for interop proposals

by Jim Sermersheim

I attached Michael's original

Hi!

It seems my first e-mail did not come through to the list.

I'm currently testing proxy authorization with the control
implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
Sun's LDAP boost pack 1.0 for JNDI with OpenLDAP 2.3.36.

slapd seems to be configured correctly since this command-line works:

ldapsearch -x -H "ldap://localhost:1390" \
  -D "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" \
  -w testproxy -b "ou=Testing,dc=stroeder,dc=de" -s sub \
  -e \!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" \
  "(objectClass=*)"

Now I'm trying to do the same via JNDI (see source attached below). But
this results in:

Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'

If starting slapd with debugging (-d args,trace,packets) I can see in
the logs extra chars before "dn:" in line starting with
"parseProxyAuthz". I extracted the control from data sniffed with
Wireshark and even dumpasn1.c did not manage to decode it properly. So I
suspect something's wrong with the encoding. Can anybody please confirm
this?

The OpenLDAP developers say this is because JNDI implements an old
version of the control based on an early draft specification of the
control instead of RFC 4370 (Standards Track), but unfortunately with
the same OID.

How difficult would it be to implement the control myself?

Ciao, Michael.

--
Michael Ströder
michael@...
http://www.stroeder.com


------------------------------ snip ------------------------------
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;

class Test2
{
    public static void main(String args[])
    {
        String url = "ldap://127.0.0.1:1390";
        LdapContext ctx = null;

        try
        {
            Hashtable<String, String> env = new Hashtable<String, String>();

            // Use LDAP service provider from Sun
            env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(DirContext.REFERRAL, "throw");
            env.put(DirContext.PROVIDER_URL, url);

            // Simple bind as the proxy user, same credentials as the ldapsearch above
            env.put(DirContext.SECURITY_AUTHENTICATION, "simple");
            env.put(DirContext.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            env.put(DirContext.SECURITY_CREDENTIALS, "testproxy");
            ctx = new InitialLdapContext(env, null);

            // use Proxy Authorization Control from the LDAP boost pack
            ProxiedAuthorizationControl p = new ProxiedAuthorizationControl(
                "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            ctx.setRequestControls(new Control[]{p});

            // subtree scope, same as "-s sub" on the command line
            // (the JNDI default would be one level only)
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> enumResults =
                ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectclass=*)", sc);
            while (enumResults.hasMore())
            {
                System.out.println(enumResults.next().getNameInNamespace());
            }
        }
        catch (Exception e)
        {
            System.out.println("Exception: " + e.toString());
        }
        finally
        {
            try { if (ctx != null) ctx.close(); } catch (NamingException ignore) {}
        }
        System.out.println("Programmende");
    }
}

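Added example, not part of the thread and not code from the JNDI boost pack or from OpenLDAP. Michael asks above how difficult it would be to implement the control himself, and his later message says the fix is needed wherever the RFC 4370 OID is used. Under JNDI the RFC 4370 form is a small BasicControl subclass: the OID, criticality TRUE, and the authzId octets as the control value with no BER wrapper. The class name Rfc4370ProxiedAuthzControl, the searchAsProxiedUser helper and the two diagnostic helpers are mine. The assumption that the old encoding wraps the authzId in a BER OCTET STRING is only inferred from the "extra chars before dn:" in the slapd trace; the thread does not confirm it, so wrapInOctetString is a constructed contrast, not a reproduction of the boost pack's bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

/**
 * Proxied Authorization Control as RFC 4370 specifies it (added example):
 *   controlType  = 2.16.840.1.113730.3.4.18
 *   criticality  = TRUE (mandatory per the RFC)
 *   controlValue = the authzId octets themselves ("dn:..." or "u:..."),
 *                  or an empty value to request anonymous authorization.
 * The authzId is NOT wrapped in any BER type.
 */
public final class Rfc4370ProxiedAuthzControl extends BasicControl {
    public static final String OID = "2.16.840.1.113730.3.4.18";

    public Rfc4370ProxiedAuthzControl(String authzId) {
        super(OID, true, encodeValue(authzId));
    }

    /** RFC 4370 value encoding: raw UTF-8 authzId, empty for anonymous. */
    static byte[] encodeValue(String authzId) {
        if (authzId == null || authzId.isEmpty()) {
            return new byte[0];
        }
        // RFC 4513 defines the "dn:" and "u:" forms; other forms are
        // mechanism-specific, so only warn here rather than reject.
        if (!authzId.startsWith("dn:") && !authzId.startsWith("u:")) {
            System.err.println("warning: authzId is neither dn: nor u: form: " + authzId);
        }
        return authzId.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Diagnostic for a control value cut out of a packet capture: true if it
     * starts with a BER OCTET STRING header (tag 0x04) whose length covers
     * exactly the rest of the value, i.e. the authzId was wrapped, not raw.
     */
    static boolean looksBerWrapped(byte[] value) {
        if (value.length < 2 || value[0] != 0x04) {
            return false;
        }
        int len = value[1] & 0xff;
        int header = 2;
        if ((len & 0x80) != 0) {                       // long-form length
            int n = len & 0x7f;
            if (n == 0 || n > 4 || value.length < 2 + n) {
                return false;
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (value[2 + i] & 0xff);
            }
            header = 2 + n;
        }
        return value.length == header + len;
    }

    /** Constructed for contrast only (assumed old-draft shape): authzId inside a BER OCTET STRING. */
    static byte[] wrapInOctetString(byte[] content) {
        byte[] lengthOctets;
        if (content.length < 0x80) {
            lengthOctets = new byte[] { (byte) content.length };
        } else if (content.length < 0x100) {
            lengthOctets = new byte[] { (byte) 0x81, (byte) content.length };
        } else {                                        // enough for any DN
            lengthOctets = new byte[] { (byte) 0x82, (byte) (content.length >> 8), (byte) content.length };
        }
        byte[] out = new byte[1 + lengthOctets.length + content.length];
        out[0] = 0x04;
        System.arraycopy(lengthOctets, 0, out, 1, lengthOctets.length);
        System.arraycopy(content, 0, out, 1 + lengthOctets.length, content.length);
        return out;
    }

    /** Subtree search as the proxied identity on a context already bound as the proxy user. */
    static void searchAsProxiedUser(LdapContext ctx, String authzId, String base, String filter)
            throws NamingException {
        ctx.setRequestControls(new Control[] { new Rfc4370ProxiedAuthzControl(authzId) });
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            ctx.setRequestControls(null);   // do not let the control leak into later operations
        }
    }

    public static void main(String[] args) {
        String authzId = "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de";
        byte[] rfcValue = new Rfc4370ProxiedAuthzControl(authzId).getEncodedValue();
        byte[] wrapped = wrapInOctetString(rfcValue);
        System.out.println("RFC 4370 value starts with: "
                + new String(Arrays.copyOf(rfcValue, 3), StandardCharsets.US_ASCII)
                + ", BER-wrapped? " + looksBerWrapped(rfcValue));
        System.out.printf("wrapped value starts with: 0x%02x 0x%02x, BER-wrapped? %b%n",
                wrapped[0], wrapped[1], looksBerWrapped(wrapped));
    }
}
```

To use it in place of the boost pack control in Test2, bind the context exactly as there and call searchAsProxiedUser(ctx, "dn:uid=proxieduser,...", "ou=Testing,dc=stroeder,dc=de", "(objectclass=*)"). Since slapd 2.3.36 accepts the same authzId from ldapsearch, a control carrying it raw should be accepted as well. The caveat from the thread stands: both encodings share one OID, so a server cannot tell them apart from the control type, and a client switched to the RFC form will stop interoperating with any server that still expects the draft form.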

Re: [ldapext] Fwd: Call for interop proposals

by Michael Ströder

Tom Doman wrote:
>
> I thought I was on the JNDI interest list but I didn't see your message
> about JNDI and RFC 4370.

My message to JNDI-INTEREST is archived - no response there. :-(
http://article.gmane.org/gmane.comp.java.sun.jndi/268

My first attempt to clarify things with OpenLDAP developers:
http://www.openldap.org/lists/openldap-software/200706/msg00213.html

Kurt's short answer:
http://www.openldap.org/lists/openldap-software/200706/msg00220.html

Pierangelo's verbose answer:
http://www.openldap.org/lists/openldap-software/200706/msg00221.html

So if using the control OID from RFC 4370 it must get fixed (probably
leading to interop problems with other wrong implementations).

Ciao, Michael.
