
Use of ProxyAuth Control (-proxyAs) should not hide password policy errors for the authzID

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.8.0, 2.6.3, 2.6.2, 2.6.1
    • Fix Version/s: 4.0.0, 3.5.0
    • Component/s: core server
    • Labels: None
    • Sprint: DJ Sustaining Sprint 16, DJ Sustaining Sprint 18, DJ Sustaining Sprint 19

      Description

      Use of ProxyAuth Control (-proxyAs) should not hide password policy errors for the authzID.

      Customer Use Case:

      The customer in this case received the error "Result Code: 123 (Authorization Denied)" when the authzID entry (uid=appserver) actually had an expired password.

      gds@myserver$ /opt/gds/opendj/bin/ldapsearch -Y 'dn:uid=appserver,ou=people,dc=example,dc=com' -D 'uid=user.1,ou=people,dc=example,dc=com' -w password -b dc=example,dc=com uid=user.1 uid
      SEARCH operation failed
      Result Code: 123 (Authorization Denied)
      Additional Information: Use of the proxied authorization V2 control for user uid=appserver,ou=people,dc=example,dc=com is not allowed by the password policy configuration

      There should be no reason to conceal this information from the proxying user.
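      As an added illustration (not OpenDJ's own code), the function below models the per-entry password-policy checks that sit behind the opaque "not allowed by the password policy configuration" message and names the specific failing condition instead. The operational attributes (pwdChangedTime, pwdAccountLockedTime, pwdReset, ds-pwp-account-disabled) and policy attributes (pwdMaxAge, pwdLockoutDuration) are the standard ones OpenDJ maintains; the check order, the sample entries and the fixed clock are assumptions made for the example.

```python
"""Diagnose why an authzID is rejected for proxied authorization.

This is an added model of the password-policy state checks, not OpenDJ's
implementation. The sample entries and the fixed "now" are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC, e.g. 20150101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def diagnose_authz_password_state(entry: dict, policy: dict, now: datetime) -> Optional[str]:
    """Return the specific reason the authzID cannot be used, or None if it can.

    entry:  operational attributes of the authzID entry (string values as in LDAP).
    policy: the applicable password policy; ages/durations are seconds, 0 = disabled.
    The order of checks is an assumption: disabled, locked, must-change, expired.
    """
    if entry.get("ds-pwp-account-disabled", "false").lower() == "true":
        return "account is administratively disabled"
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at:
        duration = int(policy.get("pwdLockoutDuration", 0))
        # duration 0 means the lockout never expires on its own
        if duration == 0 or parse_generalized_time(locked_at) + timedelta(seconds=duration) > now:
            return "account is locked after too many failed binds"
    if entry.get("pwdReset", "false").lower() == "true":
        return "password was reset by an administrator and must be changed"
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    if max_age and changed:
        expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
        if expires_at <= now:
            return f"password expired at {expires_at.isoformat()}"
    return None


# Constructed sample data: a 90-day max age, evaluated on 2015-06-01.
POLICY = {"pwdMaxAge": 90 * 24 * 3600, "pwdLockoutDuration": 300}
NOW = datetime(2015, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
APPSERVER = {"pwdChangedTime": "20150101120000Z"}            # expired authzID
HEALTHY = {"pwdChangedTime": "20150520120000Z"}              # within max age
UNLOCKED = {"pwdChangedTime": "20150520120000Z",
            "pwdAccountLockedTime": "20150101000000Z"}        # lockout long elapsed

if __name__ == "__main__":
    for name, e in (("appserver", APPSERVER), ("healthy", HEALTHY), ("unlocked", UNLOCKED)):
        print(name, "->", diagnose_authz_password_state(e, POLICY, NOW))
```

      Returning the reason to the proxying user, as the ticket requests, lets an operator distinguish an expired password from a lockout or a disabled account without inspecting the authzID entry by hand.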

        People

        • Assignee: cjr Chris Ridd
        • Reporter: lee.trujillo Lee Trujillo
        • Votes: 0
        • Watchers: 3