OpenDJ / OPENDJ-3877

Proxy authentication configuration not working in rest2ldap servlet

Details

• Type: Bug
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 3.0.0
• Fix Version/s: None
• Component/s: rest
• Environment: Rest2ldap servlet 3.0, OpenDJ 3.0

Description

Steps to reproduce:

1. Configure rest2ldap servlet for proxy authentication (full config attached):

"authorizationPolicy" : "proxy",
"reuseAuthenticatedConnection" : false,

2. Perform a search, i.e.
curl http://user.0:password@opendj1.example.com:8080/rest/users/user.1

3. Result:

{"code":403,"reason":"Forbidden","message":"The request could not be authorized because the required security principal 'dn' could not be determined"}

OpenDJ access log:

[16/Mar/2017:13:57:20 +0000] CONNECT conn=30 from=127.0.0.1:35793 to=127.0.0.1:1389 protocol=LDAP
[16/Mar/2017:13:57:20 +0000] BIND REQ conn=30 op=0 msgID=1 version=3 type=SIMPLE dn="cn=directory manager"
[16/Mar/2017:13:57:20 +0000] BIND RES conn=30 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[16/Mar/2017:13:57:20 +0000] SEARCH REQ conn=30 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=user.0)(objectClass=inetOrgPerson))" attrs="1.1"
[16/Mar/2017:13:57:20 +0000] SEARCH RES conn=30 op=1 msgID=2 result=0 nentries=1 etime=1
[16/Mar/2017:13:57:20 +0000] CONNECT conn=31 from=127.0.0.1:35794 to=127.0.0.1:1389 protocol=LDAP
[16/Mar/2017:13:57:20 +0000] SEARCH REQ conn=31 op=0 msgID=1 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[16/Mar/2017:13:57:20 +0000] SEARCH RES conn=31 op=0 msgID=1 result=0 nentries=1 etime=1
[16/Mar/2017:13:57:20 +0000] BIND REQ conn=31 op=1 msgID=2 version=3 type=SIMPLE dn="uid=user.0,ou=People,dc=example,dc=com"
[16/Mar/2017:13:57:20 +0000] BIND RES conn=31 op=1 msgID=2 result=0 authDN="uid=user.0,ou=People,dc=example,dc=com" etime=0

Observations:
Same search works with other configurations, see results.txt attachment.
Same configuration used to work in 2.6.x servlet.
Proxy authentication has been removed from 3.5.x servlet.
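Added here as an illustration (not code from the ticket or from OpenDJ): a Python script that parses the access-log excerpt above and records, per connection, which bound identity each request ran under, which is the quickest way to confirm from the directory side that the end user's identity never performed any operation. It assumes only the key=value line format visible in the lines above; the log text is the ticket's excerpt embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the OpenDJ access-log excerpt from this ticket, embedded inline.
ACCESS_LOG = """\
[16/Mar/2017:13:57:20 +0000] CONNECT conn=30 from=127.0.0.1:35793 to=127.0.0.1:1389 protocol=LDAP
[16/Mar/2017:13:57:20 +0000] BIND REQ conn=30 op=0 msgID=1 version=3 type=SIMPLE dn="cn=directory manager"
[16/Mar/2017:13:57:20 +0000] BIND RES conn=30 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[16/Mar/2017:13:57:20 +0000] SEARCH REQ conn=30 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=user.0)(objectClass=inetOrgPerson))" attrs="1.1"
[16/Mar/2017:13:57:20 +0000] SEARCH RES conn=30 op=1 msgID=2 result=0 nentries=1 etime=1
[16/Mar/2017:13:57:20 +0000] CONNECT conn=31 from=127.0.0.1:35794 to=127.0.0.1:1389 protocol=LDAP
[16/Mar/2017:13:57:20 +0000] SEARCH REQ conn=31 op=0 msgID=1 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[16/Mar/2017:13:57:20 +0000] SEARCH RES conn=31 op=0 msgID=1 result=0 nentries=1 etime=1
[16/Mar/2017:13:57:20 +0000] BIND REQ conn=31 op=1 msgID=2 version=3 type=SIMPLE dn="uid=user.0,ou=People,dc=example,dc=com"
[16/Mar/2017:13:57:20 +0000] BIND RES conn=31 op=1 msgID=2 result=0 authDN="uid=user.0,ou=People,dc=example,dc=com" etime=0
"""
# Format assumed from the lines above: "[timestamp] KIND key=value ...", values bare or double-quoted.
HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+(?: (?:REQ|RES))?) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one access-log line into a dict of its fields; None if the line does not match."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = bare or quoted
    return rec

def summarize_connections(log_text):
    """Per connection: the identity it ended up bound as, and each request with the identity it ran under."""
    conns = defaultdict(lambda: {"authDN": "anonymous", "ops": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "conn" not in rec:
            continue
        c = conns[rec["conn"]]
        if rec["kind"] == "BIND RES":
            # only a successful bind (result=0) changes who later requests on this connection run as
            c["authDN"] = rec.get("authDN", "anonymous") if rec.get("result") == "0" else "anonymous"
        elif rec["kind"].endswith(" REQ") and rec["kind"] != "BIND REQ":
            c["ops"].append((rec["kind"], rec.get("base", ""), c["authDN"]))
    return dict(conns)

def ops_as(summary, dn):
    """Every request in the log that ran under identity dn; an empty list means that identity did no work."""
    return [(conn, kind, base) for conn, c in summary.items()
            for kind, base, who in c["ops"] if who == dn]
```

Run against the excerpt, the user's connection (conn=31) ends up bound as user.0 but carries no request under that identity, while the only entry search was done as Directory Manager.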

People

• Assignee: Unassigned
• Reporter: John Noble (john.noble)
• Votes: 0
• Watchers: 2