OpenDJ / OPENDJ-5603

JDK11: search on proxy fails with Insufficient Access Rights when connection-minimum-ssf is set

    Details

      Description

      Found using OpenDJ 6.5.0-SNAPSHOT (rev ae2bb50644f).

      Scenario
      1. install a proxy server (connected to one directory server)
      2. create a global access control policy in the proxy

      $ /tmp/PROXY1/opendj/bin/dsconfig -h dj-linux.internal.forgerock.com -p 4462 -D "cn=myself" -w password -X create-global-access-control-policy --policy-name "MyAccessPolicy" -n
      

      3. set the connection-minimum-ssf to 128

      $ /tmp/PROXY1/opendj/bin/dsconfig -h dj-linux.internal.forgerock.com -p 4462 -D "cn=myself" -w password -X set-global-access-control-policy-prop --policy-name "MyAccessPolicy" --add allowed-attribute:* --set connection-minimum-ssf:128 --set permission:read -n
      

      4. do a search on the proxy on the LDAPS port

      $ /tmp/PROXY1/opendj/bin/ldapsearch -h dj-linux.internal.forgerock.com -p 1653 -D "uid=user.0,ou=people,dc=example,dc=com" -w password -b "dc=example,dc=com" --useSSL --trustAll "(uid=user.0)"
      ERROR:
      -- rc --
      returned 50, expected [0]
      -- stdout --
      # The LDAP search request failed: 50 (Insufficient Access Rights)
      
      -- stderr --
      

      ==> search fails with "Insufficient Access Rights" but we expect the command to succeed

      How to reproduce the issue:

      $ ./run-pybot.py -s proxy_group.aci -t Connection_Minimum_Ssf DJ
      


              People

              • Assignee: Cyril Quinton (cyril.quinton)
              • Reporter: Christophe Sovant (csovant)
              • QA Assignee: Ondrej Fuchsik
