  1. OpenDJ
  2. OPENDJ-6839

Support authenticated REST access on a proxy server

    Details

    • Type: Improvement
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0, 7.0.0
    • Fix Version/s: None
    • Component/s: proxy, rest
    • Labels:
      None

      Description

      A proxy server can be used for REST access; however, HTTP Basic authorization does not work because the identity mappers will only search for users on local backends. A proxy server will not usually have the users on a local backend.

      If you switch the connection handler to use HTTP Anonymous, REST access works correctly. However, this may not be a useful configuration for customers.

      Attempting to configure an exact match identity mapper on a proxy server results in dsconfig failing:

      The Exact Match Identity Mapper could not be modified because of the following
      reason:
      
          *  Unwilling to Perform: Entry cn=Exact Match,cn=Identity Mappers,cn=config
             cannot be modified because one of the configuration change listeners
             registered for that entry rejected the change: An error occurred while
             trying to initialize an instance of class
             org.opends.server.extensions.ExactMatchIdentityMapper as an identity
             mapper as defined in configuration entry cn=Exact Match,cn=Identity
             Mappers,cn=config: InitializationException: The configuration for the
             identity mapper defined in configuration entry cn=Exact
             Match,cn=Identity Mappers,cn=config was not acceptable: The baseDN
             'dc=example,dc=com' specified as match base DN in the exact match
             identity mapper defined in configuration entry 'cn=Exact
             Match,cn=Identity Mappers,cn=config', does not belong to a local backend
             (IdentityMapperConfigManager.java:274
             IdentityMapperConfigManager.java:184 IdentityMapperConfigManager.java:49
             ServerManagedObjectChangeListenerAdaptor.java:66
             ConfigChangeListenerAdaptor.java:319
             ConfigChangeListenerAdaptor.java:280 ConfigurationHandler.java:585
             ConfigurationBackend.java:347 ModifyOperation.java:553
             ModifyOperation.java:379 ModifyOperation.java:297
             SynchronousStrategy.java:37 LdapClientConnection.java:441
             LdapClientConnection.java:114 LdapClientConnection.java:725
             LdapClientConnection.java:692 LdapClientConnection.java:548
             ModifyRequestImpl.java:54 LdapClientConnection.java:548
             LdapClientConnection.java:528 LdapClientConnection.java:491 ...)
      

      So it looks like we may need to enhance the identity mappers to work correctly on a proxy.

              People

              • Assignee:
                Unassigned
                Reporter:
                cjr Chris Ridd