OpenDJ / OPENDJ-7291

Provide a debugging tool for connecting a proxy to backend servers

    Details

    • Type: New Feature
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: ease of use, proxy
    • Labels: None

      Description

      Not really sure what to ask for. Here's what it was this time.

      When I end up with something like this:

      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 40560
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1636
        },
        "request": {
          "protocol": "LDAPS",
          "operation": "BIND",
          "connId": 0,
          "msgId": 1,
          "version": "3",
          "dn": "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens",
          "authType": "SIMPLE"
        },
        "transactionId": "39a69afe-1405-4d2a-9243-7c2bd4248e2d-2",
        "response": {
          "status": "FAILED",
          "statusCode": "49",
          "elapsedTime": 11,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": "Unable to bind to the Directory Server because no such user exists in the server"
        },
        "userId": "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens",
        "timestamp": "2020-06-17T10:06:28.053Z",
        "_id": "39a69afe-1405-4d2a-9243-7c2bd4248e2d-4"
      }

      The "failureReason" never seems to be any help at all.

      It's especially disappointing when you find that you can proxy with the proxy server's account on backend DSs, no problem:

      $ /path/to/proxy/bin/ldapsearch \
      >  --hostname localhost \
      >  --port 5636 \
      >  --useSSL \
      >  --saslOption mech="EXTERNAL" \
      >  --certNickName ssl-key-pair \
      >  --keyStorePath /path/to/proxy/config/keystore \
      >  --keyStorePasswordFile /path/to/proxy/config/keystore.pin \
      >  --trustStorePath /path/to/proxy/config/keystore \
      >  --trustStorePasswordFile /path/to/proxy/config/keystore.pin \
      >  --baseDn ou=tokens \
      >  --searchScope base \
      >  --proxyAs "dn:uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens" \
      >  "(&)"
      dn: ou=tokens
      objectClass: top
      objectClass: untypedObject
      ou: tokens

      It's hard enough getting that far.

      What next? Try to find the proxy's failed request in the (non-human-readable) logs.

      $ grep -Ri fail ds-rs-*/logs/*
      $ 

      The trouble is, the only indication of the problem is the error on the proxy, and the log message is not helpful. My next guess is access control, but one can spend hours in blind alleys... and that's just to get a demo set up.
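An added example, not part of this issue or of the OpenDJ code base: a Python script that reads JSON access-log lines, lists the operations whose response status is FAILED (instead of grepping for the word "fail"), and groups the proxy entry with the backend entries that share its transaction ID, so the backend-side round trip behind a proxy failure can be read off directly. It assumes the logger writes one JSON object per line, that "transactionId" has the form "<uuid>-<n>" with the "<uuid>" part forwarded by the proxy to the backends it contacts, and that a backend SEARCH response carries "nentries". The sample log lines are constructed: the first is the proxy entry quoted in the description, the other two are made up.

```python
"""Locate FAILED operations in OpenDJ/DS JSON access logs and line up the
proxy entry with the backend entries of the same transaction.

Added example for OPENDJ-7291; not OpenDJ code. Assumptions:
 - one JSON object per access-log line;
 - "transactionId" is "<uuid>-<n>" and the proxy forwards the same <uuid>
   part to backends, so stripping "-<n>" gives a shared correlation key;
 - a backend SEARCH response carries "nentries".
"""
import json
from collections import defaultdict

# Constructed sample. Line 1 is the proxy entry from the issue; lines 2 and 3
# are made up: a backend-side search for the bind DN that found no entry, and
# an unrelated successful bind with a different transaction id.
SAMPLE_LOG = """
{"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":40560},"server":{"ip":"127.0.0.1","port":1636},"request":{"protocol":"LDAPS","operation":"BIND","connId":0,"msgId":1,"version":"3","dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","authType":"SIMPLE"},"transactionId":"39a69afe-1405-4d2a-9243-7c2bd4248e2d-2","response":{"status":"FAILED","statusCode":"49","elapsedTime":11,"elapsedTimeUnits":"MILLISECONDS","failureReason":"Unable to bind to the Directory Server because no such user exists in the server"},"userId":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","timestamp":"2020-06-17T10:06:28.053Z","_id":"39a69afe-1405-4d2a-9243-7c2bd4248e2d-4"}
{"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":51234},"server":{"ip":"127.0.0.1","port":5636},"request":{"protocol":"LDAPS","operation":"SEARCH","connId":3,"msgId":7,"dn":"uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens","scope":"base","filter":"(&)","attrs":["1.1"]},"transactionId":"39a69afe-1405-4d2a-9243-7c2bd4248e2d-1","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-06-17T10:06:28.050Z","_id":"39a69afe-1405-4d2a-9243-7c2bd4248e2d-3"}
{"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":51300},"server":{"ip":"127.0.0.1","port":5636},"request":{"protocol":"LDAPS","operation":"BIND","connId":4,"msgId":1,"version":"3","dn":"uid=admin","authType":"SIMPLE"},"transactionId":"0a1b2c3d-0000-4000-8000-000000000000-1","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":3,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2020-06-17T10:06:27.900Z","_id":"0a1b2c3d-0000-4000-8000-000000000000-2"}
"""

PROXY_PORT = 1636  # the "server" port in the failing proxy entry above


def parse_access_log(text):
    """Return one dict per JSON line; lines that are not JSON are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a plain-text logger line mixed into the file
    return entries


def txn_base(entry):
    """Assumed correlation key: transactionId without its trailing "-<n>"."""
    tid = entry.get("transactionId")
    return tid.rsplit("-", 1)[0] if tid else None


def summarize(entry):
    """Flatten the fields a person actually wants when chasing a failure."""
    req, resp = entry.get("request", {}), entry.get("response", {})
    return {
        "timestamp": entry.get("timestamp", ""),
        "port": entry.get("server", {}).get("port"),
        "operation": req.get("operation"),
        "dn": req.get("dn"),
        "status": resp.get("status"),
        "statusCode": resp.get("statusCode"),
        "nentries": resp.get("nentries"),
        "failureReason": resp.get("failureReason"),
        "txn": txn_base(entry),
    }


def failed_operations(entries):
    """Structured replacement for `grep -i fail`: entries whose response
    status is FAILED, however the failureReason happens to be worded."""
    return [summarize(e) for e in entries
            if e.get("response", {}).get("status") == "FAILED"]


def group_by_transaction(entries):
    """Map correlation key -> all entries (proxy and backend) that carry it."""
    groups = defaultdict(list)
    for e in entries:
        key = txn_base(e)
        if key:
            groups[key].append(e)
    return dict(groups)


def transaction_chain(groups, txn):
    """Entries sharing a key, earliest first: backend round trips come before
    the proxy's final answer to the client."""
    return sorted((summarize(e) for e in groups.get(txn, [])),
                  key=lambda s: s["timestamp"])


def first_anomaly(chain, proxy_port=PROXY_PORT):
    """First non-proxy entry that failed, or searched and found nothing: the
    backend-side event that the proxy's generic failureReason hides."""
    for s in chain:
        if s["port"] == proxy_port:
            continue
        if s["status"] == "FAILED" or (s["operation"] == "SEARCH" and s["nentries"] == 0):
            return s
    return None


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    groups = group_by_transaction(entries)
    for f in failed_operations(entries):
        print(f"{f['timestamp']} port={f['port']} {f['operation']} {f['dn']} "
              f"result={f['statusCode']}: {f['failureReason']}")
        cause = first_anomaly(transaction_chain(groups, f["txn"]))
        if cause:
            print(f"  <- backend port={cause['port']} {cause['operation']} "
                  f"status={cause['status']} nentries={cause['nentries']}")
```

Run it against the concatenated access logs of the proxy and every backend (`cat proxy/logs/ldap-access.audit.json ds-rs-*/logs/ldap-access.audit.json`, path names assumed) so that both sides of each transaction end up in one input; on the constructed sample it pairs the proxy's result 49 with the backend search on port 5636 that returned zero entries.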

              People

              • Assignee: Unassigned
              • Reporter: Mark Craig