
Provide a debugging tool for connecting a proxy to backend servers

Details

    • New Feature
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 7.0.0
    • None
    • ease of use, proxy
    • None

    Description

      Not really sure what to ask for. Here's what it was this time.

      When I end up with something like this:

      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 40560
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1636
        },
        "request": {
          "protocol": "LDAPS",
          "operation": "BIND",
          "connId": 0,
          "msgId": 1,
          "version": "3",
          "dn": "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens",
          "authType": "SIMPLE"
        },
        "transactionId": "39a69afe-1405-4d2a-9243-7c2bd4248e2d-2",
        "response": {
          "status": "FAILED",
          "statusCode": "49",
          "elapsedTime": 11,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": "Unable to bind to the Directory Server because no such user exists in the server"
        },
        "userId": "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens",
        "timestamp": "2020-06-17T10:06:28.053Z",
        "_id": "39a69afe-1405-4d2a-9243-7c2bd4248e2d-4"
      }

      The "failureReason" never seems to be any help at all.

      It's especially disappointing when you find that you can proxy with the proxy server's account on backend DSs, no problem:

      $ /path/to/proxy/bin/ldapsearch \
      >  --hostname localhost \
      >  --port 5636 \
      >  --useSSL \
      >  --saslOption mech="EXTERNAL" \
      >  --certNickName ssl-key-pair \
      >  --keyStorePath /path/to/proxy/config/keystore \
      >  --keyStorePasswordFile /path/to/proxy/config/keystore.pin \
      >  --trustStorePath /path/to/proxy/config/keystore \
      >  --trustStorePasswordFile /path/to/proxy/config/keystore.pin \
      >  --baseDn ou=tokens \
      >  --searchScope base \
      >  --proxyAs "dn:uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens" \
      >  "(&)"
      dn: ou=tokens
      objectClass: top
      objectClass: untypedObject
      ou: tokens 

      It's hard enough getting that far.

      What next? Try to find the proxy's failed request in the (non-human-readable) logs.

      $ grep -Ri fail ds-rs-*/logs/*
      $ 

      The trouble is, the only indication of the problem is the error on the proxy, and the log message is not helpful. My next guess is access control, but one can spend hours in blind alleys... and that's just to get a demo set up.
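One way to take the guesswork out of the `grep` above is to read the access logs as what they are, JSON records, and correlate the proxy's failed request with the backend logs by transaction id. The following script is an added example, not part of this issue or of OpenDJ; it assumes one DJ-LDAP JSON object per log line (the shape quoted in the description) and that the proxy forwards the same transaction id root to the backends, so that the UUID part of `transactionId` is shared and only the trailing `-N` operation counter differs. The log lines in it are constructed samples, with the failed BIND modelled on the entry in the description.

```python
"""Correlate failed DJ-LDAP requests on a proxy with the backend access logs.

Added example, not OpenDJ code.  Assumes one JSON object per log line and
that the backend entries for a forwarded request share the UUID root of the
proxy's transactionId (the "-N" suffix is a per-operation counter).
"""
import json
from collections import defaultdict

# A few LDAP result codes worth naming when reading a "statusCode" field.
RESULT_CODE_NAMES = {
    "0": "success",
    "32": "noSuchObject",
    "49": "invalidCredentials",
    "50": "insufficientAccessRights",
}

# Constructed proxy log: the failed proxied BIND from the issue plus one
# unrelated successful search.  Field names follow the DJ-LDAP format.
PROXY_LOG = """
{"eventName": "DJ-LDAP", "server": {"ip": "127.0.0.1", "port": 1636}, "request": {"protocol": "LDAPS", "operation": "BIND", "connId": 0, "msgId": 1, "dn": "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens", "authType": "SIMPLE"}, "transactionId": "39a69afe-1405-4d2a-9243-7c2bd4248e2d-2", "response": {"status": "FAILED", "statusCode": "49", "failureReason": "Unable to bind to the Directory Server because no such user exists in the server"}, "timestamp": "2020-06-17T10:06:28.053Z"}
{"eventName": "DJ-LDAP", "request": {"protocol": "LDAPS", "operation": "SEARCH", "connId": 1, "msgId": 2, "dn": "ou=tokens", "scope": "base"}, "transactionId": "0c1e3f4a-0000-4000-8000-000000000001-1", "response": {"status": "SUCCESSFUL", "statusCode": "0"}, "timestamp": "2020-06-17T10:07:01.000Z"}
"""

# Constructed backend log: the proxy's own EXTERNAL bind and the forwarded
# search succeed; no entry shares the failed bind's transaction id root.
# A non-JSON line is included to show that the parser tolerates it.
BACKEND_LOG = """
{"eventName": "DJ-LDAP", "request": {"protocol": "LDAPS", "operation": "BIND", "connId": 7, "msgId": 1, "authType": "SASL"}, "transactionId": "c0ffee00-0000-4000-8000-000000000002-1", "response": {"status": "SUCCESSFUL", "statusCode": "0"}}
{"eventName": "DJ-LDAP", "request": {"protocol": "LDAPS", "operation": "SEARCH", "connId": 7, "msgId": 2, "dn": "ou=tokens", "scope": "base"}, "transactionId": "0c1e3f4a-0000-4000-8000-000000000001-1", "response": {"status": "SUCCESSFUL", "statusCode": "0"}}
this line is not JSON and is skipped
"""


def parse_log(text):
    """Return the DJ-LDAP events in a log, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventName") == "DJ-LDAP" and "transactionId" in event:
            events.append(event)
    return events


def transaction_root(transaction_id):
    """Strip the trailing per-operation counter, leaving the shared UUID."""
    return transaction_id.rsplit("-", 1)[0]


def failed_requests(events):
    """Select the events whose response status is FAILED."""
    return [e for e in events if e.get("response", {}).get("status") == "FAILED"]


def correlate(proxy_events, backend_events):
    """For each failed proxy request, count the backend entries sharing its id."""
    backend_by_root = defaultdict(list)
    for event in backend_events:
        backend_by_root[transaction_root(event["transactionId"])].append(event)

    findings = []
    for event in failed_requests(proxy_events):
        matches = backend_by_root.get(transaction_root(event["transactionId"]), [])
        code = str(event["response"].get("statusCode"))
        findings.append({
            "transactionId": event["transactionId"],
            "operation": event.get("request", {}).get("operation"),
            "dn": event.get("request", {}).get("dn"),
            "statusCode": code,
            "resultName": RESULT_CODE_NAMES.get(code, "unknown"),
            "backendEvents": len(matches),
            "backendFailures": sum(
                1 for m in matches if m.get("response", {}).get("status") == "FAILED"
            ),
        })
    return findings


def describe(finding):
    """Turn a finding into a one-line hint about where to look next."""
    if finding["backendEvents"] == 0:
        where = ("no backend entry shares this transaction id, so the request "
                 "does not appear to have reached a backend; start from the proxy")
    elif finding["backendFailures"] == 0:
        where = "the backends recorded only successes; the proxy rejected the outcome itself"
    else:
        where = "a backend recorded a failure too; its entry carries the real result"
    return (f"{finding['operation']} {finding['dn']!r} -> {finding['statusCode']} "
            f"({finding['resultName']}); {where}")


if __name__ == "__main__":
    for finding in correlate(parse_log(PROXY_LOG), parse_log(BACKEND_LOG)):
        print(describe(finding))
```

Run against the constructed samples, the script reports the one failed BIND as result 49 (invalidCredentials) with zero matching backend entries, which is the situation in the description: nothing to find in the backend logs because the backends never saw the bind. With real logs, point `parse_log` at the contents of the proxy's and each backend's `logs/ldap-access.audit.json` and the same correlation tells you which side to read first.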

People

  Assignee: Unassigned
  Reporter: Mark Craig