[OPENDJ-5894] Proxy in production mode: pre-read/post-read actions do not print out the expected output Created: 03/Jan/19  Updated: 08/Nov/19  Resolved: 04/Jan/19

Status: Done
Project: OpenDJ
Component/s: proxy
Affects Version/s: 6.5.0, 6.0.0, 7.0.0
Fix Version/s: 6.5.0

Type: Bug Priority: Major
Reporter: carole forel Assignee: Joseph de-Menditte
Resolution: Not a defect Votes: 0
Labels: None

Epic Link: Bugs 7.0
Story Points: 0.5
QA Assignee: carole forel

Description

Found with 6.5.0

In our tests for proxy/dj in production mode, we check that we can use pre-read action when a user is authenticated.

With a simple DJ in production mode:

./DJ_PROD1/opendj/bin/ldapmodify -h ig-linux.internal.forgerock.com -p 1411 -D "cn=myself" -w password --preReadAttributes description --useStartTLS -X
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: binary form of 73 is 1001001 which is the age of user.0

# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
# Target entry before the operation:
dn: uid=user.0,ou=People,dc=example,dc=com
description: This is the description for Aaccf Amar.

With a Proxy in production mode in front of a DJ in production mode:

/PROXY1/opendj/bin/ldapmodify -h nameserver.example.com -p 1391 -D "uid=data admin,dc=example,dc=com" -w '$up3r$tr0ng' --preReadAttributes description --useStartTLS -X
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: binary form of 73 is 1001001 which is the age of user.0

# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
# 

Is there something missing in ACIs?

See test:

./run-pybot.py -n -v -s proxy_group.ProductionMode -t Authenticated_User_Can_Request_Pre_Read opendj


Comments
Comment by Joseph de-Menditte [ 03/Jan/19 ]

There are 2 ACIs set on dc=example,dc=com that allow cn=data admin to add/delete/modify, but don't allow any read:

(targetattr="*")(version 3.0; acl "allow add and write to all"; allow (add,write) userdn="ldap:///uid=data admin,dc=example,dc=com";)
(targetattr="*")(version 3.0; acl "allow add and write to data admin user"; allow (add,write,delete) userdn="ldap:///uid=data admin,dc=example,dc=com";)

Btw, looks like the first ACI above is a mistake. With the following ACI

(targetattr="*")(version 3.0; acl "allow all to data admin user"; allow (all) userdn="ldap:///uid=data admin,dc=example,dc=com";)

the pre-read works as expected:

ldapmodify -h localhost -p 1390 -D "cn=proxy,dc=example,dc=com" -w '$up3r$tr0ng' -Y "dn:uid=data admin,dc=example,dc=com" --preReadAttributes description --useStartTLS -X
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: binary5

# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
# Target entry before the operation:
dn: uid=user.0,ou=People,dc=example,dc=com
description: binary4
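The point of the comment above is that the pre-read control only returns attributes the bound identity is allowed to read, and add/write/delete rights do not imply read. The following added example (not code from the OpenDJ project or from the issue) parses the three ACIs quoted in this issue with a deliberately minimal evaluator and shows why `description` is omitted under the first two but returned under the "allow (all)" one. It only handles the single-userdn allow-rule shape seen here; the meaning of `all` (every right except proxy) is an assumption stated in the code.

```python
import re

# Constructed from the ACIs quoted in this issue: two grant add/write(/delete)
# but no read, the third grants all rights to the data admin.
ACI_NO_READ = [
    '(targetattr="*")(version 3.0; acl "allow add and write to all"; allow (add,write) userdn="ldap:///uid=data admin,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "allow add and write to data admin user"; allow (add,write,delete) userdn="ldap:///uid=data admin,dc=example,dc=com";)',
]
ACI_ALL = [
    '(targetattr="*")(version 3.0; acl "allow all to data admin user"; allow (all) userdn="ldap:///uid=data admin,dc=example,dc=com";)',
]

# Minimal grammar: one targetattr, one allow/deny bind rule keyed on userdn.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<dn>[^"]*)";\)'
)
# Assumption: "all" expands to every right except proxy.
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}


def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    if "all" in rights:
        rights = set(ALL_RIGHTS)
    attrs = [a.strip().lower() for a in m.group("attrs").split("||")]
    return {"name": m.group("name"), "kind": m.group("kind"),
            "rights": rights, "attrs": attrs, "dn": m.group("dn").lower()}


def granted_rights(acis, bind_dn, attr):
    """Union of rights the allow rules grant bind_dn on attr (deny rules,
    other targets and group/role bind rules are out of scope here)."""
    rights = set()
    for aci in map(parse_aci, acis):
        if aci["kind"] != "allow" or aci["dn"] != bind_dn.lower():
            continue
        if "*" in aci["attrs"] or attr.lower() in aci["attrs"]:
            rights |= aci["rights"]
    return rights


def pre_read_returns(acis, bind_dn, requested):
    """Attributes a pre-/post-read control would return: the requester
    needs read on each one, regardless of its write/add/delete rights."""
    return [a for a in requested if "read" in granted_rights(acis, bind_dn, a)]
```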
Comment by carole forel [ 04/Jan/19 ]

Thank you Joseph de-Menditte
Indeed, it was something wrongly configured in the test.
Closing this issue as not a bug.

Generated at Tue Dec 01 18:41:14 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.