[ https://issues.apache.org/jira/browse/FC-33?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14508272#comment-14508272 ]

Shawn McKinney commented on FC-33:
----------------------------------

Explanation for how the fortress authorization audit works in openldap.  First 
there is a read of the permission record (this is the same regardless of whether 
an audit record is to be added).  Next, if openldap audit is enabled, the authz 
method invokes an ldapcompare operation on the permission node.  If authZ was 
successful, the compare operation should be successful, which triggers an audit 
compare record to be added for that perm/user with a success code.  If authZ 
failed, the compare fails (result code = 5), which is how it is supposed to 
work.  This will add a record to the audit database for the perm/user with a 
failure code.  

Next, when the authorization record search occurs, as in this use case, it can 
differentiate between success and failure in the logs.  

The problem here is the ldapcompare is returning no such object (32) regardless 
of whether authZ succeeded or not.

When I execute ldapcompare from the command line, the ldapcompare operation 
succeeds, with the exact same parameter values:

ldapcompare -x -D "cn=Manager,dc=openldap,dc=org" -w secret -h 172.17.42.1 -p 32770 "ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org" ftopnm: TOP3_1

So to sum it up: the ldapcompare always returns no such object (regardless of 
attribute value) in code.  But I can get the ldapcompare to work correctly from 
the command line.

> AuditMgr.getUserAuthZ cannot pull back faileOnly
> ------------------------------------------------
>
>                 Key: FC-33
>                 URL: https://issues.apache.org/jira/browse/FC-33
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0
>
>
> This search filter:
> filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
> in AuditDAO.getAllAuthZs does not work.  It appears the reqAssertion 
> attribute cannot be searched on within the auditCompare object class.  Have 
> tested with ldapbrowser and does not pull back entries.  Will need to come up 
> with a work around.
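The compare-driven audit flow described in the comment above, and the reqAssertion filter problem in the quoted issue description, as an added Python example that is not Fortress code: it parses constructed slapo-accesslog auditCompare records and classifies each one by its reqResult (compareTrue = 6, compareFalse = 5, noSuchObject = 32), so a consumer can tell granted from denied without filtering on reqAssertion at all, and it treats 32 as "not evaluated" rather than as a denial, which is exactly the symptom the comment reports. The attribute names follow slapo-accesslog; the sample entries, the user DNs and the reqResult-based search filter are constructed assumptions for this example, not the workaround Fortress adopted.

```python
"""Classify OpenLDAP accesslog auditCompare records into authorization outcomes.

Added example, not Fortress code. Assumes slapo-accesslog attribute names
(reqType, reqDN, reqAuthzID, reqAssertion, reqResult); the LDIF below is constructed.
"""
import re
from typing import Dict, List, Optional

# LDAP result codes a compare operation can return (RFC 4511, section 4.1.9).
COMPARE_FALSE = 5    # assertion evaluated and did not match: authZ denied
COMPARE_TRUE = 6     # assertion matched: authZ granted
NO_SUCH_OBJECT = 32  # target DN not found: the assertion was never evaluated

# Constructed sample accesslog entries: one grant, one denial, one "no such object".
SAMPLE_LDIF = """\
dn: reqStart=20150420120000.000001Z,cn=log
objectClass: auditCompare
reqType: compare
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAuthzID: uid=demouser1,ou=People,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_1
reqResult: 6

dn: reqStart=20150420120001.000001Z,cn=log
objectClass: auditCompare
reqType: compare
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAuthzID: uid=demouser2,ou=People,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_1
reqResult: 5

dn: reqStart=20150420120002.000001Z,cn=log
objectClass: auditCompare
reqType: compare
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAuthzID: uid=demouser1,ou=People,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_1
reqResult: 32
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: one 'attr: value' per line, blank line between entries.
    Keys are lower-cased because LDAP attribute names are case-insensitive.
    Folded continuation lines and base64 ('::') values are not handled."""
    entries: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def classify(entry: Dict[str, str]) -> str:
    """Map a compare record's reqResult onto an authorization outcome."""
    if entry.get("reqtype", "compare").lower() != "compare":
        return "not-a-compare"
    code = int(entry.get("reqresult", "-1"))
    if code == COMPARE_TRUE:
        return "granted"
    if code == COMPARE_FALSE:
        return "denied"
    if code == NO_SUCH_OBJECT:
        return "not-evaluated"  # the FC-33 symptom: never count this as a denial
    return "other"


def authz_records(entries: List[Dict[str, str]], user_dn: Optional[str] = None,
                  failed_only: bool = False) -> List[Dict[str, str]]:
    """Return the records that represent a real authZ decision, optionally for one
    user and optionally only the denials. Result 32 is left out on purpose."""
    out = []
    for e in entries:
        if user_dn and e.get("reqauthzid", "").lower() != user_dn.lower():
            continue
        outcome = classify(e)
        if outcome not in ("granted", "denied"):
            continue
        if failed_only and outcome != "denied":
            continue
        out.append(e)
    return out


def summarize(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count outcomes; a non-zero 'not-evaluated' bucket flags the DN problem."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts


def _escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value


def reqresult_filter(user_dn: str, failed_only: bool) -> str:
    """Search filter keyed on reqResult instead of reqAssertion (an assumption of
    this example, offered as a workaround, not necessarily what Fortress did)."""
    clauses = "(objectClass=auditCompare)(reqAuthzID=%s)" % _escape_filter_value(user_dn)
    if failed_only:
        clauses += "(reqResult=%d)" % COMPARE_FALSE
    return "(&%s)" % clauses


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(summarize(recs))
    print(reqresult_filter("uid=demouser1,ou=People,dc=openldap,dc=org", failed_only=True))
```

Run against a real accesslog export, the `not-evaluated` count is the first thing to check: a stream of compare records with reqResult 32 means the code is issuing compares against a DN the server cannot find, so neither the success nor the failure branch of the audit is actually being exercised.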



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
