[
https://issues.apache.org/jira/browse/DIRSERVER-2421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035081#comment-18035081
]
Emmanuel Lécharny commented on DIRSERVER-2421:
----------------------------------------------
Hi,
referrals are handled in some specific ways in the server. For performance
reasons, we load all of them in memory at server startup, and keep track of
any change in both the underlying database and in this cache.
It may be that when you migrated, you keep the database as is, and the referral
manager wasn't able to load in memory the existing referrals.
I would suggest to export the data from the previous version, then reimport
them.
It may be useless, but I'd like to know if it works better after that change.
Otherwise, I would need some way to reproduce the issue.
> Referral objects are returned, although they were not requested
> ---------------------------------------------------------------
>
> Key: DIRSERVER-2421
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2421
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap, referral
> Affects Versions: 2.0.0.AM26
> Reporter: Martin Choma
> Priority: Major
>
> I have upgraded our EAP testsuite to version ApacheDS 2.0.0.AM26 from
> 2.0.0.AM25 and some referral tests stopped working. This is descritption of
> test:
> {code}
> /**
> * @tpTestDetails <br/>
> * Given: Original LDAP includes user 'originalUserBothRole' <br/>
> * and role 'OriginalRole' located in original LDAP is mapped to them
> <br/>
> * and role 'ReferralRole' located in referral LDAP is mapped to them
> <br/>
> * and ldap-realm uses filter with (objectclass=referral) for filtering
> users <br/>
> * and ldap-realm uses filter without (objectclass=referral) for
> filtering roles. <br/>
> * When user 'originalUserBothRole' with correct password tries to
> authenticate, <br/>
> * then authentication should succeed and just role 'OriginalRole' should
> be assigned to user.
> */
> @Test
> @OperateOnDeployment(DEPLOYMENT + USER_REFERRAL_SUFFIX)
> public void filterUserReferral_originalUserBothRole(@ArquillianResource
> URL webAppURL) {
> {code}
>
> Problem is EAP is returning now also ReferralRole in this scenario which is
> unexpected
> {code}
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "HTTP/1.1
> 200 OK[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Expires:
> 0[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 <<
> "Connection: keep-alive[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 <<
> "Cache-Control: no-cache, no-store, must-revalidate[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Pragma:
> no-cache[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 <<
> "Content-Type: text/plain;charset=utf-8[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 <<
> "Content-Length: 27[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "Date:
> Mon, 03 Nov 2025 07:43:58 GMT[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 << "[\r][\n]"
> 08:43:58,518 DEBUG [org.apache.http.wire] (main) http-outgoing-1 <<
> ",OriginalRole,ReferralRole,"
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> HTTP/1.1 200 OK
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Expires: 0
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Connection: keep-alive
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Cache-Control: no-cache, no-store, must-revalidate
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Pragma: no-cache
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Content-Type: text/plain;charset=utf-8
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 <<
> Content-Length: 27
> 08:43:58,518 DEBUG [org.apache.http.headers] (main) http-outgoing-1 << Date:
> Mon, 03 Nov 2025 07:43:58 GMT
> {code}
> This is how test setup ldap in EAP
> {code}
> 08:03:29,273 DEBUG
> [org.wildfly.extras.creaper.core.online.OnlineManagementClient] (main)
> Executing operation
> /subsystem=elytron/ldap-realm=elytron-ldap-realm-user-referrals:add(dir-context=elytron-ldap-dir-context,
> direct-verification=true, identity-mapping={rdn-identifier => uid,
> search-base-dn =>
> o=FollowReferralObjectQueryLdapCommonReferralsTestCase310e9a7e,o=primary,dc=jboss,dc=org,
> use-recursive-search => true, filter-name =>
> (|(objectclass=referral)(uid={0})), attribute-mapping => [{from => cn, to =>
> groups, filter => (member={1}), filter-base-dn =>
> o=FollowReferralObjectQueryLdapCommonReferralsTestCase310e9a7e,o=primary,dc=jboss,dc=org}]})
> {code}
> When I compare changes between 2.0.0.AM25 and 2.0.0.AM26 I see this code
> changed
> https://github.com/apache/directory-server/compare/2.0.0.AM25...2.0.0.AM26#diff-23c0681a741c6c2e0728ee94ec03ca395b88ec5c118b042e7c736f6962221505L157,
> which may be changing that part of logic. Although I do not see how that
> could change behaviour in this way. Any idea?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
