Looks like I had some settings wrong in my slapd.conf, mainly I didn't have the 
maxsize set on the dbs. Down to 2 tests not passing. The 
"DelegatedMgrImplTest.testAddAdminUser" only fails on the first test run.


Tests run: 113, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 209.148 sec <<< FAILURE! - in org.apache.directory.fortress.core.impl.FortressJUnitTest
testAddAdminUser(org.apache.directory.fortress.core.impl.DelegatedMgrImplTest)  Time elapsed: 0.216 sec  <<< FAILURE!
junit.framework.AssertionFailedError: org.apache.directory.fortress.core.impl.DelegatedMgrImplTestassignAdminUsers list size check
        at junit.framework.Assert.fail(Assert.java:57)
        at junit.framework.Assert.assertTrue(Assert.java:22)
        at junit.framework.TestCase.assertTrue(TestCase.java:192)
        at org.apache.directory.fortress.core.impl.DelegatedMgrImplTest.assignAdminUsers(DelegatedMgrImplTest.java:306)
        at org.apache.directory.fortress.core.impl.DelegatedMgrImplTest.testAddAdminUser(DelegatedMgrImplTest.java:174)

testSearchAuthZs(org.apache.directory.fortress.core.impl.AuditMgrImplTest)  Time elapsed: 2.706 sec  <<< FAILURE!
junit.framework.AssertionFailedError: org.apache.directory.fortress.core.impl.AuditMgrImplTestsearchAuthZs failedOnly=true, search authorizations user [jtsUser1], objName [TOB3_1], opName [TOP3_1], objId []
        at junit.framework.Assert.fail(Assert.java:57)
        at junit.framework.Assert.assertTrue(Assert.java:22)
        at junit.framework.TestCase.assertTrue(TestCase.java:192)
        at org.apache.directory.fortress.core.impl.AuditMgrImplTest.searchAuthZs(AuditMgrImplTest.java:288)
        at org.apache.directory.fortress.core.impl.AuditMgrImplTest.testSearchAuthZs(AuditMgrImplTest.java:253)


Results :

Failed tests: 
  AuditMgrImplTest.testSearchAuthZs:253->searchAuthZs:288 org.apache.directory.fortress.core.impl.AuditMgrImplTestsearchAuthZs failedOnly=true, search authorizations user [jtsUser1], objName [TOB3_1], opName [TOP3_1], objId []
  DelegatedMgrImplTest.testAddAdminUser:174->assignAdminUsers:306 org.apache.directory.fortress.core.impl.DelegatedMgrImplTestassignAdminUsers list size check

Tests run: 113, Failures: 2, Errors: 0, Skipped: 0

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Tuesday, February 9, 2016 12:23:45 PM
Subject: Re: Fortress Constraints

> On Feb 9, 2016, at 9:52 AM, Chris Pike <[email protected]> wrote:
> 
> 
> Looks like I'm running Symas OpenLDAP 2.4.42. There are lots of audit logs 
> being populated in openldap, so probably not a configuration issue. I'm 
> trying to step through one of the tests to see why it is failing...
> 
> AuditManagerImplTest.testSearchBinds first searches for binds for "jtsUser1" 
> and doesn't find any. Can you point me to where this bind audit entry should 
> be getting populated?

Betting it’s a config issue.  Look at your fortress.properties.  Here are ones 
that must be set:

# Options are openldap or apacheds (default):
ldap.server.type=openldap

# Audit only works if ldap.server.type == openldap:
disable.audit=false

> On Feb 9, 2016, at 9:52 AM, Chris Pike <[email protected]> wrote:
> 
> 
> Also, where in the fortress API are the audit logs populated?

These audits are generated by OpenLDAP’s access log overlay.  You can view 
that config inside the slapd.conf file:
logops bind writes compare

That directive instructs the overlay to store all ldap bind, update and 
compare ops into the access log automatically.  In order to get the audit for 
checkAccess to go we must make an extra call to the server in the authZ flow to 
ldap compare.  The first ldap call reads the permission record, the 2nd pushes 
the result of authZ into the access log (compare).  

But we only want to make the 2nd call to compare if the server is OpenLDAP, and 
it’s not otherwise disabled.  (Doing a call to another directory, e.g. apacheds, 
would be wasteful)

You can view how the code works inside the permdao checkpermission method where 
there’s a call to addAuthZAudit method:

    private void addAuthZAudit( LdapConnection ld, String permDn, String userDn, String attributeValue )
        throws FinderException
    {
        // Audit can be turned off here with fortress config param: 'disable.audit=true'
        if ( GlobalIds.IS_OPENLDAP && ! GlobalIds.IS_AUDIT_DISABLED )
        {
            try
            {
                // The compare method uses OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection:
                // LDAP Operation #2: Compare:
                compareNode( ld, permDn, userDn, new DefaultAttribute( GlobalIds.POP_NAME, attributeValue ) );
            }
            catch ( UnsupportedEncodingException ee )
            {
                String error = "addAuthZAudit caught UnsupportedEncodingException=" + ee.getMessage();
                throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, ee );
            }
            catch ( LdapException e )
            {
                if ( !( e instanceof LdapNoSuchObjectException ) )
                {
                    String error = "addAuthZAudit caught LdapException=" + e.getMessage();
                    throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, e );
                }
            }
        }
    }


The check above verifies that audit is enabled before doing the ldapcompare. 

Shawn
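Added example, not part of this thread and not Fortress or OpenLDAP code: a small Python script that scans an LDIF export of the accesslog database (cn=log) for the records the failing tests look for, i.e. the bind entries that testSearchBinds wants and the compare entries that checkAccess pushes into the log (the second LDAP call described above). The attribute names used (reqType, reqDN, reqAuthzID, reqResult, reqStart) are the standard accesslog schema. The sample LDIF is constructed; the permission DN layout (ftOpNm=...,ftObjNm=...) and the reading of LDAP result code 5 (compareFalse) as a "failed" authorization are assumptions made for this example, not something Fortress documents in the thread.

```python
"""Search an OpenLDAP accesslog (cn=log) LDIF export for Fortress audit records.

Added example, not Fortress/OpenLDAP code. Assumptions: permission entries are
named ftOpNm=<op>,ftObjNm=<obj>,... and a failed authorization shows up as the
compare result code 5 (compareFalse); 6 is compareTrue.
"""
import base64
from typing import Dict, Iterator, List, Optional

COMPARE_FALSE = 5   # LDAP resultCode compareFalse (assumed: authZ denied)
COMPARE_TRUE = 6    # LDAP resultCode compareTrue  (assumed: authZ granted)

# Constructed sample export of cn=log: jtsUser1's bind, two compares for
# jtsUser1 against TOB3_1/TOP3_1 (one granted, one denied) and one for jtsUser2.
SAMPLE_ACCESSLOG_LDIF = """\
dn: reqStart=20160209182301.000001Z,cn=log
objectClass: auditBind
reqStart: 20160209182301.000001Z
reqType: bind
reqDN: uid=jtsUser1,ou=People,dc=example,dc=com
reqResult: 0

dn: reqStart=20160209182302.000001Z,cn=log
objectClass: auditCompare
reqStart: 20160209182302.000001Z
reqType: compare
reqAuthzID: uid=jtsUser1,ou=People,dc=example,dc=com
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,dc=example,dc=com
reqResult: 6

dn: reqStart=20160209182303.000001Z,cn=log
objectClass: auditCompare
reqStart: 20160209182303.000001Z
reqType: compare
reqAuthzID: uid=jtsUser1,ou=People,dc=example,dc=com
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,dc=example,dc=com
reqResult: 5

dn: reqStart=20160209182304.000001Z,cn=log
objectClass: auditCompare
reqStart: 20160209182304.000001Z
reqType: compare
reqAuthzID: uid=jtsUser2,ou=People,dc=example,dc=com
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,dc=example,dc=com
reqResult: 5
"""


def _unfold(text: str) -> Iterator[str]:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    current: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
        else:
            if current is not None:
                yield current
            current = raw
    if current is not None:
        yield current


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield each LDIF record as {attribute: [values]}; handles 'attr:: base64' values."""
    record: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if not line.strip():            # blank line terminates a record
            if record:
                yield record
            record = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record.setdefault(key, []).append(value.strip())
    if record:
        yield record


def _first(rec: Dict[str, List[str]], attr: str) -> str:
    return rec.get(attr, [""])[0]


def search_authzs(ldif: str, user_id: str, obj_name: str, op_name: str,
                  failed_only: bool) -> List[Dict[str, object]]:
    """Return compare records for user/object/operation, optionally only denied ones.

    Matching is on RDN text with a trailing comma so TOP3_1 does not match TOP3_10.
    """
    user_rdn = f"uid={user_id},".lower()
    obj_rdn = f"ftobjnm={obj_name},".lower()
    op_rdn = f"ftopnm={op_name},".lower()
    hits: List[Dict[str, object]] = []
    for rec in parse_ldif(ldif):
        if _first(rec, "reqType") != "compare":
            continue
        if user_rdn not in _first(rec, "reqAuthzID").lower():
            continue
        dn = _first(rec, "reqDN").lower()
        if obj_rdn not in dn or op_rdn not in dn:
            continue
        result = int(_first(rec, "reqResult") or -1)
        if failed_only and result != COMPARE_FALSE:
            continue
        hits.append({"reqStart": _first(rec, "reqStart"), "reqResult": result})
    return hits


def search_binds(ldif: str, user_id: str) -> List[Dict[str, List[str]]]:
    """Return bind records for the user (what a bind audit search should find)."""
    user_rdn = f"uid={user_id},".lower()
    return [rec for rec in parse_ldif(ldif)
            if _first(rec, "reqType") == "bind" and user_rdn in _first(rec, "reqDN").lower()]


if __name__ == "__main__":
    print("binds:", len(search_binds(SAMPLE_ACCESSLOG_LDIF, "jtsUser1")))
    print("denied authZs:", search_authzs(SAMPLE_ACCESSLOG_LDIF, "jtsUser1", "TOB3_1", "TOP3_1", True))
```

Running it against a real export (slapcat -b cn=log, assuming the accesslog database is rooted at cn=log) shows quickly whether the overlay is writing compare records at all: no compare records for a user who just ran checkAccess points at ldap.server.type or disable.audit, while binds present but compares absent points at the logops directive.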
