HI!

I'm currently testing proxy authorization with the control
implementation com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl in
Sun's LDAP boost pack for JNDI.

slapd seems to be configured correctly since this command-line works:

ldapsearch -x -H "ldap://localhost:1390" -D
"uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de" -w
testproxy -b "ou=Testing,dc=stroeder,dc=de" -s sub -e
\!authzid="dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"
"(objectClass=*)"

Now I'm trying to do the same via JNDI (see attached Test2.java). But
this results in:

Exception: javax.naming.NamingException: [LDAP: error code 47 - authzId
mapping failed]; remaining name 'ou=Testing,dc=stroeder,dc=de'

When I start slapd with debugging (-d args,trace,packets) I get the log
I've also attached. Note the extra char before "dn:" in the line starting
with "parseProxyAuthz". I extracted the control from Wireshark and even
dumpasn1.c did not manage to decode it properly. So I suspect
something's wrong with the encoding. Can anybody please confirm this?

Any hint on how to reach Sun's JNDI developers?

Ciao, Michael.

-- 
Michael Ströder
[EMAIL PROTECTED]
http://www.stroeder.com
[..]
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 81 a8 02 01 02 63 3c                            0.....c<          
ldap_read: want=163, got=163
  0000:  04 1c 6f 75 3d 54 65 73  74 69 6e 67 2c 64 63 3d   ..ou=Testing,dc=  
  0010:  73 74 72 6f 65 64 65 72  2c 64 63 3d 64 65 0a 01   stroeder,dc=de..  
  0020:  01 0a 01 03 02 01 00 02  01 00 01 01 00 87 0b 6f   ...............o  
  0030:  62 6a 65 63 74 63 6c 61  73 73 30 00 a0 65 30 63   bjectclass0..e0c  
  0040:  04 18 32 2e 31 36 2e 38  34 30 2e 31 2e 31 31 33   ..2.16.840.1.113  
  0050:  37 33 30 2e 33 2e 34 2e  31 38 01 01 ff 04 44 04   730.3.4.18....D.  
  0060:  42 64 6e 3a 75 69 64 3d  70 72 6f 78 69 65 64 75   Bdn:uid=proxiedu  
  0070:  73 65 72 2c 6f 75 3d 70  72 6f 78 79 61 75 74 68   ser,ou=proxyauth  
  0080:  7a 74 65 73 74 73 2c 6f  75 3d 54 65 73 74 69 6e   ztests,ou=Testin  
  0090:  67 2c 64 63 3d 73 74 72  6f 65 64 65 72 2c 64 63   g,dc=stroeder,dc  
  00a0:  3d 64 65                                           =de               
ber_get_next: tag 0x30 len 168 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>
=> ldap_bv2dn(ou=Testing,dc=stroeder,dc=de,0)
<= ldap_bv2dn(ou=Testing,dc=stroeder,dc=de)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=Testing,dc=stroeder,dc=de)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=testing,dc=stroeder,dc=de)=0 
<<< dnPrettyNormal: <ou=Testing,dc=stroeder,dc=de>, <ou=testing,dc=stroeder,dc=de>
SRCH "ou=Testing,dc=stroeder,dc=de" 1 3    0 0 0
ber_scanf fmt (m) ber:
    filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
ber_scanf fmt (m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 0 authzid="Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de"
slap_sasl_getdn: conn 0 id=Bdn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de [len=68]
<= get_ctrls: n=1 rc=47 err="authzId mapping failed"
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=47 matched="" text="authzId mapping failed"
send_ldap_response: msgid=2 tag=101 err=47
ber_flush: 36 bytes to sd 16
  0000:  30 22 02 01 02 65 1d 0a  01 2f 04 00 04 16 61 75   0"...e.../....au  
  0010:  74 68 7a 49 64 20 6d 61  70 70 69 6e 67 20 66 61   thzId mapping fa  
  0020:  69 6c 65 64                                        iled              
ldap_write: want=36, written=36
  0000:  30 22 02 01 02 65 1d 0a  01 2f 04 00 04 16 61 75   0"...e.../....au  
  0010:  74 68 7a 49 64 20 6d 61  70 70 69 6e 67 20 66 61   thzId mapping fa  
  0020:  69 6c 65 64                                        iled              
do_search: get_ctrls failed
connection_get(16)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 16 failed errno=0 (Success)
connection_closing: readying conn=0 sd=16 for close
connection_close: conn=0 sd=16

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;

class Test2
{
    public static void main(String args[])
    {
        String      url = "ldap://127.0.0.1:1390";
        LdapContext ctx = null;

        try
        {
            Hashtable<String, String> env = new Hashtable<String, String>();

            // Use the LDAP service provider from Sun
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.REFERRAL, "throw");
            env.put(Context.PROVIDER_URL, url);

            // Simple bind as the proxy user, same credentials as the ldapsearch call
            env.put(Context.SECURITY_PRINCIPAL, "uid=proxyuser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            env.put(Context.SECURITY_CREDENTIALS, "testproxy");
            ctx = new InitialLdapContext(env, null);

            // Attach the Proxied Authorization control (RFC 4370) to the next request
            ProxiedAuthorizationControl p = new ProxiedAuthorizationControl(
                "dn:uid=proxieduser,ou=proxyauthztests,ou=Testing,dc=stroeder,dc=de");
            ctx.setRequestControls(new Control[]{p});

            // Default SearchControls: one-level scope, all attributes
            NamingEnumeration<SearchResult> enumResults =
                ctx.search("ou=Testing,dc=stroeder,dc=de", "(objectclass=*)", null);
            while (enumResults.hasMore())
            {
                System.out.println(enumResults.next().getNameInNamespace());
            }
        }
        catch (NamingException e)
        {
            System.out.println("Exception: " + e.toString());
        }
        finally
        {
            if (ctx != null)
            {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
        System.out.println("Programmende");
    }
}
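As an added check that is not part of the original post or of Sun's booster pack: the 171-byte SearchRequest that slapd dumped above (the two ldap_read hex blocks), walked with a small BER decoder written for this purpose. RFC 4370 defines the controlValue of the Proxied Authorization control as the authzId octets themselves. In the dump the controlValue is 68 bytes and begins 04 42, i.e. a second OCTET STRING header in front of the 66-byte authzId; slapd takes the controlValue verbatim, so the 0x42 shows up as the 'B' in "Bdn:" in the parseProxyAuthz line (the 0x04 is unprintable). The block also builds the same control the way RFC 4370 specifies it, for comparison. All function names are this example's own; the only data is the captured bytes from the log.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # Proxied Authorization control, RFC 4370

# The captured LDAPMessage, copied byte for byte from the ldap_read hex dumps in the slapd log.
CAPTURED = bytes.fromhex(
    "30 81 a8 02 01 02 63 3c "
    "04 1c 6f 75 3d 54 65 73 74 69 6e 67 2c 64 63 3d "
    "73 74 72 6f 65 64 65 72 2c 64 63 3d 64 65 0a 01 "
    "01 0a 01 03 02 01 00 02 01 00 01 01 00 87 0b 6f "
    "62 6a 65 63 74 63 6c 61 73 73 30 00 a0 65 30 63 "
    "04 18 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 "
    "37 33 30 2e 33 2e 34 2e 31 38 01 01 ff 04 44 04 "
    "42 64 6e 3a 75 69 64 3d 70 72 6f 78 69 65 64 75 "
    "73 65 72 2c 6f 75 3d 70 72 6f 78 79 61 75 74 68 "
    "7a 74 65 73 74 73 2c 6f 75 3d 54 65 73 74 69 6e "
    "67 2c 64 63 3d 73 74 72 6f 65 64 65 72 2c 64 63 "
    "3d 64 65"
)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos.
    Handles short-form lengths and the long forms 0x81..0x84, which is all
    LDAP uses on the wire here."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element at offset %d" % pos)
    return tag, value, pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def find_control(message, oid):
    """Return (criticality, controlValue) of the request control with this OID, or None.
    controlValue is the raw contents of the controlValue OCTET STRING, which is
    exactly what slapd's parseProxyAuthz treats as the authzId."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    for t, v in children(body):
        if t != 0xA0:                      # controls [0] Controls OPTIONAL
            continue
        for _, ctrl in children(v):        # each Control ::= SEQUENCE
            fields = children(ctrl)
            ctype = fields[0][1].decode("ascii")
            critical, value = False, None
            for ftag, fval in fields[1:]:
                if ftag == 0x01:           # criticality BOOLEAN
                    critical = fval != b"\x00"
                elif ftag == 0x04:         # controlValue OCTET STRING
                    value = fval
            if ctype == oid:
                return critical, value
    return None


def unwrap_if_double_encoded(control_value):
    """If the controlValue is itself one complete BER OCTET STRING, return its
    contents, else None.  A well-formed RFC 4370 value never matches: an authzId
    is empty or starts with 'dn:' or 'u:', never with the tag byte 0x04."""
    if len(control_value) >= 2 and control_value[0] == 0x04:
        _, inner, end = read_tlv(control_value, 0)
        if end == len(control_value):
            return inner
    return None


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def encode_proxy_authz_control(authzid, critical=True):
    """Control ::= SEQUENCE { controlType, criticality, controlValue } as RFC 4370
    specifies it: the controlValue octets are the authzId itself, no inner OCTET STRING."""
    fields = tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    if critical:
        fields += tlv(0x01, b"\xff")
    fields += tlv(0x04, authzid.encode("utf-8"))
    return tlv(0x30, fields)


if __name__ == "__main__":
    critical, value = find_control(CAPTURED, PROXY_AUTHZ_OID)
    inner = unwrap_if_double_encoded(value)
    print("controlValue as slapd sees it (%d bytes): %r" % (len(value), value))
    print("nested OCTET STRING contents  (%d bytes): %r" % (len(inner), inner))
    print("RFC 4370 control for the same authzId:", encode_proxy_authz_control(inner.decode()).hex())
```

Running it prints the 68-byte value starting with `b'\x04Bdn:'`, the 66-byte authzId nested inside it, and a 99-byte Control whose value is the bare authzId; the captured Control is 101 bytes, the difference being the two extra header bytes 04 42.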

