>-----Original Message-----
>From: Graham Barr [mailto:[EMAIL PROTECTED]
>Sent: Saturday, April 09, 2005 3:20 PM
>To: Peter Marschall
>Cc: [email protected]; Faltermier, David (HP Directory)
>Subject: Re: Documentation Bug (related to: Outdated OID in
>Net::LDAP::Control::ProxyAuth?)
>Hi,
>
>On Apr 6, 2005, at 5:24 AM, Peter Marschall wrote:
>> Here's a first patch to the OID problem in
>> Net::LDAP::Control::ProxyAuth.
>> ...David, would you be so kind to also give it a try?
Hi Peter,
Thanks for patching Net::LDAP::Control::ProxyAuth.pm. It was on my list
of things to do, but... <head hanging low>.
TEST RESULTS
------------
I applied and tested your patch against OpenLDAP 2.2.23 and SunOne 5.2.
SunOne, using the old OID, worked fine performing a search with:
my $dn = '[EMAIL PROTECTED],ou=People,o=hp.com';
my $control = Net::LDAP::Control::ProxyAuth->new(proxyDN => $dn);
# Connect and bind...
my $mesg = $ldap->search(
base => ...
scope => ...
filter => ...
control => $control,
);
However, I ran into a problem testing against OpenLDAP:
my $dn = '[EMAIL PROTECTED],ou=People,o=hp.com';
my $control = Net::LDAP::Control::ProxyAuth->new(
authzID => "dn:$dn",
);
# Connect and bind...
my $mesg = $ldap->search(
base => ...
scope => ...
filter => ...
control => $control,
);
The search failed with LDAP error 47. My debugging log shows the
following entries:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 1 authzid="03^D1dn:[EMAIL PROTECTED],ou=People,o=hp.com"
slap_sasl_getdn: id=03^D1dn:[EMAIL PROTECTED],ou=People,o=hp.com [len=53]
<= get_ctrls: n=1 rc=47 err="authzId mapping failed"
The authzID mapping failed. The problem seems to be that the ProxyAuth
control value is ASN'ified. Instead of the expected value:
id=dn:[EMAIL PROTECTED],ou=People,o=hp.com
The value is transmitted as:
id=03^D1dn:[EMAIL PROTECTED],ou=People,o=hp.com
SPECS FOR OID 2.16.840.1.113730.3.4.12 (proxyDN)
------------------------------------------------
From what I could find, the specs for the older proxyAuth control are:
proxyAuthControl ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.12,
criticality BOOLEAN DEFAULT FALSE,
controlValue proxyAuthValue
}
The controlValue contains the BER encoding of a DN used for
evaluating the requested rights:
proxyAuthValue::= SEQUENCE {
proxyDN LDAPDN
}
SPECS FOR OID 2.16.840.1.113730.3.4.18 (authzID)
------------------------------------------------
The specs for the newer proxyAuth control are:
The authorization identity is a string in the UTF-8 character set,
corresponding to the following ABNF [7]:
authzId = dnAuthzId / uAuthzId
; distinguished-name-based authz id.
dnAuthzId = "dn:" dn
dn = utf8string ; with syntax defined in RFC 2253
; unspecified userid, UTF-8 encoded.
uAuthzId = "u:" userid
userid = utf8string ; syntax unspecified
Perhaps I'm mistaken, but it appears that the new OID specifies that the
control value is not ASN'ified. A fuller clipping of the spec details
is attached below from my previous post.
Can you check me on this, Peter?
Thanks again for your work on the patch.
-David
>-----Original Message-----
>From: Faltermier, David (HP Directory)
>Sent: Thursday, March 03, 2005 10:18 AM
>To: [email protected]
>Cc: Subbarao, Kartik;
>Subject: RE: Outdated OID in Net::LDAP::Control::ProxyAuth?
Graham, et al.,
I have done a little more digging around in this area. I think more work
may be necessary than just adding a version parameter. Let me show you
what I found by including some snippets from the weltman drafts that
describe the changes to the proxyAuth control value between [draft]
versions -05 and -12.
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-05)
http://www.watersprings.org/pub/id/draft-weltman-ldapv3-proxy-05.txt
-----------------------------------------------------------------------
I've included sections 3 and 12.2 below which best summarize the control
value.
3. Proxied Authorization Control
proxyAuthControl ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.12,
criticality BOOLEAN DEFAULT FALSE,
controlValue proxyAuthValue
}
The controlValue contains the BER encoding of a DN used for
evaluating the requested rights:
proxyAuthValue::= SEQUENCE {
proxyDN LDAPDN
}
It is represented as a Sequence in order to allow future
extensions.
12.2 Control envelope
Rather than containing an LDAPDN as the Control value, the Control
contains a Sequence (which contains an LDAPDN). This is to provide
for future extensions.
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-12)
http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-12.txt
-----------------------------------------------------------------------
I've included section 3 below which best summarizes the control value.
3. Proxy Authorization Control
The controlType of the proxy authorization control is
"2.16.840.1.113730.3.4.18".
The controlValue SHALL be present and contain either an authzId
[AUTH] representing the authorization identity for the request or
empty if an anonymous association is to be used.
RFC 2829
http://www.ietf.org/rfc/rfc2829.txt
-----------------------------------
The [AUTH] reference above refers to RFC 2829, section 9. Here's the
relevant parts:
9. Authorization Identity
(...clipped for brevity...)
The authorization identity is a string in the UTF-8 character set,
corresponding to the following ABNF [7]:
authzId = dnAuthzId / uAuthzId
; distinguished-name-based authz id.
dnAuthzId = "dn:" dn
dn = utf8string ; with syntax defined in RFC 2253
; unspecified userid, UTF-8 encoded.
uAuthzId = "u:" userid
userid = utf8string ; syntax unspecified
All servers which support the storage of authentication credentials,
such as passwords or certificates, in the directory MUST support the
dnAuthzId choice.
So, there does appear to be a major change in the packaging of the
proxyAuth control value between the two Weltman drafts (-05 and -12);
thus explaining the OID version change.
Changes to PERL-LDAP?
---------------------
I am assuming that your suggestion to add a version parameter to
Net::LDAP::Control::ProxyAuth::new() would look something like:
my $auth = Net::LDAP::Control::ProxyAuth->new(
proxyDN => 'cn=me,ou=people,o=myorg.com',
version => 2, # OID 2.16.840.1.113730.3.4.18
);
However, it appears more than this will be needed. The new proxyAuth
control requires an authzId value as specified by RFC 2829. This will
mean a couple things:
1. AuthzId's other than a DN may be specified.
   Currently, two are defined by RFC2829: (1) dnAuthzId, and (2) uAuthzId.
   Therefore, the 'proxyDN' named parameter is probably a misnomer and
   may need to be replaced with something less "DN" specific. Perhaps
   'proxyID'?
2. The authzId chosen by the user must include the correct "dn:"
   or "u:" prefix, something not currently required.
Adding just a version parameter will not account for the necessary
proxyDN parameter changes. Perhaps a new [backward compatible] interface
might look something like this:
# New interface for Version 2.
# (The new interface assumes version 2 to be the default.)
my $auth = Net::LDAP::Control::ProxyAuth->new(
proxyID => 'dn:cn=me,ou=people,o=myorg.com', # dnAuthzId or uAuthzId
version => 2, # Optional. Default. OID 2.16.840.1.113730.3.4.18
);
# New interface for Version 1.
my $auth = Net::LDAP::Control::ProxyAuth->new(
proxyID => 'cn=me,ou=people,o=myorg.com', # DN
version => 1, # OID 2.16.840.1.113730.3.4.12
);
# For backward compatibility with version 1.
# Note: Use of named parameter 'proxyDN' assumes version 1
# (OID 2.16.840.1.113730.3.4.12).
my $auth = Net::LDAP::Control::ProxyAuth->new(
proxyDN => 'cn=me,ou=people,o=myorg.com',
);
The interface changes suggested above should not break anyone's current
usage of Net::LDAP::Control::ProxyAuth. Of course, there are other
interface options.
-David
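A worked model of the point both messages turn on, added here as an example; it is not perl-ldap code and is written in Python rather than Perl so that it runs stand-alone. Reading the debug log in the first message as bytes, the `03^D1` prefix is 0x30 0x33 0x04 0x31: a SEQUENCE of length 51 wrapping an OCTET STRING of length 49, which with its four header bytes gives the len=53 the server logged. In other words the draft -05 `SEQUENCE { proxyDN LDAPDN }` wrapper was sent under the draft -12 OID, whose value is the bare authzId string. The code below encodes both control values, models the server-side authzId shape check that rejects the wrapped value, and sketches the proxyID/proxyDN/version constructor proposed in the second message. The class and function names, the rejection of a bare DN under version 2, and the sample DNs are assumptions, not the module's API.

```python
"""Both ProxyAuth control values from the thread, plus the proposed interface.
Added example (not perl-ldap code). Names are assumptions; DNs are constructed.
"""

OID_PROXYAUTH_V1 = "2.16.840.1.113730.3.4.12"  # draft-weltman-ldapv3-proxy-05
OID_PROXYAUTH_V2 = "2.16.840.1.113730.3.4.18"  # draft-weltman-ldapv3-proxy-12


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag byte, length, content."""
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_v1_value(dn: str) -> bytes:
    """Old control (OID ...12): proxyAuthValue ::= SEQUENCE { proxyDN LDAPDN }.
    LDAPDN is an OCTET STRING, so the bytes are 0x30 len 0x04 len <dn>."""
    return ber_tlv(0x30, ber_tlv(0x04, dn.encode("utf-8")))


def encode_v2_value(authz_id: str) -> bytes:
    """New control (OID ...18): the raw UTF-8 authzId, no BER wrapper at all."""
    return authz_id.encode("utf-8")


def is_valid_authzid(value: bytes) -> bool:
    """RFC 2829 s.9 shape: "dn:" dn or "u:" userid; draft -12 also allows
    an empty value for an anonymous association."""
    if value == b"":
        return True
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.startswith("dn:") or text.startswith("u:")


def server_map_authzid(value: bytes):
    """Rough model of what a v2-aware server does with the control value:
    (kind, identity) on success, None for "authzId mapping failed"."""
    if not is_valid_authzid(value):
        return None
    if value == b"":
        return ("anonymous", "")
    kind, _, identity = value.decode("utf-8").partition(":")
    return (kind, identity)


class ProxyAuth:
    """Sketch of the proxyID/proxyDN/version constructor from the second
    message: proxyDN alone implies version 1, proxyID defaults to version 2."""

    def __init__(self, proxyID=None, proxyDN=None, version=None, critical=True):
        if (proxyID is None) == (proxyDN is None):
            raise ValueError("give exactly one of proxyID or proxyDN")
        if proxyDN is not None:
            if version not in (None, 1):
                raise ValueError("proxyDN is the version 1 (DN-only) interface")
            version, identity = 1, proxyDN
        else:
            version, identity = (2 if version is None else version), proxyID
        if version == 1:
            self.oid, self.value = OID_PROXYAUTH_V1, encode_v1_value(identity)
        elif version == 2:
            # Assumed behaviour: refuse a bare DN, since the server would too.
            if not is_valid_authzid(identity.encode("utf-8")):
                raise ValueError("version 2 needs a 'dn:' or 'u:' authzId")
            self.oid, self.value = OID_PROXYAUTH_V2, encode_v2_value(identity)
        else:
            raise ValueError("version must be 1 or 2")
        self.critical = critical


def constructs(**kwargs) -> bool:
    """True if ProxyAuth(**kwargs) is accepted, False if it raises ValueError."""
    try:
        ProxyAuth(**kwargs)
        return True
    except ValueError:
        return False


def wrapped_like_the_log(authz_id: str) -> bytes:
    """Reproduces the first message's failure: a v2 authzId sent inside the
    v1 SEQUENCE { OCTET STRING } wrapper (what the 03^D1 bytes decode to)."""
    return encode_v1_value(authz_id)


if __name__ == "__main__":
    dn = "cn=me,ou=people,o=myorg.com"  # constructed sample DN
    print(encode_v1_value(dn).hex())
    print(server_map_authzid(encode_v2_value("dn:" + dn)))
    bad = wrapped_like_the_log("dn:" + "x" * 46)  # 49-byte authzId, as in the log
    print(len(bad), bad[:4])  # 53 b'03\x041', matching id=03^D1dn:... [len=53]
    print(server_map_authzid(bad))
```

The check here is only the RFC 2829 prefix shape; a real server then maps the DN or userid to an entry and applies its own proxy authorization policy, which this model does not attempt.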