1 Reply. Latest reply: Jul 20, 2012 5:06 AM by stefanwo

ODSEE 11gR1 DPS not blocking LDAP control requests

807817 Newbie
1)
I want my DPS to block paged results (OID 1.2.840.113556.1.4.319) requests, so
I've set the following parameter in DPS to block any LDAP control requests:

[root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
Saisir le mot de passe "cn=Proxy Manager" :
allowed-ldap-controls : -

In spite of this, DPS doesn't block the LDAP control request:

[root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=...,dc=.... "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:
2456
[root@mysystem logs]# grep "conn=2463" access
[14/Feb/2012:18:27:08 +0100] - PROFILE - INFO - conn=2463 assigned to connection handler cn=default connection handler, cn=connection handlers, cn=config
[14/Feb/2012:18:27:08 +0100] - CONNECT - INFO - conn=2463 client=127.0.0.1:56748 server=.......:389 protocol=LDAP
[14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=...,dc=..." scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid uidNumber gidNumber "
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND dn="" method="SIMPLE" version=3 s_msgid=309 s_conn=my_host:10
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND RESPONSE err=0 msg="" s_msgid=309 s_conn=my_host:10 etime=0
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH base="ou=...,dc=..." scope=2 filter="(uid=d*)" attrs="uid uidNumber gidNumber " s_msgid=310 s_conn=my_host:10
[14/Feb/2012:18:27:12 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 s_msgid=310 s_conn=my_host:10 etime=153
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=1 UNBIND
[14/Feb/2012:18:27:12 +0100] - DISCONNECT - INFO - conn=2463 reason="unbind"


I use the following version of DPS on RHEL 5.7:

[root@mysystem logs]# /logiciels/odsee/dsee7/bin/dpconf --version
[dpconf]
dpconf : 11.1.1.5.0 B2011.0517.2145

Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.

[root@mysystem logs]# java -version
java version "1.6.0_20"
OpenJDK Runtime Environment (IcedTea6 1.9.10) (rhel-1.23.1.9.10.el5_7-x86_64)
OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)
[root@mysystem logs]# grep java errors
[14/Feb/2012:16:58:19 +0100] - STARTUP - INFO - Java Version: 1.6.0_20 (Java Home: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre)


My LDAP backend servers are ODSEE 11gR1 servers too, so they don't support the paged result control; that's why I want DPS to block these
requests (they originate from FreeBSD Unix hosts set up as LDAP clients, when one runs the top command).


2)
I don't understand why there's such a time gap between the etime of the LDAP backend (153 ms) and the etime of my DPS server (4398 ms).

3)
I was previously using DPS 6.3.x and I had a different behaviour when using such LDAP control requests: the DPS was blocking those requests:

[31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 SEARCH RESPONSE err=12 msg="The server is not configured to pass through control 1.2.840.113556.1.4.319" nentries=0 etime=234

I've checked the configuration differences between both DPS versions, and it looks the same. Also, I tried to restore the default configuration
with regards to LDAP controls on the ODSEE 11gR1 instance (see below), but it's still the same problem: the request is not blocked:

[root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
Saisir le mot de passe "cn=Proxy Manager" :
allowed-ldap-controls : auth-request
allowed-ldap-controls : chaining-loop-detection
allowed-ldap-controls : get-effective-rights
allowed-ldap-controls : manage-dsa
allowed-ldap-controls : persistent-search
allowed-ldap-controls : proxy-auth-v1
allowed-ldap-controls : proxy-auth-v2
allowed-ldap-controls : real-attributes-only
allowed-ldap-controls : server-side-sorting
allowed-ldap-controls : vlv-request
[root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=uLy2,dc=agalan,dc=org "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:
2456

It looks like a bug and a regression in comparison with DSEE 6.x. Can anyone confirm?
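The access-log excerpt above already contains the evidence: the client-side OPERATION line carries controls="1.2.840.113556.1.4.319", while the forwarded SERVER_OP line has no controls field, and the operation still completes with err=0. The following script (an added example, not from the original post or from Oracle) correlates the DPS OPERATION and SERVER_OP lines by conn/op, reports any control the client sent that was not forwarded to the backend yet produced no error, and computes the proxy overhead from the two etime values. The embedded log lines are a constructed, trimmed copy of the thread's conn=2463 exchange.

```python
import re
from collections import defaultdict

# Constructed sample in the DPS access-log format shown in the thread
# (base DN shortened; the four lines that matter for conn=2463 op=0).
SAMPLE_LOG = """\
[14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=x,dc=y" scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid "
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH base="ou=x,dc=y" scope=2 filter="(uid=d*)" attrs="uid " s_msgid=310 s_conn=my_host:10
[14/Feb/2012:18:27:12 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 s_msgid=310 s_conn=my_host:10 etime=153
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<kind>OPERATION|SERVER_OP) - \w+ - '
                     r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare


def parse_fields(rest):
    """Turn the key=value tail of a log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(rest)}


def audit(log_text):
    """Flag operations whose client controls were dropped before forwarding
    but still returned err=0, i.e. silently ignored rather than rejected."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # CONNECT / PROFILE / DISCONNECT lines are not needed here
        rec = ops[(int(m['conn']), int(m['op']))]
        f = parse_fields(m['rest'])
        is_response = ' RESPONSE ' in m['rest']
        if not is_response:
            side = 'client' if m['kind'] == 'OPERATION' else 'backend'
            rec[side + '_controls'] = [c for c in f.get('controls', '').split(',') if c]
        elif m['kind'] == 'SERVER_OP':
            rec['backend_etime'], rec['backend_err'] = int(f['etime']), int(f['err'])
        else:
            rec['client_etime'], rec['client_err'] = int(f['etime']), int(f['err'])
    findings = []
    for (conn, op), rec in ops.items():
        dropped = set(rec.get('client_controls', [])) - set(rec.get('backend_controls', []))
        if dropped and rec.get('client_err') == 0:
            findings.append({'conn': conn, 'op': op, 'silently_dropped': sorted(dropped),
                             'proxy_overhead_ms': rec.get('client_etime', 0) - rec.get('backend_etime', 0)})
    return findings
```

Run against a full DPS access log, a non-empty result means clients are getting unpaged result sets back without any indication that their control was discarded, which is the behaviour the post describes.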
  • 1. Re: ODSEE 11gR1 DPS not blocking LDAP control requests
    stefanwo Newbie
    The 11.1.1.5 behaviour is correct (and 6.3* was wrong) as specified by RFC 2696: "If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical, otherwise the server SHOULD ignore the control." If you mark the control critical (OID:true), it should return with errno 12 (Unavailable critical extension).
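To make the criticality rule in the reply concrete, here is an added example (not from the thread or from Oracle) that encodes the RFC 2696 paged-results control value, interprets an ldapsearch "-J oid[:criticality]" argument as used in the thread, and models the server-side decision: an unsupported control is rejected with result code 12 only when critical, otherwise it is ignored and the search runs as if the control were absent. The set of supported OIDs passed to `server_decision` is a hypothetical input, not read from DPS.

```python
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # RFC 2696 simple paged results
UNAVAILABLE_CRITICAL_EXTENSION = 12             # LDAP resultCode in RFC 4511


def _ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b


def _ber_int(v):
    """BER INTEGER for a non-negative value (adds a leading 0x00 if the top bit is set)."""
    b = v.to_bytes(max(1, (v.bit_length() + 8) // 8), 'big')
    return b'\x02' + _ber_len(len(b)) + b


def paged_results_control_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    body = _ber_int(size) + b'\x04' + _ber_len(len(cookie)) + cookie
    return b'\x30' + _ber_len(len(body)) + body


def parse_ldapsearch_control_arg(arg):
    """ldapsearch -J 'oid[:criticality]' -> (oid, critical); assumed format
    matching the thread's examples '...319' and '...319:true'."""
    parts = arg.split(':')
    return parts[0], len(parts) > 1 and parts[1].lower() == 'true'


def server_decision(supported_oids, requested):
    """Apply the RFC 2696 rule to a list of (oid, critical) request controls.
    Returns (resultCode, applied_oids, ignored_or_rejected_oids)."""
    applied, ignored = [], []
    for oid, critical in requested:
        if oid in supported_oids:
            applied.append(oid)
        elif critical:
            return UNAVAILABLE_CRITICAL_EXTENSION, [], [oid]  # err=12, no entries
        else:
            ignored.append(oid)  # control silently dropped, search proceeds
    return 0, applied, ignored
```

The non-critical case reproduces what the post observed (err=0 with the control stripped); the critical case is the err=12 result the reply describes.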
