4 Replies. Latest reply: Mar 14, 2013 8:15 AM by jeffm_20120715

    DPS 6.3.1.1.1 modify base-dn with data-view

    jeffm_20120715
      I'm having a problem with an off-the-shelf application we are trying to integrate with our environment. This application binds and attempts to search for a user account with an invalid search base. The root of the DIT, for example, is o=company,c=us. This application sets the base for its ldapsearch to c=us, which does not exist. The application expects an error 32 response in this case and then it will set the base to o=company,c=us and search again. The app is parsing the full dn of the user (uid=user,ou=people,ou=branch,o=company,c=us) by comma and that is how it arrives at the invalid base-dn.

      In our environment the application binds to DPS and instead of an error 32 response DPS sends back an error code 50. I've tried getting around this by creating a dataview with base-dn "c=us" and adding it to the connection handler. This works for searches with scope of 2 but this application is setting the scope to 'base' which still results in the error code 50.

      Is there a way to use the dataview to convert "c=us" to the actual root "o=company,c=us"?
        • 1. Re: DPS 6.3.1.1.1 modify base-dn with data-view
          Sylvain Duloutre-Oracle
          Hello,

          DPS does not generate LDAP error code 50 for searches.
          Could you please provide the DPS access log snippet associated with the client LDAP search?
          • 2. Re: DPS 6.3.1.1.1 modify base-dn with data-view
            jeffm_20120715
            Sylvain-

            Here is a log snippet from a failing request.

            [15/Feb/2013:11:36:57 -0500] - CONNECT - INFO - conn=3096886 client=10.x.x.x:52260 server=xxxxxxx-primary:389 protocol=LDAP
            [15/Feb/2013:11:36:58 -0500] - OPERATION - INFO - conn=3096886 op=0 BIND dn="uid=devboeuser,ou=people,ou=special accounts and groups,o=ny,c=us" method="SIMPLE" version=3
            [15/Feb/2013:11:36:58 -0500] - SERVER_OP - INFO - conn=3096886 op=0 BIND dn="uid=devboeuser, ou=people, ou=special accounts and groups, o=ny, c=us" method="SIMPLE" version=3 s_msgid=7122 s_conn=xxxxxxx:295446
            [15/Feb/2013:11:36:58 -0500] - SERVER_OP - INFO - conn=3096886 op=0 BIND RESPONSE err=0 msg="" s_conn=xxxxxxx:295446
            [15/Feb/2013:11:36:58 -0500] - PROFILE - INFO - conn=3096886 assigned to connection handler cn=devboe,cn=connection handlers,cn=config
            [15/Feb/2013:11:36:58 -0500] - OPERATION - INFO - conn=3096886 op=0 BIND RESPONSE err=0 msg="" etime=0
            [15/Feb/2013:11:36:59 -0500] - OPERATION - INFO - conn=3096886 op=2 msgid=3 SEARCH base="c=us" scope=0 filter="(objectclass=*)" attrs="dn "
            [15/Feb/2013:11:36:59 -0500] - OPERATION - INFO - conn=3096886 op=2 SEARCH RESPONSE err=50 msg="Search operation not permitted " nentries=0 etime=0

            Thank You,

            Jeff
            • 3. Re: DPS 6.3.1.1.1 modify base-dn with data-view
              Sylvain Duloutre-Oracle
              Hi Jeff,

              The error 50 is generated when request filtering is enabled. It looks like request filtering is configured for some searches in the connection handler. This should probably be removed.
              See http://docs.oracle.com/cd/E20295_01/html/821-1220/gbtwj.html#gbvto for more details.

              -Sylvain
              • 4. Re: DPS 6.3.1.1.1 modify base-dn with data-view
                jeffm_20120715
                Thanks, that solved the problem.

                -Jeff
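
The diagnosis in this thread came from pairing a SEARCH with its SEARCH RESPONSE in the DPS access log. The following is an added example, not part of the thread or of any Oracle tooling: it does that pairing by conn and op, and reports searches that ended with err=50 together with the connection handler assigned to the connection, which is where the request filtering policy is attached. The function name, the field names in the result, and the conn=42 log lines are assumptions made for the example.

```python
import re

# Lines for conn=3096886 are copied from the log quoted in the thread; the
# conn=42 pair is constructed to show an err=32 result that is not reported.
SAMPLE_LOG = '''\
[15/Feb/2013:11:36:58 -0500] - PROFILE - INFO - conn=3096886 assigned to connection handler cn=devboe,cn=connection handlers,cn=config
[15/Feb/2013:11:36:59 -0500] - OPERATION - INFO - conn=3096886 op=2 msgid=3 SEARCH base="c=us" scope=0 filter="(objectclass=*)" attrs="dn "
[15/Feb/2013:11:36:59 -0500] - OPERATION - INFO - conn=3096886 op=2 SEARCH RESPONSE err=50 msg="Search operation not permitted " nentries=0 etime=0
[15/Feb/2013:11:37:01 -0500] - OPERATION - INFO - conn=42 op=1 msgid=2 SEARCH base="c=zz" scope=0 filter="(objectclass=*)" attrs="dn "
[15/Feb/2013:11:37:01 -0500] - OPERATION - INFO - conn=42 op=1 SEARCH RESPONSE err=32 msg="" nentries=0 etime=0
'''

HEAD = r'^\[(?P<ts>[^\]]+)\] - (?:OPERATION|PROFILE) - \w+ - conn=(?P<conn>\d+) '
HANDLER = re.compile(HEAD + r'assigned to connection handler (?P<handler>.+)$')
REQUEST = re.compile(HEAD + r'op=(?P<op>\d+) (?:msgid=\d+ )?'
                     r'SEARCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+)')
RESPONSE = re.compile(HEAD + r'op=(?P<op>\d+) '
                      r'SEARCH RESPONSE err=(?P<err>\d+) msg="(?P<msg>[^"]*)"')
SCOPES = {"0": "base", "1": "one", "2": "sub"}  # LDAP search scope values


def rejected_searches(log_text, err_code=50):
    """Pair each SEARCH with its RESPONSE by (conn, op) and return the ones
    that ended with err_code, plus the handler assigned to that connection."""
    handlers, pending, findings = {}, {}, []
    for raw in log_text.splitlines():
        line = raw.strip()  # forum/log copies are often indented
        if m := HANDLER.match(line):
            handlers[m["conn"]] = m["handler"]
        elif m := REQUEST.match(line):
            scope = SCOPES.get(m["scope"], m["scope"])
            pending[(m["conn"], m["op"])] = (m["base"], scope)
        elif m := RESPONSE.match(line):
            # A response with no logged request still gets reported.
            base, scope = pending.pop((m["conn"], m["op"]), (None, None))
            if int(m["err"]) == err_code:
                findings.append({
                    "time": m["ts"], "conn": m["conn"], "base": base,
                    "scope": scope, "msg": m["msg"].strip(),
                    "handler": handlers.get(m["conn"]),
                })
    return findings


if __name__ == "__main__":
    for finding in rejected_searches(SAMPLE_LOG):
        print(finding)
```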