3 Replies Latest reply: Aug 11, 2011 2:59 AM by Sylvain Duloutre-Oracle

    DS 6.3.1 and chained suffix

    816523
      Problem description:
      Trying to search the content of a chained suffix while requesting 'dn' only results in no entries in the response. Changing the search request to return the attributes 'dn' and 'uid', for example, returns data as expected.

      Details about configuration:
      internal.ds.server - Directory Server 6.3.1 on Solaris 10 x86
      external.ds.server - Directory Server 6.3.1 on Solaris 10 x86

      The chained suffix o=external was created from LDIF on internal.ds.server. Access to o=external on external.ds.server uses the identity of a dedicated user with proxy rights granted.
      Local ACI checking is set on internal.ds.server. This configuration was set up to make it possible to use Access Manager in the internal environment to authenticate against users in both the internal and external environments.
      The user used for the search is uid=siebelviewer,ou=people,dc=ds,dc=server and has the full set of rights (allow (all) in ACI) on the dc=ds,dc=server data tree on internal.ds.server.

      Debugging results (till now):
      When local ACI checking is set, processing of the search request is recorded in the log file of both LDAP servers. On external.ds.server the number of returned entries (>0) is recorded. On internal.ds.server 0 returned entries is recorded.
      Turning on debugging of ACI processing and reporting into the error log on internal.ds.server shows a failed access attempt due to insufficient access rights:
      # ldapsearch -h internal.ds.server -p 389 -D "uid=siebelviewer,ou=people,dc=ds,dc=server" -b "o=external,dc=ds,dc=server" uid=*sadm* dn
      # less errors
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Operation extension 16e4a38 deallocated
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Operation extension 16e4a38 allocated
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_init_userGroup: found in cache for dn:uid=siebelviewer,ou=people,dc=ds,dc=server
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:o=external,dc=ds,dc=server: container:-1
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:dc=ds,dc=server: container:2
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:dc=server: container:-1
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:: container:0
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index: 0 2
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index: 1 0
      *[03/Aug/2011:17:01:38 +0200] - DEBUG - conn=-1 op=-1 msgId=-1 - acl: access to entry not allowed*
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Copying the Context CURR ENTRY context cache
      [03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Copying the Context (from ACLPB to ACLCB)
      If another attribute (uid) is also requested in the result, it works:
      # ldapsearch -h internal.ds.server -p 389 -D "uid=siebelviewer,ou=people,dc=ds,dc=server" -b "o=external,dc=ds,dc=server" uid=*sadm* dn uid
      Enter bind password:
      version: 1
      dn: uid=SADMIN,ou=People,o=external,dc=ds,dc=server
      uid: SADMIN
      # less errors
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Operation extension 16e4a38 deallocated
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Operation extension 16e4a38 allocated
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_init_userGroup: found in cache for dn:uid=siebelviewer,ou=people,dc=ds,dc=server
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:o=external,dc=ds,dc=server: container:-1
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:dc=ds,dc=server: container:2
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:dc=server: container:-1
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:: container:0
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index: 0 2
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index: 1 0
      *[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ####################ACCESS_ALLOWED START #######*
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for update:uid=sadmin,ou=people,o=external,dc=ds,dc=server: container:-1
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for update:ou=people,o=external,dc=ds,dc=server: container:-1
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index AFTER PREPARE: 0 2
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Index AFTER PREPARE: 1 0
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ************ RESOURCE INFO STARTS *********
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Client DN: uid=siebelviewer,ou=people,dc=ds,dc=server
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - resource type:256(read target_DN )
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Slapi_Entry DN: uid=sadmin,ou=people,o=external,dc=ds,dc=server
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ATTR: uid
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - rights:read
      [03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ************ RESOURCE INFO ENDS *********
      Removing local ACI checking (nschecklocalaci: off) on internal.ds.server makes it possible to search with a request to return only the 'dn' attribute. But local ACI checking is the solution for another issue. :-(


      Note: This is not about the discussion "why a chained suffix and not Directory Proxy Server?"
      Note2: The fact that the chained suffix is obsolete in DS 6.3.1 is known as well, but ...
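An added example, not part of the original post and not Directory Server code: a small Python parser for the NSACLPlugin trace lines quoted above. It collapses one ACI evaluation (same timestamp, conn, op and msgId) into a single record with the bind DN, the decision, and the target DN/attribute/rights from the RESOURCE INFO block, so the two traces can be compared side by side instead of by eye. The sample log is constructed from the lines in the post; the "denied without any RESOURCE INFO" check at the end is the author's own heuristic for spotting the symptom described here (a denial where the engine never got to an entry or attribute), not a documented server condition.

```python
"""Triage helper for DS 6.x NSACLPlugin debug output (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the two traces quoted in the post, trimmed to the lines
# that carry a decision or describe the resource being checked. The '*' at the
# start/end of some lines is forum emphasis, so the regex tolerates it.
SAMPLE_LOG = """\
[03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_init_userGroup: found in cache for dn:uid=siebelviewer,ou=people,dc=ds,dc=server
[03/Aug/2011:17:01:38 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Searching AVL tree for:o=external,dc=ds,dc=server: container:-1
*[03/Aug/2011:17:01:38 +0200] - DEBUG - conn=-1 op=-1 msgId=-1 - acl: access to entry not allowed*
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_init_userGroup: found in cache for dn:uid=siebelviewer,ou=people,dc=ds,dc=server
*[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ####################ACCESS_ALLOWED START #######*
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Client DN: uid=siebelviewer,ou=people,dc=ds,dc=server
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - resource type:256(read target_DN )
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Slapi_Entry DN: uid=sadmin,ou=people,o=external,dc=ds,dc=server
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ATTR: uid
[03/Aug/2011:17:09:05 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - rights:read
"""

# "[ts] - LEVEL - [Plugin - ]conn=N op=N msgId=N - message"; the plugin field is
# absent on the DEBUG line, hence the optional group.
LINE_RE = re.compile(
    r"^\*?\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - "
    r"(?:(?P<plugin>\w+) - )?"
    r"conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=(?P<msgid>-?\d+) - "
    r"(?P<msg>.*?)\*?$"
)

DENIED_MSG = "acl: access to entry not allowed"
ALLOWED_MARK = "ACCESS_ALLOWED START"


def parse_line(line):
    """Split one error-log line into its fields, or return None if it is not an ACI trace line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("conn", "op", "msgid"):
        rec[k] = int(rec[k])
    return rec


def summarize(log_text):
    """One record per (timestamp, conn, op, msgId): who asked, what was decided, on which entry/attribute."""
    checks = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["ts"], rec["conn"], rec["op"], rec["msgid"])
        c = checks.setdefault(key, {
            "ts": rec["ts"], "conn": rec["conn"], "bind_dn": None,
            "decision": None, "target_dn": None, "attr": None, "rights": None,
        })
        msg = rec["msg"]
        if "found in cache for dn:" in msg:
            c["bind_dn"] = msg.split("for dn:", 1)[1]
        elif msg == DENIED_MSG:
            c["decision"] = "denied"
        elif ALLOWED_MARK in msg:
            c["decision"] = "allowed"
        elif msg.startswith("Client DN: "):
            c["bind_dn"] = msg[len("Client DN: "):]
        elif msg.startswith("Slapi_Entry DN: "):
            c["target_dn"] = msg[len("Slapi_Entry DN: "):]
        elif msg.startswith("ATTR: "):
            c["attr"] = msg[len("ATTR: "):]
        elif msg.startswith("rights:"):
            c["rights"] = msg[len("rights:"):]
    return list(checks.values())


def flag_empty_denials(checks):
    """Heuristic (author's assumption): a denial with no RESOURCE INFO at all means the
    engine refused before it had an entry or attribute to evaluate, which is the
    shape of the dn-only trace in the post."""
    return [c for c in checks
            if c["decision"] == "denied" and c["target_dn"] is None and c["attr"] is None]


if __name__ == "__main__":
    results = summarize(SAMPLE_LOG)
    for c in results:
        print("{ts}  {decision:<7}  bind={bind_dn}  target={target_dn}  attr={attr}  rights={rights}".format(**c))
    for c in flag_empty_denials(results):
        print("suspicious: denial with no resource info at", c["ts"])
```

Run it against a copy of the `errors` file instead of SAMPLE_LOG to get one line per evaluation; a denial with no target DN and no attribute next to an allowed evaluation for the same bind DN and base is the pattern to attach to the support case.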
        • 1. Re: DS 6.3.1 and chained suffix
          Sylvain Duloutre-Oracle
          Unfortunately it looks like a bug. The ACI engine expects a non-empty entry.
          Feel free to contact Oracle support to get relief.

          -Sylvain
          • 2. Re: DS 6.3.1 and chained suffix
            816523
            Sylvain,

            thank you for your reply. It has encouraged me to submit a service call. This has started my own story with Oracle support for Sun software. :-)
            I guess you are/were in some sort of relation to Directory Server, aren't you? Why do you see that problem as a bug, not a configuration issue?
            I am looking for some arguments to help move the solution of the issue forward.
            • 3. Re: DS 6.3.1 and chained suffix
              Sylvain Duloutre-Oracle
              Hello,

              Yes, I have a very close relationship with Directory ;-)

              Regarding the justification, your full use case seems complex, so getting back to basics might help. The examples you posted show the issue: a search with attribute list {dn,uid} returns both attributes. In the same context, a search with {dn} only does not return anything. This behaviour is incorrect from an LDAP point of view.

              Hope this helps

              -Sylvain