1 Reply Latest reply: Jul 20, 2012 7:06 AM by stefanwo

    ODSEE 11gR1 DPS not blocking LDAP control requests

      I want my DPS to block paged results (OID 1.2.840.113556.1.4.319) requests, so
      I've set the following parameter in DPS to block any LDAP control requests:

      [root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
      Enter the password for "cn=Proxy Manager":
      allowed-ldap-controls : -

      In spite of this, DPS doesn't block the LDAP control request:

      [root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=...,dc=.... "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:
      [root@mysystem logs]# grep "conn=2463" access
      [14/Feb/2012:18:27:08 +0100] - PROFILE - INFO - conn=2463 assigned to connection handler cn=default connection handler, cn=connection handlers, cn=config
      [14/Feb/2012:18:27:08 +0100] - CONNECT - INFO - conn=2463 client= server=.......:389 protocol=LDAP
      [14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=...,dc=..." scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid uidNumber gidNumber "
      [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND dn="" method="SIMPLE" version=3 s_msgid=309 s_conn=my_host:10
      [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND RESPONSE err=0 msg="" s_msgid=309 s_conn=my_host:10 etime=0
      [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH base="ou=...,dc=..." scope=2 filter="(uid=d*)" attrs="uid uidNumber gidNumber " s_msgid=310 s_conn=my_host:10
      [14/Feb/2012:18:27:12 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 s_msgid=310 s_conn=my_host:10 etime=153
      [14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
      [14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=1 UNBIND
      [14/Feb/2012:18:27:12 +0100] - DISCONNECT - INFO - conn=2463 reason="unbind"

      I use the following version of DPS on RHEL 5.7:

      [root@mysystem logs]# /logiciels/odsee/dsee7/bin/dpconf --version
      dpconf : B2011.0517.2145

      Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.

      [root@mysystem logs]# java -version
      java version "1.6.0_20"
      OpenJDK Runtime Environment (IcedTea6 1.9.10) (rhel-
      OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)
      [root@mysystem logs]# grep java errors
      [14/Feb/2012:16:58:19 +0100] - STARTUP - INFO - Java Version: 1.6.0_20 (Java Home: /usr/lib/jvm/java-1.6.0-openjdk-

      My LDAP backend servers are ODSEE 11gR1 servers too, so they don't support the paged results control; that's why I want DPS to block these
      requests (they originate from FreeBSD Unix hosts set up as LDAP clients, when one runs the top command).

      I don't understand why there's such a time gap between the etime of the LDAP backend (153 ms) and the etime of my DPS server (4398 ms)?

      I was previously using DPS 6.3.x and I had a different behaviour when using such LDAP control requests: the DPS was blocking those requests:

      [31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 SEARCH RESPONSE err=12 msg="The server is not configured to pass through control 1.2.840.113556.1.4.319" nentries=0 etime=234

      I've checked the configuration differences between both DPS versions, and it looks the same. Also, I tried to restore the default configuration
      with regards to LDAP controls on the ODSEE 11gR1 instance (see below), but it's still the same problem; the request is not blocked:

      [root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
      Enter the password for "cn=Proxy Manager":
      allowed-ldap-controls : auth-request
      allowed-ldap-controls : chaining-loop-detection
      allowed-ldap-controls : get-effective-rights
      allowed-ldap-controls : manage-dsa
      allowed-ldap-controls : persistent-search
      allowed-ldap-controls : proxy-auth-v1
      allowed-ldap-controls : proxy-auth-v2
      allowed-ldap-controls : real-attributes-only
      allowed-ldap-controls : server-side-sorting
      allowed-ldap-controls : vlv-request
      [root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=uLy2,dc=agalan,dc=org "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:

      It looks like a bug and a regression in comparison with DSEE 6.x. Can anyone confirm?
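The access log excerpt above already contains the evidence that DPS silently stripped the control: the OPERATION line (client side) carries controls="1.2.840.113556.1.4.319", the matching SERVER_OP line (backend side) carries no controls= field at all, and the backend returned err=0 with the full result set. The following script is an added example, not part of the original post or of ODSEE, that correlates OPERATION and SERVER_OP lines per conn/op and reports, for every request that carried a control, whether the proxy passed it through, stripped it, or rejected it, plus the proxy's own share of the etime. The first five sample lines are the conn=2463 excerpt from the post; the remaining lines are constructed. Two assumptions are made about the log format: that a SERVER_OP request line shows controls="..." in the same form as the OPERATION line when DPS does forward a control, and that multiple OIDs are comma-separated.

```python
import re
from collections import defaultdict

# Sample input. Lines 1-5: the conn=2463 excerpt from the post (control stripped by DPS).
# Lines 6-9 (constructed): a ManageDsaIT request that DPS passes through; the SERVER_OP
# line carrying controls= is an assumed format. Lines 10-11 (constructed, modelled on the
# DSEE 6.3 line quoted in the post): an explicit err=12 rejection by the proxy.
SAMPLE_LOG = """\
[14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=...,dc=..." scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid uidNumber gidNumber "
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND dn="" method="SIMPLE" version=3 s_msgid=309 s_conn=my_host:10
[14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH base="ou=...,dc=..." scope=2 filter="(uid=d*)" attrs="uid uidNumber gidNumber " s_msgid=310 s_conn=my_host:10
[14/Feb/2012:18:27:12 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 s_msgid=310 s_conn=my_host:10 etime=153
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
[14/Feb/2012:18:30:00 +0100] - OPERATION - INFO - conn=2470 op=0 msgid=1 SEARCH base="ou=...,dc=..." scope=2 controls="2.16.840.1.113730.3.4.2" filter="(uid=d*)" attrs="uid "
[14/Feb/2012:18:30:00 +0100] - SERVER_OP - INFO - conn=2470 op=0 SEARCH base="ou=...,dc=..." scope=2 controls="2.16.840.1.113730.3.4.2" filter="(uid=d*)" attrs="uid " s_msgid=320 s_conn=my_host:10
[14/Feb/2012:18:30:00 +0100] - SERVER_OP - INFO - conn=2470 op=0 SEARCH RESPONSE err=0 msg="" nentries=10 s_msgid=320 s_conn=my_host:10 etime=20
[14/Feb/2012:18:30:00 +0100] - OPERATION - INFO - conn=2470 op=0 SEARCH RESPONSE err=0 msg="" nentries=10 etime=25
[31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 msgid=2 SEARCH base="ou=...,dc=..." scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid "
[31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 SEARCH RESPONSE err=12 msg="The server is not configured to pass through control 1.2.840.113556.1.4.319" nentries=0 etime=234
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<kind>OPERATION|SERVER_OP) - INFO - '
    r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$'
)
CONTROLS_RE = re.compile(r'controls="([^"]*)"')
ETIME_RE = re.compile(r'etime=(\d+)')
ERR_RE = re.compile(r'err=(\d+)')


def controls_in(rest):
    """OIDs listed in a controls="..." field (comma separator assumed); [] if absent."""
    m = CONTROLS_RE.search(rest)
    return [c.strip() for c in m.group(1).split(",") if c.strip()] if m else []


def audit_controls(log_text):
    """Correlate client-side (OPERATION) and backend-side (SERVER_OP) lines per (conn, op)
    and classify every request that carried at least one control."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # op=-1 is the proxy's own bind on the backend connection, not a client request
        if not m or int(m.group("op")) < 0:
            continue
        rec = ops[(int(m.group("conn")), int(m.group("op")))]
        rest = m.group("rest")
        side = "client" if m.group("kind") == "OPERATION" else "backend"
        if " RESPONSE " in rest:
            rec[side + "_err"] = int(ERR_RE.search(rest).group(1))
            rec[side + "_etime"] = int(ETIME_RE.search(rest).group(1))
        else:
            rec[side + "_controls"] = controls_in(rest)

    findings = []
    for (conn, op), rec in sorted(ops.items()):
        requested = rec.get("client_controls", [])
        if not requested:
            continue
        forwarded = rec.get("backend_controls")      # None: no backend request was logged
        if rec.get("client_err") == 12:
            verdict = "rejected"                     # unavailableCriticalExtension to the client
        elif forwarded is None:
            verdict = "no-backend-op"
        elif [c for c in requested if c not in forwarded]:
            verdict = "stripped"                     # silently dropped before the backend
        else:
            verdict = "passed"
        c_et, b_et = rec.get("client_etime"), rec.get("backend_etime")
        findings.append({
            "conn": conn, "op": op, "requested": requested, "forwarded": forwarded or [],
            "verdict": verdict,
            # time spent in the proxy itself (client etime minus backend etime), in ms
            "proxy_overhead_ms": (c_et - b_et) if c_et is not None and b_et is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_controls(SAMPLE_LOG):
        print(f)
```

Run against a real access log, the "stripped" verdict is the one to alert on: the client believes it asked for paging and got none of the protections it asked for, while the backend served the entire result set. The proxy overhead column (4245 ms on the post's own lines) separates the proxy's share of the latency from the backend's.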
        • 1. Re: ODSEE 11gR1 DPS not blocking LDAP control requests
          The behaviour is correct (and 6.3* was wrong) as specified by RFC 2696: If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical, otherwise the server SHOULD ignore the control. If you would mark the control critical (OID:true) it should return with errno 12 (Unavailable critical extension).
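The difference between the two ldapsearch invocations is a single BER field on the wire. The script below is an added example, not part of the original thread or of ODSEE: it encodes the simple paged results control (RFC 2696) with and without the criticality flag, decodes it back, and applies the server-side rule the reply quotes (unsupported and critical: refuse with result code 12; unsupported and non-critical: ignore the control and run the search anyway). The hypothetical function names and the set of "supported" OIDs passed to handle_controls are this example's own; the encodings follow the Control syntax of RFC 4511 and the control value syntax of RFC 2696.

```python
PAGED_RESULTS = "1.2.840.113556.1.4.319"   # RFC 2696 simple paged results
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"  # one of the OIDs DPS lists as allowed by default
UNAVAILABLE_CRITICAL_EXTENSION = 12        # LDAP result code (RFC 4511)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_uint(v):
    """Minimal two's-complement INTEGER body for a non-negative value."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big")


def paged_results_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING } (RFC 2696)."""
    return tlv(0x30, tlv(0x02, ber_uint(size)) + tlv(0x04, cookie))


def encode_control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL } (RFC 4511). A FALSE criticality is omitted,
    as DER requires for DEFAULT values; that is the form `-J oid` (without :true) sends."""
    body = tlv(0x04, oid.encode("ascii"))
    if critical:
        body += tlv(0x01, b"\xff")
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)


def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_control(buf):
    """Parse one encoded Control into {oid, critical, value}; criticality defaults to False."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single Control SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    ctl = {"oid": oid.decode("ascii"), "critical": False, "value": None}
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        if tag == 0x01:
            ctl["critical"] = field != b"\x00"
        elif tag == 0x04:
            ctl["value"] = field
        else:
            raise ValueError("unexpected tag 0x%02x in Control" % tag)
    return ctl


def handle_controls(controls, supported):
    """Server-side rule of RFC 4511 4.1.11, which RFC 2696 relies on: an unsupported
    critical control aborts the operation with unavailableCriticalExtension (12);
    an unsupported non-critical control is ignored and the operation proceeds.
    Returns (result_code, applied_oids, ignored_oids)."""
    applied, ignored = [], []
    for ctl in controls:
        if ctl["oid"] in supported:
            applied.append(ctl["oid"])
        elif ctl["critical"]:
            return UNAVAILABLE_CRITICAL_EXTENSION, [], []
        else:
            ignored.append(ctl["oid"])
    return 0, applied, ignored


if __name__ == "__main__":
    backend_supports = {MANAGE_DSA_IT}   # a backend without paged results, as in the post
    for critical in (False, True):
        wire = encode_control(PAGED_RESULTS, critical, paged_results_value(100))
        print("critical=%-5s wire=%s" % (critical, wire.hex()))
        print("   server decision:", handle_controls([decode_control(wire)], backend_supports))
```

The only wire-level difference between the two requests is the three-octet `01 01 ff` criticality field; it is what turns the silent full-size result set seen in the access log into an explicit err=12, which is the outcome the reply suggests obtaining with `-J 1.2.840.113556.1.4.319:true`. Note that the client cannot be forced to set it, so a proxy that should never let an unpaged search through needs a size limit of its own rather than reliance on this control.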