Re: Issue 40 in direct-certificate-discovery-tool: LDAP search not working - Base DN not being searched


direct-certifica...@googlecode.com

Nov 19, 2012, 3:33:48 PM
to modular-sp...@googlegroups.com

Comment #2 on issue 40 by david.de...@nitorgroup.com: LDAP search not working - Base DN not being searched
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=40

We are able to return namingContexts from our onctest.org server and then
search under each namingContext returned using the subtree scope for the
appropriate mail and userCertificate attributes.

However, the only way that we are able to return the certificate for
steve...@myhealthisp.com is by hard coding the directory name
(dc=myhealthisp,dc=com) into the base directory search filter using JNDI
(see this for what we are basing our code off of:
http://directory.apache.org/apacheds/manuals/basic-user-guide-1.5.8-SNAPSHOT/html/ch03s03.html#LDAP
Operations Searching)

When our tool searches the onctest.org LDAP server for dts...@onctest.org,
we are given each of the namingContexts back.

When our tool searches the myhealthisp.com server for
steve...@myhealthisp.com, we are just given the response:

No Results for: myhealthisp.com.
Problem: [LDAP: error code 32 - No Such Object] null

Here's the output to the Eclipse console for both the onctest.org server
and the myhealthisp.com server:
https://www.evernote.com/shard/s123/sh/02a27b64-2bb4-49bd-ba64-7f0625ef512d/4d422f1471383d3a1e34eb3dd64685da

We think that the following is causing the problem:

- JNDI cannot do a base search for OpenLDAProotDSE objectClass directories.

We are still investigating this issue.

direct-certifica...@googlecode.com

Nov 20, 2012, 2:40:24 PM
to modular-sp...@googlegroups.com

Comment #3 on issue 40 by david.de...@nitorgroup.com: LDAP search not working - Base DN not being searched

RFC 4512 Section 5.1 says the following about root DSEs:

"An LDAP server SHALL provide information about itself and other
information that is specific to each server. This is represented as
a group of attributes located in the root DSE, which is named with
the DN with zero RDNs (whose [RFC4514] representation is as the
zero-length string).

These attributes are retrievable, subject to access control and other
restrictions, if a client performs a Search operation [RFC4511] with
an empty baseObject, scope of baseObject, the filter "(objectClass=*)"
[RFC4515], and the attributes field listing the names of the desired
attributes. It is noted that root DSE
attributes are operational and, like other operational attributes,
are not returned in search requests unless requested by name."

What we've found is that some implementations (including JNDI) cannot
retrieve the attributes such as namingContexts from the root DSE unless
they are requested by name.
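The two comments above describe one procedure: read namingContexts from the root DSE (empty base, base scope, filter (objectClass=*), and the operational attribute requested by name), then run a subtree search under each context for the mail and userCertificate attributes. The following is an added example of that procedure in JNDI, written for this thread; it is not DCDT's code and not code from any of the commenters. The LDAP URL ldap://ldap.example.net:389 and the address user@example.net are assumed placeholders, and the attribute names are the ones the thread uses. It also handles the failure mode reported here, LDAP result 32 (No Such Object) from a context the server advertises but does not serve, by treating that context as empty and moving on to the next one.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (not DCDT code): find a Direct address's certificate by walking the
// namingContexts advertised in the root DSE instead of hard-coding a base DN.
public class RootDseCertLookup {

    // Root DSE search per RFC 4512 s5.1: empty base object, base scope, (objectClass=*),
    // and the operational attribute listed BY NAME, or the server will not return it.
    static List<String> namingContexts(DirContext ctx) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc.setReturningAttributes(new String[] {"namingContexts"});
        List<String> contexts = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search("", "(objectClass=*)", sc);
        try {
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("namingContexts");
                if (attr == null) {
                    continue;
                }
                NamingEnumeration<?> values = attr.getAll();
                while (values.hasMore()) {
                    contexts.add(values.next().toString());
                }
            }
        } finally {
            results.close();
        }
        return contexts;
    }

    // Subtree search under one naming context. {0} is substituted by JNDI with RFC 4515
    // escaping, so a caller-supplied address cannot rewrite the filter (LDAP injection).
    static List<X509Certificate> certificatesFor(DirContext ctx, String baseDn, String mail)
            throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"mail", "userCertificate", "userCertificate;binary"});
        List<X509Certificate> certs = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(mail={0})", new Object[] {mail}, sc);
            try {
                while (results.hasMore()) {
                    Attributes attrs = results.next().getAttributes();
                    // Servers may return the attribute under either name; check both.
                    Attribute attr = attrs.get("userCertificate;binary");
                    if (attr == null) {
                        attr = attrs.get("userCertificate");
                    }
                    if (attr == null) {
                        continue;
                    }
                    NamingEnumeration<?> values = attr.getAll();
                    while (values.hasMore()) {
                        byte[] der = (byte[]) values.next();
                        certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                    }
                }
            } finally {
                results.close();
            }
        } catch (NameNotFoundException e) {
            // LDAP result 32 (No Such Object): this context is advertised but not
            // searchable here. Report nothing for it rather than aborting discovery.
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder values; a real tool derives the server from the Direct address.
        String ldapUrl = args.length > 0 ? args[0] : "ldap://ldap.example.net:389";
        String mail = args.length > 1 ? args[1] : "user@example.net";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        // Have JNDI hand userCertificate back as byte[] rather than as a decoded String.
        env.put("java.naming.ldap.attributes.binary", "userCertificate");
        DirContext ctx = new InitialDirContext(env);
        try {
            for (String base : namingContexts(ctx)) {
                for (X509Certificate cert : certificatesFor(ctx, base, mail)) {
                    System.out.println(base + " -> " + cert.getSubjectX500Principal());
                }
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `java RootDseCertLookup ldap://host:389 someone@domain`. To confirm from the command line that a server advertises its contexts at all, the equivalent ldapsearch is a base-scope search with an empty base DN and namingContexts named explicitly (`ldapsearch -x -H ldap://host -s base -b "" "(objectClass=*)" namingContexts`); if that returns nothing, no client code will find them either, and the server's access controls or configuration are the place to look.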

direct-certifica...@googlecode.com

Nov 27, 2012, 1:53:20 PM
to modular-sp...@googlegroups.com
Updates:
Owner: Sandeep....@nitorgroup.com

Comment #4 on issue 40 by edward.o...@nitorgroup.com: LDAP search not working - Base DN not being searched
(No comment was entered for this change.)

direct-certifica...@googlecode.com

Dec 23, 2012, 4:25:54 PM
to modular-sp...@googlegroups.com
Updates:
Status: Accepted

Comment #6 on issue 40 by michal.k...@esacinc.com: LDAP search not working - Base DN not being searched

I have addressed this issue in revision 440 and revision 442.

I am currently in the midst of transitioning to a new demo instance, so
changes will likely not be available on the old demo instance at
testteam.us.

My new demo instance is at http://direct-test.com/dcdt. I've pushed the
changes to this instance and tested with steve...@myhealthisp.com (in
addition to my regular test cases) and everything looks good. Feel free to
test against this instance yourself, but please be aware that it is being
actively deployed to, so availability is not guaranteed.

I will keep this issue as Accepted until the official demo instance has the
changes.

direct-certifica...@googlecode.com

Dec 24, 2012, 1:29:45 AM
to modular-sp...@googlegroups.com

Comment #7 on issue 40 by gan...@glenwoodsystems.com: LDAP search not working - Base DN not being searched

I have the same issue.
ldapsearch -h direct.myhealthhisp.com -p 389 -x -s subtree
-b "dc=direct,dc=myhealthhisp,dc=com" "(mail=s...@direct.myhealthhisp.com)"
Is working fine. But the test tool is not discovering the record.
Without using the base domain your tool cannot discover the record.
Is there a fix available now?
