
Slightly strange LDAP behaviour


EugeneAStrizhov


Hi!

  I'm trying to move my users under LDAP and some issues have appeared.

 

  The first one is LDAP access binding. My server.conf looks like:

  <WorkingMode>LDAPWorkingMode</WorkingMode>
  <SecurityConfig>LDAP:localhost:389:ldapuser:secured:dc=host,dc=tld</SecurityConfig>

 

and I expect the bindings to my LDAP server to be made as `ldapuser' with passphrase `secured', but my LDAP log shows attempts at anonymous access:

 

 
[21/Jan/2013:17:15:58 +0400] conn=16 op=0 BIND dn="" method=128 version=3
[21/Jan/2013:17:15:58 +0400] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
 
As my LDAP forbade anonymous access, all Plastic requests were refused by the LDAP server until I allowed anon access, and then I got the list of my users. Ok.
 
The second issue is about case-sensitive group names. My LDAP tree contains nine different groups with `objectClass: groupOfUniqueNames'. In the LDAP log I see that it honestly returns nine entries to the Plastic request (cm lu localhost:8087 -g):
 
[21/Jan/2013:18:17:41 +0400] conn=19 op=49 SRCH base="dc=domain,dc=tld" scope=2 filter="(|(objectClass=groupofuniquenames)(objectClass=posixGroup)(objectClass=group))" attrs=ALL
[21/Jan/2013:18:17:41 +0400] conn=19 op=49 RESULT err=0 tag=101 nentries=9 etime=0
 
but the console prints only one of them. I compared this entry with the others and found one difference: it had the definition 'objectClass: groupofuniquenames', i.e. it was entered with lower-case letters, while the others were entered as `groupOfUniqueNames'. I changed several objectClass declarations to lower case and they were listed successfully.
 
  I suppose the behaviour in the first issue is not correct, because it drills a hole of some size in security.
  The second issue is more interesting: what does it mean? On the one hand LDAP is not case sensitive for class names (as I remember), so it looks like a bug. But on the other hand it is a feature which is useful for filtering out useless groups, but I don't know whether I can rely on it.
 
  Dear developers, please shed some light on this. My Plastic server version is 4.1.10.388.
 
  Thanks in advance,
     Eugene.
 
 
P.S. 
 Sorry, this topic seems to be more appropriate for 'Installation and configuration'.
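One way to check a directory server's access log for the first issue in the post above: binds with an empty DN that the server accepted, plus the searches run on those connections. This is an added example, not part of the original post or of Plastic SCM; the function name is hypothetical, the log format is assumed to match the lines quoted in the post, and every sample line beyond the first two is constructed.

```python
import re

# Constructed sample in the access-log format quoted in the post. The first two
# lines are the post's own; the DN, the SRCH and the err=48 lines are constructed.
SAMPLE_LOG = '''\
[21/Jan/2013:17:15:58 +0400] conn=16 op=0 BIND dn="" method=128 version=3
[21/Jan/2013:17:15:58 +0400] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[21/Jan/2013:17:15:59 +0400] conn=16 op=1 SRCH base="dc=host,dc=tld" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2013:17:16:02 +0400] conn=17 op=0 BIND dn="uid=ldapuser,dc=host,dc=tld" method=128 version=3
[21/Jan/2013:17:16:02 +0400] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldapuser,dc=host,dc=tld"
[21/Jan/2013:17:16:03 +0400] conn=17 op=1 SRCH base="dc=host,dc=tld" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Jan/2013:17:16:05 +0400] conn=18 op=0 BIND dn="" method=128 version=3
[21/Jan/2013:17:16:05 +0400] conn=18 op=0 RESULT err=48 tag=97 nentries=0 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
DN = re.compile(r'\bdn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
BASE = re.compile(r'\bbase="([^"]*)"')

def find_anonymous_activity(log_text):
    """Return (accepted, searches): empty-DN binds the server accepted, and
    searches run on those connections while they were still anonymous."""
    pending = {}      # (conn, op) -> (timestamp, dn) for a BIND awaiting its RESULT
    anon_now = set()  # connections whose latest accepted bind had an empty DN
    accepted, searches = [], []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, key, rest = int(m['conn']), (m['conn'], m['op']), m['rest']
        if m['kind'] == 'BIND':
            dn = DN.search(rest)
            pending[key] = (m['ts'], dn.group(1) if dn else None)
            anon_now.discard(conn)  # a new bind replaces the old identity
        elif m['kind'] == 'RESULT' and key in pending:
            ts, dn = pending.pop(key)
            err = ERR.search(rest)
            if dn == '' and err and err.group(1) == '0':
                accepted.append((conn, ts))
                anon_now.add(conn)
        elif m['kind'] == 'SRCH' and conn in anon_now:
            base = BASE.search(rest)
            searches.append((conn, base.group(1) if base else None))
    return accepted, searches

if __name__ == '__main__':
    binds, srch = find_anonymous_activity(SAMPLE_LOG)
    print('accepted anonymous binds:', binds)
    print('searches on anonymous connections:', srch)
```

Only explicit empty-DN binds are tracked, as in the quoted log; connections that search without ever binding would need a separate check.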

Archived

This topic is now archived and is closed to further replies.
