directory-dev mailing list archives

From "Alex Karasulu (JIRA)" <>
Subject [jira] Resolved: (DIREVE-284) Simple bind fails for entries with certain partition suffix names
Date Tue, 25 Oct 2005 02:16:55 GMT
Alex Karasulu resolved DIREVE-284:

    Resolution: Fixed

Committed fix changes on revision 328236 here:

Looks like lookups were being made against a bare nexus without normalizing the principal's
name.  I started using the present operation's proxy object with bypasses where normalization
was still allowed.

Added test case in MiscTest for Stefan's Kate Bush user.

> Simple bind fails for entries with certain partition suffix names
> -----------------------------------------------------------------
>          Key: DIREVE-284
>          URL:
>      Project: Directory Server
>         Type: Bug
>     Reporter: Stefan Zoerner
>     Assignee: Alex Karasulu
>      Fix For: 0.9.3

> Some users (i.e. person entries with userPassword attribute) can't authenticate to the server via simple bind. The problem does not exist with entries located in ou=system or dc=apache,dc=org.
> To give an example:
> I used the default server.xml from
> to start the server and added the following entry:
> dn: cn=Kate Bush,dc=apache,dc=org
> cn: Kate Bush
> objectclass: top
> objectclass: person
> sn: Bush
> userPassword: Aerial
> After that, the following works as expected:
> $ ldapsearch -h magritte -p 10389 -D "cn=Kate Bush,dc=apache,dc=org" -w Aerial -b "dc=apache,dc=org" "(sn=Bush)" cn
> cn=Kate Bush,dc=apache,dc=org
> cn=Kate Bush
> $
> and providing a wrong password leads to an "invalid credentials". 
> But if I use "dc=aPache,dc=org" as suffix within the partition configuration, i.e.
> <property name="suffix"><value>dc=aPache,dc=org</value></property>
> adjust other occurrences of dc=apache as well and import the person entry above with DN "cn=Kate Bush,dc=aPache,dc=org", the following happens:
> $ ldapsearch -h magritte -p 10389 -D "cn=Kate Bush,dc=aPache,dc=org" -w Aerial -b "dc=aPache,dc=org" "(sn=Bush)" cn
> ldap_simple_bind: Invalid credentials
> $
> But this still works:
> $ ldapsearch -h magritte -p 10389 -D "uid=admin,ou=system" -w secret -b "dc=aPache,dc=org"
> cn=Kate Bush,dc=aPache,dc=org
> sn=Bush
> cn=Kate Bush
> objectclass=person
> objectclass=top
> userPassword=Aerial
> $
> I have the same problem with suffix "o=sevenSeas" (actually it was the first occurrence I found), and the defect disappears with "o=sevenseas".
> I therefore assume that the authenticator used for simple binds has problems with the mixed characters in the suffixes.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:
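
The failure mode described in this message, as an added example that is not ApacheDS code and not part of the original message: a toy model in which the bind path hands the raw principal name to a suffix router that expects a normalized DN. All class and function names are hypothetical, the DN normalizer is deliberately simplified, and the model assumes that partition suffixes are held in normalized form while each partition normalizes DNs itself.

```python
import hmac
import re

def normalize_dn(dn):
    # Simplified: lower-case types and values, collapse whitespace. Assumes
    # case-insensitive attributes and no escaped commas or multi-valued RDNs.
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        value = re.sub(r"\s+", " ", value.strip()).lower()
        parts.append(attr.strip().lower() + "=" + value)
    return ",".join(parts)

class Partition:
    def __init__(self, suffix):
        self.suffix = normalize_dn(suffix)   # suffix is held in normalized form
        self.entries = {}

    def add(self, dn, attrs):
        self.entries[normalize_dn(dn)] = attrs

    def get(self, dn):
        return self.entries.get(normalize_dn(dn))

class Nexus:
    """Routes a DN to a partition by suffix; expects an already normalized DN."""
    def __init__(self, *partitions):
        self.partitions = partitions

    def lookup(self, dn):
        for p in self.partitions:
            if dn == p.suffix or dn.endswith("," + p.suffix):
                return p.get(dn)
        return None   # no partition matched: the entry looks nonexistent

def simple_bind(nexus, bind_dn, password, normalize=True):
    # normalize=False models the defect: the raw principal name reaches the nexus.
    key = normalize_dn(bind_dn) if normalize else bind_dn
    entry = nexus.lookup(key)
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"].encode(), password.encode())

def build(suffix):
    # Constructed sample data mirroring the entry in the report.
    p = Partition(suffix)
    p.add("cn=Kate Bush," + suffix, {"userPassword": "Aerial"})
    return Nexus(p)
```

In this model an all-lower-case suffix hides the defect because the raw bind DN happens to end with the normalized suffix, which is why a regression test for this class of bug needs a mixed-case suffix.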