directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FC-33) AuditMgr.getUserAuthZ cannot pull back faileOnly
Date Thu, 23 Apr 2015 01:28:38 GMT

    [ https://issues.apache.org/jira/browse/FC-33?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14508272#comment-14508272 ]

Shawn McKinney commented on FC-33:
----------------------------------

Explanation for how the fortress authorization audit works in openldap. First there is a read of the permission record (this is the same regardless of whether an audit record is to be added). Next, if openldap audit is enabled, the authz method invokes an ldapcompare operation on the permission node. If authZ was successful, the compare operation should be successful, which triggers an audit compare record to be added for that perm/user with a success code. If authZ failed, the compare fails (result code = 5), which is how it is supposed to work. This will add a record to the audit database for that perm/user with a failure code.

Next, when the authorization record search occurs, as in this use case, it can differentiate between success and failure in the logs.

The problem here is the ldapcompare is returning no such object (32) regardless of whether authZ succeeded or not.

When I execute ldapcompare from the command line, the ldapcompare operation succeeds, with the exact same parameter values:
ldapcompare -x -D "cn=Manager,dc=openldap,dc=org" -w secret -h 172.17.42.1 -p 32770 "ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org"
ftopnm: TOP3_1

So to sum it up: the ldapcompare always returns no such object (regardless of attribute value) in code, but I can get the ldapcompare to work correctly from the command line.

> AuditMgr.getUserAuthZ cannot pull back faileOnly
> ------------------------------------------------
>
>                 Key: FC-33
>                 URL: https://issues.apache.org/jira/browse/FC-33
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0
>
>
> This search filter:
> filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
> in AuditDAO.getAllAuthZs does not work.  It appears the reqAssertion attribute cannot
> be searched on within the auditCompare object class.  Have tested with ldapbrowser and does
> not pull back entries.  Will need to come up with a work around.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
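The success/failure distinction described in the comment above comes down to the LDAP result code the compare operation leaves in the accesslog record: compareTrue (6) is an authorization success, compareFalse (5) is an authorization failure, and anything else (such as noSuchObject, 32, the symptom reported here) is an error that is neither. The following script is an added example, not Fortress or OpenLDAP project code. It reads a small constructed set of slapo-accesslog auditCompare entries in LDIF form and classifies them client side by reqResult, which is one way to pick out failed-only records without filtering on reqAssertion. The sample entries, the reqStart values, the session numbers and the mapping of the "user" to reqAuthzID are constructed for illustration; only the permission DN, the bind DN and the assertion value are taken from the command line on this page.

```python
"""Classify OpenLDAP accesslog (auditCompare) records by LDAP result code.

Added illustration, not Fortress or OpenLDAP code. The LDIF below is
constructed; the attribute names (objectClass auditCompare, reqDN,
reqAssertion, reqResult, reqAuthzID) follow the slapo-accesslog schema.
"""
from typing import Dict, List, Tuple

# LDAP result codes a Compare operation can return (RFC 4511 section 4.1.9).
COMPARE_FALSE = 5    # asserted value does not match: authZ failed
COMPARE_TRUE = 6     # asserted value matches: authZ succeeded
NO_SUCH_OBJECT = 32  # target DN not found: an error, neither success nor failure

# Constructed sample: three compares against the permission node from the
# ticket. reqAuthzID is assumed here to identify the caller being audited.
SAMPLE_AUDIT_LDIF = """\
dn: reqStart=20150423012800.000001Z,cn=log
objectClass: auditCompare
reqStart: 20150423012800.000001Z
reqType: compare
reqSession: 1001
reqAuthzID: cn=Manager,dc=openldap,dc=org
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_1
reqResult: 6

dn: reqStart=20150423012801.000002Z,cn=log
objectClass: auditCompare
reqStart: 20150423012801.000002Z
reqType: compare
reqSession: 1002
reqAuthzID: cn=Manager,dc=openldap,dc=org
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_9
reqResult: 5

dn: reqStart=20150423012802.000003Z,cn=log
objectClass: auditCompare
reqStart: 20150423012802.000003Z
reqType: compare
reqSession: 1003
reqAuthzID: cn=Manager,dc=openldap,dc=org
reqDN: ftOpNm=TOP3_1,ftObjNm=TOB3_1,ou=Permissions,ou=RBAC,dc=openldap,dc=org
reqAssertion: ftOpNm=TOP3_1
reqResult: 32
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line. Continuation lines and base64 ('::') values
    are not handled because the constructed sample does not use them."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def classify_compare(entry: Dict[str, str]) -> str:
    """Map one audit record to 'success', 'failure' or 'error:<code>'."""
    if entry.get("objectClass") != "auditCompare":
        return "not-a-compare"
    code = int(entry.get("reqResult", "-1"))
    if code == COMPARE_TRUE:
        return "success"
    if code == COMPARE_FALSE:
        return "failure"
    # noSuchObject (32) and friends: the compare never evaluated the
    # assertion, so the record must not be counted as an authZ failure.
    return f"error:{code}"


def failed_authz(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Client-side 'failed only' view: (caller, permission DN) for each
    compare that returned compareFalse."""
    return [(e["reqAuthzID"], e["reqDN"])
            for e in entries if classify_compare(e) == "failure"]


def summarize(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per classification."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = classify_compare(e)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_ldif(SAMPLE_AUDIT_LDIF)
    print(summarize(records))
    for who, perm in failed_authz(records):
        print(f"FAILED authZ: {who} on {perm}")
```

The third record is the shape the comment above reports from code: a reqResult of 32 on every compare, which the classifier reports as an error rather than as a failed authorization, so a failed-only query built on it would come back empty even though the audit log is being written.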
