OpenIdentityPlatform / OpenDJ

OpenDJ is an LDAPv3 compliant directory service, which has been developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.
https://www.openidentityplatform.org/opendj

Incorrect LDAP result code for DIT Structure Rule violation #401

Closed JesseCoretta closed 1 month ago

JesseCoretta commented 1 month ago

Describe the bug

Additional research underway

Consider that when attempting to write a new entry to a DIT that is presently governed by DIT structure rules, and the new entry violates one of those rules by right of a name form attribute violation, the following result should ensue:

ldap_add: Naming violation (64)
    additional info: ....

Unfortunately, OpenDJ returns:

ldap_add: Object class violation (65)
    additional info: ....

... which is not accurate for this scenario.

I recommend this be changed in the distant future, but as some users may be scanning for this result code in static fashion via custom clients, it may inadvertently become a breaking change.

I am currently writing a rough draft for a new subsection to Section 16. In this new subsection is a practical overview of name forms and structure rules. Perhaps what I will do is put a disclaimer in the new draft section, e.g.:

OpenDJ is currently using the result code of "Object class violation (65)" for DIT structure rule errors where it should be using "Naming violation (64)".

This issue will be resolved in a future release of the package to avoid introducing breaking changes. Users are advised to update any external code or scripts which may match the incorrect result code and take steps to allow recognition of the correct code in parallel for maximum compatibility.

Let me know what you think 😃

Jesse
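Added example (not code from the issue or from the OpenDJ project): a client-side check that follows the advice above, recognising a DIT structure rule violation whether the server returns the correct namingViolation (64) or the historical objectClassViolation (65), by also inspecting the "required by name form" diagnostic text. The two sample outputs are copied from this issue; the parsing of the ldap_add client output is an assumption about its format.

```python
import re
from dataclasses import dataclass
from typing import Optional

NAMING_VIOLATION = 64        # LDAP resultCode namingViolation (correct for this case)
OBJECT_CLASS_VIOLATION = 65  # LDAP resultCode objectClassViolation (what OpenDJ returned)

# OpenDJ's diagnostic for a name form failure names the offending name form.
_NAME_FORM_RE = re.compile(r"required by name form\s+(\S+)", re.IGNORECASE)


@dataclass
class AddResult:
    code: int
    diagnostic: str


def parse_ldap_add_output(text: str) -> AddResult:
    """Parse an ldap_add error message (result line plus 'additional info') into an AddResult."""
    m = re.search(r"ldap_add:\s*.+?\((\d+)\)", text)
    if not m:
        raise ValueError("no 'ldap_add: ... (code)' line found")
    info = re.search(r"additional info:\s*(.*)", text, re.DOTALL)
    # Collapse the wrapped diagnostic onto one line so regexes see a single sentence.
    diagnostic = " ".join(info.group(1).split()) if info else ""
    return AddResult(int(m.group(1)), diagnostic)


def violated_name_form(result: AddResult) -> Optional[str]:
    """Return the name form cited in the diagnostic, or None if none is mentioned."""
    m = _NAME_FORM_RE.search(result.diagnostic)
    return m.group(1) if m else None


def is_dit_structure_rule_violation(result: AddResult) -> bool:
    """True for a name form / DIT structure rule violation under either result code.

    Code 64 is accepted as-is; code 65 is accepted only when the diagnostic
    text cites a name form, so genuine object class violations stay distinct.
    """
    if result.code == NAMING_VIOLATION:
        return True
    return result.code == OBJECT_CLASS_VIOLATION and violated_name_form(result) is not None


# Constructed sample inputs, copied from the outputs shown in this issue.
LEGACY_OUTPUT = """ldap_add: Object class violation (65)
        additional info: Entry mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
violates the Directory Server schema configuration because its RDN does not contain attribute uid that
is required by name form accountForm"""
FIXED_OUTPUT = LEGACY_OUTPUT.replace("Object class violation (65)", "Naming violation (64)")
```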

JesseCoretta commented 1 month ago

Just to offer some additional clarity ...

adding new entry "mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com"
ldap_add: Object class violation (65)
        additional info: Entry mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
violates the Directory Server schema configuration because its RDN does not contain attribute uid that
is required by name form accountForm

This is actually a naming violation (64) because it makes direct reference to an attribute required by a Name Form that is missing.

On the other hand, if someone tries to add an entry bearing an unauthorized STRUCTURAL class (e.g. organizationalRole) where only organizationalUnit (for instance) is allowed, that is still a naming violation because the Name Form is the element that mandates the organizationalUnit.

However, through the years I've seen vendors bounce between Object Class Violation and Naming Violation in this case specifically (seems to be a gray area).

So ... dealer's choice 😄

vharseko commented 1 month ago

Please check the artifact from https://github.com/OpenIdentityPlatform/OpenDJ/actions/runs/10990761899

JesseCoretta commented 1 month ago

@vharseko

Seems to work!!

adding new entry "mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com"
ldap_add: Naming violation (64)
        additional info: Entry mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
violates the Directory Server schema configuration because its RDN does not contain attribute uid that
is required by name form accountForm

Thank you 😃