TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

Create virtual memberof insert #15

Closed mlbiam closed 7 years ago

mlbiam commented 7 years ago

Insert should support:

  1. creation of virtual attribute based on a reference to all instances of the current object
  2. add a search base and filter
  3. append to existing values
  4. support being filtered on, i.e. if (memberof=cn=some,ou=groups) and the user is a member of cn=some,groups the entry should be returned

Patrock commented 7 years ago

Hello mlbiam, sorry for the late response, had some other deadlines to meet... My next steps with myvd will be during Christmas holidays ;)

I think all requirements are met! It is important to say that there could be multiple memberof-Attributes. Is this meant by appending to existing values?

mlbiam commented 7 years ago

@Patrock correct. So if you have a user that already has a memberof attribute, this insert will have a flag to either add to it or replace it. I can think of use cases where you are integrating with a directory that you don't want applications to know about the groups in.

Patrock commented 7 years ago

@mlbiam this attribute cloaking sounds good in general ;) Does the replace only replace the real memberof-attribute? If I have multiple virtual memberof's (multiple groups) the replace should only act on the real ones and not on other virtual attributes, or do I miss something here?

mlbiam commented 7 years ago

@Patrock sorry for the delay. thought i'd be able to knock this out during the holidays. My thought is that the config will look something like:

ns.memberof.className=com.tremolosecurity.myvd.inserts.VirtualMemberOf
ns.memberof.config.searchBase=dc=domain,dc=com
ns.memberof.config.applyToObjectClass=inetOrgPerson
ns.memberof.config.searchFilter=(&(objectClass=groupOfUniqueNames)(uniqueMember=#DN#))
ns.memberof.config.replace=false
ns.memberof.config.attributeName=memberof

So if a user is a member of 3 groups from your dir but has memberships in 2 groups in AD your memberof attribute would have 5 values. If replace is true it would only have 3. If you want to pull from multiple locations you can layer these inserts
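
The append/replace behaviour described in this comment, modelled over in-memory data as an added example (not MyVirtualDirectory code). The function names, the sample entries, the simplified DN normalisation and the RFC 4515 escaping applied to the `#DN#` value are assumptions of this example.

```python
import re

# Filter template taken from the config in the comment above.
FILTER_TEMPLATE = "(&(objectClass=groupOfUniqueNames)(uniqueMember=#DN#))"

# Constructed sample data: a user that already carries two memberof values
# from a backend directory, and groups held in the virtual directory.
USER = {
    "dn": "uid=jdoe,ou=people,dc=domain,dc=com",
    "objectClass": ["inetOrgPerson"],
    "memberof": ["CN=VPN Users,OU=Groups,DC=ad,DC=example",
                 "CN=Staff,OU=Groups,DC=ad,DC=example"],
}
GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=domain,dc=com",
     "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=jdoe,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=devs,ou=groups,dc=domain,dc=com",
     "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["UID=JDoe, ou=people, dc=domain, dc=com"]},
    {"dn": "cn=wiki,ou=groups,dc=domain,dc=com",
     "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=jdoe,ou=people,dc=domain,dc=com",
                      "uid=asmith,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=finance,ou=groups,dc=domain,dc=com",
     "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=asmith,ou=people,dc=domain,dc=com"]},
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_group_filter(template, dn):
    """Substitute the entry DN for #DN#, escaped so it cannot alter the filter."""
    return template.replace("#DN#", escape_filter_value(dn))


def normalize_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def find_groups(groups, user_dn):
    """In-memory equivalent of running the group filter for one user DN."""
    target = normalize_dn(user_dn)
    return [g["dn"] for g in groups
            if "groupOfUniqueNames" in g["objectClass"]
            and target in {normalize_dn(m) for m in g["uniqueMember"]}]


def apply_virtual_memberof(entry, groups, *, replace,
                           attribute_name="memberof",
                           apply_to="inetOrgPerson"):
    """Return a copy of entry with the virtual attribute appended or replaced."""
    result = dict(entry)
    if apply_to not in entry.get("objectClass", []):
        return result  # the insert only touches the configured object class
    existing = [] if replace else list(entry.get(attribute_name, []))
    merged, seen = [], set()
    for value in existing + find_groups(groups, entry["dn"]):
        key = normalize_dn(value)
        if key not in seen:  # avoid duplicate values for the same group
            seen.add(key)
            merged.append(value)
    result[attribute_name] = merged
    return result


def matches_memberof(entry, group_dn, attribute_name="memberof"):
    """Evaluate an equality filter such as (memberof=<group_dn>) on an entry."""
    wanted = normalize_dn(group_dn)
    return wanted in {normalize_dn(v) for v in entry.get(attribute_name, [])}


if __name__ == "__main__":
    print(build_group_filter(FILTER_TEMPLATE, USER["dn"]))
    for flag in (False, True):
        entry = apply_virtual_memberof(USER, GROUPS, replace=flag)
        print("replace=%s -> %d values" % (flag, len(entry["memberof"])))
        for value in entry["memberof"]:
            print("   ", value)
```

With `replace=true` the backend's own group names no longer appear in the returned entry and a filter on them stops matching, which is the cloaking use case mentioned earlier in the thread.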

Patrock commented 7 years ago

@Marc this seems a good solution, i think.

What about nested group membership? In openLDAP and AD, groups can be members of other groups (I think it is what your insert EmbeddedGroups does?). When a group is a member of another group, it also has a memberof-Attribute.

Can i apply this insert to multiple Classes ?

Would the combination of EmbeddedGroups and VirtualMemberOf work ?

I'm eager to test it...

mlbiam commented 7 years ago

@Patrock it should. inserts are layered so if you configured virtualmemberof in front of embedded groups it should all work. If you're OK with building from source I might have this working later this afternoon.

mlbiam commented 7 years ago

@Patrock this insert's ready to go. Take a look at the test/TestServer/testVirtualMemberOf.props for an example config. I'll keep this feature open if I need to make fixes

Patrock commented 7 years ago

@mlbiam okay, wonderful. I already made some tests yesterday (not the last version) and got it partially working but had some problems. Current tests don't resolve it completely.

I have the following structure:

The insert is working fine locally in my internal & external directories. When I put it on globalChain I get schema problems and can't connect to the directory. On RootObject it won't work, too (nothing happens at all?). How can I only put one vmemberof in my structure to be applied on all entries?

When I put it on internal directory, I can search memberOf (for internal groups) in both directories but won't get the attributes on externalAD entries?

Do you have some advice?

My vmember-Config (same for both directories)

server.internal.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.internal.vmemberof.config.searchBase=dc=abc
server.internal.vmemberof.config.applyToObjectClass=inetOrgPerson
server.internal.vmemberof.config.attributeName=memberOf
server.internal.vmemberof.config.searchObjectClass=groupOfNames
server.internal.vmemberof.config.searchAttribute=member
server.internal.vmemberof.config.replace=true

I am using ApacheDirectoryStudio for checking my ldap. When I search for user and request memberOf attribute the memberOf is there. But when I reload an entry (not requesting memberOf explicitly), there is no memberOf. Can it be a schema problem (memberOf not in schema)?

Can I modify the schemas, I've seen a openldap_schema.ldif in the conf-directory. But if I change something there, it isn't reflected in the directory?

mlbiam commented 7 years ago

@Patrock the schema errors are because OOTB MyVD doesn't support schema (you can add it as another namespace). You can ignore those errors from ads (I use it as well).

Can you attach to the issue:

  1. your config (sanitized)
  2. your logs
  3. specific searches you are running

Patrock commented 7 years ago

@mlbiam

I now see that the searches from ApacheDirectoryStudio were not configured well (-s base as standard option)... then I didn't get any memberof-attributes. With manual searches and no -s option I get all entries right ;) sorry for that...

My last problem is to move the vmemberof-insert in front of both directories. How can this be achieved? Should the globalchain work?

error for VirtualMemberOf in global chain:

[2017-01-08 13:23:41,166][main] DEBUG CoreKeyStoreSpi - Constructor called.
[2017-01-08 13:23:41,167][main] DEBUG CoreKeyStoreSpi - engineLoad(null, null) called.
[2017-01-08 13:23:41,169][main] DEBUG CoreKeyStoreSpi - engineAliases() called.
[2017-01-08 13:23:41,170][main] DEBUG CoreKeyStoreSpi - engineIsKeyEntry(apacheds) called.
[2017-01-08 13:23:41,172][main] DEBUG CoreKeyStoreSpi - engineGetKey(apacheds, null) called.
[2017-01-08 13:23:41,172][main] DEBUG DefaultDnFactory - Dn uid=admin,ou=system found in the cache
[2017-01-08 13:23:41,172][main] DEBUG OPERATION_LOG - >> LookupOperation : FilteringOperationContext for Dn 'uid=admin,ou=system',
[2017-01-08 13:23:41,188][main] DEBUG InterceptorChain - Chain Position : 0
[2017-01-08 13:23:41,188][main] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.mapping.VirtualMemberOf@29c5ee1d
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Chain Position : 1
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.DumpTransaction@15cea7b0
[2017-01-08 13:23:41,189][main] DEBUG DumpTransaction - [Global] Begin Seach - Filter=(objectClass=);Base=uid=admin,ou=system;Scope=0;Attributes=
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Chain Completed
[2017-01-08 13:23:41,189][main] DEBUG Router - Entering router search
[2017-01-08 13:23:41,189][main] DEBUG Router - Determining local levels
[2017-01-08 13:23:41,189][main] DEBUG Router - Is set namespace?
[2017-01-08 13:23:41,189][main] DEBUG Router - namespace set by router
[2017-01-08 13:23:41,190][main] DEBUG Router - namespace levels determined
[2017-01-08 13:23:41,190][main] DEBUG Router - no levels found
[2017-01-08 13:23:41,196][main] DEBUG DumpTransaction - [Global] Error Running Search
com.novell.ldap.LDAPException: No Such Object
    at net.sourceforge.myvd.router.Router.getLocalLevels(Router.java:209) ~[myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.router.Router.search(Router.java:326) ~[myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60) ~[myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.lookup(MyVDInterceptor.java:469) [myvd-server-1.0.1.jar:?]
    at org.apache.directory.server.core.DefaultOperationManager.lookup(DefaultOperationManager.java:773) [myvd-server-1.0.1.jar:2.0.0-M20]
    at org.apache.directory.server.core.shared.DefaultCoreSession.lookup(DefaultCoreSession.java:571) [myvd-server-1.0.1.jar:2.0.0-M20]
    at org.apache.directory.server.core.security.CoreKeyStoreSpi.getTlsEntry(CoreKeyStoreSpi.java:79) [apacheds-service-2.0.0-M20.jar:2.0.0-M20]
    at org.apache.directory.server.core.security.CoreKeyStoreSpi.engineGetKey(CoreKeyStoreSpi.java:225) [apacheds-service-2.0.0-M20.jar:2.0.0-M20]
    at java.security.KeyStore.getKey(KeyStore.java:1023) [?:1.8.0_111]
    at sun.security.ssl.SunX509KeyManagerImpl.(SunX509KeyManagerImpl.java:133) [?:1.8.0_111]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) [?:1.8.0_111]
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) [?:1.8.0_111]
    at org.apache.directory.server.ldap.LdapServer.loadKeyStore(LdapServer.java:420) [myvd-server-1.0.1.jar:?]
    at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:494) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.server.Server.startServer(Server.java:412) [myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.server.Server.main(Server.java:534) [myvd-server-1.0.1.jar:?]

my config:

server.listener.port=10389

# Configure global chains
server.globalChain=LogAllTransactions
server.globalChain.LogAllTransactions.className=net.sourceforge.myvd.inserts.DumpTransaction
server.globalChain.LogAllTransactions.config.logLevel=debug
server.globalChain.LogAllTransactions.config.label=Global

server.nameSpaces=root,dcroot,INTERNAL,CIT

# Define RootDSE
server.root.chain=RootDSE
server.root.nameSpace=
server.root.weight=0
server.root.RootDSE.className=net.sourceforge.myvd.inserts.RootDSE
server.root.RootDSE.config.namingContexts=dc=hsd
server.root.RootDSE.config.supportedControls=2.16.840.1.113730.3.4.18,2.16.840.1.113730.3.4.2,1.3.6.1.4.1.4203.1.10.1,1.2.840.113556.1.4.319,1.2.826.0.1.334810.2.3,1.2.826.0.1.3344810.2.3,1.3.6.1.1.13.2,1.3.6.1.1.13.1,1.3.6.1.1.12
server.root.RootDSE.config.supportedSaslMechanisms=NONE

server.dcroot.chain=root
server.dcroot.nameSpace=dc=xyz
server.dcroot.weight=0
server.dcroot.root.className=net.sourceforge.myvd.inserts.RootObject

server.INTERNAL.chain=vmemberof,embeddedgroups,dnmapper,LDAP_INTERNAL
server.INTERNAL.nameSpace=dc=abc,dc=xyz
server.INTERNAL.weight=0

server.INTERNAL.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.INTERNAL.vmemberof.config.searchBase=dc=xyz
server.INTERNAL.vmemberof.config.applyToObjectClass=inetOrgPerson
server.INTERNAL.vmemberof.config.attributeName=memberOf
server.INTERNAL.vmemberof.config.searchObjectClass=groupOfNames
server.INTERNAL.vmemberof.config.searchAttribute=member
server.INTERNAL.vmemberof.config.replace=true

server.INTERNAL.embeddedgroups.className=net.sourceforge.myvd.inserts.ldap.EmbeddedGroups
server.INTERNAL.embeddedgroups.config.staticAttribute=member
server.INTERNAL.embeddedgroups.config.groupSearchBase=dc=abc,dc=xyz
server.INTERNAL.embeddedgroups.config.staticObjectClass=groupOfNames
server.INTERNAL.embeddedgroups.config.userDN=
server.INTERNAL.embeddedgroups.config.userPwd=
server.INTERNAL.embeddedgroups.config.useSync=false

server.INTERNAL.dnmapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.INTERNAL.dnmapper.config.dnAttribs=uniqueMember,member,memberOf,distinguishedName
server.INTERNAL.dnmapper.config.localBase=dc=abc,dc=xyz
server.INTERNAL.dnmapper.config.urlAttribs=
server.INTERNAL.dnmapper.config.remoteBase=dc=remote

server.INTERNAL.LDAP_INTERNAL.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.INTERNAL.LDAP_INTERNAL.config.host=ldap
server.INTERNAL.LDAP_INTERNAL.config.port=389
server.INTERNAL.LDAP_INTERNAL.config.remoteBase=dc=remote
server.INTERNAL.LDAP_INTERNAL.config.proxyDN=
server.INTERNAL.LDAP_INTERNAL.config.proxyPass=
server.INTERNAL.LDAP_INTERNAL.config.passBindOnly=true
server.INTERNAL.LDAP_INTERNAL.config.ignoreRefs=true

server.CIT.chain=vmemberof,uuid2text,dnmapper,objmap,membertrans,LDAP_CIT
server.CIT.nameSpace=ou=klm,dc=xyz
server.CIT.weight=0

server.CIT.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.CIT.vmemberof.config.searchBase=dc=xyz
server.CIT.vmemberof.config.applyToObjectClass=inetOrgPerson
server.CIT.vmemberof.config.attributeName=memberOf
server.CIT.vmemberof.config.searchObjectClass=groupOfNames
server.CIT.vmemberof.config.searchAttribute=member
server.CIT.vmemberof.config.replace=true

server.CIT.uuid2text.className=com.tremolosecurity.proxy.myvd.inserts.util.UUIDtoText
server.CIT.uuid2text.config.attributeName=objectGUID

server.CIT.dnmapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.CIT.dnmapper.config.dnAttribs=uniqueMember,member,memberOf,distinguishedName
server.CIT.dnmapper.config.localBase=ou=klm,dc=xyz
server.CIT.dnmapper.config.urlAttribs=
server.CIT.dnmapper.config.remoteBase=remote

server.CIT.objmap.className=net.sourceforge.myvd.inserts.mapping.AttributeValueMapper
server.CIT.objmap.config.mapping=objectClass.inetOrgPerson=user,objectClass.groupOfNames=group

server.CIT.membertrans.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.CIT.membertrans.config.mapping=member=member,uid=samAccountName

server.CIT.LDAP_CIT.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.CIT.LDAP_CIT.config.host=ad-host
server.CIT.LDAP_CIT.config.port=389
server.CIT.LDAP_CIT.config.remoteBase=remoteBase
server.CIT.LDAP_CIT.config.proxyDN=
server.CIT.LDAP_CIT.config.proxyPass=
server.CIT.LDAP_CIT.config.passBindOnly=true
server.CIT.LDAP_CIT.config.ignoreRefs=true

Patrock commented 7 years ago

@mlbiam sorry, i posted the wrong errors for the globalchain-insert.

This is the last error i get:

[2017-01-08 13:36:26,161][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE
Message ID : 5
    Search Result Done
        Ldap Result
            Result code : (OPERATIONS_ERROR) operationsError
            Matched Dn : 'null'
            Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST
Message ID : 5
    SearchRequest
        baseDn : ''
        filter : '(objectClass=*)'
        scope : single level
        typesOnly : false
        Size Limit : no limit
        Time Limit : no limit
        Deref Aliases : never Deref Aliases
        attributes : 'objectClass'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@456199b: LDAP Not Supported: org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported
    at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.router.Router.search(Router.java:368)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60)
    at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781)
    at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
    at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:1)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
    at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPException: Root is search only (92) LDAP Not Supported
    ... 29 more
'

mlbiam commented 7 years ago

Out of curiosity what happens when you disable embedded groups?

Patrock commented 7 years ago

@mlbiam okay, removal of embedded groups does nothing special i think...

vmemberof in globalchain does work... The only problem is when I want to connect to apachedirectorystudio and load/reload rootDSE. It won't load. When I directly search or jump into RootObject (dc=xyz) everything works. Just the rootDSE can't be queried(?)...

Perhaps it is a problem of apacheDirectoryStudio ? But this is working without vmemberof in globalchain...

But the right functionality is there ;) thank you for your fast and good work ;)

Am 08.01.2017 um 15:16 schrieb Marc Boorshtein:

Out of curiosity what happens when you disable embedded groups?

On Sun, Jan 8, 2017, 8:42 AM Patrock notifications@github.com wrote:

@mlbiam sorry, i posted the wrong errors for the globalchain-insert.

This is the last error i get:

[2017-01-08 13:36:26,161][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE Message ID : 5 Search Result Done Ldap Result Result code : (OPERATIONS_ERROR) operationsError Matched Dn : 'null' Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 5 SearchRequest baseDn : '' filter : '(objectClass=*)' scope : single level typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : never Deref Aliases attributes : 'objectClass' org.apache.directory.api.ldap.model.message.SearchRequestImpl@456199b: LDAP Not Supported:

org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161) at

net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) at net.sourceforge.myvd.router.Router.search(Router.java:368) at

net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60) at

net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781)
at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:1)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPException: Root is search only (92) LDAP Not Supported
... 29 more '

On 08.01.2017 at 13:35, Marc Boorshtein wrote:

@Patrock https://github.com/Patrock the schema errors are because OOTB MyVD doesn't support schema (you can add it as another namespace). You can ignore those errors from ads (I use it as well).

Can you attach to the issue:

  1. your config (sanitized)
  2. your logs
  3. specific searches you are running

--

Dipl.-Ing.(FH) Patrick Pogscheba, MSc.

Hochschule Düsseldorf University of Applied Sciences

Fachbereich Medien - Faculty of Media http://www.medien.hs-duesseldorf.de/ Mixed Reality and Visualization (MIREVI) Web Technologies, Mobile Computing & Ambient Assisted Living (AAL)

phone (office): (+49) 211 4351 3452 email: patrick.pogscheba@hs-duesseldorf.de mailto:patrick.pogscheba@hs-duesseldorf.de

Münsterstraße 156 Raum 04.2.008 40476 Düsseldorf Deutschland / Germany

-- Marc Boorshtein CTO Tremolo Security marc.boorshtein@tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity

mlbiam commented 7 years ago

@Patrock ok let me make sure i get this correct:

  1. With both virtualmemberof and embedded groups direct searches via LDAP search work when they're configured on the global chain
  2. ApacheDS fails to load the DIT due to errors?

Patrock commented 7 years ago

@mlbiam

  1. correct, but embedded groups are on internal directory only (only needed there)

  2. yes. it seems there is no connection from RootDSE to RootObject (only when i put VirtualMemberOf in globalchain). If i use "go to DN" it is shown in my ApacheDS-Tree and i can go on to browse it...

(Error: LDAPException: Root is search only (92) LDAP Not Supported -> i )

it is not so easy for me to look through the logs and get the right info, perhaps this has something to do with the problem:

[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG OPERATION_LOG - >> LookupOperation : FilteringOperationContext for Dn '', +, attributes : <2.5.4.0>
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.DumpTransaction@29c5ee1d
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Begin Seach - Filter=(objectClass=);Base=;Scope=0;Attributes=
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 1
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.mapping.VirtualMemberOf@15cea7b0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Completed
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Entering router search
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determining local levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Is set namespace?
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - namespace set by router
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - namespace levels determined
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determined local levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Iterate over levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determine scope
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Base determined
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - create local chain
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Begin Local Chain
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.RootDSE@77aed2c0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - chain complete
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Seach submitted
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Begin Post Search Entry - Filter=(objectClass=);Base=;Scope=0;Attributes=[]
dn :
namingContexts : dc=hsd
supportedControls : 2.16.840.1.113730.3.4.18
supportedControls : 2.16.840.1.113730.3.4.2
supportedControls : 1.3.6.1.4.1.4203.1.10.1
supportedControls : 1.2.840.113556.1.4.319
supportedControls : 1.2.826.0.1.334810.2.3
supportedControls : 1.2.826.0.1.3344810.2.3
supportedControls : 1.3.6.1.1.13.2
supportedControls : 1.3.6.1.1.13.1
supportedControls : 1.3.6.1.1.12
supportedSaslMechanisms : NONE
supportedLDAPVersion : 2
supportedLDAPVersion : 3
subSchemaSubEntry : cn=schema
myVdReturnEntry: true
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.RootDSE@77aed2c0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Post Search Entry Error
java.lang.NullPointerException: null
at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.postSearchEntry(VirtualMemberOf.java:302) ~[myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65) ~[myvd-server-1.0.1.jar:?]

Patrock commented 7 years ago

@mlbiam just made more tests with virtualmemberof and embeddedgroups in different configurations (global chain and directory chain) ...

with virtualmemberof and embeddedgroups in chain i can't find members in group ->Filter: (member=XXXXXX)

Can you reproduce this behaviour in your setups? I didn't find anything conspicuous in the logs...

Patrock commented 7 years ago

@mlbiam made some tests today... got schema working with LDAPInterceptor (like vmemberof test-example).

I still get errors in RootDSE with vmemberof in global chain. I stripped down the setup to (same error with full config RootDSE->RootObject->LDAP)

server.globalChain=vmemberof

server.globalChain.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.globalChain.vmemberof.config.searchBase=dc=XXX
server.globalChain.vmemberof.config.applyToObjectClass=inetOrgPerson
server.globalChain.vmemberof.config.attributeName=memberOf
server.globalChain.vmemberof.config.searchObjectClass=groupOfNames
server.globalChain.vmemberof.config.searchAttribute=member
server.globalChain.vmemberof.config.replace=true

server.nameSpaces=root

server.root.chain=RootDSE
server.root.nameSpace=
server.root.weight=0
server.root.RootDSE.className=net.sourceforge.myvd.inserts.RootDSE
server.root.RootDSE.config.namingContexts=dc=XXX

The error (like some posts ago):

[2017-01-25 08:17:50,654][pool-4-thread-2] DEBUG IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 1
[2017-01-25 08:17:50,654][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE
Message ID : 5
Search Result Done
Ldap Result
Result code : (OPERATIONS_ERROR) operationsError
Matched Dn : 'null'
Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST
Message ID : 5
SearchRequest
baseDn : ''
filter : '(objectClass=*)'
scope : single level
typesOnly : false
Size Limit : no limit
Time Limit : no limit
Deref Aliases : never Deref Aliases
attributes : 'objectClass'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@7116a362: LDAP Not Supported:
org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported
at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.router.Router.search(Router.java:368)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60)
at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781)
at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:93)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPException: Root is search only (92) LDAP Not Supported
... 27 more '

mlbiam commented 7 years ago

@Patrock I'm not able to reproduce most of these issues, but that's not to say they aren't real. I've moved continued work into #31