Closed mlbiam closed 7 years ago
Hello mlbiam, sorry for the late response, I had some other deadlines to meet... My next steps with myvd will be during the Christmas holidays ;)
I think all requirements are met! It is important to say that there could be multiple memberof attributes. Is this what is meant by appending to existing values?
@Patrock correct. So if you have a user that already has a memberof attribute, this insert will have a flag to either add to it or replace it. I can think of use cases where you are integrating with a directory that you don't want applications to know about the groups in.
@mlbiam this attribute cloaking sounds good in general ;) Does the replace only replace the real memberof attribute? If I have multiple virtual memberof's (multiple groups), the replace should only act on the real ones and not on other virtual attributes, or am I missing something here?
@Patrock sorry for the delay. I thought I'd be able to knock this out during the holidays. My thought is that the config will look something like:
ns.memberof.className=com.tremolosecurity.myvd.inserts.VirtualMemberOf
ns.memberof.config.searchBase=dc=domain,dc=com
ns.memberof.config.applyToObjectClass=inetOrgPerson
ns.memberof.config.searchFilter=(&(objectClass=groupOfUniqueNames)(uniqueMember=#DN#))
ns.memberof.config.replace=false
ns.memberof.config.attributeName=memberof
So if a user is a member of 3 groups from your dir but has memberships in 2 groups in AD, your memberof attribute would have 5 values. If replace is true it would only have 3. If you want to pull from multiple locations you can layer these inserts.
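The append/replace behaviour described above, modelled as an added example (this is not MyVirtualDirectory's own code): the group search for the user's DN, the merge with memberOf values the backend already returned, and the nested-group case asked about later in the thread. The entries, helper names and DNs are constructed for illustration; the filter-escaping helper shows why a DN substituted for #DN# has to be escaped before it goes into a search filter.

```python
"""Added example, not code from MyVirtualDirectory: models how a
VirtualMemberOf-style insert derives a user's memberOf values from group
entries, with the append/replace behaviour and the nested-group case from
the thread. Entry data and helper names are constructed for illustration."""
from typing import Any, Dict, List

Entry = Dict[str, Any]  # {'dn': str, 'attrs': {name.lower(): [values]}}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter.

    A DN placed into '(uniqueMember=#DN#)' may contain '(' ')' '*' or '\\';
    unescaped, those characters would change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def render_filter(template: str, dn: str) -> str:
    """Replace the #DN# placeholder used in searchFilter with the escaped DN."""
    return template.replace('#DN#', escape_filter_value(dn))


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparisons: trim RDN whitespace, fold case."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def direct_groups(groups: List[Entry], member_dn: str,
                  search_object_class: str, search_attribute: str) -> List[str]:
    """DNs of groups whose search_attribute lists member_dn, i.e. what the
    searchObjectClass/searchAttribute form of the config would find."""
    target = normalize_dn(member_dn)
    found = []
    for g in groups:
        classes = [c.lower() for c in g['attrs'].get('objectclass', [])]
        if search_object_class.lower() not in classes:
            continue
        members = g['attrs'].get(search_attribute.lower(), [])
        if any(normalize_dn(m) == target for m in members):
            found.append(g['dn'])
    return found


def all_groups(groups: List[Entry], member_dn: str,
               search_object_class: str, search_attribute: str) -> List[str]:
    """Transitive closure: if a group is itself a member of another group
    (the nested case EmbeddedGroups handles), the user is in that group too.
    The 'seen' set guards against group cycles."""
    seen, order, queue = set(), [], [member_dn]
    while queue:
        dn = queue.pop(0)
        for g in direct_groups(groups, dn, search_object_class, search_attribute):
            key = normalize_dn(g)
            if key not in seen:
                seen.add(key)
                order.append(g)
                queue.append(g)
    return order


def virtual_member_of(user: Entry, groups: List[Entry], attribute_name='memberOf',
                      search_object_class='groupOfNames', search_attribute='member',
                      replace=False, nested=False) -> List[str]:
    """Return the memberOf values the insert would present for `user`.

    replace=False appends the computed groups to values the backend already
    returned (e.g. AD's real memberOf); replace=True discards those."""
    finder = all_groups if nested else direct_groups
    computed = finder(groups, user['dn'], search_object_class, search_attribute)
    existing = [] if replace else list(user['attrs'].get(attribute_name.lower(), []))
    result, seen = [], set()
    for dn in existing + computed:  # existing values first, duplicates dropped
        key = normalize_dn(dn)
        if key not in seen:
            seen.add(key)
            result.append(dn)
    return result


# Constructed sample data: a user with two real memberOf values from AD and
# three groups in the local directory that list the user as a member.
def group(dn: str, members: List[str]) -> Entry:
    return {'dn': dn, 'attrs': {'objectclass': ['top', 'groupOfNames'], 'member': members}}


USER: Entry = {'dn': 'uid=alice,ou=people,dc=domain,dc=com',
               'attrs': {'objectclass': ['inetOrgPerson'],
                         'memberof': ['CN=AD Users,DC=ad,DC=domain,DC=com',
                                      'CN=VPN,DC=ad,DC=domain,DC=com']}}
GROUPS: List[Entry] = [
    group('cn=dev,ou=groups,dc=domain,dc=com', [USER['dn']]),
    group('cn=ops,ou=groups,dc=domain,dc=com', [USER['dn']]),
    group('cn=wiki,ou=groups,dc=domain,dc=com', [USER['dn']]),
    # nested: the dev group is itself a member of the engineering group
    group('cn=engineering,ou=groups,dc=domain,dc=com', ['cn=dev,ou=groups,dc=domain,dc=com']),
]

if __name__ == '__main__':
    print(virtual_member_of(USER, GROUPS))                             # 5 values
    print(virtual_member_of(USER, GROUPS, replace=True))               # 3 values
    print(virtual_member_of(USER, GROUPS, replace=True, nested=True))  # 4 values
```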
@Marc this seems a good solution, I think.
What about nested group membership? In OpenLDAP and AD, groups can be members of other groups (I think that is what your insert EmbeddedGroups does?). When a group is a member of another group, it also has a memberof attribute.
Can I apply this insert to multiple classes?
Would the combination of EmbeddedGroups and VirtualMemberOf work ?
I'm eager to test it...
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/TremoloSecurity/MyVirtualDirectory/issues/15#issuecomment-270393791, or mute the thread https://github.com/notifications/unsubscribe-auth/AAnVsoxVGZy9BF7j56YNVGf83sPZ0YF5ks5rO7bJgaJpZM4K_MtJ.
--
Dipl.-Ing.(FH) Patrick Pogscheba, MSc.
Hochschule Düsseldorf University of Applied Sciences
Fachbereich Medien - Faculty of Media http://www.medien.hs-duesseldorf.de/ Mixed Reality and Visualization (MIREVI) Web Technologies, Mobile Computing & Ambient Assisted Living (AAL)
phone (office): (+49) 211 4351 3452 email: patrick.pogscheba@hs-duesseldorf.de mailto:patrick.pogscheba@hs-duesseldorf.de
Münsterstraße 156 Raum 04.2.008 40476 Düsseldorf Deutschland / Germany
@Patrock it should. Inserts are layered, so if you configure VirtualMemberOf in front of EmbeddedGroups it should all work. If you're OK with building from source I might have this working later this afternoon.
@Patrock this insert's ready to go. Take a look at test/TestServer/testVirtualMemberOf.props for an example config. I'll keep this feature open if I need to make fixes.
@mlbiam okay, wonderful. I already made some tests yesterday (not with the last version) and got it partially working but had some problems. The current tests don't resolve it completely.
I have the following structure:
RootDSE
RootObject (dc=abc)
internalLDAP (dc=xyz,dc=abc)
externalAD (dc=123,dc=abc)
The insert is working fine locally in my internal & external directories. When I put it on globalChain I get schema problems and can't connect to the directory. On RootObject it won't work either (nothing happens at all?). How can I put only one vmemberof in my structure to be applied to all entries?
When I put it on the internal directory, I can search memberOf (for internal groups) in both directories but won't get the attributes on externalAD entries?
Do you have some advice ?
My vmemberof config (same for both directories):
server.internal.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.internal.vmemberof.config.searchBase=dc=abc
server.internal.vmemberof.config.applyToObjectClass=inetOrgPerson
server.internal.vmemberof.config.attributeName=memberOf
server.internal.vmemberof.config.searchObjectClass=groupOfNames
server.internal.vmemberof.config.searchAttribute=member
server.internal.vmemberof.config.replace=true
I am using Apache Directory Studio for checking my LDAP. When I search for a user and request the memberOf attribute, the memberOf is there. But when I reload an entry (not requesting memberOf explicitly), there is no memberOf. Can it be a schema problem (memberOf not in schema)?
Can I modify the schemas? I've seen an openldap_schema.ldif in the conf directory. But if I change something there, it isn't reflected in the directory?
@Patrock the schema errors are because OOTB MyVD doesn't support schema (you can add it as another namespace). You can ignore those errors from ADS (I use it as well).
Can you attach to the issue:
- your config (sanitized)
- your logs
- specific searches you are running
@mlbiam
I now see that the searches from Apache Directory Studio were not configured well (-s base as the standard option)... then I didn't get any memberof attributes. With manual searches and no -s option I get all entries right ;) sorry for that...
My last problem is to move the vmemberof insert in front of both directories. How can this be achieved? Should the globalChain work?
Error for VirtualMemberOf in global chain:
[2017-01-08 13:23:41,166][main] DEBUG CoreKeyStoreSpi - Constructor called.
[2017-01-08 13:23:41,167][main] DEBUG CoreKeyStoreSpi - engineLoad(null, null) called.
[2017-01-08 13:23:41,169][main] DEBUG CoreKeyStoreSpi - engineAliases() called.
[2017-01-08 13:23:41,170][main] DEBUG CoreKeyStoreSpi - engineIsKeyEntry(apacheds) called.
[2017-01-08 13:23:41,172][main] DEBUG CoreKeyStoreSpi - engineGetKey(apacheds, null) called.
[2017-01-08 13:23:41,172][main] DEBUG DefaultDnFactory - Dn uid=admin,ou=system found in the cache
[2017-01-08 13:23:41,172][main] DEBUG OPERATION_LOG - >> LookupOperation : FilteringOperationContext for Dn 'uid=admin,ou=system',
[2017-01-08 13:23:41,188][main] DEBUG InterceptorChain - Chain Position : 0
[2017-01-08 13:23:41,188][main] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.mapping.VirtualMemberOf@29c5ee1d
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Chain Position : 1
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.DumpTransaction@15cea7b0
[2017-01-08 13:23:41,189][main] DEBUG DumpTransaction - [Global] Begin Seach - Filter=(objectClass=);Base=uid=admin,ou=system;Scope=0;Attributes=
[2017-01-08 13:23:41,189][main] DEBUG InterceptorChain - Chain Completed
[2017-01-08 13:23:41,189][main] DEBUG Router - Entering router search
[2017-01-08 13:23:41,189][main] DEBUG Router - Determining local levels
[2017-01-08 13:23:41,189][main] DEBUG Router - Is set namespace?
[2017-01-08 13:23:41,189][main] DEBUG Router - namespace set by router
[2017-01-08 13:23:41,190][main] DEBUG Router - namespace levels determined
[2017-01-08 13:23:41,190][main] DEBUG Router - no levels found
[2017-01-08 13:23:41,196][main] DEBUG DumpTransaction - [Global] Error Running Search
com.novell.ldap.LDAPException: No Such Object
at net.sourceforge.myvd.router.Router.getLocalLevels(Router.java:209) ~[myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.router.Router.search(Router.java:326) ~[myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60) ~[myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279) [myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) [myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159) [myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) [myvd-server-1.0.1.jar:?]
at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.lookup(MyVDInterceptor.java:469) [myvd-server-1.0.1.jar:?]
at org.apache.directory.server.core.DefaultOperationManager.lookup(DefaultOperationManager.java:773) [myvd-server-1.0.1.jar:2.0.0-M20]
at org.apache.directory.server.core.shared.DefaultCoreSession.lookup(DefaultCoreSession.java:571) [myvd-server-1.0.1.jar:2.0.0-M20]
at org.apache.directory.server.core.security.CoreKeyStoreSpi.getTlsEntry(CoreKeyStoreSpi.java:79) [apacheds-service-2.0.0-M20.jar:2.0.0-M20]
at org.apache.directory.server.core.security.CoreKeyStoreSpi.engineGetKey(CoreKeyStoreSpi.java:225) [apacheds-service-2.0.0-M20.jar:2.0.0-M20]
at java.security.KeyStore.getKey(KeyStore.java:1023) [?:1.8.0_111]
at sun.security.ssl.SunX509KeyManagerImpl.
My config:
server.listener.port=10389
server.globalChain=LogAllTransactions
server.globalChain.LogAllTransactions.className=net.sourceforge.myvd.inserts.DumpTransaction
server.globalChain.LogAllTransactions.config.logLevel=debug
server.globalChain.LogAllTransactions.config.label=Global
server.nameSpaces=root,dcroot,INTERNAL,CIT
server.root.chain=RootDSE
server.root.nameSpace=
server.root.weight=0
server.root.RootDSE.className=net.sourceforge.myvd.inserts.RootDSE
server.root.RootDSE.config.namingContexts=dc=hsd
server.root.RootDSE.config.supportedControls=2.16.840.1.113730.3.4.18,2.16.840.1.113730.3.4.2,1.3.6.1.4.1.4203.1.10.1,1.2.840.113556.1.4.319,1.2.826.0.1.334810.2.3,1.2.826.0.1.3344810.2.3,1.3.6.1.1.13.2,1.3.6.1.1.13.1,1.3.6.1.1.12
server.root.RootDSE.config.supportedSaslMechanisms=NONE
server.dcroot.chain=root
server.dcroot.nameSpace=dc=xyz
server.dcroot.weight=0
server.dcroot.root.className=net.sourceforge.myvd.inserts.RootObject
server.INTERNAL.chain=vmemberof,embeddedgroups,dnmapper,LDAP_INTERNAL
server.INTERNAL.nameSpace=dc=abc,dc=xyz
server.INTERNAL.weight=0
server.INTERNAL.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.INTERNAL.vmemberof.config.searchBase=dc=xyz
server.INTERNAL.vmemberof.config.applyToObjectClass=inetOrgPerson
server.INTERNAL.vmemberof.config.attributeName=memberOf
server.INTERNAL.vmemberof.config.searchObjectClass=groupOfNames
server.INTERNAL.vmemberof.config.searchAttribute=member
server.INTERNAL.vmemberof.config.replace=true
server.INTERNAL.embeddedgroups.className=net.sourceforge.myvd.inserts.ldap.EmbeddedGroups
server.INTERNAL.embeddedgroups.config.staticAttribute=member
server.INTERNAL.embeddedgroups.config.groupSearchBase=dc=abc,dc=xyz
server.INTERNAL.embeddedgroups.config.staticObjectClass=groupOfNames
server.INTERNAL.embeddedgroups.config.userDN=
server.INTERNAL.embeddedgroups.config.userPwd=
server.INTERNAL.embeddedgroups.config.useSync=false
server.INTERNAL.dnmapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.INTERNAL.dnmapper.config.dnAttribs=uniqueMember,member,memberOf,distinguishedName
server.INTERNAL.dnmapper.config.localBase=dc=abc,dc=xyz
server.INTERNAL.dnmapper.config.urlAttribs=
server.INTERNAL.dnmapper.config.remoteBase=dc=remote
server.INTERNAL.LDAP_INTERNAL.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.INTERNAL.LDAP_INTERNAL.config.host=ldap
server.INTERNAL.LDAP_INTERNAL.config.port=389
server.INTERNAL.LDAP_INTERNAL.config.remoteBase=dc=remote
server.INTERNAL.LDAP_INTERNAL.config.proxyDN=
server.INTERNAL.LDAP_INTERNAL.config.proxyPass=
server.INTERNAL.LDAP_INTERNAL.config.passBindOnly=true
server.INTERNAL.LDAP_INTERNAL.config.ignoreRefs=true
server.CIT.chain=vmemberof,uuid2text,dnmapper,objmap,membertrans,LDAP_CIT
server.CIT.nameSpace=ou=klm,dc=xyz
server.CIT.weight=0
server.CIT.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.CIT.vmemberof.config.searchBase=dc=xyz
server.CIT.vmemberof.config.applyToObjectClass=inetOrgPerson
server.CIT.vmemberof.config.attributeName=memberOf
server.CIT.vmemberof.config.searchObjectClass=groupOfNames
server.CIT.vmemberof.config.searchAttribute=member
server.CIT.vmemberof.config.replace=true
server.CIT.uuid2text.className=com.tremolosecurity.proxy.myvd.inserts.util.UUIDtoText
server.CIT.uuid2text.config.attributeName=objectGUID
server.CIT.dnmapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.CIT.dnmapper.config.dnAttribs=uniqueMember,member,memberOf,distinguishedName
server.CIT.dnmapper.config.localBase=ou=klm,dc=xyz
server.CIT.dnmapper.config.urlAttribs=
server.CIT.dnmapper.config.remoteBase=remote
server.CIT.objmap.className=net.sourceforge.myvd.inserts.mapping.AttributeValueMapper
server.CIT.objmap.config.mapping=objectClass.inetOrgPerson=user,objectClass.groupOfNames=group
server.CIT.membertrans.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.CIT.membertrans.config.mapping=member=member,uid=samAccountName
server.CIT.LDAP_CIT.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.CIT.LDAP_CIT.config.host=ad-host
server.CIT.LDAP_CIT.config.port=389
server.CIT.LDAP_CIT.config.remoteBase=remoteBase
server.CIT.LDAP_CIT.config.proxyDN=
server.CIT.LDAP_CIT.config.proxyPass=
server.CIT.LDAP_CIT.config.passBindOnly=true
server.CIT.LDAP_CIT.config.ignoreRefs=true
@mlbiam sorry, I posted the wrong errors for the globalChain insert.
This is the last error I get:
[2017-01-08 13:36:26,161][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE Message ID : 5 Search Result Done Ldap Result Result code : (OPERATIONS_ERROR) operationsError Matched Dn : 'null' Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 5 SearchRequest baseDn : '' filter : '(objectClass=*)' scope : single level typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : never Deref Aliases attributes : 'objectClass' org.apache.directory.api.ldap.model.message.SearchRequestImpl@456199b: LDAP Not Supported: org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported
at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.router.Router.search(Router.java:368)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60)
at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279)
at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781)
at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:1)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPException: Root is search only (92) LDAP Not Supported
... 29 more '
Out of curiosity what happens when you disable embedded groups?
-- Marc Boorshtein CTO Tremolo Security marc.boorshtein@tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity
@mlbiam okay, removal of embedded groups does nothing special I think...
vmemberof in globalChain does work... The only problem is when I want to connect with Apache Directory Studio and load/reload the rootDSE. It won't load. When I directly search or jump into RootObject (dc=xyz) everything works. Just the rootDSE can't be queried(?)...
Perhaps it is a problem of Apache Directory Studio? But this is working without vmemberof in globalChain...
But the right functionality is there ;) thank you for your fast and good work ;)
Am 08.01.2017 um 15:16 schrieb Marc Boorshtein:
Out of curiosity what happens when you disable embedded groups?
On Sun, Jan 8, 2017, 8:42 AM Patrock notifications@github.com wrote:
@mlbiam sorry, i posted the wrong errors for the globalchain-insert.
This is the last error i get:
[2017-01-08 13:36:26,161][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE Message ID : 5 Search Result Done Ldap Result Result code : (OPERATIONS_ERROR) operationsError Matched Dn : 'null' Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 5 SearchRequest baseDn : '' filter : '(objectClass=*)' scope : single level typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : never Deref Aliases attributes : 'objectClass' org.apache.directory.api.ldap.model.message.SearchRequestImpl@456199b: LDAP Not Supported:
org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161) at
net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) at net.sourceforge.myvd.router.Router.search(Router.java:368) at
net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60) at
net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159) at
net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) at
net.sourceforge.myvd.inserts.DumpTransaction.search(DumpTransaction.java:279) at
net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57) at
net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781) at
org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345) at
org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113) at
org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827) at
org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179) at
org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273) at
org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223) at
org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:1) at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207) at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56) at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221) at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217) at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854) at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542) at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48) at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943) at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74) at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63) at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475) at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429) at java.lang.Thread.run(Thread.java:745) Caused by: LDAPException: Root is search only (92) LDAP Not Supported ... 29 more '
Am 08.01.2017 um 13:35 schrieb Marc Boorshtein:
@Patrock https://github.com/Patrock the schema errors are because OOTB MyVD doesn't support schema (you can add it as another namespace). You can ignore those errors from ads (I use it as well).
Can you attach to the issue:
- your config (sanitized)
- your logs
- specific searches you are running
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <
https://github.com/TremoloSecurity/MyVirtualDirectory/issues/15#issuecomment-271148333
, or mute the thread <
.
--
Dipl.-Ing.(FH) Patrick Pogscheba, MSc.
Hochschule Düsseldorf University of Applied Sciences
Fachbereich Medien - Faculty of Media http://www.medien.hs-duesseldorf.de/ Mixed Reality and Visualization (MIREVI) Web Technologies, Mobile Computing & Ambient Assisted Living (AAL)
phone (office): (+49) 211 4351 3452 email: patrick.pogscheba@hs-duesseldorf.de mailto:patrick.pogscheba@hs-duesseldorf.de
Münsterstraße 156 Raum 04.2.008 40476 Düsseldorf Deutschland / Germany
-- Marc Boorshtein CTO Tremolo Security marc.boorshtein@tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity
@Patrock ok let me make sure i get this correct:
@mlbiam
correct, but embedded groups are on internal directory only (only needed there)
yes. it seems there is no connection from RootDSE to RootObject (only when i put VirtualMemberOf in globalchain). If i use "go to DN" it is shown in my ApacheDS-Tree and i can go on to browse it...
(Error: LDAPException: Root is search only (92) LDAP Not Supported -> i )
it is not so easy for me to look through the logs and get the right info, perhaps this has something to do with the problem:
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG OPERATION_LOG - >> LookupOperation : FilteringOperationContext for Dn '', +, attributes : <2.5.4.0>
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.DumpTransaction@29c5ee1d
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Begin Seach - Filter=(objectClass=);Base=;Scope=0;Attributes=
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 1
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.mapping.VirtualMemberOf@15cea7b0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Completed
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Entering router search
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determining local levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Is set namespace?
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - namespace set by router
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - namespace levels determined
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determined local levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Iterate over levels
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Determine scope
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Base determined
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - create local chain
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - Begin Local Chain
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.RootDSE@77aed2c0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG Router - chain complete
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Seach submitted
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Begin Post Search Entry - Filter=(objectClass=);Base=;Scope=0;Attributes=[]
dn :
namingContexts : dc=hsd
supportedControls : 2.16.840.1.113730.3.4.18
supportedControls : 2.16.840.1.113730.3.4.2
supportedControls : 1.3.6.1.4.1.4203.1.10.1
supportedControls : 1.2.840.113556.1.4.319
supportedControls : 1.2.826.0.1.334810.2.3
supportedControls : 1.2.826.0.1.3344810.2.3
supportedControls : 1.3.6.1.1.13.2
supportedControls : 1.3.6.1.1.13.1
supportedControls : 1.3.6.1.1.12
supportedSaslMechanisms : NONE
supportedLDAPVersion : 2
supportedLDAPVersion : 3
subSchemaSubEntry : cn=schema
myVdReturnEntry: true
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Chain Position : 0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG InterceptorChain - Insert : net.sourceforge.myvd.inserts.RootDSE@77aed2c0
[2017-01-10 06:10:19,711][pool-4-thread-6] DEBUG DumpTransaction - [Global] Post Search Entry Error
java.lang.NullPointerException: null
    at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.postSearchEntry(VirtualMemberOf.java:302) ~[myvd-server-1.0.1.jar:?]
    at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65) ~[myvd-server-1.0.1.jar:?]
On 10.01.2017 at 02:46, Marc Boorshtein wrote:
@Patrock https://github.com/Patrock ok let me make sure i get this correct:
- With both virtualmemberof and embedded groups direct searches via LDAP search work when they're configured on the global chain
- ApacheDS fails to load the DIT due to errors?
@mlbiam just made more tests with virtualmemberof and embeddedgroups in different configurations (global chain and directory chain) ...
with virtualmemberof and embeddedgroups in chain i can't find members in group ->Filter: (member=XXXXXX)
Can you reproduce this behaviour in your setups? I didn't find anything conspicuous in the logs...
@mlbiam made some tests today... got schema working with LDAPInterceptor (like vmemberof test-example).
I still get errors in RootDSE with vmemberof in global chain. I stripped down the setup to (same error with full config RootDSE->RootObject->LDAP)
server.globalChain=vmemberof
server.globalChain.vmemberof.className=net.sourceforge.myvd.inserts.mapping.VirtualMemberOf
server.globalChain.vmemberof.config.searchBase=dc=XXX
server.globalChain.vmemberof.config.applyToObjectClass=inetOrgPerson
server.globalChain.vmemberof.config.attributeName=memberOf
server.globalChain.vmemberof.config.searchObjectClass=groupOfNames
server.globalChain.vmemberof.config.searchAttribute=member
server.globalChain.vmemberof.config.replace=true
server.nameSpaces=root
server.root.chain=RootDSE
server.root.nameSpace=
server.root.weight=0
server.root.RootDSE.className=net.sourceforge.myvd.inserts.RootDSE
server.root.RootDSE.config.namingContexts=dc=XXX
The error (like some posts ago):
[2017-01-25 08:17:50,654][pool-4-thread-2] DEBUG IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 1
[2017-01-25 08:17:50,654][NioProcessor-2] DEBUG LdapResponseHandler - Message Sent : MessageType : SEARCH_RESULT_DONE Message ID : 5 Search Result Done Ldap Result Result code : (OPERATIONS_ERROR) operationsError Matched Dn : 'null' Diagnostic message : 'OPERATIONS_ERROR: failed for MessageType : SEARCH_REQUEST Message ID : 5 SearchRequest baseDn : '' filter : '(objectClass=*)' scope : single level typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : never Deref Aliases attributes : 'objectClass' org.apache.directory.api.ldap.model.message.SearchRequestImpl@7116a362: LDAP Not Supported: org.apache.directory.api.ldap.model.exception.LdapOperationErrorException: LDAP Not Supported
    at net.sourceforge.myvd.inserts.RootDSE.search(RootDSE.java:161)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.router.Router.search(Router.java:368)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:60)
    at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.search(VirtualMemberOf.java:159)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:781)
    at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
    at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:93)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
    at java.lang.Thread.run(Thread.java:745)
Caused by: LDAPException: Root is search only (92) LDAP Not Supported
... 27 more '
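The two failures reported in this thread, the NullPointerException in VirtualMemberOf.postSearchEntry when the RootDSE entry (empty DN, no objectClass) passes through the global chain, and the replace/append semantics of the memberOf insert, both come down to how a post-search-entry step decides which entries it applies to and how it merges group DNs into an existing attribute. The following is an added illustrative model of that step in Python; it is not MyVD's own code and it does not use MyVD's API. It reuses only the config key names from the thread (applyToObjectClass, searchBase, searchObjectClass, searchAttribute, attributeName, replace); the directory entries are constructed, and DN and attribute-name matching is a simplified case-insensitive comparison rather than full RFC 4514 normalisation.

```python
"""Illustrative model of a virtual-memberOf post-search-entry step.

Added example, not MyVD's own code.  Config keys mirror the thread's
insert configuration; the directory data below is constructed.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory.  The "" entry is the RootDSE: it carries
# operational attributes only and no objectClass, which is the kind of
# entry an unguarded post-search-entry step trips over.
DIRECTORY: Dict[str, Entry] = {
    "": {
        "namingContexts": ["dc=example,dc=com"],
        "supportedLDAPVersion": ["2", "3"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "top"],
        "uid": ["alice"],
        # a real memberOf value that came from a foreign directory
        "memberOf": ["cn=staff,ou=groups,dc=ad,dc=example"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "top"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "top"],
        "member": [
            "UID=Alice,OU=People,DC=example,DC=com",  # same DN, different case
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
}

# Constructed config using the key names from the thread.
CONFIG = {
    "applyToObjectClass": "inetOrgPerson",
    "searchBase": "dc=example,dc=com",
    "searchObjectClass": "groupOfNames",
    "searchAttribute": "member",
    "attributeName": "memberOf",
    "replace": False,
}


def _ieq(a: str, b: str) -> bool:
    """Simplified case-insensitive match for DNs and attribute/class names."""
    return a.strip().lower() == b.strip().lower()


def _get(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive attribute lookup; a missing attribute yields [] (never None)."""
    for name, values in entry.items():
        if _ieq(name, attr):
            return list(values)
    return []


def _under_base(dn: str, base: str) -> bool:
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def find_groups(member_dn: str, directory: Dict[str, Entry], config: dict) -> List[str]:
    """Model of the group lookup (&(objectClass=<searchObjectClass>)(<searchAttribute>=<dn>))
    scoped to searchBase.  Returns matching group DNs in directory order."""
    groups: List[str] = []
    for dn, entry in directory.items():
        if not _under_base(dn, config["searchBase"]):
            continue
        if not any(_ieq(oc, config["searchObjectClass"]) for oc in _get(entry, "objectClass")):
            continue
        if any(_ieq(v, member_dn) for v in _get(entry, config["searchAttribute"])):
            groups.append(dn)
    return groups


def post_search_entry(dn: str, entry: Entry, directory: Dict[str, Entry], config: dict) -> Entry:
    """Model of the post-search-entry step.  Entries that do not carry
    applyToObjectClass, including the RootDSE, which has no objectClass
    at all, are returned untouched; the input entry is never mutated."""
    if not any(_ieq(oc, config["applyToObjectClass"]) for oc in _get(entry, "objectClass")):
        return entry
    attr = config["attributeName"]
    # replace=true drops the real values; replace=false appends to them
    merged = [] if config["replace"] else _get(entry, attr)
    for group_dn in find_groups(dn, directory, config):
        if not any(_ieq(group_dn, existing) for existing in merged):
            merged.append(group_dn)
    result = {k: list(v) for k, v in entry.items() if not _ieq(k, attr)}
    if merged:
        result[attr] = merged
    return result


if __name__ == "__main__":
    alice_dn = "uid=alice,ou=people,dc=example,dc=com"
    for replace in (False, True):
        out = post_search_entry(alice_dn, DIRECTORY[alice_dn], DIRECTORY, dict(CONFIG, replace=replace))
        print(f"replace={replace}: memberOf={out.get('memberOf')}")
    print("RootDSE untouched:", post_search_entry("", DIRECTORY[""], DIRECTORY, CONFIG) == DIRECTORY[""])
```

With replace=false the user ends up with the one real value plus the two virtual ones (three values); with replace=true only the two virtual group DNs remain, which is the behaviour described earlier in the thread. The objectClass guard is what keeps the RootDSE and the group entries themselves out of the merge.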
@Patrock i'm not able to reproduce most of these issues but that's not to say they aren't real. i've moved continued work into #31
Insert should support: