try LDAP server implementation for test purpose

[ikedam]

Use LDAP server in test codes.

There is following LDAP implementations in Java:

• ApacheDS
• UnboundId
• OpenDS

[ikedam]

State of ApacheDS:

• It seems the time to release ApacheDS 2.0.
• Stable version is ApacheDS 1.5.X, but many documents (including APIDOC) are lost for replaced with ApacheDS 2.0.
• ApacheDS2.0 have less documents for it has not still be released.

[ikedam]

Status of UnboundId

• Most useful for it does not need file systems.
• Most easy to launch.
• No support for SASL mechanisms other than PLAIN.
  • There is interfaces to implement other mechanisms, but I have to start studying LDAP SASL specification...
  • If I implemented it, it might results that no one knows whether testing code or tested code causes test failures...

[ikedam]

Status of OpenDS:

• There are no examples to launch OpenDS with Java code...

[ikedam]

I tries UnboundId handles SASL mechanisms other than PLAIN, that resulted as following:

• UnboundId does not provides the structure to support SASL security layer. SASL security layer is like that after Digest-MD5 negotiation, all the communications will be performed being crypted. (QOP=auth-conf)
• DigestMD5Server, that is the implementation of SaslServer using Digest-MD5, will fail to negotiate when a client sends Digest-uri whose hostname is different from that of the server. This results in negotiation failure if the server is not registered in DNS, nor written in the hosts file of the client.

[ikedam]

Status of ApacheDS(1.5.7):

• LDAP who am i is not supported \ It can be easily implemented.
• Digest-MD5 is partly supported.
• Digest-MD5 does not support its security layer.
• https://issues.apache.org/jira/browse/DIRSERVER-1670
• I have to try ApacheDS 2.0

[ikedam]

The problem that Digest-MD5 with a security layer in ApacheDS1.5.7 is broken seems as following:

• There are codes to handle a security layer: org.apache.directory.server.ldap.handlers.bind.SaslFilter, and org.apache.directory.server.ldap.handlers.bind.AbstractMechanismHandler::insertSaslFilter
• The problem occurs when ApacheDS LDAP server sends an invalid message 00 00 00 00 to the client.
• It occurs when SaslFilter::filterWrite is called for an empty message. SaslFilter encodes an empty message using SASL security layer, and it results an message 00 00 00 00.
• An empty message seems caused by org.apache.mina.filter.codec.ProtocolCodecFilter::filterWrite. It requests to send message twice: encoderOut.flushWithoutFuture and nextFilter.filterWrite. The latter call results in an empty message.
  • I have no idea why ProtocolCodecFilter sends message twice.

The way to avoid this problem is:

• Override SaslFilter::filterWrite, and bypass if the request message is empty.
• Override DigestMd5MechanismHandler::insertSaslFilter, to use overwritten SaslFilter instead of original SaslFilter.
• Use overwritten DigestMd5MechanismHandler as a DIGEST-MD5 handler.

[ikedam]

Related: http://www.mail-archive.com/users@mina.apache.org/msg03332.html -> http://mail-archives.apache.org/mod_mbox/mina-users/201009.mbox/%3C1619363085.5085691284239250748.JavaMail.root%40zimbra6-e1.priv.proxad.net%3E

[ikedam]

ApacheDS2.0.0-M9 still have the same problem.

[ikedam]

OpenDS is called OpenDJ now: http://opendj.forgerock.org/

[ikedam]

OpenDJ seems most useful for test purpose: Good points:

• Full support for SASL
• Supports "LDAP Who am i?"

Bad points:

• You need a file system to start the LDAP server.

[ikedam]

Summary:

• OpenDJ
  • Good
  • Supports full features of SASL
  • Supports "LDAP who am i?"
  • Bad
  • You need to prepare directories and files to start a LDAP server, that is, you need to bundle files to start a LDAP server.
• UnboundId
  • Good
  • It can be have run completely on memory, that means you do not need to prepare directories and files to start a LDAP server. That is, you do not need to bundle files nor manage files to start a LDAP server.
  • Bad
  • You need to implement SASL handlers except PLAIN.
  • Security layers feature of SASL does not supported.
• ApacheDS
  • Good
  • You can extract files needed to start a LDAP server with API, that is, you do not need to bundle files to start a LDAP server.
  • Bad
  • It seems not maintained.
  • Security layers feature of SASL are BROKEN. LDAP clients cannot connect to ApacheDS with SASL with security layers.

Conclusion:

• If you do not need SASL, use UnboundId.
• If you need SASL or other rich features, use OpenDJ.
• No need to use ApacheDS.