tusury / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

ldaptive: JAAS DN resolution fails because searchscope defaults to ONELEVEL, not SUBTREE #220

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi, this is a blocking problem for us.
We'd like to use ldaptive on our Shibboleth IdP to handle expired,
as explained in:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
("Handle User account status when using OpenLDAP Password Policy overlay").
It's not working because OpenLDAP logs show that searches are performed
by ldaptive with scope ONELEVEL, whereas the default should be SUBTREE.
Explicitly setting searchScope="SUBTREE" doesn't work either.

What steps will reproduce the problem?

1. Added the ldaptive jar to the IdP distribution's lib folder.
2. Added in config.login file:

   ```
   ShibUserPassAuth {
     org.ldaptive.jaas.LdapLoginModule sufficient
       ldapUrl="ldap://myldap:12318"
       baseDn="dc=unipd,dc=it"
       //searchScope="SUBTREE"
       authenticationControls="org.ldaptive.control.PasswordPolicyControl"
       authenticationResponseHandlers="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
       userFilter="(ou={user})";
   };
   ```

3. Filled in the web login page. The password is right but login fails, because:
4. OpenLDAP logs show that the scope is 1 (onelevel), not 2 (subtree):

   ```
   Jul 23 18:48:22 db51 slapd[19445]: conn=78947 op=0 SRCH base="dc=unipd,dc=it" scope=1 deref=0 filter="(uid=alfio.desimonis@unipd.it)"
   ```

5. Explicitly setting searchScope="SUBTREE" in config.login gives the same result.

What version of the product are you using? On what operating system?

ldaptive-1.0.4.jar on Shibboleth IdP 2.3.6, Tomcat 6.0.30, RHEL 5.6, following the section "Handle User account status when using OpenLDAP Password Policy overlay" on the Shibboleth wiki:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass.
An older version (ldaptive-1.0.jar) shows the same problem.

Original issue reported on code.google.com by zanmar...@gmail.com on 24 Jul 2014 at 11:48

GoogleCodeExporter commented 8 years ago
By default the JAAS configuration is processed by looking for bean setters that match on the various authentication components.
In this case there is no property 'searchScope' on any of the components.
The SearchDnResolver doesn't expose such a property and the SearchRequest itself isn't exposed either.
This is mainly due to the fact that an OBJECT level search makes no sense in the context of DN resolution.
However the SearchDnResolver does expose a boolean property called subtreeSearch and as you've seen it has a default value of false.

Add subtreeSearch="true" to your JAAS configuration and see if that fixes your issue.

Original comment by dfis...@gmail.com on 24 Jul 2014 at 3:22
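The same setup expressed programmatically, as an added example that is not code from this issue or from the ldaptive project: it assumes the ldaptive 1.x API (class and setter names as recalled, not verified against this exact version), a placeholder server URL and base DN, and shows which setter each JAAS option of the reporter's config is matched to, including the `subtreeSearch` one the answer above identifies. With `subtreeSearch` left at its default of false, only direct children of the base DN are searched, so a user in a sub-OU resolves to no DN and the bind never happens.

```java
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.BindAuthenticationHandler;
import org.ldaptive.auth.SearchDnResolver;
import org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler;
import org.ldaptive.control.PasswordPolicyControl;

public class SubtreeDnResolutionExample {

  // Builds the same chain the JAAS LdapLoginModule assembles from config.login.
  public static Authenticator buildAuthenticator(String ldapUrl, String baseDn) {
    DefaultConnectionFactory cf = new DefaultConnectionFactory(new ConnectionConfig(ldapUrl));

    // JAAS options baseDn=... and userFilter=... land on SearchDnResolver setters,
    // and so does the one the reporter's config was missing: subtreeSearch="true".
    // (There is no searchScope property, which is why that option was silently ignored.)
    SearchDnResolver dnResolver = new SearchDnResolver(cf);
    dnResolver.setBaseDn(baseDn);
    dnResolver.setUserFilter("(uid={user})");
    dnResolver.setSubtreeSearch(true);   // default false -> "scope=1" (onelevel) in slapd logs

    // JAAS option authenticationControls="org.ldaptive.control.PasswordPolicyControl"
    BindAuthenticationHandler authHandler = new BindAuthenticationHandler(cf);
    authHandler.setAuthenticationControls(new PasswordPolicyControl());

    // JAAS option authenticationResponseHandlers="...PasswordPolicyAuthenticationResponseHandler"
    Authenticator auth = new Authenticator(dnResolver, authHandler);
    auth.setAuthenticationResponseHandlers(new PasswordPolicyAuthenticationResponseHandler());
    return auth;
  }

  public static void main(String[] args) throws LdapException {
    // Placeholder server and base DN (assumptions); replace with your own.
    Authenticator auth = buildAuthenticator("ldap://ldap.example.org:389", "dc=example,dc=org");
    AuthenticationResponse response =
        auth.authenticate(new AuthenticationRequest("alice", new Credential("secret")));
    System.out.println("bind succeeded: " + response.getResult());
    // Populated by the response handler from the password policy control:
    // expired password, locked account, remaining grace logins, and so on.
    System.out.println("account state: " + response.getAccountState());
  }
}
```

A quick way to confirm the fix on the server side is the one the reporter used: the slapd SRCH line for the resolution search should now show `scope=2` instead of `scope=1`.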

GoogleCodeExporter commented 8 years ago
Hi,
done and it's now working.
Thank you so much!

Original comment by zanmar...@gmail.com on 25 Jul 2014 at 8:06

GoogleCodeExporter commented 8 years ago

Original comment by dfis...@gmail.com on 25 Jul 2014 at 1:54