|
Hi Emmanuel,
Thanks for the response. My understanding of isRelative() is that it should return true unless the name in the result is from a referral and is a full URL, otherwise it should be relative to the "target context" (the context the search is performed in). There is some info on this in the Java tutorial: http://java.sun.com/products/jndi/tutorial/ldap/search/result.html Though that may not be correct :). In any case, the behaviour doesn't appear to be consistent. If I modify the test to use if(searchResult.isRelative()) { if(searchBase.length() > 0) { userDn.append(","); userDn.append(searchBase); } userDn.append(","); userDn.append(ctx.getNameInNamespace()); } The isRelative() method returns "true". In this case the name should be relative to "ou=people,dc=acegisecurity,dc=org", since I'm passing "ou=people" to the search method. However the name of the search result is "uid=bob,ou=people,dc=acegisecurity,dc=org". Luke,
you are totally right. Excerpt from the tutorial : "If you need to get the entry's full DN, then you can either do some bookkeeping to keep track of the ancestors of the SearchResult or use Context.getNameInNamespace()(in the API reference documentation)." So I bet we will have to propose a fix for this, too :( Ok, don't worry. We will try to debug this and give you a reasonnable timeframe for a working patch. Let say a few days ;) Thanks a lot Emmanuel. Let me know if I can do anything to help.
Anyone know if these points are still an issue in the latest codebase? Still waiting for Emmanuel's patch timeframe estimate ;-) .
No time frame available right now :(
We are busy on very time consuming tasks atm, and it's very difficult for us to find some spare time out of our spare time we spend on ADS:) However, I think that as soon as we have a fix for the concurrence problem we have on ADS, we will be able to spend some more extra time on a few bugs in the bug list, like your one. Another possibility is that we just get fed of working hard on hard stuff, and try to clear our mind buffers by fixing your problem, just to feel that we are usefull :) Don't be afraid to do some polling on us, that's just cool. Thanks for the update :). I'll try and have a browse through the latest source sometime and check the tests are still applicable.
Is there any way I can get a test case that is a patch which isolates this problem without all the ACEGI specifics? Any status on this issue?
I don't think there are any Acegi specifics, apart from the DIT name. There's a JUnit class which contains two test methods, demonstrating each of the two issues, and a separate class which contains the embedded server. Did you have a problem running it? I haven't checked that it still compiles against the latest apache-ds code. The report was pre-1.0, but we're currently using 1.0-RC1 as a dependency and still have problems with that.
I've attached the latest version of the LdapTestServer we are running against apache-ds-rc1, in case the API has changed.
I'll see if I can update our dependencies to the latest version and try runnng against that. Let me know if there's anything else I can do to help. Luke if you could write a unit test case which starts ApacheDS and does some operations against it to exactly isolate your problem I can get you a fix quickly. Take a look at how to write a unit test case from here as an example:
Here's one that does not startup ApacheDS networking but uses the core JNDI provider directly: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/jndi/CreateContextITest.java?revision=428079&view=markup Here's a test case that starts up networking so you can hit the embedded apacheds through SUN JNDI: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/server-unit/src/test/java/org/apache/directory/server/ModifyRemoveTest.java?revision=430261&view=markup If you could be so kind as to set up a test case in either of these areas depending on whether or not you use ApacheDS JNDI or SUN JNDI providers I can fix this issue of yours very quickly. Plus I can add the test case to our codebase if you attach it as a patch (JIRA attachment) using svn diff. And yes if you worked against the current 1.0-RC4-SNAPSHOT'd branch that would be best for us. I want to make sure we're up to date and kill this bug of yours. Thanks very much! Ok. Here's an updated test.
I can't build the RC4 code since I'm running into issues with tools.jar as a dependency (a maven problem with OS X, I believe), but I ran it against the RC3 jars. The password comparison now appears to work if a string is used for the attribute, but fails for a byte array. The SearchResult name still appears to be wrong. Thanks, Luke. On commit revision 437255 I made it so SearchResult.isRelative() returns the correct value. This will allow you to detect whether or not the search results returned are relative names or absolute names. The core JNDI provider will always return absolute names. Here's a link to svn for your convenience:
http://svn.apache.org/viewvc?view=rev&revision=437255 This fixes 1/2 of your issue. The second problem you're facing is the same as Binary attributes in search filters are causing issues in ApacheDS. This problem is what makes "(userPassword={0})" fail as well as "(userCertificate={0})" etc fail. Fixing the binary attribute problem in search filters will fix both
For 1.0 branch:
http://svn.apache.org/viewvc?view=rev&revision=437312 for shared LDAP http://svn.apache.org/viewvc?view=rev&revision=437314 for apacheds For 1.1 branch: http://svn.apache.org/viewvc?view=rev&revision=437313 for shared LDAP http://svn.apache.org/viewvc?view=rev&revision=437315 for apacheds Great! Thanks for the fix(es). Look forward to the next release.
"On commit revision 437255 I made it so SearchResult.isRelative() returns the correct value. This will allow you to detect whether or not the search results returned are relative names or absolute names. The core JNDI provider will always return absolute names."
This still seems potentially inconsistent with the discussion above and the quotations from the Java tutorial - that the search result should be relative to the target context the search is performed in and isRelative() should return true unless the name is a URL. Reopened to be sure we have investigated all the consequences of the fix.
Has to be clearly fixed for 1.0.1 and 1.5.0
From JNDI tutorial :
"LDAP names as they are used in the protocol are always fully qualified names that identify entries that start from the root of the LDAP namespace (as defined by the server). Following are some examples of fully qualified LDAP names. cn=John Smith, ou=Marketing, o=Some Corporation, c=gb cn=Ted Geisel, ou=People, o=JNDITutorial In the JNDI, however, names are always relative; that is, you always name an object relative to a context. For example, you can name the entry "cn=Ted Geisel" relative to the context named "ou=People, o=JNDITutorial". Or you can name the entry "cn=Ted Geisel, ou=People" relative to the context named "o=JNDITutorial". Or, you can create an initial context that points at the root of the LDAP server's namespace and name the entry "cn=Ted Geisel, ou=People, o=JNDITutorial". " I guess that if someone is using JNDI to use a Ldap Server, then it's the responsibility of the JNDI layer to strip the absolute part before returning the response. We have to check that our implementation of JNDI does respect this contract. Ok, we need to take a decision about this issue.
First, the second part of the issue (binary value used as a filter) seems to be fixed. We have a unit test for it : http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/jndi/DIRSERVER169ITest.java?view=markup&pathrev=437314 On the other issue, I do think that JNDI approach might not fit our need. With Alex patch, we can just check if the returned entry name is absolute and relative, so I guess we are ok. In my mind, returning a relative name (which is, in fact, the DN) seems a nonsense : to get back the DN, you will have to concatenate the context path to the relative returned result. Why do a user should bother about it? Anyway, this is JNDI spec ... In my mind, we should just let it be. Sorry or the spec breakage, but it's quite a reasonnable position regarding LDAP specs - we are not really writing a JNDI implementation, but a LDAP server. wdyt ? Emmanuel I agree with you on this one but I want to find a reasonable solution for
Luke that fits the expected behavior recommended by JNDI. However there are some trade off with doing this when dealing with the LDAP service that sits on top of the server-side JNDI LDAP provider. Namely for efficiency the LDAP service uses absolute names in the search results to minimize the overhead of tracking separate contexts and having to assemble the DN. The LDAP service uses the root context for all operations so DNs and not relative names can be used for search requests. Now Luke is using the embedded provider and his issue is with this behavior. What we can do is make the embedded provider follow the spec yet have the LDAP server provide an additional environment parameter to always request the absolute DN. However I don't want to try this without some good amount of testing and we don't have time for 1.0.1. What I will do is put this issue off for 1.0.2 and we can really try to find a reasonable approach that will make everyone happy. Pushing a fix for this to 1.0.2 and 1.5.1.
I don't think it's worth making this change for 1.0.x considering the possible destablization that may result. It's best that we fix this issue in the 1.5.x branch where we have the freedom to refactor for it.
Should we postpone again ?
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
|
Bug
Closed
Major
Incorrect SearchResult name and "compare" failure using CoreContextFactory
The first point seems to be just the normal behavior of the SearchResult.getName() method. You have a method isRelative() that should tell you if the getName() returns a name relative to the current context, or not.
This is a point that should be investigated a littlmle bit more.
I did not had time to dig yur second point.