DERBY-4976: LDAP authentication's use of derby.property for finding dn locally is faulty: search is always performed


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.3.2.1, 10.3.3.0, 10.4.1.3, 10.4.2.0, 10.5.1.1, 10.5.2.0, 10.5.3.0, 10.6.1.0, 10.6.2.1, 10.7.1.1
    • Fix Version/s: None
    • Component/s: Services
    • Urgency:
      Normal
    • Issue & fix info:
      Known fix
    • Bug behavior facts:
      Security

      Description

      cf DERBY-4975.

      It seems derby.authentication.ldap.searchFilter=derby.user doesn't work as advertised.

      LDAPAuthenticationSchemeImpl contains this code:

      #authenticateUser:
      :
          // Retrieve the user's DN (Distinguished Name) If we're asked to
          // look it up locally, do it first and if we don't find it, we go
          // against the LDAP server for a look-up (search)

          if (useUserPropertyAsDN)
              userDN =
                  authenticationService.getProperty(
                      org.apache.derby.iapi.reference.Property.USER_PROPERTY_PREFIX);

      The lookup happens against the property "derby.user."; the username is not appended first, so userDN is always set to null, and a search ensues before the bind. Cf. this explanation: http://db.apache.org/derby/manuals/develop/develop100.html

      > Derby typically initiates a search for a full DN before binding to the directory using the full DN for user authentication. Derby does not initiate a search in the following cases:
      >
      > * You have set derby.authentication.ldap.searchFilter to derby.user.
      > * A user DN has been cached locally for the specific user with the derby.user.UserName property.

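The lookup the report describes, next to a lookup keyed on the user name, as an added Java example (not Derby's source and not the committed fix). `LocalDnLookupDemo`, `searchDirectory`, the sample DNs and the way `useUserPropertyAsDN` is derived from the search filter are assumptions; a `Properties` object stands in for `authenticationService.getProperty`.

```java
import java.util.Properties;

/** Added illustration of the lookup described in DERBY-4976; not Derby's source. */
public class LocalDnLookupDemo {
    // Value the report gives for Property.USER_PROPERTY_PREFIX.
    static final String USER_PROPERTY_PREFIX = "derby.user.";
    static final String SEARCH_FILTER = "derby.authentication.ldap.searchFilter";

    static int searches = 0; // counts fallbacks to the directory search

    // Hypothetical stand-in for the LDAP search that precedes the bind.
    static String searchDirectory(String user) {
        searches++;
        return "uid=" + user + ",ou=People,dc=example,dc=com"; // constructed DN
    }

    // Assumption: the flag is set when the search filter is "derby.user".
    static boolean useUserPropertyAsDN(Properties props) {
        return "derby.user".equals(props.getProperty(SEARCH_FILTER));
    }

    // Behaviour the report describes: the bare prefix is looked up, so the
    // result is null for every user and the search always runs.
    static String resolveDnAsReported(Properties props, String user) {
        String userDN = useUserPropertyAsDN(props)
                ? props.getProperty(USER_PROPERTY_PREFIX) : null;
        return userDN != null ? userDN : searchDirectory(user);
    }

    // Lookup keyed on derby.user.<UserName>, as the manual describes; the
    // search is only a fallback when no DN is cached for this user.
    static String resolveDnPerUser(Properties props, String user) {
        String userDN = useUserPropertyAsDN(props)
                ? props.getProperty(USER_PROPERTY_PREFIX + user) : null;
        return userDN != null ? userDN : searchDirectory(user);
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration
        props.setProperty(SEARCH_FILTER, "derby.user");
        props.setProperty("derby.user.alice", "uid=alice,ou=Staff,dc=example,dc=com");

        System.out.println(resolveDnAsReported(props, "alice") + "  searches=" + searches);
        searches = 0;
        System.out.println(resolveDnPerUser(props, "alice") + "  searches=" + searches);
        System.out.println(resolveDnPerUser(props, "bob") + "  searches=" + searches);
    }
}
```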

              People

              • Assignee:
                Unassigned
                Reporter:
                dagw Dag H. Wanvik