David Faltermier 2005-04-13, 9:01 pm
>-----Original Message-----
>From: Graham Barr [mailto:gbarr@pobox.com]
>Sent: Saturday, April 09, 2005 3:20 PM
>To: Peter Marschall
>Cc: perl-ldap@perl.org; Faltermier, David (HP Directory)
>Subject: Re: Documentation Bug (related to: Outdated OID in
>Net::LDAP::Control::ProxyAuth?)
>
>Hi,
>
>On Apr 6, 2005, at 5:24 AM, Peter Marschall wrote:
Hi Peter,
Thanks for patching Net::LDAP::Control::ProxyAuth.pm. It was on my list
of things to do, but... <head hanging low>.
TEST RESULTS
------------
I applied and tested your patch against OpenLDAP 2.2.23 and SunOne 5.2.
SunOne, using the old OID, worked fine performing a search with:
  my $dn = 'uid=david.faltermier@hp.com,ou=People,o=hp.com';
  my $control = Net::LDAP::Control::ProxyAuth->new(proxyDN => $dn);
  # Connect and bind...
  my $mesg = $ldap->search(
      base    => ...
      scope   => ...
      filter  => ...
      control => $control,
  );
However, I ran into a problem testing against OpenLDAP:
  my $dn = 'uid=david.faltermier@hp.com,ou=People,o=hp.com';
  # The control object is what gets passed to search() below.
  my $control = Net::LDAP::Control::ProxyAuth->new(
      authzID => "dn:$dn",
  );
  # Connect and bind...
  my $mesg = $ldap->search(
      base    => ...
      scope   => ...
      filter  => ...
      control => $control,
  );
The search failed with LDAP error 47. My debugging log shows the
following entries:
  => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
  parseProxyAuthz: conn 1 authzid="03^D1dn:uid=david.faltermier@hp.com,ou=People,o=hp.com"
  slap_sasl_getdn: id=03^D1dn:uid=david.faltermier@hp.com,ou=People,o=hp.com [len=53]
  <= get_ctrls: n=1 rc=47 err="authzId mapping failed"
The authzID mapping failed. The problem seems to be that the ProxyAuth
control value is ASN'ified. Instead of the expected value:
  id=dn:uid=david.faltermier@hp.com,ou=People,o=hp.com
The value is transmitted as:
  id=03^D1dn:uid=david.faltermier@hp.com,ou=People,o=hp.com
SPECS FOR OID 2.16.840.1.113730.3.4.12 (proxyDN)
------------------------------------------------
From what I could find, the specs for the older proxyAuth control are:
  proxyAuthControl ::= SEQUENCE {
      controlType 2.16.840.1.113730.3.4.12,
      criticality BOOLEAN DEFAULT FALSE,
      controlValue proxyAuthValue
  }
The controlValue contains the BER encoding of a DN used for
evaluating the requested rights:
  proxyAuthValue ::= SEQUENCE {
      proxyDN LDAPDN
  }
SPECS FOR OID 2.16.840.1.113730.3.4.18 (authzID)
------------------------------------------------
The specs for the newer proxyAuth control are:
The authorization identity is a string in the UTF-8 character set,
corresponding to the following ABNF [7]:
  authzId = dnAuthzId / uAuthzId
  ; distinguished-name-based authz id.
  dnAuthzId = "dn:" dn
  dn = utf8string ; with syntax defined in RFC 2253
  ; unspecified userid, UTF-8 encoded.
  uAuthzId = "u:" userid
  userid = utf8string ; syntax unspecified
Perhaps I'm mistaken, but it appears that the new OID specifies that the
control value is not ASN'ified. A fuller clipping of the spec details
are attached below from my previous post.
Can you check me on this, Peter?
Thanks again for your work on the patch.
-David
>-----Original Message-----
>From: Faltermier, David (HP Directory)
>Sent: Thursday, March 03, 2005 10:18 AM
>To: perl-ldap@perl.org
>Cc: Subbarao, Kartik;
>Subject: RE: Outdated OID in Net::LDAP::Control::ProxyAuth?
Graham, et al.,
I have done a little more digging around in this area. I think more work
may be necessary than just adding a version parameter. Let me show you
what I found by including some snippets from the weltman drafts that
describe the changes to the proxyAuth control value between [draft]
versions -05 and -12.
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-05)
http://www.watersprings.org/pub/id/...v3-proxy-05.txt
-----------------------------------------------------------------------
I've included sections 3 and 12.2 below which best summarize the control
value.
3. Proxied Authorization Control
  proxyAuthControl ::= SEQUENCE {
      controlType 2.16.840.1.113730.3.4.12,
      criticality BOOLEAN DEFAULT FALSE,
      controlValue proxyAuthValue
  }
The controlValue contains the BER encoding of a DN used for
evaluating the requested rights:
  proxyAuthValue ::= SEQUENCE {
      proxyDN LDAPDN
  }
It is represented as a Sequence in order to allow future
extensions.
12.2 Control envelope
Rather than containing an LDAPDN as the Control value, the Control
contains a Sequence (which contains an LDAPDN). This is to provide
for future extensions.
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-12)
http://www.ietf.org/internet-drafts...v3-proxy-12.txt
-----------------------------------------------------------------------
I've included section 3 below which best summarizes the control value.
3. Proxy Authorization Control
The controlType of the proxy authorization control is
"2.16.840.1.113730.3.4.18".
The controlValue SHALL be present and contain either an authzId
[AUTH] representing the authorization identity for the request or
empty if an anonymous association is to be used.
RFC 2829
http://www.ietf.org/rfc/rfc2829.txt
-----------------------------------
The [AUTH] reference above refers to RFC 2829, section 9. Here's the
relevant parts:
9. Authorization Identity
(...clipped for brevity...)
The authorization identity is a string in the UTF-8 character set,
corresponding to the following ABNF [7]:
  authzId = dnAuthzId / uAuthzId
  ; distinguished-name-based authz id.
  dnAuthzId = "dn:" dn
  dn = utf8string ; with syntax defined in RFC 2253
  ; unspecified userid, UTF-8 encoded.
  uAuthzId = "u:" userid
  userid = utf8string ; syntax unspecified
All servers which support the storage of authentication credentials,
such as passwords or certificates, in the directory MUST support the
dnAuthzId choice.
So, there does appear to be a major change in the packaging of the
proxyAuth control value between the two Weltman drafts (-05 and -12);
thus explaining the OID version change.
Changes to PERL-LDAP?
---------------------
I am assuming that your suggestion to add a version parameter to
Net::LDAP::Control::ProxyAuth::new() would look something like:
  my $auth = Net::LDAP::Control::ProxyAuth->new(
      proxyDN => 'cn=me,ou=people,o=myorg.com',
      version => 2, # OID 2.16.840.1.113730.3.4.18
  );
However, it appears more than this will be needed. The new proxyAuth
control requires an authzId value as specified by RFC 2829. This will
mean a couple things:
1. AuthzId's other than a DN may be specified. Currently, two are
   defined by RFC2829: (1) dnAuthzId, and (2) uAuthzId. Therefore, the
   'proxyDN' named parameter is probably a misnomer and may need to be
   replaced with something less "DN" specific. Perhaps 'proxyID'?
2. The authzId chosen by the user must include the correct "dn:"
or "u:" prefix, something not currently required.
Adding just a version parameter will not account for the necessary
proxyDN parameter changes. Perhaps a new [backward compatible] interface
might look something like this:
  # New interface for Version 2.
  # (The new interface assumes version 2 to be the default.)
  my $auth = Net::LDAP::Control::ProxyAuth->new(
      proxyID => 'dn:cn=me,ou=people,o=myorg.com', # dnAuthzId or uAuthzId
      version => 2, # Optional. Default. OID 2.16.840.1.113730.3.4.18
  );
  # New interface for Version 1.
  my $auth = Net::LDAP::Control::ProxyAuth->new(
      proxyID => 'cn=me,ou=people,o=myorg.com', # DN
      version => 1, # OID 2.16.840.1.113730.3.4.12
  );
  # For backward compatibility with version 1.
  # Note: Use of named parameter 'proxyDN' assumes version 1
  # (OID 2.16.840.1.113730.3.4.12).
  my $auth = Net::LDAP::Control::ProxyAuth->new(
      proxyDN => 'cn=me,ou=people,o=myorg.com',
  );
The interface changes suggested above should not break anyone's current
usage of Net::LDAP::Control::ProxyAuth. Of course, there are other
interface options.
-David
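As an added example (not code from this thread or from perl-ldap), the Python below builds both control-value encodings discussed in the two messages, the draft-05 SEQUENCE { proxyDN LDAPDN } wrapper for OID ...3.4.12 and the bare RFC 2829 authzId for OID ...3.4.18, and decodes the wrapped form to show why slapd logged "03^D1dn:..." with len=53 for the DN from the first message. The function names and the caret-notation renderer are my own assumptions; the DN and log format come from the post.

```python
# Added example, not code from the thread or from perl-ldap: the two wire
# encodings of the proxied-authorization control value, plus a decoder for
# the BER-wrapped form that explains the bytes OpenLDAP logged.

PROXY_DN = "uid=david.faltermier@hp.com,ou=People,o=hp.com"  # DN quoted in the post


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_v1_value(proxy_dn: str) -> bytes:
    """OID 2.16.840.1.113730.3.4.12: proxyAuthValue ::= SEQUENCE { proxyDN LDAPDN }."""
    dn = proxy_dn.encode("utf-8")
    octet_string = b"\x04" + ber_len(len(dn)) + dn          # LDAPDN is an OCTET STRING
    return b"\x30" + ber_len(len(octet_string)) + octet_string  # outer SEQUENCE


def encode_v2_value(authz_id: str) -> bytes:
    """OID 2.16.840.1.113730.3.4.18: controlValue is the bare authzId, no ASN.1 wrapper."""
    if authz_id != "" and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must be 'dn:<dn>', 'u:<userid>' or empty")
    return authz_id.encode("utf-8")


def decode_v1_value(value: bytes) -> str:
    """Unwrap SEQUENCE { OCTET STRING }; raises ValueError for anything else."""
    def tlv(buf: bytes, tag: int) -> bytes:
        if len(buf) < 2 or buf[0] != tag:
            raise ValueError("unexpected tag 0x%02x" % (buf[0] if buf else 0))
        ln, pos = buf[1], 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        if pos + ln != len(buf):
            raise ValueError("length mismatch")
        return buf[pos:pos + ln]
    return tlv(tlv(value, 0x30), 0x04).decode("utf-8")


def caret_notation(data: bytes) -> str:
    """Render bytes the way the slapd debug log did: control characters as ^X."""
    return "".join("^" + chr(b + 0x40) if b < 0x20 else chr(b) for b in data)
```

Feeding the v1 (wrapped) encoding of "dn:" + PROXY_DN through caret_notation reproduces the logged string "03^D1dn:uid=..." byte for byte: 0x30 '0' is the SEQUENCE tag, '3' (0x33) its length of 51, ^D (0x04) the OCTET STRING tag and '1' (0x31) its length of 49, which is where the extra four bytes in len=53 come from.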