The PWM application incorrectly sends the manageDSAit control on search operations. This control is only supposed to be used in very specific cases, not as a general control to always be expressed. Using this control without any consideration of the end effect breaks the ability of end LDAP servers to behave as expected. For example, with OpenLDAP, the use of the manageDSAit control disables various behaviors that PWM relies on, causing PWM to not get correct results.
This is due to the fact that ldapchai uses the poorly written JNDI interface to do LDAP connections. JNDI incorrectly always enables the manageDSAit control by default. It would be better to have ldapchai in place with the Apache LDAP Java API as it was written by people who actually comprehend LDAP.
Also, although PWM has an option to enable/disable chasing of referrals, it doesn't actually pass this parameter down to JNDI so as to disable the manageDSAit control.
The JNDI documentation itself clearly demonstrates that the JNDI developers do not fully comprehend RFC 3296, as they incorrectly call this the manage referral control whereas the RFC explicitly states: "is defined to allow manipulation of referral and other special objects as normal objects." They seem to have missed the second part.
JNDI sets Manage Referral Control to ignore by default. This value prevents dynamic group usage with rundeck. Adding an option to change the Manage Referral control default value allows dynamic group usage.
- ignore : ignore referrals (the current default value)
- follow : automatically follow any referrals for dynamic groups
- https://docs.oracle.com/javase/tutorial/jndi/newstuff/mdsaIT.html
- pwm-project/pwm#610
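
One way to check whether a client is sending the manageDSAit control on its searches, as an added example that is not part of the original thread or of the PWM, ldapchai or rundeck code: a minimal BER reader that lists the controls attached to one captured LDAPMessage. The control OID is the one defined in RFC 3296; the sample messages, the base DN and all function names are constructed for illustration.

```python
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"  # manageDSAit control OID (RFC 3296)

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid in LDAP")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def request_controls(message):
    """Return [(oid, critical)] for the controls attached to one LDAPMessage."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    found = []
    for tag, val in children(body):
        if tag != 0xA0:                    # only the top-level [0] Controls field
            continue
        for _, control in children(val):
            parts = list(children(control))
            critical = any(t == 0x01 and v != b"\x00" for t, v in parts[1:])
            found.append((parts[0][1].decode("ascii"), critical))
    return found

def sends_manage_dsa_it(message):
    return any(oid == MANAGE_DSA_IT for oid, _ in request_controls(message))

def tlv(tag, value):
    """Encode a short (< 128 byte) BER element for the constructed samples."""
    return bytes([tag, len(value)]) + value

def sample_search(with_control):
    """Constructed SearchRequest for (&(objectClass=*)) under dc=example,dc=com."""
    flt = tlv(0xA0, tlv(0x87, b"objectClass"))   # AND filter also uses tag 0xA0
    op = tlv(0x63, tlv(0x04, b"dc=example,dc=com") + tlv(0x0A, b"\x02")
             + tlv(0x0A, b"\x00") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
             + tlv(0x01, b"\x00") + flt + tlv(0x30, b""))
    ctl = tlv(0x30, tlv(0x04, MANAGE_DSA_IT.encode()) + tlv(0x01, b"\xff"))
    return tlv(0x30, tlv(0x02, b"\x01") + op + (tlv(0xA0, ctl) if with_control else b""))
```

Only the top-level `[0]` field of the LDAPMessage is inspected, so the AND filter inside the search request, which carries the same `0xA0` tag, is not mistaken for a control list.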