DPS 11.1.1.5.0 Not Blocking LDAP Control Requests. (Doc ID 1426884.1)

Last updated on SEPTEMBER 16, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version: 11.1.1.5.0 and later [Release: 11gR1 and later]
Information in this document applies to any platform.

Symptoms

To make DPS block paged results requests (control OID 1.2.840.113556.1.4.319), the allowed-ldap-controls server property is cleared so that no LDAP control request is allowed:

  [root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
  Enter "cn=Proxy Manager" password:
  allowed-ldap-controls : -

In spite of this, DPS doesn't block the LDAP control request:

  [root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=...,dc=.... "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:
  2456
  [root@mysystem logs]# grep "conn=2463" access
  [14/Feb/2012:18:27:08 +0100] - PROFILE - INFO - conn=2463 assigned to connection handler cn=default connection handler, cn=connection handlers, cn=config
  [14/Feb/2012:18:27:08 +0100] - CONNECT - INFO - conn=2463 client=127.0.0.1:56748 server=.......:389 protocol=LDAP
  [14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=...,dc=..." scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid uidNumber gidNumber "
  [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND dn="" method="SIMPLE" version=3 s_msgid=309 s_conn=my_host:10
  [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=-1 BIND RESPONSE err=0 msg="" s_msgid=309 s_conn=my_host:10 etime=0
  [14/Feb/2012:18:27:08 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH base="ou=...,dc=..." scope=2 filter="(uid=d*)" attrs="uid uidNumber gidNumber " s_msgid=310 s_conn=my_host:10
  [14/Feb/2012:18:27:12 +0100] - SERVER_OP - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 s_msgid=310 s_conn=my_host:10 etime=153
  [14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
  [14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=1 UNBIND
  [14/Feb/2012:18:27:12 +0100] - DISCONNECT - INFO - conn=2463 reason="unbind"

The same behaviour occurs with the default allowed-ldap-controls configuration of an ODSEE 11gR1 instance:

  [root@mysystem logs]# dpconf get-server-prop allowed-ldap-controls
  Enter "cn=Proxy Manager" password:
  allowed-ldap-controls : auth-request
  allowed-ldap-controls : chaining-loop-detection
  allowed-ldap-controls : get-effective-rights
  allowed-ldap-controls : manage-dsa
  allowed-ldap-controls : persistent-search
  allowed-ldap-controls : proxy-auth-v1
  allowed-ldap-controls : proxy-auth-v2
  allowed-ldap-controls : real-attributes-only
  allowed-ldap-controls : server-side-sorting
  allowed-ldap-controls : vlv-request
  [root@mysystem logs]# ldapsearch -h mydpshost -J 1.2.840.113556.1.4.319 -b ou=uLy2,dc=agalan,dc=org "(uid=d*)" uid uidNumber gidNumber |grep -c ^dn:
  2456

This behaviour was different in DPS 6.3.x, where such LDAP control requests were blocked:

  [31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 SEARCH RESPONSE err=12 msg="The server is not configured to pass through control 1.2.840.113556.1.4.319" nentries=0 etime=234
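
A log check for this symptom, added here as an example and not part of the article: it reads DPS access-log OPERATION lines, pairs each request's controls= value with its RESPONSE, and reports controls absent from an operator-supplied allow-list that still completed with err=0 (passed through) rather than err=12 (rejected, as 6.3.x does). The sample log is constructed from the article's conn=2463 lines joined onto single lines with a constructed base DN, plus a constructed 6.3.x-style request line to go with the rejection shown above; the function names and the comma/space control separator are assumptions.

```python
import re

# Constructed sample of DPS access-log OPERATION lines: the conn=2463 request and
# response from the article (joined, base DN replaced with a constructed one) and a
# constructed 6.3.x-style pair showing a rejected control (err=12).
SAMPLE_ACCESS_LOG = """\
[14/Feb/2012:18:27:08 +0100] - OPERATION - INFO - conn=2463 op=0 msgid=1 SEARCH base="ou=people,dc=example,dc=com" scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid uidNumber gidNumber "
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=0 SEARCH RESPONSE err=0 msg="" nentries=2456 etime=4398
[14/Feb/2012:18:27:12 +0100] - OPERATION - INFO - conn=2463 op=1 UNBIND
[31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 msgid=2 SEARCH base="ou=people,dc=example,dc=com" scope=2 controls="1.2.840.113556.1.4.319" filter="(uid=d*)" attrs="uid"
[31/Jan/2012:23:46:07 +0100] - OPERATION - INFO - conn=1452338 op=1 SEARCH RESPONSE err=12 msg="The server is not configured to pass through control 1.2.840.113556.1.4.319" nentries=0 etime=234
"""

# Request lines carry msgid= and, when present, controls="..."; responses carry RESPONSE err=.
REQUEST_RE = re.compile(r'conn=(\d+) op=(\d+) msgid=\d+ \w+ .*?controls="([^"]*)"')
RESPONSE_RE = re.compile(r'conn=(\d+) op=(\d+) \w+ RESPONSE err=(\d+)')


def parse_controls(value):
    """Extract control OIDs from a controls="..." value (assumes OIDs are separated
    by non-OID characters such as commas or spaces)."""
    return re.findall(r"\d+(?:\.\d+)+", value)


def find_passed_through_controls(log_text, allowed_oids):
    """Return (conn, op, oid) for each client operation that carried a control not in
    allowed_oids and still completed with err=0: the proxy forwarded the control
    instead of rejecting it with err=12 as DPS 6.3.x does."""
    pending = {}    # (conn, op) -> control OIDs seen on the request line
    findings = []
    for line in log_text.splitlines():
        if " - OPERATION - " not in line:   # skip SERVER_OP, CONNECT, PROFILE, ... lines
            continue
        req = REQUEST_RE.search(line)
        if req:
            conn, op, controls = req.groups()
            pending[(conn, op)] = parse_controls(controls)
            continue
        resp = RESPONSE_RE.search(line)
        if resp:
            conn, op, err = resp.groups()
            for oid in pending.pop((conn, op), []):
                if oid not in allowed_oids and err == "0":
                    findings.append((conn, op, oid))
    return findings


if __name__ == "__main__":
    # allowed-ldap-controls set to "-" means no control at all should be passed through.
    for conn, op, oid in find_passed_through_controls(SAMPLE_ACCESS_LOG, set()):
        print(f"conn={conn} op={op}: control {oid} passed through although not allowed")
```

On a real instance, feed the proxy's access log to find_passed_through_controls with the OIDs corresponding to the configured allowed-ldap-controls values.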
  

 

Cause
