
ODSEE - DPS - Not Applying Filtering Policies Properly in Case of startTLS Connection (Doc ID 1633619.1)

Last updated on JANUARY 31, 2019

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.0 to 11.1.1.5.0 [Release 6.0 to 11gR1]
Information in this document applies to any platform.

Symptoms

For DPS - Prohibiting clear-text authentication while still allowing anonymous searches can be done by defining two connection handlers: one for LDAP (the clear-text handler, with 'authenticationMethodCriteria: none' so that only anonymous operations are accepted on it) and one for LDAPS.

This works as expected for plain LDAP and for LDAPS connections.

However, it does not work when startTLS is used on an LDAP connection, as in the following example -

 # /usr/bin/ldapsearch -p 22389 -h <HOSTNAME> -Z -x -LLL -D "uid=<UID>,ou=People,dc=example,dc=com" -w <PASSWORD> -b dc=example,dc=com uid=<UID> 1.1
ldap_bind: Insufficient access (50)
additional info: Bind operations not permitted
#

In the access log -

[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - CONNECT - INFO - conn=19 client=<IP ADDR>:47949 server=host.jp.oracle.com:22389 protocol=LDAP
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED RESPONSE err=0 msg="" etime=3
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=example,dc=com" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - Connection 19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 DISCONNECT
[06/Feb/2014:10:52:29 +0900] - DISCONNECT - INFO - conn=19 reason="other" msg="Exception caught while polling client connection LDAPS.<IP ADDR>.47949 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 BIND RESPONSE err=50 msg="Bind operations not permitted" etime=4

After the startTLS extended operation completes (op=0, EXTENDED RESPONSE err=0), the connection is assigned to "Secure CH" as expected. But when the subsequent BIND (op=1) is processed, the connection is re-assigned to the "Clear Text" connection handler, and the BIND is then rejected by that handler's policy (err=50, "Bind operations not permitted"). The javax.net.ssl.SSLException in the DISCONNECT line is the generic JSSE message logged when the peer closes the TCP connection without sending a TLS close_notify; here it reflects the client going away after the rejected bind, not a separate fault.
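The sequence described above can be picked out of a DPS access log mechanically. The following Python script is an added example and is not part of the Oracle document: it tracks, per connection, the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), the handler assignments that follow a successful StartTLS, and the BIND result, and reports every connection that was moved from a secure handler to a non-secure one before its BIND was answered. The set of handler names treated as secure (`cn=Secure CH`) is an assumption taken from the log above; SAMPLE_LOG is copied from the symptom section with its placeholders kept, and HEALTHY_LOG is a constructed control case.

```python
"""Flag DPS connections that were re-assigned to a non-secure connection
handler after a successful StartTLS (added example, not Oracle's code)."""
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Handler names considered "secure"; assumption based on the log in this note.
SECURE_HANDLERS = frozenset({"cn=Secure CH"})

# Both spellings of the PROFILE line seen in the log ("conn=19" and "Connection 19").
PROFILE_RE = re.compile(
    r'PROFILE - INFO - (?:conn=|Connection )(?P<conn>\d+) assigned to connection handler (?P<handler>cn=[^,]+)')
EXT_RE = re.compile(r'OPERATION - INFO - conn=(?P<conn>\d+) op=(?P<op>\d+) EXTENDED oid="(?P<oid>[^"]+)"')
EXT_RESP_RE = re.compile(r'OPERATION - INFO - conn=(?P<conn>\d+) op=(?P<op>\d+) EXTENDED RESPONSE err=(?P<err>\d+)')
BIND_RE = re.compile(r'OPERATION - INFO - conn=(?P<conn>\d+) op=(?P<op>\d+) msgid=\d+ BIND dn="(?P<dn>[^"]*)"')
BIND_RESP_RE = re.compile(r'OPERATION - INFO - conn=(?P<conn>\d+) op=(?P<op>\d+) BIND RESPONSE err=(?P<err>\d+)')

# Copied from the symptom section above (placeholders kept as-is).
SAMPLE_LOG = """\
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - CONNECT - INFO - conn=19 client=<IP ADDR>:47949 server=host.jp.oracle.com:22389 protocol=LDAP
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED RESPONSE err=0 msg="" etime=3
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=example,dc=com" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - Connection 19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 DISCONNECT
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 BIND RESPONSE err=50 msg="Bind operations not permitted" etime=4
"""

# Constructed control case: the connection stays on the secure handler and binds.
HEALTHY_LOG = """\
[06/Feb/2014:10:55:00 +0900] - PROFILE - INFO - conn=20 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:55:00 +0900] - OPERATION - INFO - conn=20 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:55:00 +0900] - OPERATION - INFO - conn=20 op=0 EXTENDED RESPONSE err=0 msg="" etime=2
[06/Feb/2014:10:55:00 +0900] - PROFILE - INFO - conn=20 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:55:00 +0900] - OPERATION - INFO - conn=20 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=example,dc=com" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:55:00 +0900] - OPERATION - INFO - conn=20 op=1 BIND RESPONSE err=0 msg="" etime=3
"""


def analyze(lines, secure_handlers=SECURE_HANDLERS):
    """Return one finding per BIND that was answered while the connection,
    having completed StartTLS, had been moved to a non-secure handler."""
    conns = defaultdict(lambda: {"tls_op": None, "tls_ok": False,
                                 "handlers_after_tls": [], "binds": {}})
    findings = []
    for line in lines:
        m = EXT_RE.search(line)
        if m and m["oid"] == STARTTLS_OID:
            conns[m["conn"]]["tls_op"] = m["op"]       # StartTLS requested
            continue
        m = EXT_RESP_RE.search(line)
        if m:
            c = conns[m["conn"]]
            if m["op"] == c["tls_op"] and m["err"] == "0":
                c["tls_ok"] = True                     # StartTLS succeeded
            continue
        m = PROFILE_RE.search(line)
        if m:
            c = conns[m["conn"]]
            if c["tls_ok"]:                            # only assignments after TLS matter
                c["handlers_after_tls"].append(m["handler"])
            continue
        m = BIND_RE.search(line)
        if m:
            conns[m["conn"]]["binds"][m["op"]] = m["dn"]
            continue
        m = BIND_RESP_RE.search(line)
        if m:
            c = conns[m["conn"]]
            hist = c["handlers_after_tls"]
            if c["tls_ok"] and hist and hist[-1] not in secure_handlers:
                findings.append({
                    "conn": m["conn"],
                    "bind_dn": c["binds"].get(m["op"], ""),
                    "handler_after_tls": hist[0],
                    "handler_at_bind": hist[-1],
                    "bind_err": int(m["err"]),
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against a real DPS access log with `analyze(open(path).read().splitlines())`; a non-empty result means StartTLS-upgraded connections are being evaluated against the clear-text handler at bind time, which is the symptom this note describes.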

However, if the allowed authentication method of the "Clear Text" connection handler is changed as follows (i.e. 'authenticationMethodCriteria: none' is removed),

Cause


