DPS - Not Applying Filtering Policies Properly in Case of startTLS Connection (Doc ID 1633619.1)

Last updated on AUGUST 28, 2017

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.0 to 11.1.1.5.0 [Release 6.0 to 11gR1]
Information in this document applies to any platform.

Symptoms

DPS - Prohibiting clear text authentication while still allowing anonymous searches can be done by defining two connection handlers, one for LDAP and one for LDAPS. This works as expected for plain LDAP and LDAPS connections. In the case of startTLS on an LDAP connection, however, it does not work, as in the following example:

# /usr/bin/ldapsearch -p 22389 -h host -Z -x -LLL -D "uid=test,ou=People,dc=example,dc=com" -w password -b dc=example,dc=com uid=test 1.1
ldap_bind: Insufficient access (50)
additional info: Bind operations not permitted
#

In the access log -

[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - CONNECT - INFO - conn=19 client=10.188.140.203:47949 server=host.jp.oracle.com:22389 protocol=LDAP
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED RESPONSE err=0 msg="" etime=3
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 msgid=2 BIND dn="uid=test,ou=people,dc=example,dc=com" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - Connection 19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 DISCONNECT
[06/Feb/2014:10:52:29 +0900] - DISCONNECT - INFO - conn=19 reason="other" msg="Exception caught while polling client connection LDAPS.10.188.140.203.47949 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 BIND RESPONSE err=50 msg="Bind operations not permitted" etime=4

After the startTLS extended operation completes, the connection is assigned to "Secure CH" as expected. When the subsequent BIND takes place, however, the connection is re-assigned to the "Clear Text" connection handler, and the BIND is then rejected according to that handler's policy.

However, if the allowed authentication method of the "Clear Text" connection handler is changed as follows (i.e. 'authenticationMethodCriteria: none' is removed):

Cause
