ODSEE - DPS - Not Applying Filtering Policies Properly in Case of startTLS Connection
(Doc ID 1633619.1)
Last updated on NOVEMBER 18, 2022
Applies to:
Oracle Directory Server Enterprise Edition - Version 6.0 to 11.1.1.5.0 [Release 6.0 to 11gR1]
Information in this document applies to any platform.
Symptoms
For DPS, prohibiting clear-text authentication while still allowing anonymous searches can be done by defining two connection handlers: one for LDAP (clear text), which restricts the authentication method to 'none' so that only anonymous operations are accepted on it, and one for LDAPS, which permits binds.
This works as expected for plain LDAP and for LDAPS connections.
However, for startTLS on an LDAP connection it does not work, as the following example shows -
# /usr/bin/ldapsearch -p <PORT> -h <HOSTNAME> -Z -x -LLL -D "uid=<UID>,ou=People,dc=<SUFFIX_DN>" -w <PASSWORD> -b dc=<SUFFIX_DN> uid=<UID> 1.1
ldap_bind: Insufficient access (50)
        additional info: Bind operations not permitted
#
In the access log -
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - CONNECT - INFO - conn=19 client=<IP ADDR>:47949 server=FULL.HOSTNAME:<PORT> protocol=LDAP
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED RESPONSE err=0 msg="" etime=3
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=<SUFFIX_DN>" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - Connection 19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 DISCONNECT
[06/Feb/2014:10:52:29 +0900] - DISCONNECT - INFO - conn=19 reason="other" msg="Exception caught while polling client connection LDAPS.<IP ADDR>.47949 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 BIND RESPONSE err=50 msg="Bind operations not permitted" etime=4
After the startTLS extended operation completes, the connection is assigned to "Secure CH" as expected. But when the subsequent BIND takes place, it is re-assigned to the "Clear Text" connection handler, and the BIND then fails according to that handler's policy (err=50, "Bind operations not permitted"), even though the operation actually travelled inside the TLS session.
However, if the allowed authentication method of the "Clear Text" connection handler is changed like the following,
(i.e. 'authenticationMethodCriteria: none' is removed.)
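The re-assignment visible in the trace above can be checked mechanically across a whole access log rather than by reading one connection at a time. The script below is an added example for this note, not Oracle's code and not part of DPS: it walks a DPS access log in the format shown above, records which connections completed a startTLS extended operation (OID 1.3.6.1.4.1.1466.20037 answered with err=0), and reports any later PROFILE line that assigns such a connection to a handler outside the set you name as secure. The embedded sample log is the conn=19 trace from this note followed by a constructed conn=20 trace that stays on the secure handler; the handler name "cn=Secure CH" and the conn=20 lines are assumptions for illustration.

```python
"""Detect startTLS connections that DPS re-assigned to a non-secure connection
handler after the TLS handshake completed.

Added example for this note, not Oracle's code. The handler name below and the
conn=20 trace in SAMPLE_LOG are assumptions used for illustration.
"""
import re
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# DPS access-log line shape: [timestamp] - CATEGORY - LEVEL - message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<cat>[A-Z]+) - [A-Z]+ - (?P<msg>.*)$")
# DPS writes both "conn=19 ..." and "Connection 19 assigned ..." forms
CONN_RE = re.compile(r"(?:\bconn=|\bConnection )(?P<conn>\d+)\b")
HANDLER_RE = re.compile(
    r"assigned to connection handler (?P<handler>.+?),\s*cn=connection handlers,cn=config"
)

# Constructed sample: the conn=19 trace from this note, then an assumed conn=20
# trace where the connection stays on the secure handler and the bind succeeds.
SAMPLE_LOG = """\
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - CONNECT - INFO - conn=19 client=<IP ADDR>:47949 server=FULL.HOSTNAME:<PORT> protocol=LDAP
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=0 EXTENDED RESPONSE err=0 msg="" etime=3
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - conn=19 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=<SUFFIX_DN>" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:52:29 +0900] - PROFILE - INFO - Connection 19 assigned to connection handler cn=Clear Text,cn=connection handlers,cn=config
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 DISCONNECT
[06/Feb/2014:10:52:29 +0900] - DISCONNECT - INFO - conn=19 reason="other" msg="Exception caught while polling client connection LDAPS.<IP ADDR>.47949 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[06/Feb/2014:10:52:29 +0900] - OPERATION - INFO - conn=19 op=1 BIND RESPONSE err=50 msg="Bind operations not permitted" etime=4
[06/Feb/2014:10:53:01 +0900] - PROFILE - INFO - conn=20 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
[06/Feb/2014:10:53:01 +0900] - CONNECT - INFO - conn=20 client=<IP ADDR>:47950 server=FULL.HOSTNAME:<PORT> protocol=LDAP
[06/Feb/2014:10:53:01 +0900] - OPERATION - INFO - conn=20 op=0 EXTENDED oid="1.3.6.1.4.1.1466.20037"
[06/Feb/2014:10:53:01 +0900] - OPERATION - INFO - conn=20 op=0 EXTENDED RESPONSE err=0 msg="" etime=2
[06/Feb/2014:10:53:01 +0900] - PROFILE - INFO - conn=20 assigned to connection handler cn=Secure CH,cn=connection handlers,cn=config
[06/Feb/2014:10:53:01 +0900] - OPERATION - INFO - conn=20 op=1 msgid=2 BIND dn="uid=<UID>,ou=people,dc=<SUFFIX_DN>" method="SIMPLE" version=3 controls=""
[06/Feb/2014:10:53:01 +0900] - OPERATION - INFO - conn=20 op=1 BIND RESPONSE err=0 msg="" etime=3
"""


def find_tls_downgrades(log_text, secure_handlers):
    """Return one finding per PROFILE line that assigns a connection with a
    completed startTLS handshake to a handler not listed in secure_handlers."""
    pending = set()      # conns with a StartTLS request awaiting its response
    tls_active = set()   # conns whose StartTLS response was err=0
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, cat, msg = m.group("ts"), m.group("cat"), m.group("msg")
        c = CONN_RE.search(msg)
        if not c:
            continue
        conn = c.group("conn")
        if cat == "OPERATION":
            if f'EXTENDED oid="{STARTTLS_OID}"' in msg:
                pending.add(conn)
            elif "EXTENDED RESPONSE err=0" in msg and conn in pending:
                pending.discard(conn)
                tls_active.add(conn)      # TLS layer is up from this line on
            elif msg.endswith("DISCONNECT"):
                pending.discard(conn)
                tls_active.discard(conn)
        elif cat == "PROFILE" and conn in tls_active:
            h = HANDLER_RE.search(msg)
            if h and h.group("handler") not in secure_handlers:
                findings.append({"conn": conn, "handler": h.group("handler"), "ts": ts})
    return findings


def main(argv):
    secure = {"cn=Secure CH"}   # assumed name of the TLS-only handler
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for f in find_tls_downgrades(text, secure):
        print(f"[{f['ts']}] conn={f['conn']} re-assigned to {f['handler']} after startTLS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a DPS access log as the only argument (with no argument it scans the embedded sample and reports conn=19). Only assignments that happen after the err=0 StartTLS response count, so the "Clear Text" assignment DPS makes while processing the extended request itself, before the TLS layer exists, is correctly ignored; a DISCONNECT on the connection clears its TLS state so a reused connection number is not misattributed.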
Cause