Recent changes to bugs

Confusing/unneccessary error handling on timeouts

Cato Olsen — Wed, 11 Apr 2007 13:18:59 -0000

If a non-anonymous search user is configured, and this user fails authentication, the timeout handler will report an error. The log will appear similar to this:

Non-anonymous search for user element DN on ...
Could not authenticate search user ... on ...
...
Interrupting search on ... after ~...ms

The timeout interruptor should not be triggered after the initial failure.

Confusing SOAP Fault response on empty SOAP

Cato Olsen — Tue, 01 Aug 2006 14:20:19 -0000

An empty "SOAP" POST will result in a Server:MORIA
INTERNAL SOAP Fault. The correct response should be
Client:ILLEGAL INPUT.

Non-consistent results on connectivity tests

Cato Olsen — Thu, 13 Jul 2006 13:39:46 -0000

During JMeter stress testing of the Status servlet,
the following situation occured (2 times out of 1000
attempts):

The status given is "20 warn moria-dm No connectivity
to <someOrg>" while <someOrg> is shown as OK in the
table below.

Double authentication in StatusServlet

Cato Olsen — Tue, 20 Jun 2006 14:10:56 -0000

Each refresh of the StatusServlet will cause two
authentication attempts for each configured "ping"
user; one for the status message, one for the user-
friendly connectivity table.

Confusing exception handling for NDS servers

Cato Olsen — Mon, 12 Jun 2006 13:47:19 -0000

These will cause a
javax.naming.OperationNotSupportedException, with a
NDS error code detailing the actual cause.

Two common causes are "log account expired" and "ds
locked" against one particular LDAP server. See
http://www.novell.com/documentation/nwec/pdfdoc/nwec/n
wec.pdf for descriptions.

Post-logout redirect not working for non-existing sessions

Cato Olsen — Mon, 30 Jan 2006 14:59:37 -0000

When a (user or) service attempts a (manual) logout
including a redirect parameter, the redirect is
ignored whenever the user's SSO session is unknown.

This should create problems for services that perform
automatic logouts without knowing whether a user is
actually logged in.

Language cookie not set on accepting default language

Cato Olsen — Thu, 12 Jan 2006 11:50:31 -0000

When the client browser contains no previous language
cookie, the logout page (and possibly others, as
well) will be shown in the wrong language.

This would suggest that the language cookie is not
set on login, only when the user actively selects a
language on the login page.

The proper behaviour would be to set the language
cookie on each login, under the assumption that no
changes in the language selection implies that the
desired language is used by default.

JNDI timeouts not working properly

Cato Olsen — Fri, 02 Dec 2005 12:17:24 -0000

The Status service will hang on a HTTP GET if one or
more test users cannot be authenticated.

This suggests that the timeout handling in the DM
doesn't work as intended, at least for direct non-
interactive authentication.

"Special" characters in username provokes a BackendException

Nils A Thommesen — Fri, 02 Dec 2005 10:50:53 -0000

Note: this should possibly be solved in the web front
end, too.

Example username to reproduce the test:£$€"#¤

What seems to happen is that the login front happily
passes this (strange) username to the directory
handling backend.
My theory: Moria guesses a RDN, which is sent to the
LDAP Server, the LDAP Server responds with an error,
which in turn ends up as a BackEndException.

Some suggestions to fixes:
* some characters would be "inappropriate" to use in
user names, at least constricted by the format for
eduPersonOrgPrincipalName, should be handled in the
front end

* the RDN-guessing should avoid illegal constructions
(to prevent this error for DirectAuthentication)

* the response from the LDAP Server should be handled
by a correct error message to the FEIDE-user, instead
of suggesting that the LDAP Server is completely
unavailable. Possible new error situation/exception:
error message received from LDAP Server?

This is a copy of the log output:
BACKEND: 11:29:23,696 DEBUG [JNDIBackend] [-]
"Anonymous search for user element
DN"
BACKEND: 11:29:24,097 DEBUG [JNDIBackend]
[gICAgAAAAAABB*sD0jzW66Z62daUef00r*mWJ
NydFJBHPH0rNwjNpWYbbgbPRdiH3eMTg3fqZ3wPFfuuCng] "No
subtree match for eduPersonP
rincipalName=ú$?"#ñ@uninett.no on
ldaps://ldap.uninett.no/ou=people,dc=uninett,d
c=no - guessing on RDN uid=ú$?"#ñ"
BACKEND: 11:29:24,137 DEBUG [JNDIBackend] [-] "Matched
eduPersonPrincipalName=ú$
?"#ñ@uninett.no to uid=ú$?"#ñ,ou=people,dc=uninett,dc=no"
MESSAGE: 11:29:24,167 WARN [MoriaController]
[gICAgAAAAAABB*sD0jzW66Z62daUef00r
*mWJNydFJBHPH0rNwjNpWYbbgbPRdiH3eMTg3fqZ3wPFfuuCng]
"BackendException caught"
no.feide.moria.directory.backend.BackendException:
Unable to access the backend
on ldaps://ldap.uninett.no/ou=people,dc=uninett,dc=no
at
no.feide.moria.directory.backend.JNDIBackend.authenticate(JNDIBackend
.java:346)

Organizations may use services that should not be accessible

Cato Olsen — Mon, 14 Nov 2005 13:17:08 -0000

In some situations, it seems that users from an
organization that is not allowed to use a given service
are allowed to log on.

After a recent bugfix (removing illegal organizations from
dropdown list) the only remaining way to do this is to
use the full login name, as opposed to choosing an
organization from the list.