WildFly Elytron / ELY-2545

referral-mode="ignore" and filter-base-dn=rootDN cause javax.naming.PartialResultException


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: 2.4.0.CR1
    • Affects Version: 1.15.16.Final
    • Component: Realms

      When ldap-realm is configured with referral-mode="ignore" and filter-base-dn=rootDN against Active Directory, javax.naming.PartialResultException is thrown at authorization with ldap-realm.

       

      stacktrace:

      11:13:08,478 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /simple/: java.lang.RuntimeException: ELY01079: Ldap-backed realm failed to obtain attributes for entry [CN=user1,CN=Users,DC=EXAMPLE1,DC=COM]
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.extractFilteredAttributesFromSearch(LdapSecurityRealm.java:810)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.lambda$extractFilteredAttributes$6(LdapSecurityRealm.java:775)
              at java.base/java.util.stream.Collectors.lambda$toMap$68(Collectors.java:1666)                                                                                                                                                                                            
              at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)                                                                                                                                                                                          
              at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177)                                                                                                                                                                                    
              at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)                                                                                                                                                                               
              at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)                                                                                                                                                                                        
              at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)                                                                                                                                                                                 
              at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)                                                                                                                                                                                   
              at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)                                                                                                                                                                                        
              at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)                                                                                                                                                                                       
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.extractAttributes(LdapSecurityRealm.java:830)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.extractFilteredAttributes(LdapSecurityRealm.java:756)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.getAttributes(LdapSecurityRealm.java:515)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.getAuthorizationIdentity(LdapSecurityRealm.java:496)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.doAuthorization(ServerAuthenticationContext.java:2021)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.authorize(ServerAuthenticationContext.java:2052)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:517)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:497)                                    
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:901)                                  
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)                                     
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism.authorize(UsernamePasswordAuthenticationMechanism.java:104)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.basic.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:163)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.util.SocketAddressCallbackServerMechanismFactory$1.evaluateRequest(SocketAddressCallbackServerMechanismFactory.java:82)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:326)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:301)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
              at org.wildfly.security.elytron-web.undertow-server@1.9.3.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
              at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.3.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.3.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
              at org.wildfly.extension.undertow@7.4.10.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
              at io.undertow.servlet@2.2.23.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
              at io.undertow.core@2.2.23.SP2-redhat-00001//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
              at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
              at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
              at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
              at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
              at org.jboss.xnio@3.8.7.SP1-redhat-00001//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
              at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: java.lang.RuntimeException: ELY01084: Error while consuming results from search. SearchDn [DC=Example1,DC=COM], Filter [(& (objectClass=group)(member={1}))], Filter Args [[user1, CN=user1,CN=Users,DC=EXAMPLE1,DC=COM]].
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1127)
              at java.base/java.util.Spliterator.forEachRemaining(Spliterator.java:326)
              at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.extractFilteredAttributesFromSearch(LdapSecurityRealm.java:800)
              ... 67 more
      Caused by: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=Example1,DC=COM'
              at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022)
              at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
              at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
              at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
              at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.DelegatingLdapContext$1.hasMore(DelegatingLdapContext.java:138)
              at org.wildfly.security.elytron-private@1.15.16.Final-redhat-00001//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1069)
              ... 70 more
      

      example:

                      <ldap-realm name="ldap-realm" dir-context="ldap-dir-context" direct-verification="true">
                          <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="false" search-base-dn="CN=Users,DC=Example1,DC=COM">
                              <attribute-mapping>
                                  <!--attribute from="cn" to="Roles" filter="(&amp; (objectClass=group)(member={1}))" filter-base-dn="CN=Users,DC=Example1,DC=COM" role-recursion="5"/-->
                                  <attribute from="cn" to="Roles" filter="(&amp; (objectClass=group)(member={1}))" filter-base-dn="DC=Example1,DC=COM" role-recursion="5"/>
                              </attribute-mapping>
                          </identity-mapping>
                      </ldap-realm>
      ...
                  <dir-contexts>
                      <dir-context name="ldap-dir-context" url="ldap://hostname" principal="CN=Administrator,CN=Users,DC=EXAMPLE1,DC=COM" referral-mode="ignore">
                          <credential-reference clear-text="password"/>
                      </dir-context>
                  </dir-contexts>
      
      

              rhn-support-hokuda Hisanobu Okuda
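
The innermost cause in the trace is raised by the JDK's LDAP provider: with referrals ignored, hasMore() throws PartialResultException ("Unprocessed Continuation Reference(s)") after the entries of the root-DN search have been returned. The following is an added example, not part of the original report and not Elytron's code or its fix; it shows a consumer that treats that exception as end-of-results only when referrals are configured to be ignored. The class name, helper names and group DNs are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;

public class ReferralIgnoreDemo {

    /** Collects search results; with referrals ignored, PartialResultException ends the stream. */
    static <T> List<T> drain(NamingEnumeration<T> results, boolean ignoreReferrals)
            throws NamingException {
        List<T> out = new ArrayList<>();
        try {
            while (results.hasMore()) {
                out.add(results.next());
            }
        } catch (PartialResultException e) {
            if (!ignoreReferrals) {
                throw e; // other referral modes: the caller has to see the failure
            }
            // referral-mode="ignore": keep the entries already read, skip the referrals
        } finally {
            results.close();
        }
        return out;
    }

    /** Constructed stand-in for the server response: entries first, then an unprocessed referral. */
    static NamingEnumeration<String> simulatedRootSearch(List<String> entries) {
        Iterator<String> it = entries.iterator();
        return new NamingEnumeration<String>() {
            public boolean hasMore() throws NamingException {
                if (it.hasNext()) return true;
                throw new PartialResultException("Unprocessed Continuation Reference(s)");
            }
            public String next() { return it.next(); }
            public boolean hasMoreElements() { return it.hasNext(); }
            public String nextElement() { return it.next(); }
            public void close() { }
        };
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample group entries under the search base from the report.
        List<String> groups = List.of("CN=GroupA,CN=Users,DC=Example1,DC=COM",
                                      "CN=GroupB,CN=Users,DC=Example1,DC=COM");
        System.out.println("ignore: " + drain(simulatedRootSearch(groups), true));
        try {
            drain(simulatedRootSearch(groups), false);
        } catch (PartialResultException e) {
            System.out.println("not ignored, propagated: " + e.getMessage());
        }
    }
}
```

Swallowing the exception is tied to the ignore setting on purpose: in any other referral mode, dropping it would silently omit group memberships held in referred partitions from the mapped roles.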