Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-903

Missing some role assignment for Elytron ldap-realm when role and user are members of the same role

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 1.1.0.Beta26
    • 1.1.0.Beta21
    • Realms
    • None
    • Hide

      1) setup application server

      /subsystem=elytron/dir-context=dir-context:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text=secret})
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=dir-context,direct-verification=true,identity-mapping={rdn-identifier=uid,search-base-dn="ou=People,dc=jboss,dc=org",use-recursive-search=true,attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={1})",from=cn,to=groups,role-recursion=2}]})
/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=groups-to-roles}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=ldap-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-http-authentication-factory)

      2) start LDAP with following ldif

      dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectClass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=R1,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R1
member: uid=jduke,ou=People,dc=jboss,dc=org
description: the R1 group

dn: cn=R2,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R2
member: uid=jduke,ou=People,dc=jboss,dc=org
member: cn=R1,ou=Roles,dc=jboss,dc=org
description: the R2 group

dn: cn=R3,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R3
member: cn=R2,ou=Roles,dc=jboss,dc=org
description: the R3 group

dn: cn=R4,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R4
member: cn=R3,ou=Roles,dc=jboss,dc=org
description: the R4 group

      3) deploy application (see attachments)

      4) try do authenticate to http://127.0.0.1:8080/print-roles/protected/printRoles?role=R1&role=R2&role=R3&role=R4 as jduke/Password1 and you will see which roles are asigned (role R4 is sometimes missing)

      Show
      1) setup application server /subsystem=elytron/dir-context=dir-context:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential-reference={clear-text=secret}) /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=dir-context,direct-verification= true ,identity-mapping={rdn-identifier=uid,search-base-dn= "ou=People,dc=jboss,dc=org" ,use-recursive-search= true ,attribute-mapping=[{filter-base-dn= "ou=Roles,dc=jboss,dc=org" ,filter= "(member={1})" ,from=cn,to=groups,role-recursion=2}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=groups-to-roles}], default -realm=ldap-realm,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-http-authentication-factory) 2) start LDAP with following ldif dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=R1,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R1 member: uid=jduke,ou=People,dc=jboss,dc=org description: the R1 group dn: cn=R2,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R2 member: uid=jduke,ou=People,dc=jboss,dc=org member: cn=R1,ou=Roles,dc=jboss,dc=org description: the R2 group dn: cn=R3,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R3 member: cn=R2,ou=Roles,dc=jboss,dc=org description: the R3 group dn: cn=R4,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R4 member: cn=R3,ou=Roles,dc=jboss,dc=org description: the R4 group 3) deploy application (see attachments) 4) try do authenticate to http://127.0.0.1:8080/print-roles/protected/printRoles?role=R1&role=R2&role=R3&role=R4 as jduke/Password1 and you will see which roles are asigned (role R4 is sometimes missing)

    Description

      In case when role recursion is configured for ldap-realm and given LDAP includes some role which has member some user and also another role, then some roles are intermittently not assigned. See Steps to Reproduce for more details about configuration.

      Most important part of ldif for reproduction is following:

      dn: cn=R1,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R1
member: uid=jduke,ou=People,dc=jboss,dc=org
description: the R1 group

dn: cn=R2,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R2
member: uid=jduke,ou=People,dc=jboss,dc=org
member: cn=R1,ou=Roles,dc=jboss,dc=org
description: the R2 group

dn: cn=R3,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R3
member: cn=R2,ou=Roles,dc=jboss,dc=org
description: the R3 group

      User jduke is direct member of roles R1 and R2. However role R2 is also member of role R1. In case when ldap-realm.identity-mapping.attribute-mapping.role-recursion is configured to 2, then sometimes only roles R1, R2 and R3 are assigned (and role R4 is missing).

      The same behavior occurs when role mapping is configured in application server in opposite way (principal to group mapping which uses memberOf attribute).

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8612 Missing some role assignment for Elytron ldap-realm when role and user are members of the same role

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: