Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-909

Elytron ldap-realm does not handle loops in referrals

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 1.1.0.Beta26
    • 1.1.0.Beta21
    • Realms
    • None
    • Hide

      1) Setup server

      /subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential=secret,referral-mode=follow)
/subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=true,identity-mapping={rdn-identifier=uid,filter-name="(|(objectclass=referral)(uid={0}))",use-recursive-search="true",search-base-dn="ou=People,dc=jboss,dc=org",attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={0})",from=cn,to=groups}]})
/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory)

      2) Start LDAP servers
      Use following ldif for LDAP server 1:

      dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectClass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=RefUsers,ou=People,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefUsers
ref: ldap://localhost:11389/ou=Users,dc=jboss,dc=org

dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admin
description: the Admin group
member: uid=jduke,ou=People,dc=jboss,dc=org

      Use following ldif for LDAP server 2:

      dn: ou=Users,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Users

dn: ou=RefPeople,ou=Users,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefPeople
ref: ldap://localhost:10389/ou=People,dc=jboss,dc=org

      3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.

      Show
      1) Setup server /subsystem=elytron/dir-context=dir-context-localhost:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential=secret,referral-mode=follow) /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification= true ,identity-mapping={rdn-identifier=uid,filter-name= "(|(objectclass=referral)(uid={0}))" ,use-recursive-search= " true " ,search-base-dn= "ou=People,dc=jboss,dc=org" ,attribute-mapping=[{filter-base-dn= "ou=Roles,dc=jboss,dc=org" ,filter= "(member={0})" ,from=cn,to=groups}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}], default -realm=ldap-realm-localhost,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory) 2) Start LDAP servers Use following ldif for LDAP server 1: dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=RefUsers,ou=People,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefUsers ref: ldap: //localhost:11389/ou=Users,dc=jboss,dc=org dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=Admin,ou=Roles,dc=jboss,dc=org objectClass: top objectClass: groupOfNames cn: Admin description: the Admin group member: uid=jduke,ou=People,dc=jboss,dc=org Use following ldif for LDAP server 2: dn: ou=Users,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Users dn: ou=RefPeople,ou=Users,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefPeople ref: ldap: //localhost:10389/ou=People,dc=jboss,dc=org 3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.

    Description

      According to LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters.".

      When application server is configured to use ldap-realm with dir-context which uses referral-mode=follow or throw and LDAP servers contain loop then it leads to infinite cycle. It can results to java.lang.OutOfMemoryError on EAP server.

      [1] http://tools.ietf.org/html/rfc4511#section-4.1.10

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8467 (7.2.z) Elytron ldap-realm does not handle loops in referrals

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-7322 LDAP referrals does not work in Elytron ldap-realm

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-8030 Elytron ldap-realm does not handle loops in referrals

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: