  1. JBoss Enterprise Application Platform
  2. JBEAP-3029

Referrals 'throw' does not work correctly for ldap authentication to mgmt console with MS Active Directory

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0.ER4, 7.1.0.ER3, 7.3.4.CR1
    • Fix Version/s: None
    • Component/s: Management, Security
    • Labels:
      None

      Description

      When a crossRef object pointing to a different domain is configured on MS Active Directory for handling referrals, and JBoss EAP 7 uses LDAP authentication to the mgmt console with referrals configured as 'throw', authentication fails for referral users. This is inconsistent with the behavior of EAP with other LDAP providers (e.g. Red Hat Directory Server). With correct behavior, authentication should pass.

      It seems to be caused by an LdapReferralException thrown in the search method of org.jboss.as.domain.management.security.LdapUserSearcherFactory.LdapUserSearcherImpl before it is handled by the try-catch block. Stack trace of the thrown LdapReferralException:

      com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2975)
      com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
      com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
      com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
      com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
      com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
      com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
      com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
      javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:125)
      org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:66)
      org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225)
      org.jboss.as.domain.management.security.UserLdapCallbackHandler$LdapCallbackHandler.handle(UserLdapCallbackHandler.java:205)
      org.jboss.as.domain.management.security.SecurityRealmService$1.handle(SecurityRealmService.java:178)
      org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:162)
      org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:141)
      io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118)
      org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
      io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      java.lang.Thread.run(Thread.java:745)
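
      The failure mode in the description, handled in plain JNDI, as an added example that is not EAP's code and not part of the original report: the `search()` call itself sits inside the `try`, so a referral thrown by `search()` is caught the same way as one thrown by `hasMore()`. The class, the method names, the host allowlist and the hop limit are assumptions of this example, and the starting context is assumed to have been created with `java.naming.referral` set to `throw`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import javax.naming.*;
import javax.naming.directory.*;

/** Added illustration; class and method names are hypothetical, not EAP code. */
public final class ReferralAwareUserSearch {
    /** Finds one entry, following 'throw'-mode referrals by hand. */
    static SearchResult findUser(DirContext start, String baseDn, String filter,
            Object[] filterArgs, Set<String> allowedHosts, int maxHops) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        DirContext ctx = start;
        for (int hop = 0; ; hop++) {
            NamingEnumeration<SearchResult> results = null;
            DirContext next = null;
            try {
                // A referral returned as the search result code is thrown by
                // search() itself, before any entry is enumerated.
                results = ctx.search(baseDn, filter, filterArgs, controls);
                // Continuation references surface later, from hasMore().
                return results.hasMore() ? results.next() : null;
            } catch (ReferralException e) {
                // getReferralContext() reuses the original environment, bind
                // credentials included, so follow only expected hosts, and
                // stop after maxHops referrals to avoid referral loops.
                if (hop == maxHops || !allowedHosts.contains(hostOf(e.getReferralInfo()))) throw e;
                // The same operation is then re-invoked with the same
                // arguments on the referral context.
                next = (DirContext) e.getReferralContext();
            } finally {
                if (results != null) results.close();
                if (ctx != start) ctx.close(); // close intermediate referral contexts
            }
            ctx = next;
        }
    }

    /** Lower-cased host of a referral URL, or "" when it cannot be parsed. */
    static String hostOf(Object referralInfo) {
        try {
            String host = new URI(String.valueOf(referralInfo)).getHost();
            return host == null ? "" : host.toLowerCase(Locale.ROOT);
        } catch (URISyntaxException ex) {
            return "";
        }
    }
}
```

      The caller keeps ownership of the starting context, and `allowedHosts` is expected to hold lower-case host names.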

              People

              Assignee:
              istudens Ivo Studensky
              Reporter:
              olukas Ondrej Lukas (Inactive)
              Tester:
              Ondrej Lukas (Inactive)