Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-3030

(7.4.z) Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory

    XMLWordPrintable

Details

    Description

      Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).

      If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.

      Example:
      I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
      Part of ldif for Domain A:

      ...
dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
objectClass: groupOfNames
objectClass: top
cn: TheDuke
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
...

      Part of ldif for Domain B:

      ...
dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
objectclass: top
objectclass: person
objectClass: inetOrgPerson
cn: jduke
sn: Duke
description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
userPassword: Password1

dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
objectClass: groupOfNames
objectClass: top
cn: Admin
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
...

      EAP LdapExtLoginModule is configured:

                      <security-domain name="LdapExtReferrals">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
                            <module-option name="bindDN" value="BIND_DN"/>
                            <module-option name="bindCredential" value="PASSWORD"/>
                            <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <module-option name="roleFilter" value="(CN={0})"/>
                            <module-option name="roleAttributeID" value="description"/>
                            <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
                            <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B -->
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 -->
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="baseFilter" value="(CN={0})"/>
                            <module-option name="roleNameAttributeID" value="CN"/>
                        </login-module>
                    </authentication>
                </security-domain>

      Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. SECURITY-980 Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. SECURITY-979 Referrals roles assignment for referral user does not work for LdapExtLoginModule with Active Directory

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Coding In Progress
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-23626 (7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00008 to 5.0.3.Final-redhat-00009

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              olukas Ondrej Lukas (Inactive)
              Ondrej Lukas Ondrej Lukas (Inactive)
              Ondrej Lukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: