Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-4266

AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 7.0.2.CR1, 7.0.2.GA
    • 7.0.0.CR1
    • Security
    • None
    • EAP 7.0.2

    Description

      In case when AdvancedLdapLoginModule is correctly configured for authentication and its attribute rolesCtxDN="", then authentication can fail. This happens when any role is found in LDAP by role search. It is caused by canonicalize method which returns string which ends with comma for empty rolesCtxDN which is invalid name for searching LDAP.

      In correct behavior authentication should pass and found roles should be assigned to user.

      In case when no role is found, then authentication succeed which is correct behavior.

      Thrown exception:

      javax.naming.InvalidNameException: cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,: [LDAP: error code 34 - Invalid root Dn given : cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org, (0x63 0x6E 0x3D 0x45 0x63 0x68 0x6F 0x2C 0x6F 0x75 0x3D 0x52 0x6F 0x6C 0x65 0x73 0x32 0x2C 0x6F 0x3D 0x41 0x64 0x76 0x61 0x6E 0x63 0x65 0x64 0x4C 0x64 0x61 0x70 0x4C 0x4D 0x45 0x6D 0x70 0x74 0x79 0x52 0x6F 0x6C 0x65 0x73 0x43 0x74 0x78 0x44 0x6E 0x4F 0x70 0x74 0x69 0x6F 0x6E 0x54 0x65 0x73 0x74 0x43 0x61 0x73 0x65 0x65 0x37 0x62 0x36 0x62 0x32 0x39 0x64 0x2C 0x6F 0x3D 0x70 0x72 0x69 0x6D 0x61 0x72 0x79 0x2C 0x64 0x63 0x3D 0x6A 0x62 0x6F 0x73 0x73 0x2C 0x64 0x63 0x3D 0x6F 0x72 0x67 0x2C ) is invalid]; remaining name 'cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,'
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3074)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
    com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
    javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
    javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:801)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:737)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
    org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-5352 (7.1.0) AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-4715 (7.0.z) Upgrade jboss-negotiation to 3.0.3

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              thofman Tomas Hofman
              olukas Ondrej Lukas (Inactive)
              Ondrej Lukas Ondrej Lukas (Inactive)
              Ondrej Lukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: