Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Critical
Fix Version/s: None
Affects Version/s: 7.1.0.DR10, 7.1.0.DR13
Component/s: Security
Labels:

CDW blocker:
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Text:

Hide
The issue is resolved in EAP 7.2.0.GA.
Upstream issues: ~~WFLY-8030~~ and ~~ELY-909~~

Show
The issue is resolved in EAP 7.2.0.GA. Upstream issues: WFLY-8030 and ELY-909
Target Release:

7.2.z.GA
Steps to Reproduce:
Hide

1) Setup server

/subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential=secret,referral-mode=follow) /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=true,identity-mapping={rdn-identifier=uid,filter-name="(|(objectclass=referral)(uid={0}))",use-recursive-search="true",search-base-dn="ou=People,dc=jboss,dc=org",attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={0})",from=cn,to=groups}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory)

2) Start LDAP servers
Use following ldif for LDAP server 1:

dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=RefUsers,ou=People,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefUsers ref: ldap://localhost:11389/ou=Users,dc=jboss,dc=org dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=Admin,ou=Roles,dc=jboss,dc=org objectClass: top objectClass: groupOfNames cn: Admin description: the Admin group member: uid=jduke,ou=People,dc=jboss,dc=org

Use following ldif for LDAP server 2:

dn: ou=Users,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Users dn: ou=RefPeople,ou=Users,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefPeople ref: ldap://localhost:10389/ou=People,dc=jboss,dc=org

3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.
Show
1) Setup server /subsystem=elytron/dir-context=dir-context-localhost:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential=secret,referral-mode=follow) /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification= true ,identity-mapping={rdn-identifier=uid,filter-name= "(|(objectclass=referral)(uid={0}))" ,use-recursive-search= " true " ,search-base-dn= "ou=People,dc=jboss,dc=org" ,attribute-mapping=[{filter-base-dn= "ou=Roles,dc=jboss,dc=org" ,filter= "(member={0})" ,from=cn,to=groups}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}], default -realm=ldap-realm-localhost,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory) 2) Start LDAP servers Use following ldif for LDAP server 1: dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=RefUsers,ou=People,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefUsers ref: ldap: //localhost:11389/ou=Users,dc=jboss,dc=org dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=Admin,ou=Roles,dc=jboss,dc=org objectClass: top objectClass: groupOfNames cn: Admin description: the Admin group member: uid=jduke,ou=People,dc=jboss,dc=org Use following ldif for LDAP server 2: dn: ou=Users,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Users dn: ou=RefPeople,ou=Users,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefPeople ref: ldap: //localhost:10389/ou=People,dc=jboss,dc=org 3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

According to LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters.".

When application server is configured to use ldap-realm with dir-context which uses referral-mode=follow or throw and LDAP servers contain loop then it leads to infinite cycle. It can results to java.lang.OutOfMemoryError on EAP server.

This issue has been already reported for legacy security during EAP 7.0.0 testing in ~~JBEAP-2156~~.

[1] http://tools.ietf.org/html/rfc4511#section-4.1.10

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

jkpatch-ldap-referral-loop.patch
0.7 kB
2018/01/23 5:34 PM
print-roles.war
5 kB
2017/01/24 3:00 AM
referral-limit-ignore-reproducer.zip
2 kB
2017/03/07 2:33 PM

is cloned by

ELY-909 Elytron ldap-realm does not handle loops in referrals

Resolved

WFLY-8030 Elytron ldap-realm does not handle loops in referrals

Closed

is incorporated by

JBEAP-8862 Upgrade WildFly Elytron to 1.1.0.Beta26

Closed

relates to

JBEAP-9447 Document possible infinite loop in Elytron ldap-realm with referrals

Closed

is blocked by: JDK-8176553 Loading...

links to

JDK-8176553 : LdapContext follows referrals infinitely ignoring set limit

(1 links to)

Assignee:: Ilia Vassilev

Reporter:: Ondrej Lukas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2017/01/24 2:58 AM

Updated:: 2023/03/15 6:15 AM

Resolved:: 2018/10/08 8:20 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates