JBoss Enterprise Application Platform / JBEAP-8467

(7.2.z) Elytron ldap-realm does not handle loops in referrals


      The issue is resolved in EAP 7.2.0.GA.
      Upstream issues: WFLY-8030 and ELY-909

      1) Set up the server

      /subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential=secret,referral-mode=follow)
      /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=true,identity-mapping={rdn-identifier=uid,filter-name="(|(objectclass=referral)(uid={0}))",use-recursive-search="true",search-base-dn="ou=People,dc=jboss,dc=org",attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={0})",from=cn,to=groups}]})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory)
      

      2) Start LDAP servers
      Use the following LDIF for LDAP server 1:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectClass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password1
      
      dn: ou=RefUsers,ou=People,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefUsers
      ref: ldap://localhost:11389/ou=Users,dc=jboss,dc=org
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=Admin,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: Admin
      description: the Admin group
      member: uid=jduke,ou=People,dc=jboss,dc=org
      

      Use the following LDIF for LDAP server 2:

      dn: ou=Users,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Users
      
      dn: ou=RefPeople,ou=Users,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefPeople
      ref: ldap://localhost:10389/ou=People,dc=jboss,dc=org
      

      3) Deploy the application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use any username and password (correct or incorrect) and you will see a loop between the LDAP servers.


      According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."

      When the application server is configured to use an ldap-realm with a dir-context that uses referral-mode=follow or throw, and the LDAP servers contain a referral loop, the lookup turns into an infinite cycle. This can result in a java.lang.OutOfMemoryError on the EAP server.

      This issue was already reported for legacy security during EAP 7.0.0 testing, in JBEAP-2156.

      [1] http://tools.ietf.org/html/rfc4511#section-4.1.10
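The loop described in the reproduction steps and in the RFC quote above, as an added example that is not part of this issue or of Elytron's code: two in-memory stand-ins for the LDAP servers from steps 2 and 3 (server 1 on port 10389 with ou=People and a referral to ou=Users on server 2, server 2 on port 11389 referring back to ou=People), and a Python client that follows referrals while remembering which (server URL, base DN) pairs it has already searched for the current request. The names FakeLdapServer, build_servers, split_ref, search_following_referrals and ReferralLoopError are invented here; the "directory" is a dictionary, not a real LDAP implementation.

```python
"""Referral-chasing LDAP search with loop detection (constructed example).

Wired up like the reproduction in JBEAP-8467: the same search, issued with
detect_loops=True, terminates after two hops; issued with detect_loops=False
(the behaviour the issue describes) it bounces between the two servers until
the hop guard fires.  Not Elytron's code; names are invented here.
"""
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote, urlsplit


class ReferralLoopError(RuntimeError):
    """Raised when a referral chain grows past max_hops without finishing."""


class FakeLdapServer:
    """Minimal stand-in for a directory: entries keyed by DN plus referral objects."""

    def __init__(self, url: str, entries: Dict[str, Dict[str, str]],
                 referrals: Dict[str, str]) -> None:
        self.url = url              # e.g. "ldap://localhost:10389"
        self.entries = entries      # dn -> {attribute: value}
        self.referrals = referrals  # dn of referral object -> ref URL with base DN

    def search(self, base_dn: str, uid: str) -> Tuple[List[str], List[str]]:
        """Subtree search under base_dn: (matching entry DNs, continuation refs).

        Like the realm filter "(|(objectclass=referral)(uid={0}))", every
        referral object under the base yields a continuation reference whether
        or not a matching user entry exists on this server, which is why the
        issue reproduces with a correct username as well as a wrong one."""
        base = base_dn.lower()
        matches = [dn for dn, attrs in self.entries.items()
                   if dn.lower().endswith(base) and attrs.get("uid") == uid]
        continuations = [ref for dn, ref in self.referrals.items()
                         if dn.lower().endswith(base)]
        return matches, continuations


def split_ref(ref: str) -> Tuple[str, str]:
    """'ldap://host:port/ou=X,dc=y' -> ('ldap://host:port', 'ou=X,dc=y')."""
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}", unquote(parts.path.lstrip("/"))


def build_servers() -> Dict[str, FakeLdapServer]:
    """The two directories from the issue's LDIF, keyed by server URL (constructed data)."""
    server1 = FakeLdapServer(
        "ldap://localhost:10389",
        entries={"uid=jduke,ou=People,dc=jboss,dc=org": {"uid": "jduke", "cn": "Java Duke"}},
        referrals={"ou=RefUsers,ou=People,dc=jboss,dc=org":
                   "ldap://localhost:11389/ou=Users,dc=jboss,dc=org"},
    )
    server2 = FakeLdapServer(
        "ldap://localhost:11389",
        entries={},
        referrals={"ou=RefPeople,ou=Users,dc=jboss,dc=org":
                   "ldap://localhost:10389/ou=People,dc=jboss,dc=org"},
    )
    return {server1.url: server1, server2.url: server2}


def search_following_referrals(servers: Dict[str, FakeLdapServer], start_url: str,
                               base_dn: str, uid: str, detect_loops: bool = True,
                               max_hops: int = 10) -> Tuple[List[str], int]:
    """Collect matches across servers, chasing continuation references.

    Returns (matching DNs, number of server searches performed).  With
    detect_loops a (server URL, base DN) pair is never searched twice for one
    request (RFC 4511 section 4.1.10); max_hops is an independent guard so a
    long non-repeating chain cannot run unbounded either."""
    visited: Set[Tuple[str, str]] = set()
    pending = [(start_url, base_dn)]
    results: List[str] = []
    hops = 0
    while pending:
        url, base = pending.pop()
        key = (url.lower(), base.lower())
        if detect_loops and key in visited:
            continue  # this server was already asked this question: skip, do not loop
        visited.add(key)
        if hops >= max_hops:
            raise ReferralLoopError(f"referral chain exceeded {max_hops} hops for uid={uid}")
        hops += 1
        matches, continuations = servers[url].search(base, uid)
        results.extend(matches)
        pending.extend(split_ref(ref) for ref in continuations)
    return results, hops


if __name__ == "__main__":
    directory = build_servers()
    print(search_following_referrals(directory, "ldap://localhost:10389",
                                     "ou=People,dc=jboss,dc=org", "jduke"))
    try:
        search_following_referrals(directory, "ldap://localhost:10389",
                                   "ou=People,dc=jboss,dc=org", "jduke", detect_loops=False)
    except ReferralLoopError as err:
        print("without loop detection:", err)
```

One caveat the example glosses over: it compares the URL strings as written, and in the issue's own configuration the dir-context reaches server 1 as ldap://127.0.0.1:10389 while the referral from server 2 names ldap://localhost:10389. A real implementation must canonicalize the host (and normalize the DN) before comparing, or the loop check is bypassed on the first hop back.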

      Attachments:
        1. jkpatch-ldap-referral-loop.patch (0.7 kB, Jan Kalina)
        2. print-roles.war (5 kB, Ondrej Lukas)

              rhn-support-ivassile Ilia Vassilev
              olukas Ondrej Lukas (Inactive)