Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-8612

Missing some role assignment for Elytron ldap-realm when role and user are members of the same role

XMLWordPrintable

    • Hide

      1) setup application server

      /subsystem=elytron/dir-context=dir-context:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text=secret})
      /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=dir-context,direct-verification=true,identity-mapping={rdn-identifier=uid,search-base-dn="ou=People,dc=jboss,dc=org",use-recursive-search=true,attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={1})",from=cn,to=groups,role-recursion=2}]})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=groups-to-roles}],default-realm=ldap-realm,permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-http-authentication-factory)
      

      2) start LDAP with following ldif

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectClass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password1
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=R1,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R1
      member: uid=jduke,ou=People,dc=jboss,dc=org
      description: the R1 group
      
      dn: cn=R2,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R2
      member: uid=jduke,ou=People,dc=jboss,dc=org
      member: cn=R1,ou=Roles,dc=jboss,dc=org
      description: the R2 group
      
      dn: cn=R3,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R3
      member: cn=R2,ou=Roles,dc=jboss,dc=org
      description: the R3 group
      
      dn: cn=R4,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R4
      member: cn=R3,ou=Roles,dc=jboss,dc=org
      description: the R4 group
      

      3) deploy application (see attachments)

      4) try do authenticate to http://127.0.0.1:8080/print-roles/protected/printRoles?role=R1&role=R2&role=R3&role=R4 as jduke/Password1 and you will see which roles are asigned (role R4 is sometimes missing)

      Show
      1) setup application server /subsystem=elytron/dir-context=dir-context:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential-reference={clear-text=secret}) /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=dir-context,direct-verification= true ,identity-mapping={rdn-identifier=uid,search-base-dn= "ou=People,dc=jboss,dc=org" ,use-recursive-search= true ,attribute-mapping=[{filter-base-dn= "ou=Roles,dc=jboss,dc=org" ,filter= "(member={1})" ,from=cn,to=groups,role-recursion=2}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm,role-decoder=groups-to-roles}], default -realm=ldap-realm,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-http-authentication-factory) 2) start LDAP with following ldif dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=R1,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R1 member: uid=jduke,ou=People,dc=jboss,dc=org description: the R1 group dn: cn=R2,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R2 member: uid=jduke,ou=People,dc=jboss,dc=org member: cn=R1,ou=Roles,dc=jboss,dc=org description: the R2 group dn: cn=R3,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R3 member: cn=R2,ou=Roles,dc=jboss,dc=org description: the R3 group dn: cn=R4,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R4 member: cn=R3,ou=Roles,dc=jboss,dc=org description: the R4 group 3) deploy application (see attachments) 4) try do authenticate to http://127.0.0.1:8080/print-roles/protected/printRoles?role=R1&role=R2&role=R3&role=R4 as jduke/Password1 and you will see which roles are asigned (role R4 is sometimes missing)

      In case when role recursion is configured for ldap-realm and given LDAP includes some role which has member some user and also another role, then some roles are intermittently not assigned. See Steps to Reproduce for more details about configuration.

      Most important part of ldif for reproduction is following:

      dn: cn=R1,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R1
      member: uid=jduke,ou=People,dc=jboss,dc=org
      description: the R1 group
      
      dn: cn=R2,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R2
      member: uid=jduke,ou=People,dc=jboss,dc=org
      member: cn=R1,ou=Roles,dc=jboss,dc=org
      description: the R2 group
      
      dn: cn=R3,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R3
      member: cn=R2,ou=Roles,dc=jboss,dc=org
      description: the R3 group
      

      User jduke is direct member of roles R1 and R2. However role R2 is also member of role R1. In case when ldap-realm.identity-mapping.attribute-mapping.role-recursion is configured to 2, then sometimes only roles R1, R2 and R3 are assigned (and role R4 is missing).

      The same behavior occurs when role mapping is configured in application server in opposite way (principal to group mapping which uses memberOf attribute).

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: