Red Hat Decision Manager: RHDM-1567

LDAP sync issues when AUTH_LDAP_BASE_FILTER contains the `|` value.


Details

    • Documentation (Ref Guide, User Guide, etc.)
    • Low
    • CR1

      No workaround.
      Attempted to escape the `|` value with `\` but it appears to be processed prior to making it to the sed command.


      Configure normally with LDAP connection and set AUTH_LDAP_BASE_FILTER to:
      (&(mail={0}))(|(objectclass=dbperson)(objectclass=inetOrgPerson)))

      When AUTH_LDAP_BASE_FILTER is configured to be the default '(uid={0})' the issue goes away.

      This is running on an OpenShift 3.11 deployment using `rhdm-decisioncentral-rhel8:7.8.1` image.

    • 2020 Week 52-03 (from Dec 21), 2021 Week 04-06 (from Jan 25), 2021 Week 07-09 (from Feb 15)

    Description

      LDAP sync issues when AUTH_LDAP_BASE_FILTER contains the `|` value, producing the following error logs:

      INFO AUTH_LDAP_URL is set to ldaps://URL:636. Added LdapExtended login-module
       sed: -e expression #1, char 459: unknown option to `s'
      

      Example:

       - name: AUTH_LDAP_BASE_FILTER
         value: >-
           (&(mail={0}))(|(objectclass=dbperson)(objectclass=inetOrgPerson)))
      

      Potential cause of the issue is that the `|` character cannot be used within the `AUTH_LDAP_BASE_FILTER` value as it's bundled with other vars into `login_module` and used in https://github.com/jboss-container-images/jboss-kie-modules/blob/7.8.x/jboss-kie-wildfly-common/added/launch/jboss-kie-wildfly-security-login-modules.sh#L61

      This will result in `sed` interpreting the `|` as a separator which is not expected as it is valid to contain a `|` character in an LDAP filter. http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm

      Propose we change the sed-line to something like below as `;` is not a valid LDAP filter.

      sed -i "s;<!-- ##OTHER_LOGIN_MODULES## -->;${login_module}<!-- ##OTHER_LOGIN_MODULES## -->;" standalone-openshift.xml
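Added example, not code from the issue or from jboss-kie-modules: a POSIX shell reproduction of the delimiter collision described above and of the proposed `;` delimiter. It goes one step further than the issue by also escaping `&` and `\`, which sed treats specially in replacement text whatever delimiter is used; the placeholder line and the login-module fragment are constructed stand-ins.

```shell
#!/bin/sh
# Added example; not code from RHDM-1567 or from the jboss-kie-modules launch
# script. Reproduces the sed delimiter collision from the issue and shows the
# proposed ';' delimiter, plus the escaping sed replacement text needs anyway.
# The placeholder line and the login-module fragment are constructed stand-ins.

PLACEHOLDER='<!-- ##OTHER_LOGIN_MODULES## -->'

# Filter from the issue. It contains '|' (the delimiter collision) and '&',
# which sed treats as "the matched text" in a replacement, whatever the delimiter.
BASE_FILTER='(&(mail={0}))(|(objectclass=dbperson)(objectclass=inetOrgPerson)))'
LOGIN_MODULE="<module-option name=\"baseFilter\" value=\"${BASE_FILTER}\"/>"

# sed_escape DELIM TEXT: make TEXT safe as sed replacement text when DELIM is the
# s command delimiter: escape backslash, '&' and DELIM (assumed not '/' or '#').
sed_escape() {
    printf '%s' "$2" | sed -e 's/[\\&]/\\&/g' -e "s#${1}#\\\\${1}#g"
}

# insert_login_module DELIM FRAGMENT: insert FRAGMENT before the placeholder in
# a one-line stand-in for standalone-openshift.xml, with DELIM as the sed
# delimiter. Prints the rewritten line, or "sed-failed" if sed rejects it.
insert_login_module() {
    if out=$(printf '%s\n' "$PLACEHOLDER" |
             sed "s${1}${PLACEHOLDER}${1}${2}${PLACEHOLDER}${1}" 2>/dev/null); then
        printf '%s\n' "$out"
    else
        echo sed-failed
    fi
}

# '|' delimiter: the '|' inside the filter ends the replacement early and sed
# reports "unknown option to `s'", the error from the issue's log.
insert_login_module '|' "$LOGIN_MODULE"

# ';' delimiter, fragment unescaped: sed accepts the command, but the '&' in
# the filter is replaced by the matched placeholder, silently corrupting it.
insert_login_module ';' "$LOGIN_MODULE"

# ';' delimiter with the fragment escaped: the filter is inserted intact.
insert_login_module ';' "$(sed_escape ';' "$LOGIN_MODULE")"
```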
      

          People

            tarkhand Tarun Khandelwal (Inactive)
            rhn-support-mwasher Michael Washer
            Karel Suta Karel Suta
            Karel Suta Karel Suta