Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-712

Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PicketBox_v4_0_9.Final
    • Fix Version/s: PicketBox_4_0_16.Final
    • Component/s: None
    • Labels:
      None

      Description

      When using LdapRolesMappingProviders mapping-module, I don't want to put the bindCredential/password in clear in the configuration file.
      So I'm trying to use vault, this way :

      <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
      <module-option name="java.naming.provider.url" value="ldap://192.168.122.101:389" />
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
      <module-option name="java.naming.security.authentication" value="simple" />
      <module-option name="bindDN" value="CN=Administrator,CN=users,DC=cloud,DC=local" />
      <module-option name="bindCredential" value="${VAULT::AD::addspass::YTgyMDI0ZjUtOWQwZi00MWZlLTkzMjMtMTM0YzRjZTY3ZWZmTElORV9CUkVBS3ZhdWx0}" />
      <module-option name="rolesCtxDN" value="CN=users,DC=cloud,DC=local" />
      <module-option name="roleFilter" value="(userPrincipalName=

      {0}

      )" />
      <module-option name="roleAttributeID" value="memberOf" />
      <module-option name="roleNameAttributeID" value="CN" />
      <module-option name="roleAttributeIsDN" value="true" />
      <module-option name="parseRoleNameFromDN" value="false" />
      <module-option name="roleRecursion" value="0" />
      <module-option name="searchScope" value="ONELEVEL_SCOPE" />
      </mapping-module>

      Unfortunatly, with this configuration, I cannot connect anymore to my Active Directory Directory Service....
      I get the following error message in the jboss log :

      14:59:35,019 ERROR [org.jboss.security.mapping.providers.role.LdapRolesMappingProvider] (http-/0.0.0.0:8080-1) Error connecting to LDAP server: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_09-icedtea]
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_09-icedtea]
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_09-icedtea]
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_09-icedtea]
      at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_09-icedtea]
      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_09-icedtea]
      at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.constructInitialLdapContext(LdapRolesMappingProvider.java:256)
      at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:192)
      at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:53)
      at org.jboss.security.mapping.MappingContext.performMapping(MappingContext.java:54)
      at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:397)
      at org.jboss.security.plugins.JBossAuthorizationManager.getSubjectRoles(JBossAuthorizationManager.java:324)
      at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:230)
      at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931)
      at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]

      I do some remote debug and I beleive that the vault expression is not resolved ....
      package org.jboss.security.mapping.providers.role, class LdapRolesMappingProvider, method init(Map<String, Object> options).
      This method don't perform any Variable expansion and nor Vault expansion.

        Attachments

          Activity

            People

            Assignee:
            pskopek Peter Skopek
            Reporter:
            raoulpetitpied guillaume cornet (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: