PicketBox / SECURITY-943

AdvancedLdapLoginModule authentication fails when some part of DN is part of LDAP URL

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Negotiation_3_0_2_Final
    • Fix Version/s: None
    • Component/s: Negotiation
    • Labels: None
    • Steps to Reproduce:

      Set AdvancedLdapLoginModule with options like:

      ...
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <module-option name="baseCtxDN" value="ou=myOrgUnit,o=organization,dc=jboss,dc=org"/>
      ...
      

      => authentication passes

      Change these options like:

      ...
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389/o=organization,dc=jboss,dc=org"/>
      <module-option name="baseCtxDN" value="ou=myOrgUnit"/>
      ...
      

      => authentication fails


      Description

      When part of the DN is placed in the LDAP URL instead of in baseCtxDN, authentication in AdvancedLdapLoginModule fails (see [1] for details about this URL form). Authentication is performed by binding with the user DN and password, but in this case the user DN does not include the DN part carried in the LDAP URL, which causes the bind to fail.

      Thrown exception:

      javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jduke,ou=People
          com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
          com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
          com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
          com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
          com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
          com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
          com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
          com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
          com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
          org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
          org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
          javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
          org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
          org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
          javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
          javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
          javax.naming.InitialContext.init(InitialContext.java:244)
          javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
          org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:486)
          org.jboss.security.negotiation.AdvancedLdapLoginModule.authenticate(AdvancedLdapLoginModule.java:669)
          org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:397)
          org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
          org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
          sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          ...
      

      [1] https://tools.ietf.org/html/rfc2255
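The following is an added illustration, not PicketBox code: it parses an RFC 2255 LDAP URL (`ldap://host:port/dn?attributes?scope?filter`), then builds the user bind DN two ways for the two option sets above: from the user RDN and baseCtxDN only (the behaviour the issue describes, where the URL's DN suffix is dropped) and from the RDN, baseCtxDN and the URL's base DN together (what the reporter expects). The user RDN `uid=jduke` is taken from the exception message; the function names and the sample inputs are constructed for this example.

```python
"""Added example (not PicketBox code): how the effective bind DN should be
derived from java.naming.provider.url and baseCtxDN.

RFC 2255 lets an LDAP URL carry a base DN: ldap://host:port/dn?attrs?scope?filter
The issue reports that the user DN is built from the RDN and baseCtxDN only,
so a DN suffix carried in the URL is missing when the module binds.
"""
from __future__ import annotations

from urllib.parse import urlsplit, unquote


def parse_ldap_url(url: str) -> dict:
    """Split an RFC 2255 LDAP URL into its components.

    The DN, attribute list, scope and filter are percent-decoded; defaults
    follow RFC 2255 (scope "base", all attributes).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # After the first '?' the URL is a '?'-separated list: attributes?scope?filter?extensions
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attributes, scope, ldap_filter, extensions = fields[:4]
    return {
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        # The base DN is the URL path without its leading '/', possibly percent-encoded.
        "dn": unquote(parts.path[1:]) if parts.path.startswith("/") else "",
        "attributes": [a for a in unquote(attributes).split(",") if a],
        "scope": unquote(scope) or "base",
        "filter": unquote(ldap_filter),
        "extensions": unquote(extensions),
    }


def join_dn(*components: str) -> str:
    """Join DN fragments left-to-right (most specific first), skipping empty ones."""
    return ",".join(c.strip() for c in components if c and c.strip())


def bind_dn_as_reported(user_rdn: str, base_ctx_dn: str) -> str:
    """User DN built from the RDN and baseCtxDN only: the behaviour the issue
    describes, where any DN suffix carried in the provider URL is dropped."""
    return join_dn(user_rdn, base_ctx_dn)


def bind_dn_expected(user_rdn: str, base_ctx_dn: str, provider_url: str) -> str:
    """User DN built as the reporter expects: RDN, then baseCtxDN, then the
    base DN carried in java.naming.provider.url (if any)."""
    url_base = parse_ldap_url(provider_url)["dn"]
    return join_dn(user_rdn, base_ctx_dn, url_base)


def compare_configurations(user_rdn: str, configs: list[tuple[str, str]]) -> list[dict]:
    """For each (provider_url, baseCtxDN) pair return both DNs and whether a suffix is lost."""
    rows = []
    for provider_url, base_ctx_dn in configs:
        reported = bind_dn_as_reported(user_rdn, base_ctx_dn)
        expected = bind_dn_expected(user_rdn, base_ctx_dn, provider_url)
        rows.append({
            "provider_url": provider_url,
            "baseCtxDN": base_ctx_dn,
            "reported": reported,
            "expected": expected,
            "suffix_lost": reported != expected,
        })
    return rows


# Constructed sample: the two option sets from the issue, with uid=jduke taken from the exception.
SAMPLE_USER_RDN = "uid=jduke"
SAMPLE_CONFIGS = [
    ("ldap://localhost:10389", "ou=myOrgUnit,o=organization,dc=jboss,dc=org"),
    ("ldap://localhost:10389/o=organization,dc=jboss,dc=org", "ou=myOrgUnit"),
]

if __name__ == "__main__":
    for row in compare_configurations(SAMPLE_USER_RDN, SAMPLE_CONFIGS):
        print(f"url={row['provider_url']}  baseCtxDN={row['baseCtxDN']}")
        print(f"  DN as reported : {row['reported']}")
        print(f"  DN expected    : {row['expected']}")
        print(f"  suffix lost    : {row['suffix_lost']}")
```

Both option sets resolve to the same expected bind DN, `uid=jduke,ou=myOrgUnit,o=organization,dc=jboss,dc=org`; only the second set loses its suffix when the URL's DN is ignored, which is the failing case in the report. The same split is a useful check when reviewing a login-module configuration: whatever is placed after the host and port in the provider URL must end up in the bind DN, or the bind will be attempted against a DN that does not exist.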

People

• Assignee: Unassigned
• Reporter: olukas Ondrej Lukas
• Votes: 0
• Watchers: 3