Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-975

Default distinguishedNameAttribute value of LdapExtLoginModule causes not working referrals on MS Active Directory

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • PicketBox_5_0_3.Beta1
    • PicketBox_5_0_2.Final
    • PicketBox
    • None
    • Workaround Exists
    • Hide

      Set option distinguishedNameAttribute of LdapExtLoginModule to any value which not exist in MS Active Directory entry, e.g. 'distinguishedNameAttribute=whatever'.

      Show
      Set option distinguishedNameAttribute of LdapExtLoginModule to any value which not exist in MS Active Directory entry, e.g. 'distinguishedNameAttribute=whatever'.

      In case when crossRef object to different domain is configured on MS Active Directory for handling referrals and JBoss EAP 7 uses LdapExtLoginModule then default value ('distinguishedName') of distinguishedNameAttribute option causes wrong handling of referrals which leads to authentication fail for referral users.

      Referral object is returned by original LDAP server (LDAP server which includes crossRef to different domain) but user is obtained through value of distinguishedName attribute from that response. It leads to authentication attempt with referral user against original LDAP server instead of referenced LDAP server which results to failed authentication.

              jondruse@redhat.com Jiri Ondrusek
              jondruse@redhat.com Jiri Ondrusek
              Ondrej Lukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: