PicketBox / SECURITY-975

Default distinguishedNameAttribute value of LdapExtLoginModule causes referrals not to work on MS Active Directory


Details

    • Bug
    • Resolution: Done
    • Major
    • PicketBox_5_0_3.Beta1
    • PicketBox_5_0_2.Final
    • PicketBox
    • None
    • Workaround Exists
      Workaround Description

      Set the distinguishedNameAttribute option of LdapExtLoginModule to any attribute name that does not exist in the MS Active Directory entry, e.g. 'distinguishedNameAttribute=whatever'.

    Description

      When a crossRef object pointing to a different domain is configured on MS Active Directory for handling referrals and JBoss EAP 7 uses LdapExtLoginModule, the default value ('distinguishedName') of the distinguishedNameAttribute option causes wrong handling of referrals, which leads to failed authentication for referral users.

      The referral object is returned by the original LDAP server (the server that includes the crossRef to the different domain), but the user DN is obtained from the value of the distinguishedName attribute in that response. This leads to an authentication attempt for the referral user against the original LDAP server instead of the referenced LDAP server, which results in failed authentication.
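      The following JBoss EAP 7 legacy security-domain configuration is an added example illustrating the workaround; it is not taken from this issue or from the PicketBox project. The option names are the real LdapExtLoginModule module options (code "LdapExtended"), while the host names, DNs and domain name are assumed placeholders. The commented-out line shows the problematic default, the active line the workaround: because no attribute named "whatever" exists on the AD entry, the module can no longer pick the DN out of the referral response and must instead use the referral returned by the original server, so the bind for a referral user goes to the referenced domain controller.

```xml
<!-- Example EAP 7 security domain (urn:jboss:domain:security:2.0); hosts and DNs are assumed -->
<security-domain name="ad-referral-example" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <!-- the "original" LDAP server, i.e. the one holding the crossRef to the other domain -->
      <module-option name="java.naming.provider.url" value="ldap://dc1.example.test:389"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <!-- referrals must be followed, otherwise users from the referenced domain are never found -->
      <module-option name="java.naming.referral" value="follow"/>
      <module-option name="bindDN" value="CN=svc-bind,CN=Users,DC=example,DC=test"/>
      <module-option name="bindCredential" value="REPLACE_WITH_VAULTED_CREDENTIAL"/>
      <module-option name="baseCtxDN" value="DC=example,DC=test"/>
      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
      <module-option name="rolesCtxDN" value="DC=example,DC=test"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      <!-- Problematic default: the DN is read from the distinguishedName attribute of the
           referral response, so the bind is attempted against dc1 instead of the referenced domain.
      <module-option name="distinguishedNameAttribute" value="distinguishedName"/>
      -->
      <!-- Workaround from this issue: name an attribute the AD entry does not have -->
      <module-option name="distinguishedNameAttribute" value="whatever"/>
    </login-module>
  </authentication>
</security-domain>
```

      To check that the workaround is effective, authenticate with an account that lives only in the referenced domain: with the default setting the login fails, with the workaround the bind succeeds against the referenced domain controller. Note that the workaround only influences which DN is used for the user bind; it does not change how roles are looked up.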

      People

        jondruse@redhat.com Jiri Ondrusek
        Ondrej Lukas Ondrej Lukas (Inactive)