WildFly Core: WFCORE-5936

LDAP authentication using referrals fails on JDK 17 with ApacheDS


Steps to reproduce:

  1. Configure 2 ApacheDS servers:
     - Use port 10389 for the primary server and 11389 for the secondary (referral) server.
     - Execute the ldap add command against primary and secondary using the attached ldif files:
       ldapmodify -h localhost -p 10389 -D "uid=admin,ou=system" -w "secret" -a -f primary.ldif
       ldapmodify -h localhost -p 11389 -D "uid=admin,ou=system" -w "secret" -a -f secondary.ldif
  2. Launch the server using JDK 17 and configure it:
     /subsystem=elytron/dir-context=exampleDC:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text="secret"},referral-mode=follow)

     /subsystem=elytron/ldap-realm=exampleLR:add(direct-verification=false,dir-context=exampleDC,identity-mapping={filter-name="(|(objectclass=referral)(uid={0}))",search-base-dn="dc=example,dc=com",use-recursive-search=true,rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="dc=example,dc=com",filter="(|(objectclass=referral)(member={1}))",from="cn",to="groups"}]})

     /subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-decoder=groups-to-roles}],default-realm=exampleLR,permission-mapper=default-permission-mapper)

     /subsystem=elytron/http-authentication-factory=elytron-http-authn-factory:add(http-server-mechanism-factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="some realm"}]}])

     /subsystem=undertow/application-security-domain=elytron-ldap-security-domain:add(http-authentication-factory=elytron-http-authn-factory)
  3. Deploy the test application (attached).
  4. Access http://127.0.0.1:8080/ldap-test/protected/printRoles?role=RefRoles&role=ReferralRole using "referralUser" as the username and "Password1" as the password. You can use curl, for example:
     curl -v -i -H "Connection: Keep-Alive" -H "Host: 127.0.0.1:8080" -H "Accept-Encoding: gzip,deflate" -H "Authorization: Basic cmVmZXJyYWxVc2VyOlBhc3N3b3JkMQ==" "http://127.0.0.1:8080/ldap-test/protected/printRoles?role=RefRoles&role=ReferralRole"
  5. Expected output is a 200/OK status and the body ",ReferralRole," (works on JDK 11).
  6. Actual output is a 500 status.

      LDAP authentication using referrals fails on JDK 17. It seems like the server is unable to parse the output of the LDAP request.

      ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /23cab910-e108-46b7-a2f2-116773881847/protected/printRoles: java.lang.RuntimeException: ELY01084: Error while consuming results from search. SearchDn [o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=primary,dc=jboss,dc=org], Filter [(|(objectclass=referral)(uid={0}))], Filter Args [[referralUser]].
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1141)
         at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
         at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
         at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
         at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
         at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
         at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
         at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.getIdentity(LdapSecurityRealm.java:705)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:616)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:2078)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:767)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1021)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:931)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1090)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:78)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.basic.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:161)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.util.SocketAddressCallbackServerMechanismFactory$1.evaluateRequest(SocketAddressCallbackServerMechanismFactory.java:82)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
         at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
         at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
         at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
         at io.undertow.core@2.2.17.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
         at io.undertow.core@2.2.17.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
         at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
         at java.base/java.lang.Thread.run(Thread.java:833)
      Caused by: javax.naming.NotContextException: Cannot create context for: ldap://localhost:11389/ou=Roles,o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=secondary,dc=jboss,dc=com??sub; remaining name 'o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=primary,dc=jboss,dc=org'
         at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:149)
         at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
         at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:129)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.DelegatingLdapContext.wrapReferralContextObtaining(DelegatingLdapContext.java:154)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1118)
         ... 62 more 
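The "Caused by" line above names both the referral target (ldap://localhost:11389/ou=Roles,...,o=secondary,dc=jboss,dc=com??sub) and the remaining name of the search that triggered it (...,o=primary,dc=jboss,dc=org). The following triage helper is an added example for this issue and is not code from WildFly, Elytron, ApacheDS or the JDK: it pulls the LDAP URL out of a NotContextException message, parses it per RFC 4516 (host, port, DN, attributes, scope, filter) and reports whether the referral stays inside the naming context of the original search. The sample input is a copy of the stack-trace line on this page; the function and field names are this example's own.

```python
"""Pull the referral target out of a javax.naming.NotContextException message
and compare it with the search's remaining name.

Added triage helper for WFCORE-5936; not code from WildFly, Elytron, ApacheDS
or the JDK. URL parsing follows RFC 4516 (LDAP URL format).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed input: the "Caused by" line copied from this issue's stack trace.
SAMPLE_CAUSE = (
    "Caused by: javax.naming.NotContextException: Cannot create context for: "
    "ldap://localhost:11389/ou=Roles,"
    "o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,"
    "o=secondary,dc=jboss,dc=com??sub; remaining name "
    "'o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,"
    "o=primary,dc=jboss,dc=org'"
)

CAUSE_RE = re.compile(
    r"Cannot create context for: (?P<url>ldaps?://\S+?); remaining name '(?P<remaining>[^']*)'"
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    host: str
    port: int
    dn: str
    attributes: List[str]
    scope: str             # base | one | sub (RFC 4516 default is base)
    filter: Optional[str]
    extensions: List[str]


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap[s]://host[:port]/dn?attrs?scope?filter?exts (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url}")
    # Everything after the first '?' is a '?'-separated list of four optional
    # fields; urlsplit keeps all of it (including further '?') in .query.
    fields = (parts.query.split("?") + ["", "", "", ""])[:4]
    attrs, scope, flt, exts = (unquote(f) for f in fields)
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"bad scope in LDAP URL: {scope!r}")
    return LdapUrl(
        host=parts.hostname or "",
        port=parts.port or DEFAULT_PORTS[parts.scheme],
        dn=unquote(parts.path.lstrip("/")),
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=flt or None,
        extensions=[e for e in exts.split(",") if e],
    )


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas not escaped with a backslash. Deliberately minimal:
    enough for the DNs in this issue, not a full RFC 4514 parser."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]


def naming_context(dn: str) -> str:
    """Trailing run of dc= RDNs, lower-cased, e.g. 'dc=jboss,dc=org'."""
    suffix: List[str] = []
    for rdn in reversed(split_rdns(dn)):
        if not rdn.lower().startswith("dc="):
            break
        suffix.insert(0, rdn.lower())
    return ",".join(suffix)


def parse_not_context_exception(message: str) -> Optional[Tuple[LdapUrl, str]]:
    """Return (referral URL, remaining name) from a NotContextException line, or None."""
    m = CAUSE_RE.search(message)
    if not m:
        return None
    return parse_ldap_url(m.group("url")), m.group("remaining")


def diagnose(message: str) -> dict:
    """Summarise where a failed referral points and whether it stays in the
    naming context of the search that triggered it."""
    parsed = parse_not_context_exception(message)
    if parsed is None:
        return {"matched": False}
    url, remaining = parsed
    ref_ctx, rem_ctx = naming_context(url.dn), naming_context(remaining)
    return {
        "matched": True,
        "referral_host": url.host,
        "referral_port": url.port,
        "referral_dn": url.dn,
        "referral_scope": url.scope,
        "referral_context": ref_ctx,
        "remaining_name": remaining,
        "remaining_context": rem_ctx,
        "same_naming_context": ref_ctx == rem_ctx,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CAUSE).items():
        print(f"{key:>20}: {value}")
```

Run against the line from this issue it reports a subtree-scoped referral to localhost:11389 under dc=jboss,dc=com, while the remaining name sits under dc=jboss,dc=org. JNDI's follow mode opens the connection to the referred-to host with the same environment (including the dir-context principal and credential) as the original context, so the host and port a referral names are worth checking this way before relying on referral-mode=follow against a directory you do not fully control.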


Attachments:
  1. ldap-test.war (4 kB, Nikita Gibor)
  2. primary.ldif (0.5 kB, Nikita Gibor)
  3. secondary.ldif (0.6 kB, Nikita Gibor)

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-ngibor Nikita Gibor (Inactive)