WildFly Core / WFCORE-5936

LDAP authentication using referrals fails on JDK 17 with ApacheDS


Details

      1. Configure 2 ApacheDS servers:
        • Use port 10389 for the primary server and 11389 for the secondary (referral) server.
        • Execute the ldap add command for primary and secondary using the attached ldif files:
          ldapmodify -h localhost -p 10389 -D "uid=admin,ou=system" -w "secret" -a -f primary.ldif
          ldapmodify -h localhost -p 11389 -D "uid=admin,ou=system" -w "secret" -a -f secondary.ldif
      2. Launch the server using JDK 17 and configure it:
        /subsystem=elytron/dir-context=exampleDC:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text="secret"},referral-mode=follow)

        /subsystem=elytron/ldap-realm=exampleLR:add(direct-verification=false,dir-context=exampleDC,identity-mapping={filter-name="(|(objectclass=referral)(uid={0}))",search-base-dn="dc=example,dc=com",use-recursive-search=true,rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="dc=example,dc=com",filter="(|(objectclass=referral)(member={1}))",from="cn",to="groups"}]})

        /subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-decoder=groups-to-roles}],default-realm=exampleLR,permission-mapper=default-permission-mapper)

        /subsystem=elytron/http-authentication-factory=elytron-http-authn-factory:add(http-server-mechanism-factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="some realm"}]}])

        /subsystem=undertow/application-security-domain=elytron-ldap-security-domain:add(http-authentication-factory=elytron-http-authn-factory)
      3. Deploy the test application (attached).
      4. Access http://127.0.0.1:8080/ldap-test/protected/printRoles?role=RefRoles&role=ReferralRole using "referralUser" as username and "Password1" as password. You can use curl, for example:
        curl -v -i -H "Connection: Keep-Alive" -H "Host: 127.0.0.1:8080" -H "Accept-Encoding: gzip,deflate" -H "Authorization: Basic cmVmZXJyYWxVc2VyOlBhc3N3b3JkMQ==" "http://127.0.0.1:8080/ldap-test/protected/printRoles?role=RefRoles&role=ReferralRole"
      5. Expected output is 200/OK status and ",ReferralRole," body (works on JDK 11).
      6. Actual output is 500 status.
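The reproduction steps above as one script, added here as an example and not something attached to the issue or shipped with WildFly/Elytron: it loads the two LDIF files, applies the issue's CLI commands as a single jboss-cli batch, deploys the WAR, requests the protected URL with the same credentials the issue's Authorization header encodes, and reports whether the response is the expected 200 with ",ReferralRole," in the body or the 500 the issue reports. It assumes both ApacheDS instances are already listening on the issue's ports, that primary.ldif, secondary.ldif and ldap-test.war are in the current directory, and that JBOSS_HOME (an assumed variable) points at the WildFly installation running on JDK 17.

```shell
#!/bin/sh
# Added reproduction script for WFCORE-5936; not part of the issue or of WildFly.
# Assumptions: ApacheDS on 10389 (primary) and 11389 (secondary/referral) are up,
# the issue's attachments are in the current directory, and a WildFly server on
# JDK 17 with management enabled is reachable through $JBOSS_HOME (assumed path).
# Host, ports, credentials and CLI commands are the issue's own values.

LDAP_HOST=${LDAP_HOST:-localhost}
PRIMARY_PORT=10389
SECONDARY_PORT=11389
ADMIN_DN="uid=admin,ou=system"
ADMIN_PW="secret"
JBOSS_HOME=${JBOSS_HOME:-/opt/wildfly}
APP_URL="http://127.0.0.1:8080/ldap-test/protected/printRoles?role=RefRoles&role=ReferralRole"

# Step 1: load the attached LDIF files into the primary and the referral server.
load_ldif() {
    ldapmodify -h "$LDAP_HOST" -p "$PRIMARY_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" -a -f primary.ldif
    ldapmodify -h "$LDAP_HOST" -p "$SECONDARY_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" -a -f secondary.ldif
}

# Steps 2 and 3: apply the issue's Elytron/Undertow configuration as one batch
# (a failing command rolls the whole batch back) and deploy the test application.
configure_and_deploy() {
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect <<'EOF'
batch
/subsystem=elytron/dir-context=exampleDC:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text="secret"},referral-mode=follow)
/subsystem=elytron/ldap-realm=exampleLR:add(direct-verification=false,dir-context=exampleDC,identity-mapping={filter-name="(|(objectclass=referral)(uid={0}))",search-base-dn="dc=example,dc=com",use-recursive-search=true,rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="dc=example,dc=com",filter="(|(objectclass=referral)(member={1}))",from="cn",to="groups"}]})
/subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-decoder=groups-to-roles}],default-realm=exampleLR,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=elytron-http-authn-factory:add(http-server-mechanism-factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="some realm"}]}])
/subsystem=undertow/application-security-domain=elytron-ldap-security-domain:add(http-authentication-factory=elytron-http-authn-factory)
run-batch
deploy ldap-test.war
EOF
}

# Step 4: request the protected page as referralUser/Password1 (what the issue's
# "Authorization: Basic cmVmZXJyYWxVc2VyOlBhc3N3b3JkMQ==" header decodes to) and
# keep the response headers so the status line can be checked.
fetch_protected() {
    curl -s -i -u "referralUser:Password1" "$APP_URL"
}

# Steps 5 and 6: the issue expects HTTP 200 with ",ReferralRole," in the body
# (JDK 11) and gets HTTP 500 on JDK 17. Takes raw "curl -i" output, returns 0 on
# the expected result and 1 otherwise, printing a one-line verdict either way.
check_response() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    body=$(printf '%s\n' "$1" | tr -d '\r' | sed '1,/^$/d')
    if [ "$status" = 200 ] && printf '%s\n' "$body" | grep -q ',ReferralRole,'; then
        echo "PASS: status $status, body contains ,ReferralRole,"
        return 0
    fi
    echo "FAIL: status ${status:-unknown} (expected 200 with ,ReferralRole, in the body)"
    return 1
}

main() {
    load_ldif
    configure_and_deploy
    check_response "$(fetch_protected)"
}

# Run the whole reproduction only when invoked as: sh repro.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Invoked without the `run` argument the script only defines its functions, so `check_response` can be applied to saved `curl -i` output from a JDK 11 and a JDK 17 run of the same server to compare the two outcomes side by side.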

    Description

      LDAP authentication using referrals fails on JDK 17. It seems like the server is unable to parse the output of the LDAP request.

      ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /23cab910-e108-46b7-a2f2-116773881847/protected/printRoles: java.lang.RuntimeException: ELY01084: Error while consuming results from search. SearchDn [o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=primary,dc=jboss,dc=org], Filter [(|(objectclass=referral)(uid={0}))], Filter Args [[referralUser]].
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1141)
         at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
         at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
         at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
         at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
         at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
         at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
         at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.getIdentity(LdapSecurityRealm.java:705)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:616)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:2078)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:767)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1021)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:931)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1090)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:78)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.basic.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:161)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.util.SocketAddressCallbackServerMechanismFactory$1.evaluateRequest(SocketAddressCallbackServerMechanismFactory.java:82)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
         at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
         at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
         at io.undertow.core@2.2.17.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
         at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
         at io.undertow.core@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at org.wildfly.extension.undertow@8.0.0.Beta-redhat-20220504//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
         at io.undertow.servlet@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
         at io.undertow.core@2.2.17.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
         at io.undertow.core@2.2.17.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
         at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
         at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
         at java.base/java.lang.Thread.run(Thread.java:833)
      Caused by: javax.naming.NotContextException: Cannot create context for: ldap://localhost:11389/ou=Roles,o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=secondary,dc=jboss,dc=com??sub; remaining name 'o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=primary,dc=jboss,dc=org'
         at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:149)
         at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
         at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:129)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.DelegatingLdapContext.wrapReferralContextObtaining(DelegatingLdapContext.java:154)
         at org.wildfly.security.elytron-base@1.19.0.Final//org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch$1.tryAdvance(LdapSecurityRealm.java:1118)
         ... 62 more
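To make the `Caused by` line easier to read, here is an added triage helper (not part of the issue or of WildFly/Elytron) that extracts the referral URL and the remaining name from that line and splits the referral URL into its RFC 4516 components. SAMPLE_LINE is a copy of the line above; the defaults used for empty parts (port 389, scope `base`, filter `(objectClass=*)`) are the RFC's, so the `??sub` suffix reads as "all user attributes, subtree scope".

```shell
#!/bin/sh
# Added triage helper for the WFCORE-5936 stack trace; not part of the issue or of
# WildFly/Elytron. Pulls the referral URL and the "remaining name" out of the
# javax.naming.NotContextException line and splits the URL into its RFC 4516
# parts: ldap://host[:port]/dn[?attrs[?scope[?filter]]]. SAMPLE_LINE is a copy of
# the issue's "Caused by" line. IPv6 host literals and percent-encoded DNs are not
# handled.

SAMPLE_LINE="Caused by: javax.naming.NotContextException: Cannot create context for: ldap://localhost:11389/ou=Roles,o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=secondary,dc=jboss,dc=com??sub; remaining name 'o=AuthenticationReferralWithDirectVerificationFalseTestCas6e94c027,o=primary,dc=jboss,dc=org'"

DEFAULT_FILTER='(objectClass=*)'

# The LDAP URL JNDI was asked to follow: the text between
# "Cannot create context for: " and the first ";".
referral_url() {
    printf '%s\n' "$1" | sed -n 's/.*Cannot create context for: \([^;]*\);.*/\1/p'
}

# The DN JNDI still had left to resolve when it gave up (the quoted "remaining name").
remaining_name() {
    printf '%s\n' "$1" | sed -n "s/.*remaining name '\([^']*\)'.*/\1/p"
}

# Print one component (host, port, dn, attrs, scope, filter) of an LDAP URL.
# RFC 4516 defaults apply when a part is empty: port 389, scope "base",
# filter "(objectClass=*)"; an empty attribute list means all user attributes.
ldap_url_field() {
    url=$1
    field=$2
    hostport=${url#ldap://}
    hostport=${hostport%%/*}
    case $url in
        ldap://*/*) path=${url#ldap://*/} ;;
        *) path= ;;
    esac
    # Split the path on "?" without glob expansion; empty fields are preserved,
    # which is what turns "dn??sub" into dn / "" / sub.
    set -f
    oldifs=$IFS
    IFS='?'
    set -- $path
    IFS=$oldifs
    set +f
    case $field in
        host)   printf '%s\n' "${hostport%%:*}" ;;
        port)   case $hostport in *:*) printf '%s\n' "${hostport#*:}" ;; *) echo 389 ;; esac ;;
        dn)     printf '%s\n' "${1:-}" ;;
        attrs)  printf '%s\n' "${2:-}" ;;
        scope)  printf '%s\n' "${3:-base}" ;;
        filter) printf '%s\n' "${4:-$DEFAULT_FILTER}" ;;
        *)      echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# Summarise one NotContextException line: where the referral points, what
# subtree it names, and which DN was left unresolved.
triage() {
    url=$(referral_url "$1")
    printf 'referral target : %s:%s\n' "$(ldap_url_field "$url" host)" "$(ldap_url_field "$url" port)"
    printf 'referral base DN: %s\n' "$(ldap_url_field "$url" dn)"
    printf 'referral scope  : %s\n' "$(ldap_url_field "$url" scope)"
    printf 'referral filter : %s\n' "$(ldap_url_field "$url" filter)"
    printf 'remaining name  : %s\n' "$(remaining_name "$1")"
}

triage "$SAMPLE_LINE"
```

Pointing `triage` at each `NotContextException` line from server.log (for example `grep 'Cannot create context for' server.log | while IFS= read -r l; do triage "$l"; done`) gives a quick view of which referral targets and base DNs a JDK 17 run fails on, which is the information to attach when comparing against a JDK 11 run.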

      Attachments

        1. ldap-test.war
          4 kB
          Nikita Gibor
        2. primary.ldif
          0.5 kB
          Nikita Gibor
        3. secondary.ldif
          0.6 kB
          Nikita Gibor

            People

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-ngibor Nikita Gibor (Inactive)