Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-6535

LdapLoginModule authentication fails when some part of DN is part of LDAP URL

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • 10.0.0.Final
    • Security
    • None
    • Hide

      Set LdapLoginModule with options like:

      ...
<module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
<module-option name="principalDNSuffix" value=",ou=myOrgUnit,o=organization,dc=jboss,dc=org"/>
...

      => authentication passes

      Change these options like:

      ...
<module-option name="java.naming.provider.url" value="ldap://localhost:10389/o=organization,dc=jboss,dc=org"/>
<module-option name="principalDNSuffix" value=",ou=myOrgUnit"/>
...

      => authentication fails

      Show
      Set LdapLoginModule with options like: ... <module-option name= "java.naming.provider.url" value= "ldap: //localhost:10389" /> <module-option name= "principalDNSuffix" value= ",ou=myOrgUnit,o=organization,dc=jboss,dc=org" /> ... => authentication passes Change these options like: ... <module-option name= "java.naming.provider.url" value= "ldap: //localhost:10389/o=organization,dc=jboss,dc=org" /> <module-option name= "principalDNSuffix" value= ",ou=myOrgUnit" /> ... => authentication fails

      In case when part of DN is placed in LDAP URL instead of principalDNSuffix then authentication fails (see [1] for details about this URL) in LdapLoginModule. Authentication is provided by binding with user DN and password, but in this case user DN does not include DN part from LDAP URL which leads to fail.

      Thrown exception:

      javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jduke,ou=People
    com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
    org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
    javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
    org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
    javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    javax.naming.InitialContext.init(InitialContext.java:244)
    javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    org.jboss.security.auth.spi.LdapLoginModule.createLdapInitContext(LdapLoginModule.java:362)
    org.jboss.security.auth.spi.LdapLoginModule.validatePassword(LdapLoginModule.java:289)
    org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

      [1] https://tools.ietf.org/html/rfc2255

            darran.lofthouse@redhat.com Darran Lofthouse
            olukas Ondrej Lukas (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: