Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8030

Elytron ldap-realm does not handle loops in referrals

    XMLWordPrintable

Details

    • Hide

      1) Setup server

      /subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential=secret,referral-mode=follow)
      /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=true,identity-mapping={rdn-identifier=uid,filter-name="(|(objectclass=referral)(uid={0}))",use-recursive-search="true",search-base-dn="ou=People,dc=jboss,dc=org",attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={0})",from=cn,to=groups}]})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory)
      

      2) Start LDAP servers
      Use following ldif for LDAP server 1:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectClass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password1
      
      dn: ou=RefUsers,ou=People,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefUsers
      ref: ldap://localhost:11389/ou=Users,dc=jboss,dc=org
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=Admin,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: Admin
      description: the Admin group
      member: uid=jduke,ou=People,dc=jboss,dc=org
      

      Use following ldif for LDAP server 2:

      dn: ou=Users,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Users
      
      dn: ou=RefPeople,ou=Users,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefPeople
      ref: ldap://localhost:10389/ou=People,dc=jboss,dc=org
      

      3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.

      Show
      1) Setup server /subsystem=elytron/dir-context=dir-context-localhost:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential=secret,referral-mode=follow) /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification= true ,identity-mapping={rdn-identifier=uid,filter-name= "(|(objectclass=referral)(uid={0}))" ,use-recursive-search= " true " ,search-base-dn= "ou=People,dc=jboss,dc=org" ,attribute-mapping=[{filter-base-dn= "ou=Roles,dc=jboss,dc=org" ,filter= "(member={0})" ,from=cn,to=groups}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}], default -realm=ldap-realm-localhost,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory) 2) Start LDAP servers Use following ldif for LDAP server 1: dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectClass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password1 dn: ou=RefUsers,ou=People,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefUsers ref: ldap: //localhost:11389/ou=Users,dc=jboss,dc=org dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=Admin,ou=Roles,dc=jboss,dc=org objectClass: top objectClass: groupOfNames cn: Admin description: the Admin group member: uid=jduke,ou=People,dc=jboss,dc=org Use following ldif for LDAP server 2: dn: ou=Users,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Users dn: ou=RefPeople,ou=Users,dc=jboss,dc=org objectClass: extensibleObject objectClass: referral objectClass: top ou: RefPeople ref: ldap: //localhost:10389/ou=People,dc=jboss,dc=org 3) Deploy application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use some username and password (correct or incorrect) and you will see loop between LDAP servers.

    Description

      According to LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters.".

      When application server is configured to use ldap-realm with dir-context which uses referral-mode=follow or throw and LDAP servers contain loop then it leads to infinite cycle. It can results to java.lang.OutOfMemoryError on EAP server.

      [1] http://tools.ietf.org/html/rfc4511#section-4.1.10

      Attachments

        Issue Links

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: