
Elytron ldap-realm does not handle loops in referrals


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: 11.0.0.Alpha1
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None

      1) Setup server

      /subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential=secret,referral-mode=follow)
      /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=true,identity-mapping={rdn-identifier=uid,filter-name="(|(objectclass=referral)(uid={0}))",use-recursive-search="true",search-base-dn="ou=People,dc=jboss,dc=org",attribute-mapping=[{filter-base-dn="ou=Roles,dc=jboss,dc=org",filter="(member={0})",from=cn,to=groups}]})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-localhost-http-authentication-factory)
      

      2) Start LDAP servers
      Use the following LDIF for LDAP server 1:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectClass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password1
      
      dn: ou=RefUsers,ou=People,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefUsers
      ref: ldap://localhost:11389/ou=Users,dc=jboss,dc=org
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=Admin,ou=Roles,dc=jboss,dc=org
      objectClass: top
      objectClass: groupOfNames
      cn: Admin
      description: the Admin group
      member: uid=jduke,ou=People,dc=jboss,dc=org
      

      Use the following LDIF for LDAP server 2:

      dn: ou=Users,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Users
      
      dn: ou=RefPeople,ou=Users,dc=jboss,dc=org
      objectClass: extensibleObject
      objectClass: referral
      objectClass: top
      ou: RefPeople
      ref: ldap://localhost:10389/ou=People,dc=jboss,dc=org
      

      3) Deploy the application (see attachments) and access http://127.0.0.1:8080/print-roles/protected/printRoles?role=Admin - use any username and password (correct or incorrect) and you will see the loop between the LDAP servers.


      According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."

      When the application server is configured to use an ldap-realm whose dir-context uses referral-mode=follow or throw, and the LDAP servers contain a referral loop, the realm follows the referrals in an infinite cycle. This can result in a java.lang.OutOfMemoryError on the EAP server.

      [1] http://tools.ietf.org/html/rfc4511#section-4.1.10
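The loop described above, as an added example (not WildFly or Elytron code; SERVERS is a constructed in-memory stand-in for the two LDAP servers from the LDIFs, not a real LDAP client, and split_url, search_naive and search_guarded are hypothetical names): search_naive follows referrals exactly as the report describes and only stops because of an artificial hop limit, while search_guarded applies the RFC 4511 rule by refusing to issue the same (server, base DN, filter) request twice.

```python
# Constructed model: server URL -> search base DN -> entries and referral URLs.
# Filters are not evaluated here; they only form part of the request identity.
SERVERS = {
    "ldap://localhost:10389": {"ou=People,dc=jboss,dc=org": {
        "entries": ["uid=jduke,ou=People,dc=jboss,dc=org"],
        "referrals": ["ldap://localhost:11389/ou=Users,dc=jboss,dc=org"]}},  # ou=RefUsers
    "ldap://localhost:11389": {"ou=Users,dc=jboss,dc=org": {
        "entries": [],
        "referrals": ["ldap://localhost:10389/ou=People,dc=jboss,dc=org"]}},  # ou=RefPeople
}


def split_url(url):
    """'ldap://host:port/dn' -> ('ldap://host:port', 'dn')."""
    scheme, rest = url.split("://", 1)
    host, _, dn = rest.partition("/")
    return f"{scheme}://{host}", dn


def search_naive(server, base_dn, filt, hops=0, max_hops=50):
    """Follows every referral unconditionally (the reported behaviour); the hop
    counter only makes the demo fail loudly instead of recursing forever."""
    if hops >= max_hops:
        raise RecursionError(f"still chasing referrals after {hops} hops")
    node = SERVERS.get(server, {}).get(base_dn)
    if node is None:
        return []
    entries = list(node["entries"])
    for ref in node["referrals"]:
        entries += search_naive(*split_url(ref), filt, hops + 1, max_hops)
    return entries


def search_guarded(server, base_dn, filt, visited=None):
    """Issues each request (server, base DN, filter) at most once, as RFC 4511
    section 4.1.10 requires. Returns (entries, refused_repeat_requests)."""
    visited = set() if visited is None else visited
    key = (server, base_dn, filt)
    if key in visited:
        return [], [key]  # this exact request was already sent: a referral loop
    visited.add(key)
    node = SERVERS.get(server, {}).get(base_dn)
    if node is None:
        return [], []
    entries, loops = list(node["entries"]), []
    for ref in node["referrals"]:
        more, more_loops = search_guarded(*split_url(ref), filt, visited)
        entries += more
        loops += more_loops
    return entries, loops
```

With the two LDIFs above, search_guarded returns jduke plus one refused repeat request (server 1, ou=People, same filter), which is the point where the realm should stop rather than chase the referral again.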

      Assignee: Jan Kalina (jkalina@redhat.com)
      Reporter: Jan Kalina (jkalina@redhat.com)