Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-9226

Elytron dir-context referral mode THROW results to LdapReferralException for MS Active Directory

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 11.0.0.CR1
    • Security
    • Hide

      Use configuration like following where original.active.directory.url refers MS Active Directory server which has configured crossRef to server with DC=REFERRAL,DC=DOMAIN:

      <ldap-realm name="ldap-realm" dir-context="dir-context" direct-verification="true">
    <identity-mapping rdn-identifier="CN" use-recursive-search="true" search-base-dn="OU=secondary,O=eapqe,DC=REFERRAL,DC=DOMAIN">
        <attribute-mapping>
            <attribute from="CN" to="groups" filter="(member={1})" filter-base-dn="OU=secondary,O=eapqe,DC=REFERRAL,DC=DOMAIN"/>
        </attribute-mapping>
    </identity-mapping>
</ldap-realm>
...
<dir-context name="dir-context" url="{original.active.directory.url}" principal="jboss" referral-mode="THROW">
    <credential-reference clear-text="secret"/>
</dir-context>
      Show
      Use configuration like following where original.active.directory.url refers MS Active Directory server which has configured crossRef to server with DC=REFERRAL,DC=DOMAIN: <ldap-realm name= "ldap-realm" dir-context= "dir-context" direct-verification= " true " > <identity-mapping rdn-identifier= "CN" use-recursive-search= " true " search-base-dn= "OU=secondary,O=eapqe,DC=REFERRAL,DC=DOMAIN" > <attribute-mapping> <attribute from= "CN" to= "groups" filter= "(member={1})" filter-base-dn= "OU=secondary,O=eapqe,DC=REFERRAL,DC=DOMAIN" /> </attribute-mapping> </identity-mapping> </ldap-realm> ... <dir-context name= "dir-context" url= "{original.active.directory.url}" principal= "jboss" referral-mode= "THROW" > <credential-reference clear-text= "secret" /> </dir-context>
    • Workaround Exists
    • Hide

      Use referral mode FOLLOW instead of THROW.

      Show
      Use referral mode FOLLOW instead of THROW.

    Description

      When Elytron dir-context is configured to use referral mode THROW and MS Active Directory is used and ldap-realm attributes identity-mapping.search-base-dn or identity-mapping.attribute-mapping.filter-base-dn is configured to referral domain (i.e. domain which is referred through crossRef of LDAP server configured in related dir-context) then LdapReferralException is thrown and authentication is failed.

      In correct behavior ldap-realm with THROW referral mode should be able to authenticate user from referral correctly.

      Thrown Exception:

      BASIC: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01108: Ldap-backed realm identity search failed
	at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:176)
	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01108: Ldap-backed realm identity search failed
	at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:79)
	at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
	... 37 more
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01108: Ldap-backed realm identity search failed
	at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch.search(LdapSecurityRealm.java:1138)
	at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.getIdentity(LdapSecurityRealm.java:689)
	at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:601)
	at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1859)
	at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:665)
	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:877)
	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:787)
	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:928)
	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:735)
	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
	at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:73)
	... 38 more
Caused by: com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
	ref 1: 'eap-vm002.mw.lab.eng.bos.redhat.com'
\00]; remaining name 'ou=SimpleADReferralTestCasea4e11461,OU=secondary,O=eapqe,DC=JBOSS3,DC=test2'
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2975)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:297)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:297)
	at org.wildfly.security.auth.realm.ldap.DelegatingLdapContext.search(DelegatingLdapContext.java:330)
	at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch.searchWithPagination(LdapSecurityRealm.java:1158)
	at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapSearch.search(LdapSecurityRealm.java:1052)
	... 48 more

      Similar issue for referral mode THROW is also included in older version of application server, see JBEAP-3027 and JBEAP-3029.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11370 Elytron dir-context referral mode THROW results to LdapReferralException for MS Active Directory

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              jondruse@redhat.com Jiri Ondrusek
              jondruse@redhat.com Jiri Ondrusek
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: