Bug 1017974
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Spnego AdvancedLdapLoginModule isn't mapping nested roles | | |
| Product | JBoss Enterprise Application Platform 6 | Reporter | Chris Dolphy <cdolphy> |
| Component | Security | Assignee | Darran Lofthouse <darran.lofthouse> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Josef Cacek <jcacek> |
| Severity | urgent | Docs Contact | Russell Dickenson <rdickens> |
| Priority | unspecified | | |
| Version | 6.1.1 | CC | asaldhan, brian.stansberry, jawilson, jcacek, myarboro, rdickens |
| Target Milestone | ER7 | Keywords | Regression |
| Target Release | EAP 6.2.0 | | |
| Hardware | All | OS | All |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-12-15 16:17:55 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1017976, 1031005 | | |
| Attachments | | | |
Description

Chris Dolphy, 2013-10-10 21:30:11 UTC

Created attachment 810801: test case
I now have a fix both for the issue reported in this Jira and for the previous issue that caused this regression. I will proceed to tagging a release in the morning.

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Coding In Progress

Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-758

This can be reproduced with configuration similar to the following:

```xml
<login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">
    <module-option name="bindDN" value="CN=as7" />
    <module-option name="bindCredential" value="xxx" />
    <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
    <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
    <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
    <module-option name="roleFilter" value="(distinguishedName={1})"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleNameAttributeID" value="name"/>
    <module-option name="recurseRoles" value="true"/>
</login-module>
```

Note: One possible workaround could be if a definition is possible without the rolesFilter.

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Resolved

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-758 to Resolved

Role recursion doesn't work when referrals are followed:
LM configuration:

```xml
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
    <module-option name="baseFilter" value="(uid={0})"/>
    <module-option name="java.naming.referral" value="follow"/>
    <module-option name="bindDN" value="uid=admin,ou=system"/>
    <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
    <module-option name="referralUserAttributeIDToCheck" value="member"/>
    <module-option name="roleNameAttributeID" value="cn"/>
    <module-option name="recurseRoles" value="true"/>
    <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
    <module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
    <module-option name="bindCredential" value="secret"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleAttributeID" value="description"/>
    <module-option name="throwValidateError" value="true"/>
</login-module>
```

Directory content:

```ldif
# important entries in dc=jboss,dc=org:
dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:
dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org
```

User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule. It works as expected when the LdapExtLoginModule is used.
This issue has never attempted to address referrals.

- Did mapping referrals work before this fix?
- Did mapping referrals work before the fix that caused the regression that is fixed here?

This issue is only about fixing the regression. (The version tested was CR1.) The remaining issue is not a regression. Therefore I will set this issue to verified and create a new one for the referrals use-case. Russell, could you please describe the limitation in role search in Release Notes? Thanks.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
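As an added illustration, not code from JBoss Negotiation or from anyone in this thread, the following Python toy model reproduces the role search that the second configuration and LDIF above describe: the `roleFilter` `(|(objectClass=referral)(member={1}))`, referral following under `java.naming.referral=follow`, mapping `roleAttributeID=description` (a DN) to `roleNameAttributeID=cn`, and `recurseRoles`. The two in-memory dicts stand in for the two servers, and the `SuperUser` group is constructed (not on the page) to show a nested role.

```python
# Toy model of the AdvancedLdapLoginModule role search; constructed directories
# mirror the LDIF in the report. The SuperUser group is an added nested role.
SERVERS = {
    "ldap://127.0.0.1:10389": {
        "uid=jduke,ou=People,dc=jboss,dc=org": {"objectClass": ["person"], "uid": ["jduke"]},
        "ou=RefRoles,ou=Roles,dc=jboss,dc=org": {
            "objectClass": ["referral"],
            "ref": ["ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com"]},
    },
    "ldap://localhost:11389": {
        "ou=SharedRoles,dc=jboss,dc=com": {"objectClass": ["organizationalUnit"]},
        "cn=Admin,ou=SharedRoles,dc=jboss,dc=com": {
            "objectClass": ["groupOfNames"], "cn": ["Admin"],
            "description": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"],
            "member": ["uid=jduke,ou=People,dc=jboss,dc=org"]},
        "cn=SuperUser,ou=SharedRoles,dc=jboss,dc=com": {   # constructed nested group
            "objectClass": ["groupOfNames"], "cn": ["SuperUser"],
            "description": ["cn=SuperUser,ou=SharedRoles,dc=jboss,dc=com"],
            "member": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"]},
    },
}

def find_roles(member_dn, url, base, cfg, seen):
    """One pass of roleFilter (|(objectClass=referral)(member={1})) over (url, base)."""
    roles = set()
    for dn, attrs in SERVERS[url].items():
        if not (dn == base or dn.endswith("," + base)):
            continue
        if "referral" in attrs.get("objectClass", []):
            if cfg["follow_referrals"]:                 # java.naming.referral=follow
                ref_url, ref_base = attrs["ref"][0].rsplit("/", 1)
                roles |= find_roles(member_dn, ref_url, ref_base, cfg, seen)
            continue
        if member_dn not in attrs.get("member", []):
            continue
        role_dn = attrs["description"][0]               # roleAttributeID, roleAttributeIsDN=true
        if role_dn in seen:                             # guard against membership cycles
            continue
        seen.add(role_dn)
        roles.add(SERVERS[url][role_dn]["cn"][0])       # roleNameAttributeID=cn
        if cfg["recurse"]:                              # recurseRoles=true: role DN becomes {1}
            roles |= find_roles(role_dn, cfg["url"], cfg["base"], cfg, seen)
    return roles

def resolve_roles(user_dn, follow_referrals=True, recurse=True):
    """Roles for user_dn starting at rolesCtXDN on the provider URL from the report."""
    cfg = {"url": "ldap://127.0.0.1:10389", "base": "ou=Roles,dc=jboss,dc=org",
           "follow_referrals": follow_referrals, "recurse": recurse}
    return find_roles(user_dn, cfg["url"], cfg["base"], cfg, set())
```

With referrals not followed the search never leaves `ou=Roles,dc=jboss,dc=org`, so jduke gets no roles; with them followed but `recurseRoles` off, only `Admin` is found.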