Bug 1031005

Summary: AdvancedLdapLoginModule fails to follow referrals when role recursion is used
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Josef Cacek <jcacek>
Component: SecurityAssignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: high Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.2.0   
Target Milestone: GA   
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-29 14:05:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1017974    
Bug Blocks:    

Description Josef Cacek 2013-11-15 13:14:06 UTC 
Originally in: https://bugzilla.redhat.com/show_bug.cgi?id=1017974#c12

Role recursion doesn't work when referrals are followed:

LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
	<module-option name="baseFilter" value="(uid={0})"/>
	<module-option name="java.naming.referral" value="follow"/>
	<module-option name="bindDN" value="uid=admin,ou=system"/>
	<module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
	<module-option name="referralUserAttributeIDToCheck" value="member"/>
	<module-option name="roleNameAttributeID" value="cn"/>
	<module-option name="recurseRoles" value="true"/>
	<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
	<module-option name="java.naming.security.authentication" value="simple"/>
	<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
	<module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
	<module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
	<module-option name="bindCredential" value="secret"/>
	<module-option name="roleAttributeIsDN" value="true"/>
	<module-option name="roleAttributeID" value="description"/>
	<module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

########################

user jduke should get Admin role assigned, but it doesn't work with AdvancedLdapLoginModule

It works as expected when the LdapExtLoginModule is used.
Comment 1 Josef Cacek 2014-07-29 14:05:58 UTC 
This issue reported against older version, cannot be reproduced against latest 6.3.0. bits, which means it was fixed earlier. Therefore, we are closing this bug.