Bug 1051227

Summary: [EAP 6.2.0] LDAP Group Loading - Should Not Fail for Non-existent User
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Domain Management
Assignee: Derek Horton <dehort>
Status: CLOSED WONTFIX
QA Contact: Petr Kremensky <pkremens>
Severity: unspecified
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.2.0
CC: emuckenh, jawilson, tfonteyn
Target Milestone: ---
Target Release: One-off release
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
PATCH NAME: bz-1051227
PRODUCT NAME: JBoss Enterprise Application Platform
VERSION: 6.2.0
SHORT DESCRIPTION: LDAP Group Loading - Should Not Fail for Non-existent User
LONG DESCRIPTION: Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP. One example is local authentication where the user may not exist. Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.
Install Instructions: Start jboss-cli.sh, do not connect to the server, then execute:
    patch apply /path/to BZ1051227.zip
Instructions to uninstall: Start jboss-cli.sh, do not connect to the server, then execute:
    patch rollback --patch-id=eap-620-bz1051227 --reset-configuration=false
COMPATIBILITY:
DEPENDENCIES: JBoss Enterprise Application Platform 6.2.0
SUPERSEDES:
SUPERSEDED BY:
CREATOR: Derek Horton
DATE: 9 January 2014
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-02 13:25:34 UTC
Type: Support Patch
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
patch (Flags: none)

Description Derek Horton 2014-01-09 21:34:48 UTC
Description of problem:
Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP.
One example is local authentication where the user may not exist.
Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.


Steps to Reproduce:

Configure domain mode to use LDAP / RBAC for the management realm:


    <security-realm name="ManagementRealm">
        <authentication>
            <ldap connection="ldap_connection" base-dn="ou=Users,dc=my-domain,dc=com">
                <username-filter attribute="uid"/>
            </ldap>
        </authentication>
        <authorization map-groups-to-roles="true">
            <ldap connection="ldap_connection">
                <username-to-dn force="true">
                    <username-filter base-dn="ou=Users,dc=my-domain,dc=com" recursive="true" attribute="uid" user-dn-attribute="dn"/>
                </username-to-dn>
                <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                    <group-to-principal base-dn="ou=Groups,dc=my-domain,dc=com" recursive="true" search-by="DISTINGUISHED_NAME">
                        <membership-filter principal-attribute="member"/>
                    </group-to-principal>
                </group-search>
            </ldap>
        </authorization>
    </security-realm>

Actual results:

Server instances fail to start:

[Server:server-one] 15:33:51,172 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("validate-authorization") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ManagementRealmLDAP"),
[Server:server-one]     ("authorization" => "ldap")
[Server:server-one] ]) - failure description: "JBAS015290: Configuration for security realm 'ManagementRealmLDAP' does not contain any group-search resource within the authorization=ldap resource."
[Server:server-one] 15:33:51,178 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.


Expected results:


Additional info:

Comment 1 Derek Horton 2014-01-09 22:22:51 UTC
Created attachment 847885 [details]
patch
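The two authorization steps that the realm configuration in the description wires up (username-to-dn, then group-to-principal with iterative membership search), modelled as an added example in Python against a constructed in-memory directory. This is not code from the bug report or from JBoss EAP; the directory entries, the DirectoryError class and the function names are assumptions made for illustration. It shows the behaviour the report asks for: a principal with no entry under ou=Users (a local-auth user or a domain server identity) gets an empty group set instead of a failure, while a genuine directory error still fails closed.

```python
"""Added example, not code from the bug report or from JBoss EAP.

Models the EAP 6.2 LDAP authorization steps configured in the report:
  1. username-to-dn  (<username-filter attribute="uid"> under ou=Users)
  2. group-to-principal (search-by="DISTINGUISHED_NAME", member attribute,
     iterative="true" so groups that contain groups are followed)
against a constructed in-memory directory.
"""


class DirectoryError(Exception):
    """Assumed stand-in for a failed LDAP operation (bind failure, timeout)."""


# Constructed sample directory, DN -> attributes.  The base DNs mirror the
# report's configuration; the entries themselves are invented.
DIRECTORY = {
    "uid=alice,ou=Users,dc=my-domain,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=Users,dc=my-domain,dc=com": {"uid": ["bob"]},
    "cn=Developers,ou=Groups,dc=my-domain,dc=com": {
        "cn": ["Developers"],
        "member": ["uid=alice,ou=Users,dc=my-domain,dc=com"],
    },
    "cn=Operators,ou=Groups,dc=my-domain,dc=com": {
        "cn": ["Operators"],
        # Nested membership: Operators contains the Developers group.
        "member": ["uid=bob,ou=Users,dc=my-domain,dc=com",
                   "cn=Developers,ou=Groups,dc=my-domain,dc=com"],
    },
}

USERS_BASE = "ou=Users,dc=my-domain,dc=com"
GROUPS_BASE = "ou=Groups,dc=my-domain,dc=com"


def search(base_dn, attr, value, directory=DIRECTORY):
    """Subtree search: DNs under base_dn whose `attr` contains `value`.
    A missing directory stands in for an LDAP operation that failed."""
    if directory is None:
        raise DirectoryError("connection to LDAP server failed")
    suffix = "," + base_dn
    return [dn for dn, attrs in directory.items()
            if dn.endswith(suffix) and value in attrs.get(attr, [])]


def username_to_dn(username, directory=DIRECTORY):
    """Step 1: resolve the login name to a DN; None when no entry exists.
    'No entry' is a normal outcome here, not an error."""
    hits = search(USERS_BASE, "uid", username, directory)
    return hits[0] if hits else None


def groups_for_dn(dn, directory=DIRECTORY):
    """Step 2: groups whose `member` holds the DN, then (iterative="true")
    groups whose `member` holds those groups, until no new group appears."""
    found, queue = set(), [dn]
    while queue:
        principal = queue.pop()
        for group_dn in search(GROUPS_BASE, "member", principal, directory):
            if group_dn not in found:
                found.add(group_dn)
                queue.append(group_dn)
    # group-name-attribute="cn": report the simple name of each group.
    return {directory[g]["cn"][0] for g in found}


def load_groups(username, directory=DIRECTORY):
    """Group loading as the report wants it: an unknown user is not an
    error, it simply has no LDAP groups (and, with map-groups-to-roles,
    no roles).  A failed search still raises and so fails closed."""
    dn = username_to_dn(username, directory)
    if dn is None:
        return set()
    return groups_for_dn(dn, directory)


if __name__ == "__main__":
    for name in ("alice", "bob", "server-one"):
        print(name, "->", sorted(load_groups(name)))
    try:
        load_groups("alice", directory=None)
    except DirectoryError as e:
        print("directory failure is still fatal:", e)
```

With map-groups-to-roles="true" an empty group set maps to no roles, so tolerating an unknown principal is least-privilege by default. The tolerance belongs in the group-loading step only: the principal has already been authenticated by whichever mechanism the realm selected, and an empty result must stay distinguishable from a failed search, which this example keeps as a raised error.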