Bug 1051240

Summary: [GSS] (6.2.x) LDAP Group Loading - Should Not Fail for Non-existent User
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Domain Management
Assignee: Derek Horton <dehort>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Kremensky <pkremens>
Severity: high
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.2.0
CC: bmaxwell, brian.stansberry, cdewolf, dehort, emuckenh, myarboro, nziakova, smumford
Target Milestone: CR1
Flags: smumford: needinfo-
Target Release: EAP 6.2.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An issue was encountered in previous releases of JBoss EAP 6 that caused domain mode server instances to fail to start. In domain mode, where a security realm was configured to load groups from LDAP, the server instances would try to load the group information for a server 'user' and fail. This issue was resolved by modifying the code so that group information is not loaded if the remote user was an authenticated server. Server instances no longer fail when encountering a user not found in the LDAP directory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-24 20:15:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1043667
Bug Blocks: 1027004

Description Derek Horton 2014-01-09 22:05:56 UTC
Description of problem:
Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP.
One example is local authentication where the user may not exist.
Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.


Steps to Reproduce:

Configure domain mode to use LDAP / RBAC for the management realm:


<security-realm name="ManagementRealm">
    <authentication>
        <ldap connection="ldap_connection" base-dn="ou=Users,dc=my-domain,dc=com">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization map-groups-to-roles="true">
        <ldap connection="ldap_connection">
            <username-to-dn force="true">
                <username-filter base-dn="ou=Users,dc=my-domain,dc=com" recursive="true" attribute="uid" user-dn-attribute="dn" />
            </username-to-dn>
            <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                <group-to-principal base-dn="ou=Groups,dc=my-domain,dc=com" recursive="true" search-by="DISTINGUISHED_NAME">
                    <membership-filter principal-attribute="member" />
                </group-to-principal>
            </group-search>
        </ldap>
    </authorization>
</security-realm>

Actual results:

Server instances fail to start:

[Server:server-one] 15:33:51,172 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("validate-authorization") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ManagementRealmLDAP"),
[Server:server-one]     ("authorization" => "ldap")
[Server:server-one] ]) - failure description: "JBAS015290: Configuration for security realm 'ManagementRealmLDAP' does not contain any group-search resource within the authorization=ldap resource."
[Server:server-one] 15:33:51,178 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.


Expected results:


Additional info:
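The group-loading path the report describes, as an added illustration that is not JBoss EAP code: a small Python model of the realm above (uid lookup under ou=Users, then an iterative member-attribute group search under ou=Groups) showing the reported behaviour, where a principal missing from LDAP aborts authentication, next to the expected one, where authenticated servers skip the lookup and an unknown user simply receives no groups. The DIRECTORY dictionary and the user "alice" are constructed stand-ins for the LDAP server.

```python
# Added model (not JBoss EAP code) of the realm's username-to-dn and
# group-search steps; DIRECTORY is a constructed stand-in for the LDAP server.
USERS_DN = "ou=Users,dc=my-domain,dc=com"
GROUPS_DN = "ou=Groups,dc=my-domain,dc=com"
DIRECTORY = {
    "uid=alice," + USERS_DN: {"uid": "alice"},
    "cn=admins," + GROUPS_DN: {"cn": "admins",
                               "member": ["uid=alice," + USERS_DN]},
    "cn=operators," + GROUPS_DN: {"cn": "operators",  # nested group
                                  "member": ["cn=admins," + GROUPS_DN]},
}


def username_to_dn(username):
    # <username-filter attribute="uid"/> under the users base-dn
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(USERS_DN) and attrs.get("uid") == username:
            return dn
    return None


def groups_for_dn(dn):
    # group-to-principal search-by DISTINGUISHED_NAME on the 'member'
    # attribute; iterative="true" also walks groups that contain groups
    found, pending = [], [dn]
    while pending:
        current = pending.pop()
        for gdn, attrs in DIRECTORY.items():
            if gdn.endswith(GROUPS_DN) and current in attrs.get("member", []):
                if attrs["cn"] not in found:
                    found.append(attrs["cn"])
                    pending.append(gdn)
    return found


def load_groups_buggy(username):
    # behaviour the bug reports: a user missing from LDAP aborts authentication
    dn = username_to_dn(username)
    if dn is None:
        raise LookupError("user %s not found in LDAP" % username)
    return groups_for_dn(dn)


def load_groups(username, authenticated_server=False):
    # expected behaviour: authenticated servers skip the LDAP lookup entirely,
    # and a user absent from LDAP simply gets no groups
    if authenticated_server:
        return []
    dn = username_to_dn(username)
    return [] if dn is None else groups_for_dn(dn)
```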

Comment 5 Scott Mumford 2014-01-20 01:06:23 UTC
Marking for inclusion in 6.2.1 release notes documentation.

Comment 6 Scott Mumford 2014-01-23 00:00:07 UTC
Hi Derek, I'm hoping you could assist the documentation effort and fill in the blanks in the Doc Text field above for the release notes.

Comment 7 Nikoleta Hlavickova 2014-01-23 15:07:30 UTC
Verified with 6.2.1.CP.CR1-patch.

Comment 8 Scott Mumford 2014-01-24 00:03:31 UTC
Thanks for the help Derek. Marking final note for inclusion in the Release Notes document.

Comment 9 Nikoleta Hlavickova 2014-01-30 12:54:00 UTC
Fixed a typo in Doc Text

Comment 10 Russell Dickenson 2014-02-03 04:04:26 UTC
Minor amendments to release notes text.