Bug 1086787

Summary: [GSS] (6.3.0) LdapExt login module fetches to many attributes in RoleSearch
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Tom Fonteyne <tfonteyn>
Component: SecurityAssignee: Peter Skopek <pskopek>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: medium Docs Contact: Russell Dickenson <rdickens>
Priority: medium    
Version: 6.1.1CC: bbaranow, bmaxwell, cdewolf, darran.lofthouse, dehort, hmlnarik, kkhan, myarboro
Target Milestone: ER7   
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1086795 (view as bug list) Environment:
Last Closed: 2014-06-28 15:30:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1086795, 1089068, 1104260, 1104269    

Description Tom Fonteyne 2014-04-11 13:31:48 UTC 
An LDAP server with (lets say) 1000 users in a group.
When authentication, a query is done to retrieve the groups for the user.

Most LDAP servers will limit the attributes send back based on authorization of the user, but can be configured to return all information.

The cause is:

/ Query for roles matching the role filter
SearchControls constraints = new SearchControls();
constraints.setSearchScope(searchScope);
constraints.setTimeLimit(searchTimeLimit);
rolesSearch(ctx, constraints, username, userDN, recursion, 0);

this used to also have:
constraints.setReturningAttributes(new String[0]);
at some time this was taken out.

It needs to go back in

According to the schedule it is to late for 6.3 as it would require a component update. Scheduling this for 6.4 when the flag becomes available. Will then also clone to get it into a 6.3 CP
Comment 1 Tom Fonteyne 2014-04-11 13:46:13 UTC 
The fix will be to upgrade the module PicketBox_4_0_21
Comment 2 Josef Cacek 2014-04-16 11:29:46 UTC 
Tom, if you fix the attribute search, then just check if referrals still work in role search (when 2 LDAP servers are used).

The change in search attribute was introduced by following commit:
https://source.jboss.org/changelog/PicketBox?cs=414

And the reason is described in:
https://bugzilla.redhat.com/show_bug.cgi?id=914821#c29
and
https://issues.jboss.org/browse/WFLY-808
Comment 9 JBoss JIRA Server 2014-06-03 17:38:59 UTC 
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-836 to Resolved
Comment 10 Peter Skopek 2014-06-04 07:32:00 UTC 
component fixes:
JBoss Negotiation: https://github.com/wildfly-security/jboss-negotiation/tree/2.3.3.Final
PicketBox: http://git.app.eng.bos.redhat.com/git/picketbox.git/tag/?h=eap62&id=4.0.19.SP8
Comment 11 Kabir Khan 2014-06-04 08:55:55 UTC 
Fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1104260 and https://bugzilla.redhat.com/show_bug.cgi?id=1104269
Comment 12 Hynek Mlnarik 2014-06-19 15:23:49 UTC 
Verified for 6.3.0.ER7