Bug 1086795

Summary: [GSS] (6.2.x) LdapExt login module fetches too many attributes in RoleSearch
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Tom Fonteyne <tfonteyn>
Component: Security    Assignee: baranowb <bbaranow>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: medium Docs Contact: Russell Dickenson <rdickens>
Priority: medium    
Version: 6.1.1    CC: bbaranow, bmaxwell, cdewolf, dehort, hmlnarik, jawilson, smumford
Target Milestone: CR1   
Target Release: EAP 6.2.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:    Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, the LdapExtended login module was found to be returning too many attributes when performing an authentication query using RoleSearch. The issue was caused by the removal of a constraint filter (`constraints.setReturningAttributes(new String[0]);`). This filter code has been reintroduced in this release of the product and the problem no longer occurs.
Story Points: ---
Clone Of: 1086787
Clones: 1089068    Environment:
Last Closed: 2014-08-07 12:12:01 UTC Type: Bug
Bug Depends On: 1086787    
Bug Blocks: 1067534, 1089068, 1104984, 1104987    

Description Tom Fonteyne 2014-04-11 13:47:57 UTC
+++ This bug was initially created as a clone of Bug #1086787 +++

This BZ is meant for EAP 6.2.x next possible CP


An LDAP server with (let's say) 1000 users in a group.
When authenticating, a query is done to retrieve the groups for the user.

Most LDAP servers will limit the attributes sent back based on the authorization of the user, but can be configured to return all information.

The cause is:

// Query for roles matching the role filter
SearchControls constraints = new SearchControls();
constraints.setSearchScope(searchScope);
constraints.setTimeLimit(searchTimeLimit);
rolesSearch(ctx, constraints, username, userDN, recursion, 0);

this used to also have:
constraints.setReturningAttributes(new String[0]);
at some time this was taken out.

It needs to go back in

According to the schedule it is too late for 6.3 as it would require a component update. Scheduling this for 6.4 when the flag becomes available. Will then also clone to get it into a 6.3 CP.
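The two SearchControls set-ups described above, side by side, as an added example written for this page (it is not JBoss EAP or PicketBox code). It uses plain JNDI against an assumed directory (the URL, bind DN, roles base, `(member={0})` role filter and `cn` role attribute are all illustrative values): the first search leaves the returning-attribute list unset, so every matching group entry comes back with all of its attributes, including the full member list; the second restores `setReturningAttributes(new String[0])`, receives only DNs, and then reads the single attribute it needs per entry.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example (not JBoss EAP code): contrasts the two SearchControls set-ups
 * from the bug description when searching for the groups a user belongs to.
 * Connection details, base DN, filter and attribute names are assumptions.
 */
public class RoleSearchExample {

    // Assumed values; adjust for the directory under test.
    static final String LDAP_URL    = "ldap://localhost:389";
    static final String BIND_DN     = "cn=Manager,dc=example,dc=com";
    static final String BIND_PW     = "secret";
    static final String ROLES_BASE  = "ou=groups,dc=example,dc=com";
    static final String ROLE_FILTER = "(member={0})"; // {0} is substituted with the user DN
    static final String ROLE_ATTR   = "cn";           // the attribute holding the role name

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        return new InitialDirContext(env);
    }

    /** Shared constraints: scope and time limit, as in the snippet from the bug. */
    static SearchControls baseConstraints() {
        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        constraints.setTimeLimit(10_000);
        return constraints;
    }

    /**
     * Regressed behaviour: returning attributes left unset (null), so JNDI asks the
     * server for every attribute of every matching group. With a 1000-member group,
     * each hit carries the whole 'member' list plus anything else the bind identity
     * is allowed to read.
     */
    static List<String> rolesReturningEverything(DirContext ctx, String userDN) throws NamingException {
        SearchControls constraints = baseConstraints();
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLES_BASE, ROLE_FILTER, new Object[]{userDN}, constraints);
        while (results.hasMore()) {
            SearchResult sr = results.next();
            Attributes all = sr.getAttributes();      // the whole entry came over the wire
            Attribute role = all.get(ROLE_ATTR);
            if (role != null) roles.add((String) role.get());
        }
        return roles;
    }

    /**
     * Fixed behaviour: an empty returning-attribute array makes the search return
     * only the DN of each match. The one attribute actually needed is then read
     * per entry, so the large member list never leaves the server.
     */
    static List<String> rolesReturningOnlyDN(DirContext ctx, String userDN) throws NamingException {
        SearchControls constraints = baseConstraints();
        constraints.setReturningAttributes(new String[0]); // the line the bug asks to restore
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLES_BASE, ROLE_FILTER, new Object[]{userDN}, constraints);
        while (results.hasMore()) {
            SearchResult sr = results.next();
            String groupDN = sr.getNameInNamespace();
            Attributes wanted = ctx.getAttributes(groupDN, new String[]{ROLE_ATTR});
            Attribute role = wanted.get(ROLE_ATTR);
            if (role != null) roles.add((String) role.get());
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        String userDN = args.length > 0 ? args[0] : "uid=jdoe,ou=people,dc=example,dc=com";
        DirContext ctx = connect();
        try {
            System.out.println("roles (all attributes fetched): " + rolesReturningEverything(ctx, userDN));
            System.out.println("roles (DN only, then cn):       " + rolesReturningOnlyDN(ctx, userDN));
        } finally {
            ctx.close();
        }
    }
}
```

To see what the server actually sends in each case, run the same filter with ldapsearch once with no attribute list and once with the attribute list `1.1` (the LDAP "no attributes" selector, which is what JNDI sends for an empty returning-attribute array) and compare the sizes of the two results; as the description notes, how much the first form returns depends on the directory's access controls for the bind identity, so a server that is configured to return all information shows the difference most clearly.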

Comment 5 Jimmy Wilson 2014-06-09 18:07:45 UTC
Setting status to POST to reflect component upgrade bug 1104984.

Comment 6 Hynek Mlnarik 2014-06-19 15:22:51 UTC
Verified for 6.2.4.CP.CR1