Bug 1128176

Summary: [GSS] (6.3.1) Nonexistent ldap group causes authentication to fail in security-realm
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Domain Management
Version: 6.3.0
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: unspecified
Target Milestone: CR1
Target Release: EAP 6.3.1
Hardware: Unspecified
OS: Unspecified
Keywords: Triaged
Reporter: Derek Horton <dehort>
Assignee: Chao Wang <chaowan>
QA Contact: Josef Cacek <jcacek>
Docs Contact: Russell Dickenson <rdickens>
CC: bbaranow, bmaxwell, chaowan, darran.lofthouse, emuckenh, jawilson, jcacek, kkhan, myarboro, pkremens, rdickens, smumford
Doc Type: Bug Fix
Doc Text:
Authentication to a security realm fails when LDAP authorization is used to search groups and the user object references a group that does not exist. Starting with EAP 6.3.1, such missing groups can be skipped instead of failing the authentication. To enable the "ignore nonexistent role" logic, set the system property org.jboss.as.domain.management.security.LdapGroupSearcherService.IGNORE_NONEXISTENT_ROLE to true by adding the following entry to bin/domain.conf (domain mode):
  HOST_CONTROLLER_JAVA_OPTS="$HOST_CONTROLLER_JAVA_OPTS -Dorg.jboss.as.domain.management.security.LdapGroupSearcherService.IGNORE_NONEXISTENT_ROLE=true"
or to bin/standalone.conf (standalone mode):
  JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.as.domain.management.security.LdapGroupSearcherService.IGNORE_NONEXISTENT_ROLE=true"
Type: Bug
Clone Of: 1105677
Bug Depends On: 1105677
Bug Blocks: 1102082, 1105619, 1127938, 1143052
Last Closed: 2014-10-13 18:36:58 UTC
Attachments: problem reproducer

Description Derek Horton 2014-08-08 13:53:57 UTC
Description of problem:
The LdapGroupSearcher code will fail if it tries to look up a group that
does not exist on the local ldap server.

This can happen when the ldap systems are configured as trusted domains.  
Even though the security-realm is not configured to use the trusted domain
(it is configured to only look at a single ldap server), the 
user's entry on one ldap server could point at a group that exists on 
the other (trusted) ldap server.

The LdapGroupSearcher code attempts to look up this role and it fails.  This
failure is sent back to the http server, which results in an HTTP 500 error
and leaves the user with no way to authenticate/login.

There is currently not a way to tell the group searcher code to ignore the 
group/role that cannot be found.


How reproducible:
Create a user in ldap that has a "bogus" group.  Log into the admin console as that user.  Once the LdapGroupSearcher code looks up the user, it will fail when it attempts to look up the "bogus" group.

PR
https://github.com/jbossas/jboss-eap/pull/1436
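Added illustration of the failure mode described above (not EAP's own code): an in-memory stand-in for the local server, a user whose memberOf points at a group that only exists on the trusted server, a resolver that either aborts as the pre-fix searcher did or skips the group when the ignore flag is set, and an audit helper that lists users carrying such dangling references. All DNs and entries are constructed.

```python
class NameNotFoundError(Exception):
    """Stand-in for the LDAP name-not-found error the searcher hits."""

# Constructed sample data: the realm is configured against LOCAL only,
# but alice's memberOf points at a group that lives on the trusted server.
LOCAL = {
    "uid=alice,ou=people,dc=example,dc=com": {"memberOf": [
        "cn=Administrator,ou=groups,dc=example,dc=com",
        "cn=Auditor,ou=groups,dc=trusted,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"memberOf": [
        "cn=Monitor,ou=groups,dc=example,dc=com"]},
    "cn=Administrator,ou=groups,dc=example,dc=com": {"cn": ["Administrator"]},
    "cn=Monitor,ou=groups,dc=example,dc=com": {"cn": ["Monitor"]},
}

def lookup(directory, dn):
    """Fetch one entry; a missing DN raises like a failed LDAP lookup."""
    try:
        return directory[dn]
    except KeyError:
        raise NameNotFoundError(dn) from None

def resolve_roles(directory, user_dn, ignore_nonexistent=False):
    """Return (roles, skipped_group_dns) for user_dn.
    With ignore_nonexistent=False a dangling group aborts the whole
    search, which is the behaviour that surfaced as an HTTP 500 at login."""
    roles, skipped = [], []
    for group_dn in lookup(directory, user_dn).get("memberOf", []):
        try:
            roles.append(lookup(directory, group_dn)["cn"][0])
        except NameNotFoundError:
            if not ignore_nonexistent:
                raise
            skipped.append(group_dn)
    return roles, skipped

def login_would_fail(directory, user_dn):
    """True when the pre-fix searcher would abort authentication."""
    try:
        resolve_roles(directory, user_dn)
        return False
    except NameNotFoundError:
        return True

def audit_dangling_groups(directory):
    """Map each user to the memberOf DNs absent from this server."""
    return {dn: [g for g in e.get("memberOf", []) if g not in directory]
            for dn, e in directory.items()
            if any(g not in directory for g in e.get("memberOf", []))}
```

The skipped list returned with the flag on shows which roles a user silently loses, so the audit is worth running before relying on the property.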

Comment 1 Derek Horton 2014-08-08 14:15:22 UTC
I created a one-off [1] for this issue because a customer is running into this issue when RBAC is enabled.  When they run into this, it is impossible for the users to log into the management console.

The pull request was denied because a system property is used to enable the "ignore nonexistent group" logic.  This option needs to be added to the ldap group searcher xml section of the config file.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1127938

Comment 3 mark yarborough 2014-08-11 13:14:51 UTC
Triage: Need to clarify if the fix is appropriate for production code.
Jimmy will follow up.

Comment 4 Josef Cacek 2014-08-15 10:57:27 UTC
Created attachment 927064 [details]
problem reproducer

Comment 7 Josef Cacek 2014-09-02 09:23:39 UTC
Verified in 6.3.1.CR1.