Bug 1288962

Summary: [QE](6.4.z) LdapExtLoginModule does not handle loops in referrals
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Ondrej Lukas <olukas>
Component: Security Assignee: jboss-set
Status: CLOSED WONTFIX QA Contact: Ondrej Lukas <olukas>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4.0 CC: anmiller, bdawidow, darran.lofthouse, istudens, pskopek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-09 13:18:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description   Flags
app.war       none
server1.ldif  none
server2.ldif  none

Description Ondrej Lukas 2015-12-07 06:20:50 UTC
Created attachment 1103021 [details]
app.war

According to LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters.".

When the EAP server is configured to use LdapExtLoginModule with referrals and the LDAP servers contain a loop, it leads to an infinite cycle. It can result in a java.lang.OutOfMemoryError on the EAP server.


How to reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif

2) Add following security domain to configuration:
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <!-- first LDAP server; its Roles subtree refers to the second server (and back) -->
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <!-- attribute checked on role entries reached through a referral to see whether the user is a member -->
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <!-- {1} is the authenticated user's DN; referral objects are returned along with matching roles -->
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <!-- "throw" makes JNDI raise ReferralException so the login module follows referrals itself -->
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>

3) Deploy attached application app.war

4) Run periodically
curl -u jduke:Password1 http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin

-> java.lang.OutOfMemoryError on EAP server


[1] http://tools.ietf.org/html/rfc4511#section-4.1.10
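The RFC 4511 requirement quoted in the description, shown on a model of the reported setup. This is an added example, not code from JBoss EAP, PicketBox or LdapExtLoginModule, and it does not read the attached LDIF files: the two "servers", their URLs, the role entries and the user DN are constructed inline so it runs offline. It contrasts a referral chaser with no memory, which keeps collecting role values until its budget (standing in for the heap) runs out, with one that keys a visited set on (server, base, request parameters) and also caps the number of distinct hops.

```python
"""Referral chasing with and without loop detection (RFC 4511 section 4.1.10).

Added example modelled on this bug's scenario; the directory below is
constructed for the demo and is not taken from server1.ldif/server2.ldif.
"""
from urllib.parse import urlsplit

USER_DN = "uid=jduke,ou=People,dc=jboss,dc=org"      # assumed user DN
ROLES_BASE = "ou=Roles,dc=jboss,dc=org"

# Constructed directory: server URL -> base DN -> search results.
# ("entry", dn, attrs) models a searchResultEntry, ("ref", url) a
# searchResultReference.  Each server's Roles subtree refers to the other,
# which is the loop the bug describes.
SERVERS = {
    "ldap://localhost:10389": {
        ROLES_BASE: [
            ("entry", f"cn=TheDuke,{ROLES_BASE}", {"cn": ["TheDuke"], "member": [USER_DN]}),
            ("ref", f"ldap://localhost:10390/{ROLES_BASE}"),
        ],
    },
    "ldap://localhost:10390": {
        ROLES_BASE: [
            ("entry", f"cn=Admin,{ROLES_BASE}", {"cn": ["Admin"], "member": [USER_DN]}),
            ("ref", f"ldap://localhost:10389/{ROLES_BASE}"),
        ],
    },
}


class SimulatedOutOfMemory(RuntimeError):
    """Stands in for the java.lang.OutOfMemoryError seen on the EAP server."""


class ReferralLimitExceeded(RuntimeError):
    """Too many distinct referral targets for one request."""


def split_ldap_url(url):
    """'ldap://host:port/base' -> ('ldap://host:port', 'base')."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}", parts.path.lstrip("/")


def search(server_url, base, member_dn):
    """Simulate roleFilter (|(objectClass=referral)(member={1})) on one server:
    return referrals plus role entries whose member attribute holds the user."""
    results = SERVERS.get(server_url, {}).get(base, [])
    return [r for r in results if r[0] == "ref" or member_dn in r[2].get("member", [])]


def chase_naive(server_url, base, member_dn, hop_budget=1000):
    """Follow every referral with no memory of where we have been.
    The role list grows without bound; hop_budget stands in for the heap."""
    roles, pending, hops = [], [(server_url, base)], 0
    while pending:
        url, b = pending.pop()
        hops += 1
        if hops > hop_budget:
            raise SimulatedOutOfMemory(f"{hops} hops, {len(roles)} role values collected")
        for r in search(url, b, member_dn):
            if r[0] == "entry":
                roles.extend(r[2]["cn"])
            else:
                pending.append(split_ldap_url(r[1]))
    return roles


def chase_safe(server_url, base, member_dn, max_hops=10):
    """RFC 4511 4.1.10: never repeat the same request with the same parameters
    against the same server.  The visited set is keyed on everything that
    identifies the request; max_hops also bounds long non-repeating chains.
    Returns (sorted role names, number of referrals skipped as loops)."""
    visited, roles, skipped = set(), set(), 0
    pending = [(server_url, base)]
    while pending:
        url, b = pending.pop()
        key = (url, b, member_dn)
        if key in visited:
            skipped += 1          # loop: same server, same request, same parameters
            continue
        if len(visited) >= max_hops:
            raise ReferralLimitExceeded(f"more than {max_hops} distinct referral targets")
        visited.add(key)
        for r in search(url, b, member_dn):
            if r[0] == "entry":
                roles.update(r[2]["cn"])
            else:
                pending.append(split_ldap_url(r[1]))
    return sorted(roles), skipped


def naive_runs_out(hop_budget=50):
    """True if the naive chaser exhausts its budget on the constructed loop."""
    try:
        chase_naive("ldap://localhost:10389", ROLES_BASE, USER_DN, hop_budget)
    except SimulatedOutOfMemory:
        return True
    return False


if __name__ == "__main__":
    print("naive chaser exhausts budget:", naive_runs_out())
    print("safe chaser:", chase_safe("ldap://localhost:10389", ROLES_BASE, USER_DN))
```

The safe chaser still returns both roles (TheDuke from the first server, Admin from the second) and reports one skipped referral, the hop back to the first server; on the same data the naive chaser only stops when its budget is gone.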

Comment 1 Ondrej Lukas 2015-12-07 06:21:46 UTC
Created attachment 1103022 [details]
server1.ldif

Comment 2 Ondrej Lukas 2015-12-07 06:22:13 UTC
Created attachment 1103023 [details]
server2.ldif