| Summary: | NPE in principal-to-group group searching | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Ondrej Lukas <olukas> |
| Component: | Domain Management, Security | Assignee: | jboss-set |
| Status: | CLOSED DEFERRED | QA Contact: | Ondrej Lukas <olukas> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4.0 | CC: | bmaxwell, brian.stansberry, dandread, istudens |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-20 16:31:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | groupsearch.ldif | | |

Created attachment 1112781: groupsearch.ldif
When LDAP authorization with principal-to-group group searching is used in a security realm and the LDAP entry found by the value of 'group-attribute' does not include the attribute named in 'group-name-attribute', authentication fails. It is caused by a missing null check for groupNameAttr and a hidden NPE thrown from [1].

Steps to reproduce:

1) Use the following security domain:

```xml
<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap_connection" base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="dn" group-name-attribute="description">
                <principal-to-group group-attribute="sn"/>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
...
<outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>
```

2) Use this security domain for RBAC access to the management console:

```xml
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ldap-security-realm">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <group name="JBossAdmin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
```

3) Use an LDAP server with the attached ldif.

4) Try to access the management console with jduke/Password - it will fail.

5) Uncomment the line 'description: Monitor' in the ldif and try to access the management console again - it will succeed.

[1] https://github.com/jbossas/jboss-eap/blob/8d2e4ac38fc3a170b3d049532a3cbb0dc13efe65/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L302
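An added example, not code from this bug report or from JBoss EAP, that models the principal-to-group lookup described above with constructed entries mirroring the reported configuration (group-attribute="sn", group-name-attribute="description"). `groups_unchecked` reproduces the failure mode of step 4; `groups_checked` is one possible hardening (an assumption, not EAP's actual fix) that skips and reports a group entry lacking the name attribute instead of failing the whole authentication.

```python
import copy

# Constructed LDAP entries (not the report's actual ldif), shaped like the
# attributes a search returns: DN -> {attribute: [values]}. The user's "sn"
# holds the DN of a group entry, matching principal-to-group group-attribute="sn".
JDUKE_DN = "uid=jduke,ou=People,dc=jboss,dc=org"
MONITOR_DN = "cn=Monitor,ou=Roles,dc=jboss,dc=org"
ENTRIES = {
    JDUKE_DN: {"uid": ["jduke"], "sn": [MONITOR_DN]},
    # Group entry with 'description: Monitor' missing, as in step 4 of the report.
    MONITOR_DN: {"cn": ["Monitor"]},
}
GROUP_ATTRIBUTE = "sn"                 # principal-to-group group-attribute
GROUP_NAME_ATTRIBUTE = "description"   # group-search group-name-attribute


def groups_unchecked(entries, user_dn):
    """Mirrors the defective behaviour: the group name attribute is assumed to
    exist, so a group entry without it raises (TypeError here, NPE in Java)
    and the whole authentication fails."""
    groups = []
    for group_dn in entries[user_dn].get(GROUP_ATTRIBUTE, []):
        name_attr = entries.get(group_dn, {}).get(GROUP_NAME_ATTRIBUTE)
        groups.append(name_attr[0])  # name_attr is None when the attribute is absent
    return groups


def groups_checked(entries, user_dn):
    """Hardened variant (assumed, not EAP's fix): a group entry without the
    name attribute is skipped and reported, so the user still authenticates
    with whatever groups could be resolved."""
    groups, skipped = [], []
    for group_dn in entries[user_dn].get(GROUP_ATTRIBUTE, []):
        group_entry = entries.get(group_dn)
        names = group_entry.get(GROUP_NAME_ATTRIBUTE) if group_entry else None
        if not names:
            skipped.append(group_dn)  # worth logging: dangling DN or unnamed group
            continue
        groups.extend(names)
    return groups, skipped


def with_description(entries):
    """Models step 5 of the report: restore 'description: Monitor' on the group."""
    fixed = copy.deepcopy(entries)
    fixed[MONITOR_DN]["description"] = ["Monitor"]
    return fixed


if __name__ == "__main__":
    print(groups_checked(ENTRIES, JDUKE_DN))
    print(groups_checked(with_description(ENTRIES), JDUKE_DN))
```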