Bug 953513

Summary: spnego AdvancedLdapLoginModule cannot cope with roles containing a slash
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Security
Version: 6.1.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Target Milestone: ER6
Target Release: EAP 6.1.0
Hardware: Unspecified
OS: Unspecified
Reporter: Tom Fonteyne <tfonteyn>
Assignee: Darran Lofthouse <darran.lofthouse>
CC: brian.stansberry, jcacek, tfonteyn
Last Closed: 2013-07-23 18:38:00 UTC

Description Tom Fonteyne 2013-04-18 10:55:47 UTC
I have a group in AD with this DN:   CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com

and a user belonging to this group. RecurseRoles is set to true

Running test 3 of the negotiation toolkit fails.

Debugging led to: org/jboss/security/negotiation/AdvancedLdapLoginModule.java

   protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException

which bombs out with the exception:

Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com'


Further debugging led to a fix - here is the function that needs modifying:

   protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
   {
      if (log.isTraceEnabled())
         log.trace("rolesSearch resultDN = " + dn);

      String[] attrNames =
      {roleAttributeID};

      Attributes result = searchContext.getAttributes(dn, attrNames);
      if (result != null && result.size() > 0)
      {
         Attribute roles = result.get(roleAttributeID);
         for (int n = 0; n < roles.size(); n++)
         {
            String roleName = (String) roles.get(n);
            if (roleAttributeIsDN)
            {
               // Query the roleDN location for the value of roleNameAttributeID
               String baseRoleDN = roleName;
               String roleDN = "\"" + baseRoleDN + "\"";

               loadRoleByRoleNameAttributeID(searchContext, roleDN);
               recurseRolesSearch(searchContext, baseRoleDN);
...


rewrite the last bit to:

               // Query the roleDN location for the value of roleNameAttributeID
               String roleDN = "\"" + roleName + "\"";

               loadRoleByRoleNameAttributeID(searchContext, roleDN);
               recurseRolesSearch(searchContext, roleDN);

This way, recurseRolesSearch gets the quoted role DN, which prevents the JVM LDAP code from throwing the aforementioned exception.
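
The quoting problem described in this report, as an added example that is not code from the page or from the JBoss Negotiation project. JNDI parses a String name handed to LdapContext.getAttributes(String, String[]) as a CompositeName, where an unquoted forward slash separates components, so a DN such as CN=group/slash Test,... is split before it ever reaches the LDAP provider. The block below needs no directory server: it checks the component count of the unquoted and quoted DN with the JDK's own javax.naming classes, and additionally shows passing the DN as an LdapName, which bypasses composite-name parsing altogether. The LdapName route is the editor's suggestion, not the fix the module applied; the group DN is reused from the report as sample input, and the helper names are the example's own.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

/*
 * Added example (not part of JBoss Negotiation). Demonstrates why a DN that
 * contains '/' must be quoted before being used as a JNDI String name, and
 * shows an alternative that avoids String names for DNs entirely.
 */
public class JndiDnQuoting {

    // Constructed sample input: the group DN quoted in the bug report.
    static final String GROUP_DN =
            "CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com";

    /**
     * Number of composite-name components JNDI sees in a String name.
     * A DN must come out as exactly one component; otherwise the LDAP
     * provider only receives the text up to the first unquoted '/'.
     */
    static int componentCount(String jndiName) throws InvalidNameException {
        return new CompositeName(jndiName).size();
    }

    /**
     * Option 1 (the approach the fix in this bug takes): wrap the DN in double
     * quotes so the whole DN is one composite-name component. Enough for DNs
     * without a literal double quote; a DN carrying an LDAP-escaped quote (\")
     * would also need JNDI escaping, which this helper deliberately does not
     * attempt.
     */
    static String quoteDn(String dn) {
        return "\"" + dn + "\"";
    }

    /**
     * Option 2 (editor's suggestion): pass the DN as a javax.naming.Name.
     * An LdapName is a compound name in the LDAP namespace, so
     * DirContext.getAttributes(Name, String[]) performs no composite parsing
     * and '/' remains an ordinary character of the RDN value.
     */
    static Name asLdapName(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Unquoted: the '/' splits the DN into "CN=group" and
        // "slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com".
        System.out.println("unquoted components: " + componentCount(GROUP_DN));

        // Quoted: a single component whose value is the original DN,
        // quotes removed by the parser.
        String quoted = quoteDn(GROUP_DN);
        System.out.println("quoted components:   " + componentCount(quoted));
        System.out.println("quoted value:        " + new CompositeName(quoted).get(0));

        // LdapName: RDNs are indexed right to left, so the leaf RDN that
        // contains the slash sits at the highest index.
        LdapName ldapName = (LdapName) asLdapName(GROUP_DN);
        System.out.println("RDN count:           " + ldapName.size());
        System.out.println("leaf RDN:            " + ldapName.get(ldapName.size() - 1));
    }
}
```

Compile and run with `javac JndiDnQuoting.java && java JndiDnQuoting`; only the JDK's javax.naming package is required. Whichever option a login module takes, the same form has to be used consistently: the defect in this report is exactly that the quoted DN was built and then the unquoted copy was passed on to the recursive search.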

Comment 1 Darran Lofthouse 2013-04-22 12:57:15 UTC
From what I can see this was an oversight; assigning the quoted value to a variable would imply I did intend for it to be re-used.

Comment 2 JBoss JIRA Server 2013-04-22 13:17:59 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-04-22 14:03:44 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Resolved

Comment 7 Josef Cacek 2013-05-03 10:31:06 UTC
Verified in EAP 6.1.0.ER6.

PRs with regression tests:
https://github.com/wildfly/wildfly/pull/4456
https://github.com/jbossas/jboss-eap/pull/130

Comment 18 JBoss JIRA Server 2013-10-24 11:27:22 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-735

This issue is reproducible with configuration similar to the following: -

{code}
                      <login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">

                        <module-option name="bindDN" value="CN=as7" />
                        <module-option name="bindCredential" value="xxx" />

                        <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
        
                        <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                        <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        
                        <module-option name="roleAttributeID" value="memberOf"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                        <module-option name="roleNameAttributeID" value="name"/>
        
                        <module-option name="recurseRoles" value="true"/>

                    </login-module>
{code}

The absence of a roleFilter is why the distinguished name is not being correctly quoted. Adding the roleFilter would not normally be required, as it does result in additional searches being performed by the LDAP server, but in this case it is a possible workaround for the distinguished name to be quoted where required.

Comment 19 JBoss JIRA Server 2013-12-17 09:13:34 UTC
Ivo Studensky <istudens> updated the status of jira JBPAPP-10719 to Coding In Progress

Comment 20 JBoss JIRA Server 2013-12-18 17:07:54 UTC
Hui Wang <huwang> updated the status of jira JBPAPP-10719 to Resolved