Bug 981015

Summary: LDAP auth fails if user's DN contains a backslash
Product: [JBoss] JBoss Operations Network Reporter: Larry O'Leary <loleary>
Component: SecurityAssignee: Larry O'Leary <loleary>
Status: CLOSED CURRENTRELEASE QA Contact: Mike Foley <mfoley>
Severity: high Docs Contact:
Priority: urgent    
Version: JON 3.1.2CC: hrupp, skondkar
Target Milestone: ER01   
Target Release: JON 3.2.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 985098 (view as bug list) Environment:
Last Closed: 2014-01-02 20:37:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 985098    
Attachments:
Description Flags
Proposed patch to better handle a DN from the search result. none

Description Larry O'Leary 2013-07-03 19:22:16 UTC 
Created attachment 768413 [details]
Proposed patch to better handle a DN from the search result.

Description of problem:
If a user's LDAP entry contains a backslash (\) that will result in its DN to include such backslash, JBoss ON fails to authenticate the user due to an invalid DN being sent to the LDAP server.

For example:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group


Will result in:

    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
    INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon


Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN. Such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log-in as the user who has a backslash in their CN.

       csamlin
       redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

    LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters[1].

To fix this we need to treat the search result as a composite name or retrieve the name is it is in its namespace. To demonstrate the fix, I have attached a proposed patch. 


http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
Comment 1 Heiko W. Rupp 2013-07-17 14:33:24 UTC 
master 01cd91b130f5
Comment 2 Larry O'Leary 2013-07-22 15:38:03 UTC 
Looking into LdapGroupManagerBeanTest failures. Most likely a result of my change set removing the handling on JNDI quoting from the mock LDAP context.
Comment 3 Larry O'Leary 2013-07-22 21:13:58 UTC 
Fixed test failures with https://git.fedorahosted.org/cgit/rhq/rhq.git/commit/?id=567aee7f81c6aa0f7680d4f394cccb1974705320



commit 567aee7f81c6aa0f7680d4f394cccb1974705320
Author: Larry O'Leary <loleary>
Date:   Mon Jul 22 16:10:09 2013 -0500

    BZ 981015: Fix test failures introduced by commit 01cd91b
     - findLdapUserDetails was appending baseDN twice during fallback code
     - FakeLdapContext contained some lazy escaping on the mock group entries
Comment 4 Larry O'Leary 2013-09-06 14:30:21 UTC 
As this is MODIFIED or ON_QA, setting milestone to ER1.
Comment 5 Sunil Kondkar 2013-10-07 11:14:25 UTC 
Verified on Version: 3.2.0.ER2 Build Number: 9bf6f76:371eac0

Created below user on Redhat Directory Server 8.2.0

dn: cn=Charles H\\Samlin,dc=usersys,dc=redhat,dc=com
telephoneNumber: 555-555-1213
mail: csamlin.com
uid: csamlin
givenName: csamlin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: H\Samlin
cn: Charles H\Samlin
description: User with backslash (\) in cn
userPassword: {SSHA}ARklgcvmHqmjlUjETy1GP6r9+ocwqP0YeMYQNw==

Provided the LDAP details in Jboss ON Administration->System Settings'.
Logged in as the user having backslash in the CN (csamlin/redhat)

User is navigated successfully to registration screen and login is successful without error.