Bug 985098

Summary: LDAP auth fails if user's DN contains a backslash
Product: [JBoss] JBoss Operations Network
Reporter: Larry O'Leary <loleary>
Component: Security
Assignee: Larry O'Leary <loleary>
Status: CLOSED NEXTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: high
Priority: urgent
Version: JON 3.1.2
Target Release: JON 3.1.3
Hardware: All
OS: All
Doc Type: Bug Fix
Clone Of: 981015
Clones: 985099
Last Closed: 2013-09-06 02:24:31 UTC
Type: Bug
Bug Depends On: 981015
Bug Blocks: 985099

Description Larry O'Leary 2013-07-16 19:12:14 UTC
+++ This bug was initially created as a clone of Bug #981015 +++

Description of problem:
If a user's LDAP entry contains a backslash (\) such that the entry's DN includes that backslash, JBoss ON fails to authenticate the user because an invalid DN is sent to the LDAP server.

For example:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group


Will result in:

    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
    INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon


Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP whose CN includes a backslash (\) and whose DN uses the CN, such as the following LDIF:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log in as the user who has a backslash in their CN.

       csamlin
       redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

    LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters [1].

To fix this we need to treat the search result as a composite name or retrieve the name as it is in its namespace. To demonstrate the fix, I have attached a proposed patch.

[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
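The following is an added example, not code from the bug report or from the JBoss ON source, that reproduces the DN mangling offline with only the javax.naming classes (no LDAP server needed). The sample RDN and base DN are constructed from the LDIF in the report. simulateGetName() is an assumption about the JNDI LDAP provider's behaviour: that it wraps the relative LDAP name in a CompositeName before returning it from SearchResult.getName(), which is the composite-name escaping the Oracle tutorial describes. The method names (naivePrincipalDn, decodedPrincipalDn, leafValue) are illustrative, not names from the login module.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Offline reconstruction of the DN handling behind the bug. simulateGetName() stands in
 * for what SearchResult.getName() hands back (assumption: the JNDI LDAP provider wraps
 * the relative LDAP name in a CompositeName, whose toString() re-escapes backslashes).
 */
public class BackslashDnDemo {

    // Constructed sample from the LDIF in the report. In LDAP string syntax a literal
    // backslash in a value is written as "\\", so this Java literal holds the runtime
    // string  cn=Charles H\\Samlin  whose attribute value is  Charles H\Samlin.
    static final String LDAP_RDN = "cn=Charles H\\\\Samlin";
    static final String BASE_DN  = "ou=users,dc=test,dc=rhq,dc=redhat,dc=com";

    /** What SearchResult.getName() returns: composite-name syntax, in which '\' is
     *  itself the escape character and is therefore doubled a second time. */
    static String simulateGetName(String ldapRelativeName) throws InvalidNameException {
        CompositeName composite = new CompositeName();
        composite.add(ldapRelativeName);
        return composite.toString();
    }

    /** The failing pattern: treat getName() output as LDAP syntax and append the base. */
    static String naivePrincipalDn(String searchResultName) {
        return searchResultName + "," + BASE_DN;
    }

    /** The fix: decode the composite name first, then assemble the DN with LdapName so
     *  escaping stays consistent. Equivalent to using SearchResult.getNameInNamespace(). */
    static String decodedPrincipalDn(String searchResultName) throws NamingException {
        String ldapRelative = new CompositeName(searchResultName).get(0);
        LdapName dn = new LdapName(BASE_DN);
        dn.addAll(new LdapName(ldapRelative)); // LdapName index 0 is the rightmost RDN
        return dn.toString();
    }

    /** Unescaped value of the leftmost RDN, i.e. the cn the server will try to match. */
    static String leafValue(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        Rdn leaf = name.getRdn(name.size() - 1);
        return String.valueOf(leaf.getValue());
    }

    public static void main(String[] args) throws NamingException {
        String fromJndi = simulateGetName(LDAP_RDN);
        String naive    = naivePrincipalDn(fromJndi);
        String decoded  = decodedPrincipalDn(fromJndi);

        System.out.println("getName()       : " + fromJndi);
        System.out.println("naive bind DN   : " + naive   + "   cn=[" + leafValue(naive)   + "]");
        System.out.println("decoded bind DN : " + decoded + "   cn=[" + leafValue(decoded) + "]");

        // The check a login module can make before binding: the cn it is about to bind
        // as must equal the value stored in the directory (constructed from the LDIF).
        String storedCn = "Charles H\\Samlin";
        System.out.println("naive matches directory   : " + storedCn.equals(leafValue(naive)));
        System.out.println("decoded matches directory : " + storedCn.equals(leafValue(decoded)));
    }
}
```

Compile and run with `javac BackslashDnDemo.java && java BackslashDnDemo`. The naive DN is syntactically valid LDAP, which is why nothing fails until the bind: its cn value carries two backslashes where the directory entry has one, so the server sees a bind against a non-existent entry and answers with error code 49. Decoding the composite name (or calling getNameInNamespace(), which returns the DN already in LDAP syntax) removes the extra escaping layer before the DN is ever sent.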

Comment 2 Larry O'Leary 2013-09-06 02:24:31 UTC
Closing as there will not be a 3.1.3 release. This is being tracked for 3.2 in the 'depends on' field.