Bug 985099

Summary: [hotfix] LDAP auth fails if user's DN contains a backslash
Product: [JBoss] JBoss Operations Network
Reporter: Larry O'Leary <loleary>
Component: Security
Assignee: Larry O'Leary <loleary>
Status: CLOSED ERRATA
QA Contact: Larry O'Leary <loleary>
Severity: high
Docs Contact:
Priority: medium
Version: JON 3.1.2
Target Milestone: GA
Target Release: JON 3.1.2
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 985098
Environment:
Last Closed: 2013-08-08 16:19:39 UTC
Type: Support Patch
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 985098
Bug Blocks: 994220

Description Larry O'Leary 2013-07-16 19:14:32 UTC
+++ This bug was initially created as a clone of Bug #985098 +++

+++ This bug was initially created as a clone of Bug #981015 +++

Description of problem:
If a user's LDAP entry contains a backslash (\) that results in its DN including that backslash, JBoss ON fails to authenticate the user due to an invalid DN being sent to the LDAP server.

For example:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin@rhq.redhat.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group


Will result in:

    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
    INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon


Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN. Such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin@rhq.redhat.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log-in as the user who has a backslash in their CN.

       csamlin
       redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

    LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters[1].

To fix this we need to treat the search result as a composite name or retrieve the name as it is in its namespace. To demonstrate the fix, I have attached a proposed patch.


[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
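
The escaping behaviour behind this report can be reproduced without a directory server. The following is an added illustration, not code from the report, the attached patch, or the RHQ/JBoss ON code base. It assumes, as the cited JNDI tutorial describes, that SearchResult.getName() returns the entry's relative LDAP name as a composite-name string (one CompositeName component), which is what re-escapes backslashes; the class and method names (CompositeDnDemo, asSearchResultName, principalDnBuggy, principalDnFixed, countBackslashes) are invented for the demo. It builds the DN from the LDIF above, shows what the composite-name form of it looks like, uses it once verbatim (the failing path) and once parsed back through CompositeName (the fix), and checks that only the parsed form round-trips to the directory's DN.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;

/**
 * Added demo (not JBoss ON code): shows how a DN containing a backslash is
 * mangled when a JNDI search-result name is used directly as a bind DN, and
 * how parsing that name as a composite name recovers the real LDAP DN.
 * Only javax.naming is used; no LDAP server is contacted.
 */
public class CompositeDnDemo {

    /** DN from the report's LDIF, in RFC 4514 syntax: "\\" encodes one literal backslash. */
    static final String LDAP_DN =
            "cn=Charles H\\\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com";

    /**
     * Assumption (from the JNDI tutorial the report cites): SearchResult.getName()
     * hands back the LDAP name as a composite-name string, i.e. the name added as a
     * single CompositeName component. CompositeName escapes a backslash that precedes
     * a metacharacter (another backslash, "/", or a quote), so the DN's "\\" grows.
     */
    static String asSearchResultName(String ldapDn) throws InvalidNameException {
        CompositeName composite = new CompositeName();
        composite.add(ldapDn);
        return composite.toString();
    }

    /** Failing path: the composite-name string is used verbatim as principalDn. */
    static String principalDnBuggy(String searchResultName) {
        return searchResultName;
    }

    /** Fix: parse the composite name and take its single LDAP component back out. */
    static String principalDnFixed(String searchResultName) throws InvalidNameException {
        return new CompositeName(searchResultName).get(0);
    }

    /** Raw backslash count, so the candidate bind DNs can be compared by eye. */
    static int countBackslashes(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '\\') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws InvalidNameException {
        String fromSearch = asSearchResultName(LDAP_DN);
        String buggy = principalDnBuggy(fromSearch);
        String fixed = principalDnFixed(fromSearch);

        System.out.println("directory DN      : " + LDAP_DN
                + "  (" + countBackslashes(LDAP_DN) + " backslashes)");
        System.out.println("getName() string  : " + fromSearch
                + "  (" + countBackslashes(fromSearch) + " backslashes)");
        System.out.println("buggy principalDn : " + buggy
                + "  matches directory DN: " + buggy.equals(LDAP_DN));
        System.out.println("fixed principalDn : " + fixed
                + "  matches directory DN: " + fixed.equals(LDAP_DN));

        // The parsed component must be exactly the DN the directory holds;
        // that is the string a bind has to carry for the server to find the entry.
        if (!fixed.equals(LDAP_DN)) {
            throw new IllegalStateException("composite-name round trip lost the DN");
        }
    }
}
```

Compile and run with `javac CompositeDnDemo.java && java CompositeDnDemo`. The buggy line is the string that ends up in the bind described above; the fixed line is what `new CompositeName(sr.getName()).get(0)` yields. The other route the report mentions, retrieving the name as it is in its namespace, is `sr.getNameInNamespace()` on the real SearchResult, which returns the full DN without composite-name escaping and so needs no parsing at all.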

Comment 1 Larry O'Leary 2013-08-05 21:14:07 UTC
Committed to hotfix/jon3.1.2 as https://git.fedorahosted.org/cgit/rhq/rhq.git/commit/?id=bbe1c9b92ae47cda13927a3f541874ecb52c868d

Comment 3 Larry O'Leary 2013-08-06 22:51:11 UTC
Verified in jon-server-3.1.2.GA-hotfix-02 - 5544e322e3e5e48395f788180308d7bb

User with the following DN could log in successfully and their groups were properly loaded and mapped to JBoss ON roles:

DN: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com

Comment 4 Larry O'Leary 2013-08-08 16:19:39 UTC
Fixed in Server Hotfix-02 for JBoss ON 3.1.2.