1017974 – Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles

Bug 1017974 - Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles

Summary: Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.1.1
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	ER7
Target Release:	EAP 6.2.0
Assignee:	Darran Lofthouse
QA Contact:	Josef Cacek
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:	1017976 1031005
TreeView+	depends on / blocked

Reported:	2013-10-10 21:30 UTC by Chris Dolphy
Modified:	2023-09-14 01:51 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-12-15 16:17:55 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
test case (3.45 KB, application/gzip) 2013-10-10 21:36 UTC, Chris Dolphy	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	953513	unspecified	CLOSED	spnego AdvancedLdapLoginModule cannot cope with roles contains a slash	2021-02-22 00:41:40 UTC
Red Hat Issue Tracker	SECURITY-758	Major	Resolved	AdvancedLdapLoginModule doesn't isn't mapping nested roles	2015-09-14 16:25:43 UTC
Red Hat Issue Tracker	SECURITY-761	Major	Resolved	Release JBoss Negotiation 2.2.6	2015-09-14 16:25:43 UTC

Internal Links: 953513

Description Chris Dolphy 2013-10-10 21:30:11 UTC

Description of problem:

The AdvancedLdapLoginModule isn't mapping nested roles.   This was a regression in 6.1.1.  Likely caused by SECURITY-735 (https://bugzilla.redhat.com/show_bug.cgi?id=953513).


Version-Release number of selected component (if applicable):
EAP 6.1.1
jboss-negotiation-extras 2.2.5-Final-redhat-2

How reproducible:
Unit test attached.

Steps to Reproduce:
1.  Run unit test

Actual results:


Expected results:


Additional info:

I traced the code and the issue seems to be caused by AdvancedLdapLoginModule.rolesSearch calling searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls); with filterArgs in quotes.  This returns no results.

I also noticed that SECURITY-749 made a similar change to LdapExtLoginModule, but it unescapes for the search.  

Finally, maybe the escaping needs to be revisited.  See http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4307193.

Comment 1 Chris Dolphy 2013-10-10 21:36:04 UTC

Created attachment 810801 [details]
test case

Comment 4 Darran Lofthouse 2013-10-23 17:24:50 UTC

I now have a fix both for the issue reported in this Jira and for the previous issue that caused this regression.

I will proceed to tagging a release in the morning.

Comment 7 JBoss JIRA Server 2013-10-24 10:39:15 UTC

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Coding In Progress

Comment 8 JBoss JIRA Server 2013-10-24 11:25:16 UTC

Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-758

This can be reproduced with configuration similar to the following: -

{code}
                      <login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">

                        <module-option name="bindDN" value="CN=as7" />
                        <module-option name="bindCredential" value="xxx" />

                        <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
        
                        <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                        <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>

                        <module-option name="roleFilter" value="(distinguishedName={1})"/>
                        
                        <module-option name="roleAttributeID" value="memberOf"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                        <module-option name="roleNameAttributeID" value="name"/>
        
                        <module-option name="recurseRoles" value="true"/>

                    </login-module>
{code}

Note: One possible workaround could be if a definition is possible without the rolesFilter.

Comment 9 JBoss JIRA Server 2013-10-24 11:28:17 UTC

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Resolved

Comment 10 JBoss JIRA Server 2013-10-24 11:59:36 UTC

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-758 to Resolved

Comment 12 Josef Cacek 2013-11-15 12:17:32 UTC

Role recursion doesn't work when referrals are followed:

LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
	<module-option name="baseFilter" value="(uid={0})"/>
	<module-option name="java.naming.referral" value="follow"/>
	<module-option name="bindDN" value="uid=admin,ou=system"/>
	<module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
	<module-option name="referralUserAttributeIDToCheck" value="member"/>
	<module-option name="roleNameAttributeID" value="cn"/>
	<module-option name="recurseRoles" value="true"/>
	<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
	<module-option name="java.naming.security.authentication" value="simple"/>
	<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
	<module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
	<module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
	<module-option name="bindCredential" value="secret"/>
	<module-option name="roleAttributeIsDN" value="true"/>
	<module-option name="roleAttributeID" value="description"/>
	<module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

########################

user jduke should get Admin role assigned, but it doesn't work with AdvancedLdapLoginModule

It works as expected when the LdapExtLoginModule is used.

Comment 13 Darran Lofthouse 2013-11-15 12:24:42 UTC

This issue has never attempted to address referrals.
 - Did mapping referrals work before this fix?
 - Did mapping referrals work before the fix that caused the regression that is fixed here?

This issue is only about fixing the regression.

Comment 14 Josef Cacek 2013-11-15 13:09:59 UTC

(The version tested was CR1).

The remaining issue is not a regression. Therefor I will set this issue to verified and create a new one for the referrals use-case.

Comment 15 Josef Cacek 2013-11-15 13:16:25 UTC

Russell, could you please describe the limitation in role search in Release Notes? Thanks.

Comment 17 Red Hat Bugzilla 2023-09-14 01:51:54 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.