Bug 1017974 - Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles
Summary: Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: All
OS: All
Target Milestone: ER7
: EAP 6.2.0
Assignee: Darran Lofthouse
QA Contact: Josef Cacek
Russell Dickenson
Depends On:
Blocks: 1017976 1031005
TreeView+ depends on / blocked
Reported: 2013-10-10 21:30 UTC by Chris Dolphy
Modified: 2023-09-14 01:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-12-15 16:17:55 UTC
Type: Bug

Attachments (Terms of Use)
test case (3.45 KB, application/gzip)
2013-10-10 21:36 UTC, Chris Dolphy
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 953513 0 unspecified CLOSED spnego AdvancedLdapLoginModule cannot cope with roles contains a slash 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker SECURITY-758 0 Major Resolved AdvancedLdapLoginModule doesn't isn't mapping nested roles 2015-09-14 16:25:43 UTC
Red Hat Issue Tracker SECURITY-761 0 Major Resolved Release JBoss Negotiation 2.2.6 2015-09-14 16:25:43 UTC

Internal Links: 953513

Description Chris Dolphy 2013-10-10 21:30:11 UTC
Description of problem:

The AdvancedLdapLoginModule isn't mapping nested roles.   This was a regression in 6.1.1.  Likely caused by SECURITY-735 (https://bugzilla.redhat.com/show_bug.cgi?id=953513).

Version-Release number of selected component (if applicable):
EAP 6.1.1
jboss-negotiation-extras 2.2.5-Final-redhat-2

How reproducible:
Unit test attached.

Steps to Reproduce:
1.  Run unit test

Actual results:

Expected results:

Additional info:

I traced the code and the issue seems to be caused by AdvancedLdapLoginModule.rolesSearch calling searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls); with filterArgs in quotes.  This returns no results.

I also noticed that SECURITY-749 made a similar change to LdapExtLoginModule, but it unescapes for the search.  

Finally, maybe the escaping needs to be revisited.  See http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4307193.

Comment 1 Chris Dolphy 2013-10-10 21:36:04 UTC
Created attachment 810801 [details]
test case

Comment 4 Darran Lofthouse 2013-10-23 17:24:50 UTC
I now have a fix both for the issue reported in this Jira and for the previous issue that caused this regression.

I will proceed to tagging a release in the morning.

Comment 7 JBoss JIRA Server 2013-10-24 10:39:15 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Coding In Progress

Comment 8 JBoss JIRA Server 2013-10-24 11:25:16 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-758

This can be reproduced with configuration similar to the following: -

                      <login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">

                        <module-option name="bindDN" value="CN=as7" />
                        <module-option name="bindCredential" value="xxx" />

                        <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
                        <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                        <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>

                        <module-option name="roleFilter" value="(distinguishedName={1})"/>
                        <module-option name="roleAttributeID" value="memberOf"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                        <module-option name="roleNameAttributeID" value="name"/>
                        <module-option name="recurseRoles" value="true"/>


Note: One possible workaround could be if a definition is possible without the rolesFilter.

Comment 9 JBoss JIRA Server 2013-10-24 11:28:17 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Resolved

Comment 10 JBoss JIRA Server 2013-10-24 11:59:36 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-758 to Resolved

Comment 12 Josef Cacek 2013-11-15 12:17:32 UTC
Role recursion doesn't work when referrals are followed:

LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
	<module-option name="baseFilter" value="(uid={0})"/>
	<module-option name="java.naming.referral" value="follow"/>
	<module-option name="bindDN" value="uid=admin,ou=system"/>
	<module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
	<module-option name="referralUserAttributeIDToCheck" value="member"/>
	<module-option name="roleNameAttributeID" value="cn"/>
	<module-option name="recurseRoles" value="true"/>
	<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
	<module-option name="java.naming.security.authentication" value="simple"/>
	<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
	<module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
	<module-option name="java.naming.provider.url" value="ldap://"/>
	<module-option name="bindCredential" value="secret"/>
	<module-option name="roleAttributeIsDN" value="true"/>
	<module-option name="roleAttributeID" value="description"/>
	<module-option name="throwValidateError" value="true"/>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org


user jduke should get Admin role assigned, but it doesn't work with AdvancedLdapLoginModule

It works as expected when the LdapExtLoginModule is used.

Comment 13 Darran Lofthouse 2013-11-15 12:24:42 UTC
This issue has never attempted to address referrals.
 - Did mapping referrals work before this fix?
 - Did mapping referrals work before the fix that caused the regression that is fixed here?

This issue is only about fixing the regression.

Comment 14 Josef Cacek 2013-11-15 13:09:59 UTC
(The version tested was CR1).

The remaining issue is not a regression. Therefor I will set this issue to verified and create a new one for the referrals use-case.

Comment 15 Josef Cacek 2013-11-15 13:16:25 UTC
Russell, could you please describe the limitation in role search in Release Notes? Thanks.

Comment 17 Red Hat Bugzilla 2023-09-14 01:51:54 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.