Description of problem:
The AdvancedLdapLoginModule isn't mapping nested roles. This was a regression in 6.1.1. Likely caused by SECURITY-735 (https://bugzilla.redhat.com/show_bug.cgi?id=953513).

Version-Release number of selected component (if applicable):
EAP 6.1.1
jboss-negotiation-extras 2.2.5-Final-redhat-2

How reproducible:
Unit test attached.

Steps to Reproduce:
1. Run unit test

Actual results:

Expected results:

Additional info:
I traced the code and the issue seems to be caused by AdvancedLdapLoginModule.rolesSearch calling

    searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);

with filterArgs in quotes. This returns no results.

I also noticed that SECURITY-749 made a similar change to LdapExtLoginModule, but it unescapes for the search.

Finally, maybe the escaping needs to be revisited. See http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4307193.
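The filter-argument handling the report describes, as an added worked example (Python; not code from jboss-negotiation or the JDK): an RFC 4515 escape/unescape pair, a build_filter helper that substitutes {0}/{1} the way JNDI filterArgs are meant to be used (argument escaped, template left alone), and a small stand-in matcher that plays the directory server for a single equality filter. It shows why a DN argument wrapped in double quotes matches nothing, why escaping an already escaped value also matches nothing, why a DN containing parentheses must be escaped at all, and why an unescaped '*' turns the role lookup into a wildcard. The user and role entries are constructed from the LDIF later in this bug; the "Sales (EMEA)" group DN is hypothetical and exists only to exercise a DN that needs escaping.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one string for use as an assertion value in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode \\XX hex escapes; reject a dangling or malformed backslash."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2 or not all(c in "0123456789abcdefABCDEF" for c in hexpair):
                raise ValueError(f"malformed escape at offset {i}: {value!r}")
            out.append(chr(int(hexpair, 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_filter(template: str, *args: str) -> str:
    """Substitute {0}, {1}, ... as JNDI filterArgs are meant to be used:
    each argument is escaped exactly once, the template is not touched."""
    return template.format(*(escape_filter_value(a) for a in args))


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$", re.DOTALL)


def matches(filter_expr: str, entry: dict) -> bool:
    """Constructed stand-in for a directory server.

    Supports only (attr=value) with '*' wildcards; names and values compare
    case-insensitively, which is close enough for DN-valued attributes."""
    m = _EQUALITY.match(filter_expr)
    if not m:
        raise ValueError(f"unsupported or malformed filter: {filter_expr!r}")
    attr, assertion = m.group(1), m.group(2)
    if "(" in assertion or ")" in assertion:
        # An unescaped parenthesis inside a value is a syntax error, not data.
        raise ValueError(f"unescaped parenthesis in value: {assertion!r}")
    # Split on unescaped '*' only: an escaped one is the three characters \2a.
    pieces = [re.escape(unescape_filter_value(p)) for p in assertion.split("*")]
    pattern = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE | re.DOTALL)
    values = [v for k, v in entry.items() if k.lower() == attr.lower()]
    return any(pattern.match(v) for vs in values for v in vs)


# Constructed sample data, modelled on the LDIF in this bug (not real directory content).
USER_DN = "uid=jduke,ou=People,dc=jboss,dc=org"
ADMIN_ROLE = {"cn": ["Admin"], "member": [USER_DN]}
SALES_DN = "cn=Sales (EMEA),ou=Groups,dc=example,dc=com"  # hypothetical DN with parentheses
PARENT_ROLE = {"cn": ["AllSales"], "member": [SALES_DN]}  # nested group, found on recursion


def demo() -> dict:
    """Return which filter variants match the sample role entries."""
    results = {}
    # Correct: the DN goes in as an escaped argument.
    results["escaped_arg"] = matches(build_filter("(member={1})", "jduke", USER_DN), ADMIN_ROLE)
    # The regression in the report: the argument arrives wrapped in double quotes.
    results["quoted_arg"] = matches(f'(member="{USER_DN}")', ADMIN_ROLE)
    # Escaping twice turns \28 into \5c28, a literal backslash in the compared value.
    twice = escape_filter_value(escape_filter_value(SALES_DN))
    results["double_escaped"] = matches(f"(member={twice})", PARENT_ROLE)
    # Escaped once, a DN with parentheses round-trips and matches.
    results["parens_escaped"] = matches(build_filter("(member={1})", "x", SALES_DN), PARENT_ROLE)
    # Injection angle: a raw '*' is a wildcard, an escaped one is a literal.
    results["raw_star"] = matches("(member=*)", ADMIN_ROLE)
    results["escaped_star"] = matches(build_filter("(member={1})", "x", "*"), ADMIN_ROLE)
    # Unescaped parentheses in the DN make the whole filter a syntax error.
    try:
        matches(f"(member={SALES_DN})", PARENT_ROLE)
        results["raw_parens"] = "matched"
    except ValueError:
        results["raw_parens"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The point for a login module is that exactly one layer is responsible for escaping: either the caller escapes and substitutes into the template itself, or it hands raw values to the search API as filterArgs and lets that API escape them. Doing both, or quoting the value, produces a filter that is syntactically valid yet matches no entry, which shows up as missing roles rather than an error.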
Created attachment 810801: test case
I now have a fix both for the issue reported in this Jira and for the previous issue that caused this regression. I will proceed to tagging a release in the morning.
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Coding In Progress
Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-758

This can be reproduced with configuration similar to the following:

{code}
<login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">
  <module-option name="bindDN" value="CN=as7" />
  <module-option name="bindCredential" value="xxx" />
  <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
  <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
  <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
  <module-option name="roleFilter" value="(distinguishedName={1})"/>
  <module-option name="roleAttributeID" value="memberOf"/>
  <module-option name="roleAttributeIsDN" value="true"/>
  <module-option name="roleNameAttributeID" value="name"/>
  <module-option name="recurseRoles" value="true"/>
</login-module>
{code}

Note: One possible workaround could be if a definition is possible without the rolesFilter.
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-761 to Resolved
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-758 to Resolved
Role recursion doesn't work when referrals are followed.

LM configuration:

<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
  <module-option name="baseFilter" value="(uid={0})"/>
  <module-option name="java.naming.referral" value="follow"/>
  <module-option name="bindDN" value="uid=admin,ou=system"/>
  <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
  <module-option name="referralUserAttributeIDToCheck" value="member"/>
  <module-option name="roleNameAttributeID" value="cn"/>
  <module-option name="recurseRoles" value="true"/>
  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
  <module-option name="java.naming.security.authentication" value="simple"/>
  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
  <module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
  <module-option name="bindCredential" value="secret"/>
  <module-option name="roleAttributeIsDN" value="true"/>
  <module-option name="roleAttributeID" value="description"/>
  <module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

########################

User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule. It works as expected when the LdapExtLoginModule is used.
This issue has never attempted to address referrals. - Did mapping referrals work before this fix? - Did mapping referrals work before the fix that caused the regression that is fixed here? This issue is only about fixing the regression.
(The version tested was CR1.) The remaining issue is not a regression. Therefore I will set this issue to verified and create a new one for the referrals use case.
Russell, could you please describe the limitation in role search in Release Notes? Thanks.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days