Bug 1025496 - Securing management console with LDAP authentication prevents access
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
6.2.0
Unspecified Unspecified
unspecified Severity unspecified
: CR1
: EAP 6.2.0
Assigned To: Darran Lofthouse
Jakub Cechacek
Russell Dickenson
Reported: 2013-10-31 15:48 EDT by Chris Dolphy
Modified: 2015-02-01 18:00 EST
Doc Type: Bug Fix
Last Closed: 2013-12-15 11:15:50 EST
Type: Bug
Attachments
standalone.xml to reproduce issue (16.67 KB, text/xml)
2013-10-31 15:49 EDT, Chris Dolphy
Description Chris Dolphy 2013-10-31 15:48:16 EDT
Description of problem:
Receive following error in browser when trying to access /console:
  The management interface could not be loaded.
  Authentication required.
after enabling LDAP authentication for http-interface and although the user is successfully looked up in LDAP, 

Same configuration works in EAP 6.1.1.

Version-Release number of selected component (if applicable):
EAP 6.2.0 beta

How reproducible:
reproducible with steps below

Steps to Reproduce:
1.  setup LDAP server with appropriate user
2.  create outbound-connection.  e.g.

<outbound-connections>
   <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

3. create ldap security realm:

<security-realm name="ldap_security_realm">
  <authentication>
    <ldap connection="ldap_connection" base-dn="ou=users,ou=system" recursive="true" user-dn="dn">
      <username-filter attribute="uid"/>
    </ldap>
  </authentication>
</security-realm>

4. change http-interface to use security-realm:  e.g.

<http-interface security-realm="ldap_security_realm">

5. login to http:localhost:9990/console

Actual results:

Login is accepted, but browser displays:
The management interface could not be loaded.
Authentication required.

Log file shows:

14:32:28,062 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Performing recursive search
14:32:28,062 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Searching for user 'testuser' using filter '(uid={0})'.
14:32:28,064 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) DN 'cn=testuser,ou=users,ou=system' found for user 'testuser'
14:32:28,066 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Password verified for user 'testuser'


Expected results:

management console is displayed.

Additional info:

see attachment for standalone.xml
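
One way to rule out a wiring mistake in a configuration like the one in the steps above before suspecting the server itself. This is an added example, not part of the original report or of JBoss code. The `<management>` wrapper, the self-closed `http-interface` element and the names `local` and `check_ldap_wiring` are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the report's three fragments inside an assumed wrapper.
SAMPLE = """<management>
  <security-realms>
    <security-realm name="ldap_security_realm">
      <authentication>
        <ldap connection="ldap_connection" base-dn="ou=users,ou=system" recursive="true" user-dn="dn">
          <username-filter attribute="uid"/>
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
  <outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
  </outbound-connections>
  <management-interfaces>
    <http-interface security-realm="ldap_security_realm"/>
  </management-interfaces>
</management>"""


def local(el):
    """Tag name with any XML namespace stripped (real files are namespaced)."""
    return el.tag.rsplit("}", 1)[-1]


def check_ldap_wiring(xml_text):
    """List problems in the http-interface -> security-realm -> LDAP connection chain."""
    elems = list(ET.fromstring(xml_text).iter())
    realms = {e.get("name"): e for e in elems if local(e) == "security-realm"}
    conns = {c.get("name"): c
             for p in elems if local(p) == "outbound-connections"
             for c in p if local(c) == "ldap"}
    problems = []
    for iface in (e for e in elems if local(e) == "http-interface"):
        name = iface.get("security-realm")
        if name not in realms:
            problems.append(f"ERROR: http-interface names unknown realm {name!r}")
            continue
        for auth in (e for e in realms[name].iter() if local(e) == "ldap"):
            conn = conns.get(auth.get("connection"))
            if conn is None:
                problems.append(f"ERROR: realm {name!r} names unknown connection "
                                f"{auth.get('connection')!r}")
            elif not conn.get("url", "").lower().startswith("ldaps://"):
                # Hardening note only: the chain resolves, but the URL is plain ldap://.
                problems.append(f"WARN: connection {conn.get('name')!r} uses a non-ldaps:// URL")
    return problems
```

On the constructed sample the references all resolve and only the plain `ldap://` URL is flagged, which matches the report: the configuration was consistent and the fault lay elsewhere.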
Comment 1 Chris Dolphy 2013-10-31 15:49:07 EDT
Created attachment 818044
standalone.xml to reproduce issue
Comment 5 Darran Lofthouse 2013-11-01 08:07:38 EDT
I will have a look.
Comment 6 Darran Lofthouse 2013-11-01 08:38:28 EDT
A quick test on WildFly and WildFly does not seem affected.
Comment 7 Darran Lofthouse 2013-11-01 08:47:14 EDT
I can reproduce on the latest EAP - there should not actually be anything specific to the console so for that reason I am going to take ownership for now while I investigate further.

Due to the different HTTP servers in use between WildFly and EAP I would suspect a mistake in the merge between the two.

I don't actually see a question being asked with the needinfo flag so I am going to clear it as I am now investigating.
Comment 8 Darran Lofthouse 2013-11-01 09:17:00 EDT
Found it - an issue specific to the BasicAuthenticator within EAP, should only be a minor change.
Comment 10 Josef Cacek 2013-11-11 08:57:28 EST
Verified in CR1-preview.