Bug 1031005 - AdvancedLdapLoginModule fails to follow referrals when role recursion is used
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Severity: high
: GA
: EAP 6.3.0
Assigned To: Darran Lofthouse
Josef Cacek
Russell Dickenson
Depends On: 1017974
Reported: 2013-11-15 08:14 EST by Josef Cacek
Modified: 2014-07-29 10:05 EDT (History)
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2014-07-29 10:05:58 EDT
Type: Bug
Description Josef Cacek 2013-11-15 08:14:06 EST
Originally in: https://bugzilla.redhat.com/show_bug.cgi?id=1017974#c12

Role recursion doesn't work when referrals are followed:

LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
	<module-option name="baseFilter" value="(uid={0})"/>
	<module-option name="java.naming.referral" value="follow"/>
	<module-option name="bindDN" value="uid=admin,ou=system"/>
	<module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
	<module-option name="referralUserAttributeIDToCheck" value="member"/>
	<module-option name="roleNameAttributeID" value="cn"/>
	<module-option name="recurseRoles" value="true"/>
	<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
	<module-option name="java.naming.security.authentication" value="simple"/>
	<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
	<module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
	<module-option name="java.naming.provider.url" value="ldap://"/>
	<module-option name="bindCredential" value="secret"/>
	<module-option name="roleAttributeIsDN" value="true"/>
	<module-option name="roleAttributeID" value="description"/>
	<module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule.

It works as expected when the LdapExtLoginModule is used.
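The lookup the report expects, written out as an added example that is not part of the bug report or of JBoss code: a Python simulation of the two directories above in which the user is found under baseCtxDN, rolesCtxDN is searched with roleFilter, the referral entry the filter returns is followed to ou=SharedRoles,dc=jboss,dc=com, and the role found there is recursed as a nested role. Assumptions: the home server URL ldap://localhost:10389 (the report's provider URL has no host), the ou=People, ou=Roles and ou=SharedRoles parent entries, and the helper names (parse_ldif, search, resolve_roles, roles_for). The option referralUserAttributeIDToCheck is not modelled, and the role DN is looked up in the directory the referral pointed to, which is an assumed behaviour of a correct implementation, not a description of the module's fix.

```python
"""Offline simulation of the role lookup the report expects. Added example,
not JBoss code: the directory data is the report's LDIF plus constructed
parent entries; the filter evaluator covers only what roleFilter needs."""
import re

# Constructed LDIF: entries copied from the report, parents added so the
# search bases exist.
LDIF_JBOSS_ORG = """
dn: ou=People,dc=jboss,dc=org
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=Roles,dc=jboss,dc=org
objectclass: organizationalUnit
ou: Roles

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: referral
objectClass: extensibleObject
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com
"""
LDIF_JBOSS_COM = """
dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org
"""

def parse_ldif(text):
    """{dn_lower: {attr_lower: [values]}} for plain LDIF (no base64, no folded lines)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                attrs["dn"] = [value]          # keep original case for callers
            elif key:
                attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

HOME_SERVER = "ldap://localhost:10389"          # assumed; the report elides the host
DIRECTORIES = {HOME_SERVER: parse_ldif(LDIF_JBOSS_ORG),
               "ldap://localhost:11389": parse_ldif(LDIF_JBOSS_COM)}

# Module options copied from the report's configuration.
CONFIG = {"baseCtxDN": "ou=People,dc=jboss,dc=org", "baseFilter": "(uid={0})",
          "rolesCtxDN": "ou=Roles,dc=jboss,dc=org",
          "roleFilter": "(|(objectClass=referral)(member={1}))",
          "roleAttributeID": "description", "roleAttributeIsDN": True,
          "roleNameAttributeID": "cn", "recurseRoles": True}

def _split(s):
    """Split '(a)(b)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += ch == "("
        if ch == "(" and depth == 1:
            start = i
        depth -= ch == ")"
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def matches(entry, flt):
    """Minimal RFC 4515 evaluator: equality, |, & and !; values compare case-insensitively."""
    body = flt.strip()[1:-1]
    if body[0] in "|&!":
        results = [matches(entry, sub) for sub in _split(body[1:])]
        return {"|": any, "&": all, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def search(server, base_dn, flt):
    """Subtree search; referral entries are plain results because roleFilter asks for them."""
    base = base_dn.lower()
    return [e for dn, e in DIRECTORIES[server].items()
            if (dn == base or dn.endswith("," + base)) and matches(e, flt)]

def lookup(server, dn):
    return DIRECTORIES[server].get(dn.lower())

def is_referral(entry):
    return "referral" in [v.lower() for v in entry.get("objectclass", [])]

def follow_referral(entry):
    """'ref: ldap://host:port/DN' -> (server URL, DN) for the referred search."""
    host, dn = re.match(r"ldap://([^/]+)/(.*)", entry["ref"][0]).groups()
    return "ldap://" + host, dn

def escape_filter_value(value):
    """RFC 4515 escaping: a username like '*' or 'x)(uid=admin' cannot rewrite baseFilter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def find_user_dn(username):
    flt = CONFIG["baseFilter"].replace("{0}", escape_filter_value(username))
    hits = search(HOME_SERVER, CONFIG["baseCtxDN"], flt)
    return hits[0]["dn"][0] if len(hits) == 1 else None

def resolve_roles(server, ctx_dn, subject_dn, seen=None):
    """Role names for subject_dn under ctx_dn, following referrals and nesting.
    'seen' stops the loop the referral entry would cause, since it matches
    roleFilter at every recursion level regardless of the subject."""
    seen = set() if seen is None else seen
    key = (server, ctx_dn.lower(), subject_dn.lower())
    if key in seen:
        return set()
    seen.add(key)
    roles = set()
    # subject_dn comes from the directory, not the client, so no escaping here.
    flt = CONFIG["roleFilter"].replace("{1}", subject_dn)
    for entry in search(server, ctx_dn, flt):
        if is_referral(entry):
            roles |= resolve_roles(*follow_referral(entry), subject_dn, seen)
            continue
        for value in entry.get(CONFIG["roleAttributeID"].lower(), []):
            if not CONFIG["roleAttributeIsDN"]:
                roles.add(value)
                continue
            # Assumed: the role DN is resolved where the group was found.
            role = lookup(server, value) or {}
            roles.add(role.get(CONFIG["roleNameAttributeID"].lower(), [value])[0])
            if CONFIG["recurseRoles"]:
                roles |= resolve_roles(HOME_SERVER, CONFIG["rolesCtxDN"], value, seen)
    return roles

def roles_for(username):
    user_dn = find_user_dn(username)
    return sorted(resolve_roles(HOME_SERVER, CONFIG["rolesCtxDN"], user_dn)) if user_dn else []

if __name__ == "__main__":
    print(find_user_dn("jduke"), roles_for("jduke"))
```

Running it prints jduke's DN and ['Admin'], which is the outcome the report says LdapExtLoginModule produces and AdvancedLdapLoginModule did not. The `seen` set is the part worth keeping in mind when testing against a real server with java.naming.referral=follow: because roleFilter matches every referral entry, each recursion level follows the referral again, so a recursion bound (or a visited set, as here) is what prevents an unbounded chain of searches.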
Comment 1 Josef Cacek 2014-07-29 10:05:58 EDT
This issue was reported against an older version and cannot be reproduced against the latest 6.3.0 bits, which means it was fixed earlier. Therefore, we are closing this bug.