Bug 1031005 - AdvancedLdapLoginModule fails to follow referrals when role recursion is used
Summary: AdvancedLdapLoginModule fails to follow referrals when role recursion is used
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: EAP 6.3.0
Assignee: Darran Lofthouse
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On: 1017974
Blocks:
Reported: 2013-11-15 13:14 UTC by Josef Cacek
Modified: 2014-07-29 14:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-29 14:05:58 UTC
Type: Bug
Embargoed:



Description Josef Cacek 2013-11-15 13:14:06 UTC
Originally in: https://bugzilla.redhat.com/show_bug.cgi?id=1017974#c12

Role recursion doesn't work when referrals are followed:

LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
	<module-option name="baseFilter" value="(uid={0})"/>
	<module-option name="java.naming.referral" value="follow"/>
	<module-option name="bindDN" value="uid=admin,ou=system"/>
	<module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
	<module-option name="referralUserAttributeIDToCheck" value="member"/>
	<module-option name="roleNameAttributeID" value="cn"/>
	<module-option name="recurseRoles" value="true"/>
	<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
	<module-option name="java.naming.security.authentication" value="simple"/>
	<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
	<module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
	<module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
	<module-option name="bindCredential" value="secret"/>
	<module-option name="roleAttributeIsDN" value="true"/>
	<module-option name="roleAttributeID" value="description"/>
	<module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

########################

User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule.

It works as expected when the LdapExtLoginModule is used.
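As an added illustration (not code from EAP or from the reporter), here is a small in-memory model of the two directories above and of the lookup the module options ask for: a subtree search with roleFilter under rolesCtxDN, the referral followed to the second server, membership checked through referralUserAttributeIDToCheck, and roles recursed through the description attribute. It shows that the Admin role is only reachable when the referral is followed; all entries and server URLs are constructed from the LDIF in the report.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
# Two in-memory "servers" holding the entries quoted in the report (constructed sample data).
DIRS: Dict[str, Dict[str, Entry]] = {
    "ldap://127.0.0.1:10389": {
        "ou=RefRoles,ou=Roles,dc=jboss,dc=org": {
            "objectclass": ["extensibleObject", "referral", "top"],
            "ref": ["ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com"]},
    },
    "ldap://localhost:11389": {
        "ou=SharedRoles,dc=jboss,dc=com": {"objectclass": ["top", "organizationalUnit"]},
        "cn=Admin,ou=SharedRoles,dc=jboss,dc=com": {
            "objectclass": ["top", "groupOfNames"], "cn": ["Admin"],
            "description": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"],  # roleAttributeID value (a DN)
            "member": ["uid=jduke,ou=People,dc=jboss,dc=org"]},
    },
}

def add_role(server: str, dn: str, seen: Set[str], roles: Set[str]) -> None:
    """recurseRoles=true: take cn as the role name, then follow every DN in
    roleAttributeID (description) and repeat; `seen` stops cycles (Admin points at itself)."""
    if dn in seen or dn not in DIRS[server]:
        return
    seen.add(dn)
    attrs = DIRS[server][dn]
    roles.add(attrs["cn"][0])                       # roleNameAttributeID=cn
    for parent_dn in attrs.get("description", []):  # roleAttributeIsDN=true
        add_role(server, parent_dn, seen, roles)

def search_roles(server: str, base: str, user_dn: str, follow: bool,
                 seen: Set[str], roles: Set[str]) -> None:
    """Subtree search under base with roleFilter (|(objectClass=referral)(member={1}))."""
    for dn, attrs in DIRS[server].items():
        if not dn.endswith(base):
            continue
        if "referral" in attrs["objectclass"]:
            if follow:                               # java.naming.referral=follow
                ref_server, ref_base = attrs["ref"][0].rsplit("/", 1)
                search_roles(ref_server, ref_base, user_dn, follow, seen, roles)
        elif user_dn in attrs.get("member", []):     # referralUserAttributeIDToCheck=member
            add_role(server, dn, seen, roles)

def resolve_roles(user_dn: str, follow_referrals: bool = True) -> Set[str]:
    """Role names for user_dn, starting at rolesCtxDN on the first server."""
    roles: Set[str] = set()
    search_roles("ldap://127.0.0.1:10389", "ou=Roles,dc=jboss,dc=org",
                 user_dn, follow_referrals, set(), roles)
    return roles
```

With referrals ignored the search never leaves dc=jboss,dc=org, so no group lists jduke as a member and the result is empty, which is the symptom the report describes.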

Comment 1 Josef Cacek 2014-07-29 14:05:58 UTC
This issue was reported against an older version and cannot be reproduced against the latest 6.3.0 bits, which means it was fixed earlier. Therefore, we are closing this bug.
