Originally in: https://bugzilla.redhat.com/show_bug.cgi?id=1017974#c12

Role recursion doesn't work when referrals are followed.

LM configuration:

<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
  <module-option name="baseFilter" value="(uid={0})"/>
  <module-option name="java.naming.referral" value="follow"/>
  <module-option name="bindDN" value="uid=admin,ou=system"/>
  <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
  <module-option name="referralUserAttributeIDToCheck" value="member"/>
  <module-option name="roleNameAttributeID" value="cn"/>
  <module-option name="recurseRoles" value="true"/>
  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
  <module-option name="java.naming.security.authentication" value="simple"/>
  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
  <module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
  <module-option name="bindCredential" value="secret"/>
  <module-option name="roleAttributeIsDN" value="true"/>
  <module-option name="roleAttributeID" value="description"/>
  <module-option name="throwValidateError" value="true"/>
</login-module>

# important entries in dc=jboss,dc=org:

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:

dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org

########################

User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule. It works as expected when the LdapExtLoginModule is used.
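An added example, not code from the bug report or from the JBoss Negotiation project: a small Python model of the role lookup the configuration above describes, using the report's option values and its four LDIF entries as an in-memory directory. The algorithm (search baseCtxDN with baseFilter, search rolesCtxDN with roleFilter, follow referral objects into the referred server and accept an entry only if its referralUserAttributeIDToCheck attribute lists the DN being resolved, map the description DN to that entry's cn, then repeat with each role DN while recurseRoles is set) is assumed from the option names, not taken from the module's source. The cn=SuperAdmin group is a constructed extra entry so the recursion step has a nested role to find, and the model also shows what is lost when referrals are not followed.

```python
"""Toy model of the role lookup the bug report's configuration describes.
Assumed behaviour derived from the option names, not the module's source."""

# Login-module option values copied from the report (only those used here).
OPTS = {
    "java.naming.provider.url": "ldap://127.0.0.1:10389",
    "java.naming.referral": "follow",
    "baseCtxDN": "ou=People,dc=jboss,dc=org",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=Roles,dc=jboss,dc=org",
    "roleFilter": "(|(objectClass=referral)(member={1}))",
    "referralUserAttributeIDToCheck": "member",
    "roleAttributeIsDN": True,
    "roleAttributeID": "description",
    "roleNameAttributeID": "cn",
    "recurseRoles": True,
}

# Constructed in-memory directories standing in for the two servers in the
# report; cn=SuperAdmin is an extra constructed group so recursion has work.
SERVERS = {
    "ldap://127.0.0.1:10389": {
        "uid=jduke,ou=People,dc=jboss,dc=org": {
            "objectclass": ["top", "uidObject", "person"], "uid": ["jduke"],
            "cn": ["Java Duke"], "sn": ["Duke"]},
        "ou=RefRoles,ou=Roles,dc=jboss,dc=org": {
            "objectClass": ["extensibleObject", "referral", "top"],
            "ou": ["RefRoles"],
            "ref": ["ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com"]},
        "cn=SuperAdmin,ou=Roles,dc=jboss,dc=org": {
            "objectClass": ["top", "groupOfNames"], "cn": ["SuperAdmin"],
            "description": ["cn=SuperAdmin,ou=Roles,dc=jboss,dc=org"],
            "member": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"]},
    },
    "ldap://localhost:11389": {
        "ou=SharedRoles,dc=jboss,dc=com": {
            "objectclass": ["top", "organizationalUnit"], "ou": ["SharedRoles"]},
        "cn=Admin,ou=SharedRoles,dc=jboss,dc=com": {
            "objectClass": ["top", "groupOfNames"], "cn": ["Admin"],
            "description": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"],
            "member": ["uid=jduke,ou=People,dc=jboss,dc=org"]},
    },
}


def values(attrs, name):
    """Case-insensitive attribute lookup (LDAP attribute names ignore case)."""
    out = []
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            out.extend(vals)
    return out


def parse_filter(f):
    """Parse the filter subset the report uses: (attr=value) and (|(..)(..))."""
    body = f[1:-1]
    if body.startswith("|"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(body[start:i + 1])
        return ("or", [parse_filter(p) for p in parts])
    attr, _, value = body.partition("=")  # first '=' splits attr from a DN value
    return ("eq", attr, value)


def matches(attrs, node):
    if node[0] == "or":
        return any(matches(attrs, n) for n in node[1])
    return node[2].lower() in [v.lower() for v in values(attrs, node[1])]


def search(server, base, filt):
    """Subtree search on one server, returning (dn, attrs) pairs."""
    node, base_l = parse_filter(filt), base.lower()
    return [(dn, attrs) for dn, attrs in SERVERS[server].items()
            if (dn.lower() == base_l or dn.lower().endswith("," + base_l))
            and matches(attrs, node)]


def lookup(dn):
    """Fetch one entry by DN from whichever server holds it."""
    for entries in SERVERS.values():
        for entry_dn, attrs in entries.items():
            if entry_dn.lower() == dn.lower():
                return attrs
    raise KeyError(dn)


def role_search(opts, server, filt, dn_to_check):
    """roleFilter search under rolesCtxDN; referral objects are followed into
    the referred server (only when java.naming.referral=follow) and a referred
    entry counts only if referralUserAttributeIDToCheck lists dn_to_check.
    Referrals met on the referred server are not followed again (model limit)."""
    for dn, attrs in search(server, opts["rolesCtxDN"], filt):
        if "referral" not in [v.lower() for v in values(attrs, "objectClass")]:
            yield dn, attrs
            continue
        if opts["java.naming.referral"] != "follow":
            continue
        for ref in values(attrs, "ref"):
            scheme, _, host, ref_base = ref.split("/", 3)
            for r_dn, r_attrs in search(scheme + "//" + host, ref_base, filt):
                checked = values(r_attrs, opts["referralUserAttributeIDToCheck"])
                if dn_to_check.lower() in [v.lower() for v in checked]:
                    yield r_dn, r_attrs


def resolve_roles(username, opts=OPTS):
    """Return (user DN, role names) for username, recursing when recurseRoles."""
    server = opts["java.naming.provider.url"]
    hits = search(server, opts["baseCtxDN"], opts["baseFilter"].replace("{0}", username))
    if not hits:
        return None, []
    user_dn = hits[0][0]
    roles, seen, pending = [], set(), [user_dn]
    while pending:                     # breadth-first over nested role DNs
        dn = pending.pop(0)
        if dn.lower() in seen:         # guards against group membership cycles
            continue
        seen.add(dn.lower())
        filt = opts["roleFilter"].replace("{1}", dn)
        for role_dn, attrs in role_search(opts, server, filt, dn):
            if opts["roleAttributeIsDN"]:  # description holds the role's DN
                role_dn = values(attrs, opts["roleAttributeID"])[0]
                attrs = lookup(role_dn)
            name = values(attrs, opts["roleNameAttributeID"])[0]
            if name not in roles:
                roles.append(name)
            if opts["recurseRoles"]:
                pending.append(role_dn)
    return user_dn, roles


if __name__ == "__main__":
    print(resolve_roles("jduke"))
```

Run as-is the model yields jduke's DN with the roles Admin (reached through the ou=RefRoles referral) and SuperAdmin (reached by recursing on the Admin DN); switching java.naming.referral away from "follow" drops both, which is the symptom the report describes for the real module when recursion and referrals are combined.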
This issue was reported against an older version and cannot be reproduced against the latest 6.3.0 bits, which means it was fixed earlier. Therefore, we are closing this bug.