Bug 1051227 - [EAP 6.2.0] LDAP Group Loading - Should Not Fail for Non-existent User
Summary: [EAP 6.2.0] LDAP Group Loading - Should Not Fail for Non-existent User
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Derek Horton
QA Contact: Petr Kremensky
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-09 21:34 UTC by Derek Horton
Modified: 2014-09-02 13:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-09-02 13:25:34 UTC
Type: Support Patch
Embargoed:


Attachments
patch (1.03 MB, application/zip), 2014-01-09 22:22 UTC, Derek Horton


Links
Red Hat Issue Tracker WFLY-2660 (Priority: Critical, Status: Resolved): LDAP Group Loading - Should Not Fail for Non-existent User. Last updated 2014-09-02 13:25:08 UTC

Description Derek Horton 2014-01-09 21:34:48 UTC
Description of problem:
Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP.
One example is local authentication where the user may not exist.
Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.


Steps to Reproduce:

Configure domain mode to use LDAP / RBAC for the management realm:


<security-realm name="ManagementRealm">
    <authentication>
        <ldap connection="ldap_connection" base-dn="ou=Users,dc=my-domain,dc=com">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization map-groups-to-roles="true">
        <ldap connection="ldap_connection">
            <username-to-dn force="true">
                <username-filter base-dn="ou=Users,dc=my-domain,dc=com" recursive="true" attribute="uid" user-dn-attribute="dn" />
            </username-to-dn>
            <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                <group-to-principal base-dn="ou=Groups,dc=my-domain,dc=com" recursive="true" search-by="DISTINGUISHED_NAME">
                    <membership-filter principal-attribute="member" />
                </group-to-principal>
            </group-search>
        </ldap>
    </authorization>
</security-realm>

Actual results:

Server instances fail to start:

[Server:server-one] 15:33:51,172 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("validate-authorization") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ManagementRealmLDAP"),
[Server:server-one]     ("authorization" => "ldap")
[Server:server-one] ]) - failure description: "JBAS015290: Configuration for security realm 'ManagementRealmLDAP' does not contain any group-search resource within the authorization=ldap resource."
[Server:server-one] 15:33:51,178 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.


Expected results:


Additional info:
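The following is an added illustration, not EAP or WildFly code: it simulates the group loading the realm above configures (username-to-dn by uid, then an iterative group-to-principal search on the member attribute, searching by distinguished name) against a small constructed directory, and shows the behaviour the report asks for, namely that a user absent from LDAP yields no groups instead of an authentication failure.

```python
# Added example, not project code. DIRECTORY is a constructed in-memory
# stand-in for the LDAP tree; entries are keyed by DN, attribute values are lists.
DIRECTORY = {
    "uid=alice,ou=Users,dc=my-domain,dc=com": {"uid": ["alice"]},
    "cn=devs,ou=Groups,dc=my-domain,dc=com": {
        "cn": ["devs"],
        "member": ["uid=alice,ou=Users,dc=my-domain,dc=com"],
    },
    "cn=admins,ou=Groups,dc=my-domain,dc=com": {
        "cn": ["admins"],
        # nested group: admins contains the devs group, not alice directly
        "member": ["cn=devs,ou=Groups,dc=my-domain,dc=com"],
    },
}

def username_to_dn(username, base_dn="ou=Users,dc=my-domain,dc=com"):
    """<username-to-dn> with <username-filter attribute="uid">: return the
    user's DN under base_dn, or None when no such entry exists."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base_dn) and username in attrs.get("uid", []):
            return dn
    return None

def groups_for_dn(principal_dn, base_dn="ou=Groups,dc=my-domain,dc=com"):
    """<group-to-principal search-by="DISTINGUISHED_NAME"> with
    <membership-filter principal-attribute="member"/> and iterative="true":
    collect every group whose member attribute lists the principal's DN,
    then repeat for each group found so nested groups are resolved."""
    found, pending = set(), [principal_dn]
    while pending:
        current = pending.pop()
        for dn, attrs in DIRECTORY.items():
            if dn.endswith("," + base_dn) and current in attrs.get("member", []):
                name = attrs["cn"][0]          # group-name-attribute="cn"
                if name not in found:          # also stops on membership cycles
                    found.add(name)
                    pending.append(dn)         # iterative: recurse into this group
    return found

def load_groups(username):
    """Tolerant group loading: a principal that does not exist in LDAP
    (local auth, a domain-mode server with a generated identity) gets an
    empty group set rather than an error that aborts authentication."""
    dn = username_to_dn(username)
    if dn is None:
        return set()
    return groups_for_dn(dn)
```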

Comment 1 Derek Horton 2014-01-09 22:22:51 UTC
Created attachment 847885 [details]
patch

