Bug 1051240 - [GSS] (6.2.x) LDAP Group Loading - Should Not Fail for Non-existent User
Summary: [GSS] (6.2.x) LDAP Group Loading - Should Not Fail for Non-existent User
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: CR1
: EAP 6.2.1
Assignee: Derek Horton
QA Contact: Petr Kremensky
Russell Dickenson
URL:
Whiteboard:
Depends On: 1043667
Blocks: eap62-cp01-blockers
TreeView+ depends on / blocked
 
Reported: 2014-01-09 22:05 UTC by Derek Horton
Modified: 2018-12-04 16:54 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An issue was encountered in previous releases of JBoss EAP 6 that caused domain mode server instances to fail to start. In domain mode, where a security realm was configured to load groups from LDAP, the server instances would try to load the group information for a server 'user' and fail. This issue was resolved by modifying the code so that group information is not loaded if the remote user was an authenticated server. Server instances no longer fail when encountering a user not found in the LDAP directory.
Clone Of:
Environment:
Last Closed: 2014-02-24 20:15:59 UTC
Type: Bug
smumford: needinfo-


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-2660 Critical Resolved LDAP Group Loading - Should Not Fail for Non-existent User. 2015-07-15 19:11:26 UTC

Description Derek Horton 2014-01-09 22:05:56 UTC
Description of problem:
Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP.
One example is local authentication where the user may not exist.
Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.


Steps to Reproduce:

Configure domain mode to use LDAP / RBAC for the management realm:


            <security-realm name="ManagementRealm">                                                                                                                    
                <authentication>                                                                                                                                       
                    <ldap connection="ldap_connection" base-dn="ou=Users,dc=my-domain,dc=com">                                                                         
                        <username-filter attribute="uid"/>                                                                                                             
                    </ldap>                                                                                                                                                            </authentication>                                                                                                                                      
                <authorization map-groups-to-roles="true">                                                                                                             
                  <ldap connection="ldap_connection">                                                                                                                  
                    <username-to-dn force="true">                                                                                                                      
                      <username-filter base-dn="ou=Users,dc=my-domain,dc=com" recursive="true" attribute="uid" user-dn-attribute="dn" />                               
                    </username-to-dn>                                                                                                                                  
                    <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">                                              
                      <group-to-principal base-dn="ou=Groups,dc=my-domain,dc=com" recursive="true" search-by="DISTINGUISHED_NAME">                                     
                        <membership-filter principal-attribute="member" />                                                                                             
                      </group-to-principal>                                                                                                                            
                    </group-search>                                                                                                                                    
                  </ldap>                                                                                                                                              
                </authorization>                                                                                                                                       
            </security-realm>                                

Actual results:

Server instances fail to start:

[Server:server-one] 15:33:51,172 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("validate-authorization") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ManagementRealmLDAP"),
[Server:server-one]     ("authorization" => "ldap")
[Server:server-one] ]) - failure description: "JBAS015290: Configuration for security realm 'ManagementRealmLDAP' does not contain any group-search resource within the authorization=ldap resource."
[Server:server-one] 15:33:51,178 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.


Expected results:


Additional info:

Comment 5 Scott Mumford 2014-01-20 01:06:23 UTC
Marking for inclusion in 6.2.1 release notes documentation.

Comment 6 Scott Mumford 2014-01-23 00:00:07 UTC
Hi Derek, I'm hoping you could assist the documentation effort and fill in the blanks in the Doc Text field above for the release notes.

Comment 7 Nikoleta Hlavickova 2014-01-23 15:07:30 UTC
Verified with 6.2.1.CP.CR1-patch.

Comment 8 Scott Mumford 2014-01-24 00:03:31 UTC
Thanks for the help Derek. Marking final note for inclusion in the Release Notes document.

Comment 9 Nikoleta Hlavickova 2014-01-30 12:54:00 UTC
Fixed a typo in Doc Text

Comment 10 Russell Dickenson 2014-02-03 04:04:26 UTC
Minor amendments to release notes text.


Note You need to log in before you can comment on or make changes to this bug.