Bug 1074560 - [GSS] (6.3.0) EAP management authorization throws an exception when an LDAP group contains a slash character
Summary: [GSS] (6.3.0) EAP management authorization throws an exception when an LDAP g...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: DR4
Target Release: EAP 6.3.0
Assignee: Tom Fonteyne
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: 1075082
Reported: 2014-03-10 14:33 UTC by Tom Fonteyne
Modified: 2018-12-06 16:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP were found to contain a bug that prevented the 'backslash' (/) character from being escaped correctly when it was used in an LDAP group on a Windows Active Directory LDAP server. The bug would cause EAP management authorization to throw a NamingException. This release included an update that ensures the character is escaped correctly and the exception no longer presents.
Clone Of:
: 1075082
Environment:
Last Closed: 2014-06-28 15:26:17 UTC
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | WFLY-3099 | 0 | Major | Resolved | management authorization throws an exception when an LDAP group contains a slash/backslash character | 2017-04-12 14:27:47 UTC

Description Tom Fonteyne 2014-03-10 14:33:29 UTC
Description of problem:

Using EAP 6.2.1 and Windows AD 2008R2 as the LDAP server

- create an LDAP group that has a slash:
     CN=slash / group,CN=Users,DC=jbossuk,DC=com
- assign a user to that group
  the user can also be assigned to other groups.

- configure for RBAC:
            <security-realm name="ADManagementRealm">
                <authentication>
                    <ldap connection="adcon" base-dn="dc=jbossuk,dc=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="adcon">
                        <group-search group-dn-attribute="dn" group-name-attribute="cn">
                            <principal-to-group group-attribute="memberOf"/>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>


    <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="tom"/>
                        <user name="$local"/>
                        <group name="JBossAdmin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

Use the CLI, and login with that user:

Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed


debugging led to:

org.jboss.as.domain.management.security.LdapGroupSearcherService

        public LdapEntry[] groupSearch(DirContext dirContext, LdapEntry entry) throws IOException, NamingException {
            Set<LdapEntry> foundEntries = new HashSet<LdapEntry>();
            // Load the list of group.
            Attributes groups = dirContext.getAttributes(entry.getDistinguishedName(), new String[] {groupAttribute});
            Attribute groupRef = groups.get(groupAttribute);
            if (groupRef != null) {
                NamingEnumeration<String> groupRefValues = (NamingEnumeration<String>) groupRef.getAll();
                while (groupRefValues.hasMore()) {
                    String current = groupRefValues.next();
                    String groupName = null;
                    if (groupNameAttribute != null) {
                        // Load the Name
                        Attributes groupNameAttrs = dirContext.getAttributes(current, new String[] { groupNameAttribute });

The last line throws an exception:

e = (javax.naming.NamingException) javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

(note: it would be nice if this was in fact sent to the log file)

Remaining name contained two elements:
  CN=slash<space>
  <space>group,CN=Users,DC=jbossuk,DC=com

It seems the "/" is seen as a "syntaxSeparator" (this is a field on the object)
CN=slash

Comment 1 Tom Fonteyne 2014-03-10 15:37:49 UTC
https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Shows a set of characters to escape. The "/" is not one of them though.

I'm setting up a test where I'll escape the "/" to check.

Comment 2 Tom Fonteyne 2014-03-10 15:47:00 UTC
same page also says:

In the canonicalName both the forward slash and backslash characters are escaped using the backslash escape character. However, no other characters are escaped.

Sounds spot on

Comment 3 Tom Fonteyne 2014-03-11 10:17:06 UTC
this fixed it for both slashes and backslashes

String current = groupRefValues.next().replace("\\", "\\\\").replace("/", "\\/");

I'll be doing WildFly and EAP jira/bz and pull requests later today.

assigning this BZ to myself due to that.
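As an added illustration (not code from this bug or from the EAP/WildFly sources) of the mechanism behind the "Remaining name contained two elements" error in the description and of the replacement posted in Comment 3, the class below runs the group DN from the report through javax.naming.CompositeName before and after escaping; the class and method names are assumptions of this example.

```java
import javax.naming.CompositeName;
import javax.naming.NamingException;

// Added example (not EAP/WildFly code): shows why a DN containing "/" breaks
// javax.naming String lookups and how the escaping from Comment 3 repairs it.
public class JndiDnEscapeDemo {

    // Same transformation as the fix in Comment 3: double every backslash
    // first, then escape every forward slash with a backslash.
    static String escapeForJndi(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    // Number of components JNDI's composite-name parser sees in a String name.
    // DirContext.getAttributes(String) parses its argument this way, and the
    // LDAP provider only sends the first component to the server.
    static int jndiComponents(String name) throws NamingException {
        return new CompositeName(name).size();
    }

    public static void main(String[] args) throws NamingException {
        // The group DN from the report.
        String groupDn = "CN=slash / group,CN=Users,DC=jbossuk,DC=com";

        // Unescaped: "/" is the composite-name separator, so the DN is split
        // into "CN=slash " and " group,CN=Users,DC=jbossuk,DC=com", which is
        // the two-element remaining name quoted in the description.
        System.out.println("raw components:       " + jndiComponents(groupDn));

        // Escaped: a single component, and CompositeName strips the escape
        // layer again so the component is the original DN.
        CompositeName escaped = new CompositeName(escapeForJndi(groupDn));
        System.out.println("escaped components:   " + escaped.size());
        System.out.println("round-trips:          " + groupDn.equals(escaped.get(0)));

        // Constructed DN with an LDAP-escaped comma. Doubling the backslash
        // keeps LDAP's own escape intact once JNDI has removed its escape layer.
        String commaDn = "CN=Doe\\, John,CN=Users,DC=jbossuk,DC=com";
        CompositeName escapedComma = new CompositeName(escapeForJndi(commaDn));
        System.out.println("comma DN round-trips: " + commaDn.equals(escapedComma.get(0)));
    }
}
```

The String-based DirContext methods are the ones that parse composite names; passing a javax.naming.ldap.LdapName to the Name-based overloads avoids the "/" splitting entirely, so either escaping as above or switching to LdapName closes this gap.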

Comment 4 Tom Fonteyne 2014-03-11 13:01:35 UTC
Fixed in branch 6.x

domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java


pull request sent:
https://github.com/jbossas/jboss-eap/pull/1046

Comment 5 Kabir Khan 2014-03-11 23:54:17 UTC
Tom, POST is when a PR is done; MODIFIED when I have merged it :-)

Comment 6 Ondrej Lukas 2014-03-19 14:41:18 UTC
Verified on EAP 6.3.0.DR4.

