Bug 1074560 - [GSS] (6.3.0) EAP management authorization throws an exception when an LDAP group contains a slash character
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR4
: EAP 6.3.0
Assignee: Tom Fonteyne
QA Contact: Josef Cacek
Depends On:
Blocks: 1075082
Reported: 2014-03-10 14:33 UTC by Tom Fonteyne
Modified: 2018-12-06 16:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP contained a bug that prevented the forward slash ('/') and backslash ('\') characters from being escaped correctly when they appeared in the distinguished name of an LDAP group, for example a group on a Windows Active Directory LDAP server. When management authorization resolved such a group, the lookup failed and EAP threw a NamingException. This release includes an update that escapes both characters correctly, and the exception no longer occurs.
Clone Of:
: 1075082
Last Closed: 2014-06-28 15:26:17 UTC
Type: Bug


External tracker: Red Hat One Jira Issue Tracker, WFLY-3099 (Priority: Major, Status: Resolved), "management authorization throws an exception when an LDAP group contains a slash/backslash character", last updated 2017-04-12 14:27:47 UTC

Description Tom Fonteyne 2014-03-10 14:33:29 UTC
Description of problem:

Using EAP 6.2.1 and Windows AD 2008R2 as the LDAP server

- create an LDAP group that has a slash:
     CN=slash / group,CN=Users,DC=jbossuk,DC=com
- assign a user to that group
  the user can also be assigned to other groups.

- configure for RBAC:
        <security-realm name="ADManagementRealm">
            <authentication>
                <ldap connection="adcon" base-dn="dc=jbossuk,dc=com" recursive="true">
                    <username-filter attribute="sAMAccountName"/>
                </ldap>
            </authentication>
            <authorization>
                <ldap connection="adcon">
                    <group-search group-dn-attribute="dn" group-name-attribute="cn">
                        <principal-to-group group-attribute="memberOf"/>
                    </group-search>
                </ldap>
            </authorization>
        </security-realm>

        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="tom"/>
                        <user name="$local"/>
                        <group name="JBossAdmin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

Use the CLI, and login with that user:

Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

Debugging led to:


        public LdapEntry[] groupSearch(DirContext dirContext, LdapEntry entry) throws IOException, NamingException {
            Set<LdapEntry> foundEntries = new HashSet<LdapEntry>();
            // Load the list of group.
            Attributes groups = dirContext.getAttributes(entry.getDistinguishedName(), new String[] {groupAttribute});
            Attribute groupRef = groups.get(groupAttribute);
            if (groupRef != null) {
                NamingEnumeration<String> groupRefValues = (NamingEnumeration<String>) groupRef.getAll();
                while (groupRefValues.hasMore()) {
                    String current = groupRefValues.next();
                    String groupName = null;
                    if (groupNameAttribute != null) {
                        // Load the Name
                        Attributes groupNameAttrs = dirContext.getAttributes(current, new String[] { groupNameAttribute });

The last line throws an exception:

e = (javax.naming.NamingException) javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

(note: it would be nice if this was in fact sent to the log file)

Remaining name contained two elements:

It seems the "/" is seen as a "syntaxSeparator" (this is a field on the object)

Comment 1 Tom Fonteyne 2014-03-10 15:37:49 UTC

Shows a set of characters to escape. The "/" is not one of them though.

I'm setting up a test where I'll escape the "/" to check.

Comment 2 Tom Fonteyne 2014-03-10 15:47:00 UTC
same page also says:

In the canonicalName both the forward slash and backslash characters are escaped using the backslash escape character. However, no other characters are escaped.

Sounds spot on

Comment 3 Tom Fonteyne 2014-03-11 10:17:06 UTC
This fixed it for both slashes and backslashes:

String current = groupRefValues.next().replace("\\", "\\\\").replace("/", "\\/");

I'll be doing WildFly and EAP jira/bz and pull requests later today.

assigning this BZ to myself due to that.

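Worked example of the mechanism behind this bug, added here and not part of the report or of WildFly/EAP code. It reproduces the root cause from the Description offline with the JDK's own composite-name parser (no LDAP server needed), checks the one-line escaping from Comment 3 for both '/' and '\', and shows the alternative of handing JNDI a Name object instead of a String. The class name, the helper method names and the two DNs are constructed for the example; the slash group DN mirrors the one in the report.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

// Added example, not WildFly/EAP code. A JNDI String name is a *composite*
// name: '/' separates components that belong to different naming systems and
// '\' is the escape character. An LDAP DN handed to
// DirContext.getAttributes(String, ...) is therefore parsed by JNDI before the
// LDAP provider ever sees it, and an unescaped '/' splits the DN into two
// components (the "remaining name contained two elements" in the report).
public class DnSlashEscaping {

    // Constructed for this example; mirrors the group DN from the report.
    static final String SLASH_DN = "CN=slash / group,CN=Users,DC=jbossuk,DC=com";
    // Constructed DN that already carries an LDAP-level (RFC 2253) backslash escape.
    static final String BACKSLASH_DN = "CN=Smith\\, John,CN=Users,DC=jbossuk,DC=com";

    // The string-level fix from Comment 3. Order matters: double existing
    // backslashes first, otherwise the backslash introduced for '/' would be
    // doubled as well.
    static String escapeForCompositeName(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    // How many composite components JNDI would make of a raw String name.
    static int compositeComponents(String name) throws InvalidNameException {
        return new CompositeName(name).size();
    }

    // True if the escaped DN parses to exactly one component whose value is the
    // original DN, i.e. the LDAP provider would receive the DN unchanged.
    static boolean roundTrips(String dn) throws InvalidNameException {
        CompositeName parsed = new CompositeName(escapeForCompositeName(dn));
        return parsed.size() == 1 && dn.equals(parsed.get(0));
    }

    // Alternative that avoids string munging: build the Name object yourself so
    // the whole DN is a single component, whatever characters it contains, and
    // use the Name-taking overload of getAttributes().
    static Name asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // The bug: the raw String DN is split at '/' into two components.
        System.out.println("raw '/' DN components     : " + compositeComponents(SLASH_DN));   // 2

        // The Comment 3 escaping gives back the original DN for both characters.
        System.out.println("escaped '/' DN round-trips: " + roundTrips(SLASH_DN));            // true
        System.out.println("escaped '\\' DN round-trips: " + roundTrips(BACKSLASH_DN));       // true

        // A Name built with add() is one component, and its String form is
        // quoted/escaped by JNDI so that reparsing it yields the DN again.
        Name single = asSingleComponent(SLASH_DN);
        System.out.println("Name components           : " + single.size());                   // 1
        System.out.println("survives toString()       : "
                + SLASH_DN.equals(new CompositeName(single.toString()).get(0)));              // true

        // The DN itself is a perfectly valid LDAP name ('/' is not special in a
        // DN); only JNDI's composite-name parsing was the problem.
        System.out.println("RDNs in the DN            : " + new LdapName(SLASH_DN).getRdns().size()); // 4
    }
}
```

Compile and run with `javac DnSlashEscaping.java && java DnSlashEscaping`. Two things to keep in mind when applying either fix: `entry.getDistinguishedName()` a few lines earlier in the same `groupSearch()` method is passed to `getAttributes()` as a String as well, so a user DN containing these characters needs the same treatment; and the group DNs come straight from the directory (`memberOf`), so whoever can create or rename groups controls which characters reach this code. In the JDK's LDAP provider a non-composite `Name` such as `LdapName` is wrapped as a single composite component, so `getAttributes(new LdapName(dn), ...)` has the same effect as the `CompositeName().add(dn)` form shown above.
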
Comment 4 Tom Fonteyne 2014-03-11 13:01:35 UTC
Fixed in branch 6.x


pull request sent:

Comment 5 Kabir Khan 2014-03-11 23:54:17 UTC
Tom, POST is when a PR is done; MODIFIED when I have merged it :-)

Comment 6 Ondrej Lukas 2014-03-19 14:41:18 UTC
Verified on EAP 6.3.0.DR4.
