Bug 1074560 - [GSS] (6.3.0) EAP management authorization throws an exception when an LDAP group contains a slash character
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management (Show other bugs)
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: DR4
Target Release: EAP 6.3.0
Assigned To: Tom Fonteyne
QA Contact: Josef Cacek
Depends On:
Blocks: 1075082
Reported: 2014-03-10 10:33 EDT by Tom Fonteyne
Modified: 2017-10-09 20:08 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP were found to contain a bug that prevented the slash (/) and backslash (\) characters from being escaped correctly when they appeared in the distinguished name of an LDAP group on a Windows Active Directory LDAP server. Because the group DN was passed to JNDI as a plain string, which JNDI parses as a composite name in which "/" separates components and "\" is the escape character, EAP management authorization threw a NamingException for such groups. This release includes an update that ensures both characters are escaped correctly before the lookup, and the exception no longer occurs.
Story Points: ---
Clone Of:
: 1075082 (view as bug list)
Environment:
Last Closed: 2014-06-28 11:26:17 EDT
Type: Bug
Regression: ---


External Trackers:
JBoss Issue Tracker WFLY-3099 (Priority: Major, Status: Resolved) - "management authorization throws an exception when an LDAP group contains a slash/backslash character", last updated 2017-04-12 10:27 EDT

Description Tom Fonteyne 2014-03-10 10:33:29 EDT
Description of problem:

Using EAP 6.2.1 and Windows AD 2008R2 as the LDAP server

- create an LDAP group that has a slash:
     CN=slash / group,CN=Users,DC=jbossuk,DC=com
- assign a user to that group
  the user can also be assigned to other groups.

- configure for RBAC:
            <security-realm name="ADManagementRealm">
                <authentication>
                    <ldap connection="adcon" base-dn="dc=jbossuk,dc=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="adcon">
                        <group-search group-dn-attribute="dn" group-name-attribute="cn">
                            <principal-to-group group-attribute="memberOf"/>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>


    <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="tom"/>
                        <user name="$local"/>
                        <group name="JBossAdmin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

Use the CLI, and login with that user:

Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed


Debugging led to:

org.jboss.as.domain.management.security.LdapGroupSearcherService

        public LdapEntry[] groupSearch(DirContext dirContext, LdapEntry entry) throws IOException, NamingException {
            Set<LdapEntry> foundEntries = new HashSet<LdapEntry>();
            // Load the list of group.
            Attributes groups = dirContext.getAttributes(entry.getDistinguishedName(), new String[] {groupAttribute});
            Attribute groupRef = groups.get(groupAttribute);
            if (groupRef != null) {
                NamingEnumeration<String> groupRefValues = (NamingEnumeration<String>) groupRef.getAll();
                while (groupRefValues.hasMore()) {
                    String current = groupRefValues.next();
                    String groupName = null;
                    if (groupNameAttribute != null) {
                        // Load the Name
                        Attributes groupNameAttrs = dirContext.getAttributes(current, new String[] { groupNameAttribute });

The last line throws an exception:

e = (javax.naming.NamingException) javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

(note: it would be nice if this was in fact sent to the log file)

Remaining name contained two elements:
  CN=slash<space>
  <space>group,CN=Users,DC=jbossuk,DC=com

It seems the "/" is seen as a "syntaxSeparator" (this is a field on the object)
CN=slash
Comment 1 Tom Fonteyne 2014-03-10 11:37:49 EDT
https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Shows a set of characters to escape. The "/" is not one of them though.

I'm setting up a test where I'll escape the "/" to check.
Comment 2 Tom Fonteyne 2014-03-10 11:47:00 EDT
same page also says:

In the canonicalName both the forward slash and backslash characters are escaped using the backslash escape character. However, no other characters are escaped.

Sounds spot on
Comment 3 Tom Fonteyne 2014-03-11 06:17:06 EDT
This fixed it for both slashes and backslashes:

String current = groupRefValues.next().replace("\\", "\\\\").replace("/", "\\/");

I'll be doing the WildFly and EAP JIRA/BZ and pull requests later today.

assigning this BZ to myself due to that.
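The failure in the description and the one-line fix in comment 3 both come down to how JNDI treats a `String` name: `DirContext.getAttributes(String, String[])` parses the string as a `javax.naming.CompositeName`, where "/" separates components and "\" is the escape character, so a DN like `CN=slash / group,...` is split into two components and only the first reaches the LDAP provider. The following stand-alone program is an added example, not code from the bug report or from WildFly/EAP. It reproduces the split offline with `CompositeName`, applies the same `replace` chain as comment 3, and also shows the alternative of handing the provider a `javax.naming.ldap.LdapName` (parsed under RFC 2253 rules, where "/" is not special) to the `Name` overload of `getAttributes`; that alternative is not the fix the page adopted. The two DNs are constructed for the example; the backslash one is written as the `memberOf` attribute would return it, with the backslash already RFC 2253-escaped.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DnCompositeNameDemo {

    // Constructed sample DNs (not taken from a real directory). memberOf hands
    // back DN strings in RFC 2253 form, so a backslash inside a value arrives
    // already doubled: the Java literal "\\\\" is the two-character string "\\".
    static final String SLASH_DN     = "CN=slash / group,CN=Users,DC=jbossuk,DC=com";
    static final String BACKSLASH_DN = "CN=back\\\\slash group,CN=Users,DC=jbossuk,DC=com";

    /** The escaping from comment 3: make a DN safe for a JNDI String-name call,
     *  which parses its argument as a CompositeName. Backslashes are doubled
     *  first so the escape added for "/" is not itself re-escaped. */
    static String escapeForCompositeName(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    /** Number of composite-name components JNDI would see for a String name. */
    static int compositeComponents(String name) throws InvalidNameException {
        return new CompositeName(name).size();
    }

    /** The DN text the LDAP provider actually receives from component 0. */
    static String firstComponent(String name) throws InvalidNameException {
        return new CompositeName(name).get(0);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Unescaped: "/" splits the DN into two composite components, which is
        // the "Remaining name contained two elements" seen in the report.
        CompositeName broken = new CompositeName(SLASH_DN);
        System.out.println("unescaped components: " + broken.size());
        for (int i = 0; i < broken.size(); i++) {
            System.out.println("  [" + i + "] " + broken.get(i));
        }

        // Escaped: a single component whose unescaped text is the original DN,
        // so the provider performs the lookup against the right entry.
        String escaped = escapeForCompositeName(SLASH_DN);
        System.out.println("escaped components: " + compositeComponents(escaped));
        System.out.println("  DN seen by LDAP:  " + firstComponent(escaped));

        // Backslash: without doubling, the RFC 2253 "\\" collapses to a single
        // "\" during composite-name parsing and the DN becomes invalid.
        System.out.println("backslash DN, raw:     " + firstComponent(BACKSLASH_DN));
        System.out.println("backslash DN, escaped: "
                + firstComponent(escapeForCompositeName(BACKSLASH_DN)));

        // Alternative: build an LdapName and pass it to getAttributes(Name, ...).
        // LdapName parses RFC 2253 syntax, where "/" is an ordinary character,
        // so no composite-name escaping is needed at all.
        LdapName ldapName = new LdapName(SLASH_DN);
        System.out.println("LdapName RDNs: " + ldapName.size());
        // RDN index 0 is the rightmost (DC=com); the group's own RDN is last.
        System.out.println("  group RDN value: "
                + ldapName.getRdn(ldapName.size() - 1).getValue());
    }
}
```

Run with `javac DnCompositeNameDemo.java && java DnCompositeNameDemo`; no directory server is needed, because the split happens entirely inside JNDI's name parsing before any LDAP request is sent. In a real lookup the escaped string (or the `LdapName`) is what replaces `current` in the `dirContext.getAttributes(current, ...)` call quoted in the description.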
Comment 4 Tom Fonteyne 2014-03-11 09:01:35 EDT
Fixed in branch 6.x

domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java


pull request sent:
https://github.com/jbossas/jboss-eap/pull/1046
Comment 5 Kabir Khan 2014-03-11 19:54:17 EDT
Tom, POST is when a PR is done; MODIFIED when I have merged it :-)
Comment 6 Ondrej Lukas 2014-03-19 10:41:18 EDT
Verified on EAP 6.3.0.DR4.
