Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1075082

Summary: [QE][GSS] (6.2.x) management authorization throws an exception when an LDAP group contains a slash character
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Tom Fonteyne <tfonteyn>
Component: Domain Management
Assignee: Tom Fonteyne <tfonteyn>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: high
Priority: high
Version: 6.2.1
CC: bmaxwell, cdewolf, darran.lofthouse, emuckenh, myarboro, olukas, rsvoboda, smumford
Target Milestone: CR2
Target Release: EAP 6.2.3
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP were found to contain a bug that prevented the slash ('/') character from being escaped correctly when it was used in an LDAP group on a Windows Active Directory LDAP server. The bug would cause EAP management authorization to throw a NamingException. This release includes an update that ensures the character is escaped correctly and the exception no longer occurs.
Clone Of: 1074560
Last Closed: 2014-06-09 12:46:35 UTC
Type: Bug
Bug Depends On: 1074560
Bug Blocks: 1067532

Description Tom Fonteyne 2014-03-11 13:05:05 UTC
+++ This bug was initially created as a clone of Bug #1074560 +++

and is meant for branch 6.2.x

Description of problem:

Using EAP 6.2.1 and Windows AD 2008R2 as the LDAP server

- create an LDAP group that has a slash:
    CN=slash / group,CN=Users,DC=jbossuk,DC=com
- assign a user to that group
  (the user can also be assigned to other groups)

- configure for RBAC:
    <security-realm name="ADManagementRealm">
        <authentication>
            <ldap connection="adcon" base-dn="dc=jbossuk,dc=com" recursive="true">
                <username-filter attribute="sAMAccountName"/>
            </ldap>
        </authentication>
        <authorization>
            <ldap connection="adcon">
                <group-search group-dn-attribute="dn" group-name-attribute="cn">
                    <principal-to-group group-attribute="memberOf"/>
                </group-search>
            </ldap>
        </authorization>
    </security-realm>

    <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="tom"/>
                        <user name="$local"/>
                        <group name="JBossAdmin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>

Use the CLI, and log in with that user:

Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed


Debugging led to:

org.jboss.as.domain.management.security.LdapGroupSearcherService

        public LdapEntry[] groupSearch(DirContext dirContext, LdapEntry entry) throws IOException, NamingException {
            Set<LdapEntry> foundEntries = new HashSet<LdapEntry>();
            // Load the list of group.
            Attributes groups = dirContext.getAttributes(entry.getDistinguishedName(), new String[] {groupAttribute});
            Attribute groupRef = groups.get(groupAttribute);
            if (groupRef != null) {
                NamingEnumeration<String> groupRefValues = (NamingEnumeration<String>) groupRef.getAll();
                while (groupRefValues.hasMore()) {
                    String current = groupRefValues.next();
                    String groupName = null;
                    if (groupNameAttribute != null) {
                        // Load the Name
                        Attributes groupNameAttrs = dirContext.getAttributes(current, new String[] { groupNameAttribute });

The last line throws an exception:

e = (javax.naming.NamingException) javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

(note: it would be nice if this was in fact sent to the log file)

Remaining name contained two elements:
  CN=slash<space>
  <space>group,CN=Users,DC=jbossuk,DC=com

It seems the "/" is seen as a "syntaxSeparator" (this is a field on the object)
CN=slash

--- Additional comment from Tom Fonteyne on 2014-03-10 11:37:49 EDT ---

https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Shows a set of characters to escape. The "/" is not one of them though.

I'm setting up a test where I'll escape the "/" to check.

--- Additional comment from Tom Fonteyne on 2014-03-10 11:47:00 EDT ---

The same page also says:

In the canonicalName both the forward slash and backslash characters are escaped using the backslash escape character. However, no other characters are escaped.

Sounds spot on.

--- Additional comment from Tom Fonteyne on 2014-03-11 06:17:06 EDT ---

This fixed it for both slashes and backslashes:

String current = groupRefValues.next().replace("\\", "\\\\").replace("/", "\\/");

I'll be doing WildFly and EAP JIRA/BZ and pull requests later today.

Assigning this BZ to myself due to that.
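
The following is an added example (not code from the bug report or from the EAP code base) that models why the lookup fails and what the one-line fix changes: `DirContext.getAttributes(String, ...)` parses its string argument as a JNDI composite name, where "/" separates components and "\" is the escape character, so an unescaped AD DN containing "/" is split in two before it ever reaches the LDAP server. The splitter below reproduces only those two rules (no quoting), which is enough to show the two-element split from the report and that the escaped DN stays whole.

```python
# Added example: models JNDI composite-name splitting of an AD group DN.
# escape_for_jndi() is the same substitution as the fix quoted in the report.
from typing import List

SEPARATOR = "/"   # JNDI CompositeName component separator
ESCAPE = "\\"     # JNDI CompositeName escape character


def escape_for_jndi(dn: str) -> str:
    """Escape a DN so JNDI treats it as a single composite-name component.

    Backslashes must be doubled first; otherwise the backslash inserted in
    front of "/" would itself be doubled by the second replace."""
    return dn.replace("\\", "\\\\").replace("/", "\\/")


def split_composite(name: str) -> List[str]:
    """Split a JNDI-style composite name into its components.

    An ESCAPE followed by SEPARATOR or ESCAPE yields that character literally;
    any other "/" ends the current component. Quoting rules are not modelled."""
    components: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == ESCAPE and i + 1 < len(name) and name[i + 1] in (SEPARATOR, ESCAPE):
            current.append(name[i + 1])  # escaped "/" or "\" is kept literally
            i += 2
            continue
        if ch == SEPARATOR:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    return components


# Group DN from the report (the value AD returns in the user's memberOf attribute).
GROUP_DN = "CN=slash / group,CN=Users,DC=jbossuk,DC=com"

if __name__ == "__main__":
    # Unescaped: two components, exactly the "Remaining name" the exception shows.
    print(split_composite(GROUP_DN))
    # Escaped: one component that is the original DN.
    print(split_composite(escape_for_jndi(GROUP_DN)))
```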

Comment 1 Tom Fonteyne 2014-03-11 13:27:02 UTC
@Josef: I don't see a flag to request "jboss-eap-6.2.x"?

But this one is meant to go into the next CP: 2 or 3?

Comment 2 Ondrej Lukas 2014-05-06 11:28:53 UTC
Verified in EAP 6.2.3.CR2.