+++ This bug was initially created as a clone of Bug #1074560 +++
and is meant for branch 6.2.x

Description of problem:

Using EAP 6.2.1 and Windows AD 2008R2 as the LDAP server:
- create an LDAP group that has a slash: CN=slash / group,CN=Users,DC=jbossuk,DC=com
- assign a user to that group (the user can also be assigned to other groups).
- configure for RBAC:

  <security-realm name="ADManagementRealm">
    <authentication>
      <ldap connection="adcon" base-dn="dc=jbossuk,dc=com" recursive="true">
        <username-filter attribute="sAMAccountName"/>
      </ldap>
    </authentication>
    <authorization>
      <ldap connection="adcon">
        <group-search group-dn-attribute="dn" group-name-attribute="cn">
          <principal-to-group group-attribute="memberOf"/>
        </group-search>
      </ldap>
    </authorization>
  </security-realm>

  <management>
    <access-control provider="rbac">
      <role-mapping>
        <role name="SuperUser">
          <include>
            <user name="tom"/>
            <user name="$local"/>
            <group name="JBossAdmin"/>
          </include>
        </role>
      </role-mapping>
    </access-control>
  </management>

Use the CLI, and login with that user:

  Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

Debugging led to org.jboss.as.domain.management.security.LdapGroupSearcherService:

  public LdapEntry[] groupSearch(DirContext dirContext, LdapEntry entry) throws IOException, NamingException {
      Set<LdapEntry> foundEntries = new HashSet<LdapEntry>();
      // Load the list of group.
      Attributes groups = dirContext.getAttributes(entry.getDistinguishedName(), new String[] {groupAttribute});
      Attribute groupRef = groups.get(groupAttribute);
      if (groupRef != null) {
          NamingEnumeration<String> groupRefValues = (NamingEnumeration<String>) groupRef.getAll();
          while (groupRefValues.hasMore()) {
              String current = groupRefValues.next();
              String groupName = null;
              if (groupNameAttribute != null) {
                  // Load the Name
                  Attributes groupNameAttrs = dirContext.getAttributes(current, new String[] { groupNameAttribute });

The last line throws an exception:

  e = (javax.naming.NamingException) javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
  Remaining name contained two elements: CN=slash<space> <space>group,CN=Users,DC=jbossuk,DC=com

(note: it would be nice if this was in fact sent to the log file)

It seems the "/" is seen as a "syntaxSeparator" (this is a field on the object): CN=slash

--- Additional comment from Tom Fonteyne on 2014-03-10 11:37:49 EDT ---

https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Shows a set of characters to escape. The "/" is not one of them though.
I'm setting up a test where I'll escape the "/" to check.

--- Additional comment from Tom Fonteyne on 2014-03-10 11:47:00 EDT ---

The same page also says:

  In the canonicalName both the forward slash and backslash characters are escaped using the backslash escape character. However, no other characters are escaped.

Sounds spot on.

--- Additional comment from Tom Fonteyne on 2014-03-11 06:17:06 EDT ---

This fixed it for both slashes and backslashes:

  String current = groupRefValues.next().replace("\\", "\\\\").replace("/", "\\/");

I'll be doing wildfly and eap jira/bz and pull requests later today. Assigning this BZ to myself due to that.
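The root cause is that DirContext.getAttributes(String) parses its argument as a JNDI composite name, in which "/" is the component separator, so an unescaped slash inside an LDAP DN splits the name into the "two elements" seen in the exception. The following stand-alone example is added here to make that visible; it is not code from this bug, from EAP or from WildFly. It reproduces the escaping from the comment above and additionally shows the alternative of passing the DN as a javax.naming.ldap.LdapName, which JNDI treats as a single compound name and so never splits on "/". The class name DnSlashDemo and the sample DN are constructed for the example.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

public class DnSlashDemo {

    /** Escape a DN so that a JNDI composite name keeps it as one component
     *  (same two replacements as the fix in the bug comment: backslash first,
     *  then forward slash). */
    static String escapeForCompositeName(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    /** Number of components JNDI would see if this string were passed to
     *  DirContext.getAttributes(String): anything above 1 means the DN was split. */
    static int compositeComponents(String dn) throws InvalidNameException {
        return new CompositeName(dn).size();
    }

    /** Number of RDNs in the DN when parsed with LDAP syntax: "/" is an
     *  ordinary character here, so the group DN below yields 4 RDNs. */
    static int ldapRdns(String dn) throws InvalidNameException {
        return new LdapName(dn).size();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DN containing a slash inside the CN, as in the report.
        String dn = "CN=slash / group,CN=Users,DC=jbossuk,DC=com";

        // Unescaped: 2 composite components -> "Remaining name contained two elements".
        System.out.println("composite components (raw):     " + compositeComponents(dn));
        // Escaped as in the fix: 1 component, the whole DN reaches the LDAP provider intact.
        System.out.println("composite components (escaped): "
                + compositeComponents(escapeForCompositeName(dn)));
        // Alternative: hand the provider an LdapName. Passing this Name object to
        // DirContext.getAttributes(Name, String[]) skips composite-name parsing entirely.
        Name ldapName = new LdapName(dn);
        System.out.println("LDAP RDNs:                      " + ldapRdns(dn));
        System.out.println("LdapName toString():            " + ldapName);
    }
}
```

The escaping approach changes only what JNDI sees; the string sent to the directory is still the original DN, because the JNDI composite-name layer removes the backslashes before handing the component to the LDAP provider. The LdapName approach has the same effect without string manipulation and is the safer default whenever a DN read back from the directory (such as a memberOf value) is reused as a lookup name.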
@Josef: I don't see a flag to request "jboss-eap-6.2.x"? But this one is meant to go into the next CP: 2 or 3?
Verified in EAP 6.2.3.CR2.