An LDAP server with (let's say) 1000 users in a group. When authenticating, a query is done to retrieve the groups for the user. Most LDAP servers will limit the attributes sent back based on the authorization of the user, but can be configured to return all information. The cause is:

    // Query for roles matching the role filter
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(searchScope);
    constraints.setTimeLimit(searchTimeLimit);
    rolesSearch(ctx, constraints, username, userDN, recursion, 0);

This used to also have:

    constraints.setReturningAttributes(new String[0]);

At some time this was taken out. It needs to go back in. According to the schedule it is too late for 6.3, as it would require a component update. Scheduling this for 6.4 when the flag becomes available. Will then also clone to get it into a 6.3 CP.
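The role search described above, written out as a stand-alone JNDI example (added here; this is not PicketBox's code). The weak and corrected SearchControls sit side by side; the roles context DN, the "(member={0})" filter and the limits are assumed values.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class RoleSearch {
    /** The mis-configuration from the bug: no setReturningAttributes(), so the null
     *  attribute list asks the server for every attribute of every matching group. */
    static SearchControls allAttributesControls(int scope, int timeLimitMs) {
        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(scope);
        constraints.setTimeLimit(timeLimitMs);
        return constraints;
    }

    /** Corrected: only the listed attributes come back; new String[0] returns none,
     *  which is enough when the role name is taken from the entry's DN. */
    static SearchControls restrictedControls(int scope, int timeLimitMs, String... wanted) {
        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(scope);
        constraints.setTimeLimit(timeLimitMs);
        constraints.setCountLimit(1000);            // also bound the number of entries
        constraints.setReturningAttributes(wanted); // the call the bug asks to restore
        return constraints;
    }

    /** Groups whose member attribute names the user, returned as DNs.
     *  rolesCtxDN and the filter are hypothetical; {0} is bound by JNDI, so the user
     *  DN is never concatenated into the filter string. */
    static List<String> findRoleDNs(DirContext ctx, String rolesCtxDN, String userDN)
            throws NamingException {
        SearchControls constraints =
                restrictedControls(SearchControls.SUBTREE_SCOPE, 10_000, new String[0]);
        NamingEnumeration<SearchResult> results =
                ctx.search(rolesCtxDN, "(member={0})", new Object[] { userDN }, constraints);
        List<String> roleDNs = new ArrayList<>();
        try {
            while (results.hasMore()) {
                roleDNs.add(results.next().getNameInNamespace());
            }
        } finally {
            results.close();
        }
        return roleDNs;
    }
}
```

With restrictedControls the server answers with bare DNs, so a 1000-member group costs one entry rather than its whole member list; swapping in allAttributesControls reproduces the behaviour the bug reports.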
The fix will be to upgrade the module PicketBox_4_0_21
Tom, if you fix the attribute search, then just check whether referrals still work in the role search (when 2 LDAP servers are used). The change in the search attributes was introduced by the following commit: https://source.jboss.org/changelog/PicketBox?cs=414 and the reason is described in: https://bugzilla.redhat.com/show_bug.cgi?id=914821#c29 and https://issues.jboss.org/browse/WFLY-808
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-836 to Resolved
Component fixes: JBoss Negotiation: https://github.com/wildfly-security/jboss-negotiation/tree/2.3.3.Final PicketBox: http://git.app.eng.bos.redhat.com/git/picketbox.git/tag/?h=eap62&id=4.0.19.SP8
Fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1104260 and https://bugzilla.redhat.com/show_bug.cgi?id=1104269
Verified for 6.3.0.ER7