1086787 – [GSS] (6.3.0) LdapExt login module fetches to many attributes in RoleSearch

Bug 1086787 - [GSS] (6.3.0) LdapExt login module fetches to many attributes in RoleSearch

Summary: [GSS] (6.3.0) LdapExt login module fetches to many attributes in RoleSearch

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.1.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ER7
Target Release:	EAP 6.3.0
Assignee:	Peter Skopek
QA Contact:	Josef Cacek
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:	1086795 1089068 1104260 1104269
TreeView+	depends on / blocked

Reported:	2014-04-11 13:31 UTC by Tom Fonteyne
Modified:	2014-06-28 15:30 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1086795 (view as bug list)
Environment:
Last Closed:	2014-06-28 15:30:21 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	914821	1	None	None	None	2021-01-20 06:05:38 UTC
Red Hat Issue Tracker	SECURITY-819	0	Major	Open	LdapExt login module fetches to many attributes in RoleSearch	2014-07-24 09:50:35 UTC
Red Hat Issue Tracker	SECURITY-836	0	Major	Resolved	AdvancedLdapLoginModule querying too many attributes.	2014-07-24 09:50:36 UTC
Red Hat Issue Tracker	WFLY-808	0	None	None	None	Never

Internal Links: 914821

Description Tom Fonteyne 2014-04-11 13:31:48 UTC

An LDAP server with (lets say) 1000 users in a group.
When authentication, a query is done to retrieve the groups for the user.

Most LDAP servers will limit the attributes send back based on authorization of the user, but can be configured to return all information.

The cause is:

/ Query for roles matching the role filter
SearchControls constraints = new SearchControls();
constraints.setSearchScope(searchScope);
constraints.setTimeLimit(searchTimeLimit);
rolesSearch(ctx, constraints, username, userDN, recursion, 0);

this used to also have:
constraints.setReturningAttributes(new String[0]);
at some time this was taken out.

It needs to go back in

According to the schedule it is to late for 6.3 as it would require a component update. Scheduling this for 6.4 when the flag becomes available. Will then also clone to get it into a 6.3 CP

Comment 1 Tom Fonteyne 2014-04-11 13:46:13 UTC

The fix will be to upgrade the module PicketBox_4_0_21

Comment 2 Josef Cacek 2014-04-16 11:29:46 UTC

Tom, if you fix the attribute search, then just check if referrals still work in role search (when 2 LDAP servers are used).

The change in search attribute was introduced by following commit:
https://source.jboss.org/changelog/PicketBox?cs=414

And the reason is described in:
https://bugzilla.redhat.com/show_bug.cgi?id=914821#c29
and
https://issues.jboss.org/browse/WFLY-808

Comment 9 JBoss JIRA Server 2014-06-03 17:38:59 UTC

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-836 to Resolved

Comment 10 Peter Skopek 2014-06-04 07:32:00 UTC

component fixes:
JBoss Negotiation: https://github.com/wildfly-security/jboss-negotiation/tree/2.3.3.Final
PicketBox: http://git.app.eng.bos.redhat.com/git/picketbox.git/tag/?h=eap62&id=4.0.19.SP8

Comment 11 Kabir Khan 2014-06-04 08:55:55 UTC

Fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1104260 and https://bugzilla.redhat.com/show_bug.cgi?id=1104269

Comment 12 Hynek Mlnarik 2014-06-19 15:23:49 UTC

Verified for 6.3.0.ER7

Note You need to log in before you can comment on or make changes to this bug.