1105619 – [GSS] (6.2.x) Nonexistent ldap group causes authentication to fail in security-realm

Bug 1105619 - [GSS] (6.2.x) Nonexistent ldap group causes authentication to fail in security-realm

Summary: [GSS] (6.2.x) Nonexistent ldap group causes authentication to fail in securit...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Domain Management
Sub Component:
Version:	6.2.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	EAP 6.2.4
Assignee:	Carlo de Wolf
QA Contact:	Josef Cacek
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:	1105677 1128176
Blocks:	eap62-cp04-blockers 1127938 1143052
TreeView+	depends on / blocked

Reported:	2014-06-06 14:30 UTC by Derek Horton
Modified:	2019-03-22 07:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1105677 1127938 (view as bug list)
Environment:
Last Closed:	2014-06-12 08:45:22 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	WFLY-3464	0	Major	Resolved	Nonexistent ldap group causes authentication to fail in security-realm	2017-08-11 13:36:25 UTC

Description Derek Horton 2014-06-06 14:30:32 UTC

Description of problem:
The LdapGroupSearcher code will fail if it tries to lookup a group that 
does not exist on the local ldap server.

This can happen when the ldap systems are configured as trusted domains.  
Even though the security-realm is not configured to use the trusted domain
(it is configured to only look at a single ldap server), the 
user's entry on one ldap server could point at a group that exists on 
the other (trusted) ldap server.

The LdapGroupSearcher code attempts to lookup this role and it fails.  This 
failure is sent back to the http server which results in an HTTP 500 error
and leaves the user with no way to authenticate/login.

There is currently not a way to tell the group searcher code to ignore the 
group/role that cannot be found.


How reproducible:
Create a user in ldap that has a "bogus" group.  Log into the admin console as that user.  Once the LdapGroupSearcher code looks up the user, it will fail when it attempts to lookup the "bogus" group.

Comment 3 Carlo de Wolf 2014-06-12 08:45:39 UTC

Missed the cut.

Note You need to log in before you can comment on or make changes to this bug.