+++ This bug was initially created as a clone of Bug #1105619 +++ Description of problem: The LdapGroupSearcher code will fail if it tries to lookup a group that does not exist on the local ldap server. This can happen when the ldap systems are configured as trusted domains. Even though the security-realm is not configured to use the trusted domain (it is configured to only look at a single ldap server), the user's entry on one ldap server could point at a group that exists on the other (trusted) ldap server. The LdapGroupSearcher code attempts to lookup this role and it fails. This failure is sent back to the http server which results in an HTTP 500 error and leaves the user with no way to authenticate/login. There is currently not a way to tell the group searcher code to ignore the group/role that cannot be found. How reproducible: Create a user in ldap that has a "bogus" group. Log into the admin console as that user. Once the LdapGroupSearcher code looks up the user, it will fail when it attempts to lookup the "bogus" group.
PR https://github.com/jbossas/jboss-eap/pull/1436
I closed the PR without merging it according to Darran's comments, there is some more info on https://bugzilla.redhat.com/show_bug.cgi?id=1105619
I created a one-off [1] for this issue because a customer is running into this issue when RBAC is enabled. When they run into this, it is impossible for the users to log into the management console. The pull request was denied because a system property is used to enable the "ignore nonexistent group" logic. This option needs to be added to the ldap group searcher xml section of the config file. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1127938
Verified in 6.4.0.DR4.