Bug 1194226 - Filter part of LdapURL is not handled properly in com.sun.jndi.ldap.LdapReferralContext class
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
Assignee: Stanislav Baiduzhyi
QA Contact: Lukáš Zachar
Reported: 2015-02-19 11:23 UTC by Josef Cacek
Modified: 2016-05-05 04:41 UTC

Fixed In Version: java-1.7.0-openjdk-1.7.0.80-2.6.0.0.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 03:54:53 UTC


Attachments
Patch, submitted for review to upstream (5.38 KB, patch), 2015-04-15 16:58 UTC, Stanislav Baiduzhyi


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Icedtea Bugzilla | 2470 | 0 | None | None | None | Never
Red Hat Product Errata | RHEA-2015:2177 | 0 | normal | SHIPPED_LIVE | java-1.7.0-openjdk bug fix and enhancement update | 2015-11-19 07:52:28 UTC

Description Josef Cacek 2015-02-19 11:23:20 UTC
Description of problem:

LDAP URL is not parsed properly in the LdapReferralContext class.

The LDAP URL as defined in RFC-2255 [1] has an optional filter part. The RFC says:
If filter is omitted, a filter of "(objectClass=*)" is assumed.

The filter can be omitted in 2 ways:
1) filter part is missing in the URL:
ldap://localhost:10389/ou=RefPeople,dc=example,dc=com??sub
2) filter part is empty in the URL
ldap://localhost:10389/ou=RefPeople,dc=example,dc=com??sub?

The second way is not supported by com.sun.jndi.ldap.LdapReferralContext class. It fails to follow LDAP referrals, because it checks the filter only for null value and not for the empty String.

Version-Release number of selected component (if applicable):
OpenJDK 1.6.0
OpenJDK 1.7.0
OpenJDK 1.8.0

How reproducible:
always

Steps to Reproduce:
1. install OpenDS LDAP server and add some referrals
2. search the LDAP from a Java client with java.naming.referral="follow" set
(I'll provide more detailed steps in the next comment.)

Actual results:
Exception is thrown - javax.naming.PartialResultException [Root exception is javax.naming.directory.InvalidSearchFilterException: Empty filter [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'ou=People,dc=example,dc=com']; remaining name '']

Expected results:
The Java client successfully follows referrals in the same way as the "ldapsearch" util (from the OpenLDAP package) does.

Additional info:

[1] https://tools.ietf.org/html/rfc2255#section-3
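
Added example (not part of the bug report and not the OpenJDK patch): a sketch of the two omitted-filter forms from the description above, showing why a null-only check passes the empty string on as the search filter. The class and method names are hypothetical, the third URL is constructed, and percent-decoding of the filter field is left out.

```java
import java.net.URI;

public class LdapUrlFilterDemo {
    // Default from RFC 2255 when the filter is omitted.
    static final String DEFAULT_FILTER = "(objectClass=*)";

    /** Raw filter field of an LDAP URL: null if absent, "" if present but empty. */
    static String filterField(String ldapUrl) {
        String query = URI.create(ldapUrl).getRawQuery(); // text after the first '?'
        if (query == null) {
            return null;
        }
        // RFC 2255 field order after the DN: attributes ? scope ? filter ? extensions
        String[] fields = query.split("\\?", -1); // -1 keeps trailing empty fields
        return fields.length > 2 ? fields[2] : null;
    }

    /** Null-only check, as the report describes: "" is used as the search filter. */
    static String nullCheckOnly(String urlFilter) {
        return urlFilter == null ? DEFAULT_FILTER : urlFilter;
    }

    /** Missing and empty fields are both treated as "filter omitted". */
    static String nullOrEmptyCheck(String urlFilter) {
        return (urlFilter == null || urlFilter.isEmpty()) ? DEFAULT_FILTER : urlFilter;
    }

    public static void main(String[] args) {
        String[] urls = {
            "ldap://localhost:10389/ou=RefPeople,dc=example,dc=com??sub",   // field missing
            "ldap://localhost:10389/ou=RefPeople,dc=example,dc=com??sub?",  // field empty
            "ldap://localhost:10389/ou=RefPeople,dc=example,dc=com??sub?(uid=jduke)" // constructed
        };
        for (String url : urls) {
            String field = filterField(url);
            System.out.printf("%s%n  field=%s  null-only=\"%s\"  null-or-empty=\"%s\"%n",
                    url, field == null ? "null" : "\"" + field + "\"",
                    nullCheckOnly(field), nullOrEmptyCheck(field));
        }
    }
}
```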

Comment 1 Josef Cacek 2015-02-19 11:23:58 UTC
Detailed reproducer:
---------------------

# install JDKs and LDAP utils
yum install -y java-1.6.0-openjdk-devel java-1.7.0-openjdk-devel openldap-clients

# OpenDS has some issues with newer Java versions, so let's use 1.6
export OPENDS_JAVA_BIN=/usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/java

# for the Java LDAP client we'll use OpenJDK 1.7
export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk
export PATH=$JAVA_HOME/bin:$PATH

# download and unpack the OpenDS LDAP server
wget http://java.net/downloads/opends/promoted-builds/2.2.1/OpenDS-2.2.1.zip
unzip -q OpenDS-2.2.1.zip

# configure and start OpenDS on port 10389
cd OpenDS-2.2.1
./setup -i -n -b "dc=example,dc=com" -a -p 10389 -S -D "cn=Directory Manager" -w secret

# add sample LDAP data (with a referral pointing to the same server)
ldapadd -x -H "ldap://localhost:10389/" -D "cn=Directory Manager" -w secret << EOT
dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: ou=RefPeople,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: RefPeople

dn: uid=jduke,ou=People,dc=example,dc=com
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=Refs,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: Refs
ref: ldap://localhost:10389/ou=RefPeople,dc=example,dc=com

EOT

# prepare Java test program
cat << 'EOT' > LdapTest.java
import java.util.Properties;

import javax.naming.*;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.*;

public class LdapTest {

    public static void main(String[] args) throws NamingException {
        final String ldapUrl = "ldap://localhost:10389";
        final Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        env.put(Context.SECURITY_CREDENTIALS, "secret");
        env.put(Context.REFERRAL, "follow");
        final LdapContext ctx = new InitialLdapContext(env, null);
        final NamingEnumeration<?> namingEnum = ctx.search("ou=People,dc=example,dc=com", "(objectclass=*)", null);
        while (namingEnum.hasMore()) {
            SearchResult sr = (SearchResult) namingEnum.next();
            System.out.println("NameInNamespace: " + sr.getNameInNamespace());
            System.out.println("Name:            " + sr.getName());
            System.out.println();
        }
        namingEnum.close();
        ctx.close();
    }
}
EOT

# compile and run the Java client
javac LdapTest.java
java LdapTest

# result is: Exception in thread "main" javax.naming.PartialResultException [Root exception is javax.naming.directory.InvalidSearchFilterException: Empty filter [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'ou=People,dc=example,dc=com']; remaining name '']

# do the same search with ldapsearch util:
ldapsearch -x -H 'ldap://localhost:10389/' -b 'ou=People,dc=example,dc=com' -D "cn=Directory Manager" -w secret -C

# the expected data are correctly displayed

# let's fix the behavior in the Java debugger (we'll simply replace empty String by null)
# start the client suspended in debug mode
java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8787 LdapTest

# attach with the debugger
jdb -attach 8787

# use following commands in the debugger interface:
# add the breakpoint to LdapReferralContext.overrideFilter method
stop in com.sun.jndi.ldap.LdapReferralContext.overrideFilter(java.lang.String)
# run the suspended program 
cont
# print what's in the LdapReferralContext object
dump this
# change value of member variable urlFilter from empty String to null
set this.urlFilter=null
# check the values again (you should see the null value in the urlFilter)
dump this
# let the program continue
cont

# Now the Java client finished successfully with the expected result:
# [root@host OpenDS-2.2.1]# java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8787 LdapTest
# Listening for transport dt_socket at address: 8787
# NameInNamespace: uid=jduke,ou=People,dc=example,dc=com
# Name:            uid=jduke
# 
# NameInNamespace: ou=RefPeople,dc=example,dc=com
# Name:            ldap://localhost:10389/ou=RefPeople,dc=example,dc=com

Comment 3 Stanislav Baiduzhyi 2015-04-15 16:58:56 UTC
Created attachment 1014906
Patch, submitted for review to upstream

Comment 5 Stanislav Baiduzhyi 2015-06-23 14:23:14 UTC
Patch backported to 8u-dev, will appear in 8u60 release.
http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/d4186d4bc3fb

Comment 10 errata-xmlrpc 2015-11-19 03:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2177.html

