Bug 1194226
| Summary: | Filter part of LdapURL is not handled properly in com.sun.jndi.ldap.LdapReferralContext class | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Josef Cacek <jcacek> | ||||
| Component: | java-1.7.0-openjdk | Assignee: | Stanislav Baiduzhyi <sbaiduzh> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Zachar <lzachar> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.0 | CC: | ahughes, dbhole, isenfeld, oskutka, sbaiduzh | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | java-1.7.0-openjdk-1.7.0.80-2.6.0.0.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-11-19 03:54:53 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Josef Cacek
2015-02-19 11:23:20 UTC
Detailed reproducer: --------------------- # install JDKs and LDAP utils yum install -y java-1.6.0-openjdk-devel java-1.7.0-openjdk-devel openldap-clients # OpenDS has some issues with newer Java versions, so let's use 1.6 export OPENDS_JAVA_BIN=/usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/java # for the Java LDAP client we'll use OpenJDK 1.7 export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk export PATH=$JAVA_HOME/bin:$PATH # download and unpack the OpenDS LDAP server wget http://java.net/downloads/opends/promoted-builds/2.2.1/OpenDS-2.2.1.zip unzip -q OpenDS-2.2.1.zip # configure and start OpenDS on port 10389 cd OpenDS-2.2.1 ./setup -i -n -b "dc=example,dc=com" -a -p 10389 -S -D "cn=Directory Manager" -w secret # add sample LDAP data (with a referral pointing to the same server) ldapadd -x -H "ldap://localhost:10389/" -D "cn=Directory Manager" -w secret << EOT dn: ou=People,dc=example,dc=com objectclass: top objectclass: organizationalUnit ou: People dn: ou=RefPeople,dc=example,dc=com objectclass: top objectclass: organizationalUnit ou: RefPeople dn: uid=jduke,ou=People,dc=example,dc=com objectclass: top objectclass: uidObject objectclass: person uid: jduke cn: Java Duke sn: Duke userPassword: theduke dn: ou=Refs,ou=People,dc=example,dc=com objectClass: extensibleObject objectClass: referral objectClass: top ou: Refs ref: ldap://localhost:10389/ou=RefPeople,dc=example,dc=com EOT # prepare Java test program cat << EOT >> LdapTest.java import java.util.Properties; import javax.naming.*; import javax.naming.directory.SearchResult; import javax.naming.ldap.*; public class LdapTest { public static void main(String[] args) throws NamingException { final String ldapUrl = "ldap://localhost:10389"; final Properties env = new Properties(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, ldapUrl); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager"); env.put(Context.SECURITY_CREDENTIALS, "secret"); env.put(Context.REFERRAL, "follow"); final LdapContext ctx = new InitialLdapContext(env, null); final NamingEnumeration<?> namingEnum = ctx.search("ou=People,dc=example,dc=com", "(objectclass=*)", null); while (namingEnum.hasMore()) { SearchResult sr = (SearchResult) namingEnum.next(); System.out.println("NameInNamespace: " + sr.getNameInNamespace()); System.out.println("Name: " + sr.getName()); System.out.println(); } namingEnum.close(); ctx.close(); } } EOT # compile and run the Java client javac LdapTest.java java LdapTest # result is: Exception in thread "main" javax.naming.PartialResultException [Root exception is javax.naming.directory.InvalidSearchFilterException: Empty filter [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'ou=People,dc=example,dc=com']; remaining name ''] # do the same search with ldapsearch util: ldapsearch -x -H 'ldap://localhost:10389/' -b 'ou=People,dc=example,dc=com' -D "cn=Directory Manager" -w secret -C # the expected data are correctly displayed # let's fix the behavior in the Java debugger (we'll simply replace empty String by null) # start the client suspeded in debug mode java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8787 LdapTest # attach with the debugger jdb -attach 8787 # use following commands in the debugger interface: # add the breakpoint to LdapReferralContext.overrideFilter method stop in com.sun.jndi.ldap.LdapReferralContext.overrideFilter(java.lang.String) # run the suspended program cont # print what's in the LdapReferralContext object dump this # change value of member variable urlFilter from empty String to null set this.urlFilter=null # check the values again (you should see the null value in the urlFilter) dump this # let the program continue cont # Now the Java client finished succesfully with the expected result: # [root@host OpenDS-2.2.1]# java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8787 LdapTest # Listening for transport dt_socket at address: 8787 # NameInNamespace: uid=jduke,ou=People,dc=example,dc=com # Name: uid=jduke # # NameInNamespace: ou=RefPeople,dc=example,dc=com # Name: ldap://localhost:10389/ou=RefPeople,dc=example,dc=com Created attachment 1014906 [details]
Patch, submitted for review to upstream
Patch backported to 8u-dev, will appear in 8u60 release. http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/d4186d4bc3fb Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-2177.html |