First Last Prev Next    This bug is not in your last search results.
Bug 1265713 - Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
Status: NEW
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security (Show other bugs)
6.4.0
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: jboss-set
Ondrej Lukas
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-23 10:07 EDT by Ondrej Lukas
Modified: 2015-09-23 10:07 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Ondrej Lukas 2015-09-23 10:07:39 EDT 
LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.

This problem is caused by searching attributes for role DN which starts with comma - e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".

You can reproduce it by following configuration:

Security domain:
<security-domain name="ldap">
    <authentication>
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="searchScope" value="OBJECT_SCOPE"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
        </login-module>
    </authentication>
</security-domain>

LDIF for role:
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org


It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.