Bug 1265713 - Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
Summary: Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
: ---
Assignee: jboss-set
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-09-23 14:07 UTC by Ondrej Lukas
Modified: 2019-08-19 12:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:44:56 UTC
Type: Bug
Embargoed:



Description Ondrej Lukas 2015-09-23 14:07:39 UTC
LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.

This problem is caused by searching attributes for a role DN that starts with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".

You can reproduce it with the following configuration:

Security domain:
<security-domain name="ldap">
    <authentication>
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="searchScope" value="OBJECT_SCOPE"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
        </login-module>
    </authentication>
</security-domain>

LDIF for role:
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org


It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
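The DN composition that produces the leading comma, as an added illustration (this is not PicketBox's canonicalize() and not part of the bug report). With OBJECT_SCOPE the only entry a JNDI search can return is the search base itself, and SearchResult.getName() then reports an empty relative name; concatenating that with "," + base yields the malformed ",cn=JBossAdmin,..." DN seen above. The helper names canonicalizeNaive and canonicalizeSafe are hypothetical; the safe variant builds the DN with javax.naming.ldap.LdapName and treats an empty relative name as "the base entry itself".

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DnCanonicalizeDemo {

    // Naive composition: relative search-result name + "," + search base.
    // Works for ONELEVEL/SUBTREE hits below the base, but for an OBJECT_SCOPE
    // hit the relative name is "" and the result starts with a comma.
    static String canonicalizeNaive(String relativeName, String baseDn) {
        return relativeName + "," + baseDn;
    }

    // Scope-safe composition (hypothetical helper, not PicketBox code): an empty
    // relative name means the base entry matched, so the base DN is returned as-is.
    // LdapName also rejects a malformed relative name instead of silently gluing it on.
    static String canonicalizeSafe(String relativeName, String baseDn) throws InvalidNameException {
        LdapName dn = new LdapName(baseDn);
        if (relativeName != null && !relativeName.isEmpty()) {
            // addAll appends RDNs at the "end" of the LdapName, i.e. the leftmost
            // (least significant) position, giving "<relative>,<base>".
            dn.addAll(new LdapName(relativeName));
        }
        return dn.toString();
    }

    // True if the string parses as an RFC 2253 DN.
    static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs taken from the LDIF in this report.
        String rolesCtx = "ou=Roles,dc=jboss,dc=org";
        String roleEntry = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org";

        // ONELEVEL/SUBTREE search from ou=Roles: relative name is the role's RDN, both variants agree.
        System.out.println(canonicalizeNaive("cn=JBossAdmin", rolesCtx));
        System.out.println(canonicalizeSafe("cn=JBossAdmin", rolesCtx));

        // OBJECT_SCOPE search with rolesCtxDN pointing at the role entry: relative name is "".
        String broken = canonicalizeNaive("", roleEntry);
        System.out.println(broken + "  valid DN? " + isValidDn(broken));

        String fixed = canonicalizeSafe("", roleEntry);
        System.out.println(fixed + "  valid DN? " + isValidDn(fixed));
    }
}
```

Run with `javac DnCanonicalizeDemo.java && java DnCanonicalizeDemo`. The naive line prints ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org" and LdapName refuses to parse it, which is the DN the description says the login module goes on to search and fail on; the safe variant returns the base DN unchanged. When the JNDI search result is available, SearchResult.getNameInNamespace() already yields the full DN and avoids composing it by hand at all.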

