Bug 1265713 - Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
Status: NEW
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Severity: medium
Assigned To: jboss-set
Reported: 2015-09-23 10:07 EDT by Ondrej Lukas
Modified: 2015-09-23 10:07 EDT
Doc Type: Bug Fix
Type: Bug
Description (Ondrej Lukas, 2015-09-23 10:07:39 EDT)
LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.

This problem is caused by searching attributes for a role DN that starts with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".

You can reproduce it with the following configuration:

Security domain:
<security-domain name="ldap">
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="searchScope" value="OBJECT_SCOPE"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
        </login-module>
</security-domain>

LDIF for role:
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org

It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
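As an added example that is not part of this report or of the PicketBox code base: the Python model below assumes that, as in JNDI, a search result's name is relative to the search base, so an OBJECT_SCOPE search rooted at rolesCtxDN returns the base entry itself with an empty relative name; naively joining that name to rolesCtxDN yields the leading-comma DN the reporter describes. All function names are assumptions; the DN values come from the report.

```python
"""Model of how a role DN is assembled from an LDAP search result.

Added example, not PicketBox code. It models the JNDI behaviour that a
SearchResult name is *relative* to the search base: under SUBTREE or
ONELEVEL scope the relative name is e.g. "cn=JBossAdmin", but under
OBJECT_SCOPE the base entry itself is returned with an empty name.
"""

ROLES_CTX_DN = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"  # from the bug report


def canonicalize_naive(relative_name: str, roles_ctx_dn: str) -> str:
    """Naive join of relative name and roles context DN (assumed defect).

    An empty relative name yields a DN beginning with a comma, which no
    later attribute lookup will resolve, so authentication fails.
    """
    return relative_name + "," + roles_ctx_dn


def canonicalize_fixed(relative_name: str, roles_ctx_dn: str) -> str:
    """Join that treats an empty relative name as 'the base entry itself'."""
    name = relative_name.strip()
    # Drop JNDI-style quoting around a composite name, if present.
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    if not name:
        return roles_ctx_dn
    return name + "," + roles_ctx_dn


def relative_name_for(scope: str, entry_dn: str, base_dn: str) -> str:
    """Modelled SearchResult.getName() for entry_dn found under base_dn."""
    if scope == "OBJECT_SCOPE":
        if entry_dn.lower() != base_dn.lower():
            raise ValueError("OBJECT_SCOPE only ever returns the base entry")
        return ""
    suffix = "," + base_dn
    if not entry_dn.lower().endswith(suffix.lower()):
        raise ValueError("entry is not under the search base")
    return entry_dn[: -len(suffix)]


def role_dn(scope: str, entry_dn: str, base_dn: str, fixed: bool = True) -> str:
    """Full role DN as the login module would build it for a search hit."""
    rel = relative_name_for(scope, entry_dn, base_dn)
    return (canonicalize_fixed if fixed else canonicalize_naive)(rel, base_dn)


if __name__ == "__main__":
    for scope, base in (("SUBTREE_SCOPE", "ou=Roles,dc=jboss,dc=org"),
                        ("OBJECT_SCOPE", ROLES_CTX_DN)):
        print(scope, "naive:", role_dn(scope, ROLES_CTX_DN, base, fixed=False))
        print(scope, "fixed:", role_dn(scope, ROLES_CTX_DN, base, fixed=True))
```

With SUBTREE_SCOPE both variants agree; only OBJECT_SCOPE exposes the difference, which matches the report's observation that the failure is scope-specific.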
