Bug 1288962 - [QE](6.4.z) LdapExtLoginModule does not handle loops in referrals
Summary: [QE](6.4.z) LdapExtLoginModule does not handle loops in referrals
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: jboss-set
QA Contact: Ondrej Lukas
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-12-07 06:20 UTC by Ondrej Lukas
Modified: 2016-03-09 13:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-09 13:18:37 UTC
Type: Bug
Embargoed:


Attachments
app.war (3.40 KB, application/zip) - 2015-12-07 06:20 UTC, Ondrej Lukas
server1.ldif (699 bytes, text/plain) - 2015-12-07 06:21 UTC, Ondrej Lukas
server2.ldif (425 bytes, text/plain) - 2015-12-07 06:22 UTC, Ondrej Lukas


Links
Red Hat Issue Tracker JBEAP-2156 (Priority: Critical, Status: New): LdapExtLoginModule does not handle loops in referrals. Last updated: 2017-01-24 16:23:32 UTC

Description Ondrej Lukas 2015-12-07 06:20:50 UTC
Created attachment 1103021
app.war

According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."

When the EAP server is configured to use LdapExtLoginModule with referrals and the LDAP servers contain a loop, it leads to an infinite cycle. It can result in java.lang.OutOfMemoryError on the EAP server.


How to reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif

2) Add following security domain to configuration:
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>

3) Deploy attached application app.war

4) Run periodically
curl -u jduke:Password1 http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin

-> java.lang.OutOfMemoryError on EAP server


[1] http://tools.ietf.org/html/rfc4511#section-4.1.10
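
The RFC rule quoted in the report (never send the same request to the same server twice) is the check a referral-chasing client has to enforce itself once java.naming.referral is set to "throw", because in that mode the JNDI provider hands the referral back as an exception instead of following it. The block below is an added illustration written for this page; it is not code from LdapExtLoginModule, EAP or any LDAP library. It simulates two in-memory directory servers whose role entry each refers to the other, which is the shape of loop the report describes, and a referral chaser that records every (server, base DN, filter) triple it has already sent, refuses to repeat one, and additionally caps the chain length so a long chain of distinct servers cannot tie the client up either. The server URLs, host names, DNs, role names and the hop limit are constructed for the example and are not taken from the attached LDIF files.

```python
"""Referral chasing with the loop check required by RFC 4511 section 4.1.10.

Constructed simulation, not JBoss or EAP code: an in-memory "server" maps a
base DN either to a list of role names or to a Referral pointing at another
server URL.
"""
from dataclasses import dataclass


class ReferralError(Exception):
    """Base class; `hops` records every server contacted before giving up."""

    def __init__(self, message, hops):
        super().__init__(message)
        self.hops = hops


class ReferralLoopError(ReferralError):
    """The same server would be asked the same request a second time."""


class ReferralLimitError(ReferralError):
    """The referral chain is longer than the client is willing to follow."""


@dataclass(frozen=True)
class Referral:
    url: str      # server the client is told to contact next
    base_dn: str  # DN to search there


ROLES_DN = "ou=Roles,dc=jboss,dc=org"

# Constructed data: port 10389 refers to 10390 and 10390 refers straight
# back, which is the loop the report describes.
LOOPING_SERVERS = {
    "ldap://localhost:10389": {ROLES_DN: Referral("ldap://localhost:10390", ROLES_DN)},
    "ldap://localhost:10390": {ROLES_DN: Referral("ldap://localhost:10389", ROLES_DN)},
}

# Constructed data: one referral, then a real answer.
HEALTHY_SERVERS = {
    "ldap://localhost:10389": {ROLES_DN: Referral("ldap://localhost:10390", ROLES_DN)},
    "ldap://localhost:10390": {ROLES_DN: ["TheDuke", "Admin"]},
}


def make_chain(length):
    """Constructed chain of `length` distinct servers, each referring onward."""
    return {
        f"ldap://host{i}:389": {ROLES_DN: Referral(f"ldap://host{i + 1}:389", ROLES_DN)}
        for i in range(length)
    }


def search_roles(servers, url, base_dn, role_filter, max_hops=5):
    """Search base_dn with role_filter on url, chasing referrals safely.

    Loop rule: a (server, base DN, filter) triple is sent at most once.
    Hop limit: even a chain of distinct servers is cut off at max_hops,
    so a misbehaving directory cannot keep the client busy indefinitely.
    Returns (roles, hops) where hops lists every server actually contacted.
    """
    visited = set()
    hops = []
    while True:
        key = (url, base_dn, role_filter)
        if key in visited:
            raise ReferralLoopError(f"referral loop: {url} already asked for {base_dn}", hops)
        if len(hops) >= max_hops:
            raise ReferralLimitError(f"gave up after {max_hops} referrals for {base_dn}", hops)
        visited.add(key)
        hops.append(url)
        answer = servers.get(url, {}).get(base_dn)
        if isinstance(answer, Referral):
            url, base_dn = answer.url, answer.base_dn  # follow it, then re-check
            continue
        return list(answer or []), hops  # unknown DN simply yields no roles


def diagnose(servers, url, base_dn, role_filter, max_hops=5):
    """Summarise a search as ("ok", roles), ("loop", hops) or ("limit", hops)."""
    try:
        roles, _ = search_roles(servers, url, base_dn, role_filter, max_hops)
        return "ok", roles
    except ReferralLoopError as exc:
        return "loop", exc.hops
    except ReferralLimitError as exc:
        return "limit", exc.hops


if __name__ == "__main__":
    cases = (
        ("healthy", HEALTHY_SERVERS, "ldap://localhost:10389"),
        ("looping", LOOPING_SERVERS, "ldap://localhost:10389"),
        ("long chain", make_chain(8), "ldap://host0:389"),
    )
    for name, servers, start in cases:
        print(name, diagnose(servers, start, ROLES_DN, "(member=uid=jduke)"))
```

The visited set is what turns the report's unbounded recursion into a single, cheap failure: on the looping data the second server's referral points back at a triple already sent, so the search stops after two hops instead of growing until the heap is exhausted. The hop limit is the complementary guard for chains that never repeat a server; both belong at the point in the client where the thrown ReferralException is caught and followed.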

Comment 1 Ondrej Lukas 2015-12-07 06:21:46 UTC
Created attachment 1103022
server1.ldif

Comment 2 Ondrej Lukas 2015-12-07 06:22:13 UTC
Created attachment 1103023
server2.ldif

