Bug 1288965 - [QE](6.4.z) AdvancedLdapLoginModule does not handle loops in referrals
Status: CLOSED WONTFIX
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Severity: high
Assigned To: jboss-set
Ondrej Lukas
Reported: 2015-12-07 01:26 EST by Ondrej Lukas
Modified: 2016-03-09 08:21 EST
Doc Type: Bug Fix
Last Closed: 2016-03-09 08:21:06 EST
Type: Bug
Attachments
app.war (3.70 KB, application/zip), 2015-12-07 01:26 EST, Ondrej Lukas
server1.ldif (699 bytes, text/plain), 2015-12-07 01:27 EST, Ondrej Lukas
server2.ldif (425 bytes, text/plain), 2015-12-07 01:27 EST, Ondrej Lukas


External Trackers
JBoss Issue Tracker JBEAP-2157 (Priority: Critical, Status: Closed): AdvancedLdapLoginModule does not handle loops in referrals. Last updated 2017-04-23 21:37 EDT.

Description Ondrej Lukas 2015-12-07 01:26:35 EST
Created attachment 1103025
app.war

According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."

When the EAP server is configured to use AdvancedLdapLoginModule, which uses referrals, and the LDAP servers contain a loop, it leads to an infinite cycle. It can result in a java.lang.OutOfMemoryError on the EAP server.


How to reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif

2) Add following security domain to configuration:
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>

3) Deploy attached application app.war

4) Run periodically
curl -u jduke:Password1 http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin

-> java.lang.OutOfMemoryError on EAP server


[1] http://tools.ietf.org/html/rfc4511#section-4.1.10
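As an added example (not code from this report or from EAP's AdvancedLdapLoginModule), the Python below simulates the two-server referral loop the attached LDIF files set up and shows the guard RFC 4511 section 4.1.10 calls for: remember every (server, base DN, filter) request already issued and never repeat it, with a hop cap as a backstop so a bypassed guard fails loudly instead of growing without bound. The server URLs, role names and in-memory directory data are constructed assumptions modelled on the configuration above.

```python
# Added example, not code from the bug report or EAP's AdvancedLdapLoginModule:
# a simplified referral chaser with the loop guard RFC 4511 section 4.1.10 requires.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

class ReferralLoopError(Exception): """Referral chasing exceeded its hop budget."""

@dataclass
class Server:
    referrals: Dict[str, List[str]] = field(default_factory=dict)  # base DN -> referral URLs
    roles: Dict[str, List[str]] = field(default_factory=dict)      # base DN -> role names

ROLES_DN = "ou=Roles,dc=jboss,dc=org"
# Constructed stand-in for server1.ldif / server2.ldif: each server's role subtree
# refers to the other server's, so chasing without a guard never terminates.
SERVERS: Dict[str, Server] = {
    "ldap://localhost:10389": Server({ROLES_DN: [f"ldap://localhost:10390/{ROLES_DN}"]},
                                     {ROLES_DN: ["TheDuke"]}),
    "ldap://localhost:10390": Server({ROLES_DN: [f"ldap://localhost:10389/{ROLES_DN}"]},
                                     {ROLES_DN: ["Admin"]}),
}

def split_url(url: str) -> Tuple[str, str]:
    """Split 'ldap://host:port/dn' into (server URL, base DN)."""
    scheme, rest = url.split("://", 1)
    host, _, dn = rest.partition("/")
    return f"{scheme}://{host}", dn

def collect_roles(server_url: str, base_dn: str, role_filter: str,
                  detect_loops: bool = True, max_hops: int = 10) -> List[str]:
    """Search base_dn on server_url, follow referrals and collect role names."""
    seen = set()                      # (server, base DN, filter) requests already issued
    pending, roles, hops = [(server_url, base_dn)], [], 0
    while pending:
        srv, dn = pending.pop(0)
        key = (srv, dn, role_filter)  # same server, same request, same parameters
        if detect_loops and key in seen:
            continue                  # already answered: never repeat this request
        if hops >= max_hops:          # hard cap, in case the guard is disabled or bypassed
            raise ReferralLoopError(f"gave up after {max_hops} referral hops")
        hops += 1
        seen.add(key)
        server = SERVERS[srv]
        roles.extend(server.roles.get(dn, []))
        pending.extend(split_url(ref) for ref in server.referrals.get(dn, []))
    return sorted(set(roles))
```

With the guard on, both servers are queried once and both roles come back; with it off (`detect_loops=False`), the same two requests alternate until the hop cap raises ReferralLoopError, which is the bounded stand-in for the unbounded cycle the report describes.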
Comment 1 Ondrej Lukas 2015-12-07 01:27 EST
Created attachment 1103026
server1.ldif
Comment 2 Ondrej Lukas 2015-12-07 01:27 EST
Created attachment 1103028
server2.ldif
