When LDAP authorization with principal-to-group group searching is used in a security realm and the LDAP entry found through the value of 'group-attribute' does not contain the attribute named in 'group-name-attribute', authentication fails. The cause is a missing null check for groupNameAttr, which results in a hidden NPE thrown from [1].

Steps to reproduce:

1) Use the following security realm:

<security-realm name="ldap-security-realm">
  <authentication>
    <ldap connection="ldap_connection" base-dn="dc=jboss,dc=org" recursive="true">
      <username-filter attribute="uid"/>
    </ldap>
  </authentication>
  <authorization>
    <ldap connection="ldap_connection">
      <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="dn" group-name-attribute="description">
        <principal-to-group group-attribute="sn"/>
      </group-search>
    </ldap>
  </authorization>
</security-realm>
...
<outbound-connections>
  <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

2) Use this security realm for RBAC access to the management console:

<management-interfaces>
  <native-interface security-realm="ManagementRealm">
    <socket-binding native="management-native"/>
  </native-interface>
  <http-interface security-realm="ldap-security-realm">
    <socket-binding http="management-http"/>
  </http-interface>
</management-interfaces>
<access-control provider="rbac">
  <role-mapping>
    <role name="SuperUser">
      <include>
        <user name="$local"/>
        <group name="JBossAdmin"/>
      </include>
    </role>
  </role-mapping>
</access-control>

3) Use an LDAP server loaded with the attached ldif.

4) Try to access the management console as jduke/Password - it fails.

5) Uncomment the line 'description: Monitor' in the ldif and try to access the management console again - it succeeds.

[1] https://github.com/jbossas/jboss-eap/blob/8d2e4ac38fc3a170b3d049532a3cbb0dc13efe65/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L302
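The following is an added illustration, not code from the report or from the JBoss code base: it models the principal-to-group lookup the realm above performs (user entry -> values of group-attribute -> group entry -> group-name-attribute) against a constructed in-memory directory that stands in for the LDAP server and the attached ldif. The first resolver reproduces the failure mode described here (a group entry without the group-name attribute aborts the whole search, so the login fails); the second shows the null check that makes the missing attribute a logged, skipped entry instead. All DNs and attribute values are constructed for the example.

```python
"""Model of the principal-to-group group search described in the bug report.

Constructed example: a dict stands in for the LDAP server; the DNs and values
below are invented and are not taken from the attached ldif.
"""
import logging

log = logging.getLogger("group-search")

# Constructed directory: DN -> attributes, each attribute a list of values.
# With group-attribute="sn" and group-dn-attribute="dn", the user's 'sn'
# values are the DNs of group entries; with group-name-attribute="description",
# a group's 'description' is the name used for role mapping.
DIRECTORY = {
    "uid=jduke,ou=people,dc=jboss,dc=org": {
        "uid": ["jduke"],
        "sn": [
            "cn=monitors,ou=groups,dc=jboss,dc=org",
            "cn=admins,ou=groups,dc=jboss,dc=org",
        ],
    },
    # Group entry WITHOUT the group-name attribute: the failing case in the report.
    "cn=monitors,ou=groups,dc=jboss,dc=org": {
        "cn": ["monitors"],
    },
    "cn=admins,ou=groups,dc=jboss,dc=org": {
        "cn": ["admins"],
        "description": ["JBossAdmin"],
    },
}


def lookup(directory, dn):
    """Return the entry's attributes, or None when the DN does not exist."""
    return directory.get(dn)


def groups_without_null_check(directory, user_dn, group_attribute, group_name_attribute):
    """Mirrors the reported behaviour: the group-name attribute is read without
    checking that it exists, so one incomplete group entry crashes the search
    (TypeError here plays the role of the NPE) and authentication fails."""
    names = []
    for group_dn in directory[user_dn].get(group_attribute, []):
        entry = lookup(directory, group_dn)
        values = entry.get(group_name_attribute) if entry else None
        names.append(values[0])  # None[0] -> TypeError, the NPE analogue
    return names


def groups_with_null_check(directory, user_dn, group_attribute, group_name_attribute):
    """Defensive version: a group entry that cannot be found or lacks the
    group-name attribute is logged and skipped; the remaining groups still
    resolve, so the user is authenticated with the groups that do have names."""
    names = []
    user = lookup(directory, user_dn)
    if user is None:
        return names
    for group_dn in user.get(group_attribute, []):
        entry = lookup(directory, group_dn)
        if entry is None:
            log.warning("group entry %s referenced by %s not found", group_dn, user_dn)
            continue
        values = entry.get(group_name_attribute)
        if not values:
            log.warning("group entry %s has no '%s' attribute; skipping",
                        group_dn, group_name_attribute)
            continue
        names.extend(values)
    return names


def search_crashes(fn, *args):
    """Helper that reports whether a resolver aborts with the NPE analogue."""
    try:
        fn(*args)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    user = "uid=jduke,ou=people,dc=jboss,dc=org"
    print("without null check crashes:",
          search_crashes(groups_without_null_check, DIRECTORY, user, "sn", "description"))
    print("with null check resolves:",
          groups_with_null_check(DIRECTORY, user, "sn", "description"))
```

Running the script shows the first resolver aborting on the 'monitors' entry while the second logs a warning for it and still returns the 'JBossAdmin' group, which is the behaviour step 5 of the report obtains only after adding the missing 'description' line to the ldif.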
Created attachment 1112781: groupsearch.ldif