Bug 652800 - Unable to use parentheses in search filters for LDAP configuration
Summary: Unable to use parentheses in search filters for LDAP configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Core Server
Version: JON 3.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ER01
Target Release: JON 3.3.3
Assignee: RHQ Project Maintainer
QA Contact: Sunil Kondkar
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-11-12 19:53 UTC by Marc Shirley
Modified: 2018-11-14 16:26 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-30 16:41:16 UTC
Type: Bug
Embargoed:


Attachments
Screenshot (34.75 KB, image/png)
2015-07-14 09:09 UTC, Sunil Kondkar


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 42646 0 None None None Never
Red Hat Product Errata RHSA-2015:1525 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.3.3 update 2015-07-30 20:41:08 UTC

Description Marc Shirley 2010-11-12 19:53:16 UTC
Description of problem:
Currently, if parentheses are specified within the Group Search Filter, the LDAP search will return no results.  Removing the parentheses results in the correct results being returned.

Version-Release number of selected component (if applicable):
2.4_GA

How reproducible:
Very

Steps to Reproduce:
1. In LDAP configuration, set Group Search Filter property to below example, or equivalent for the LDAP environment:
   (objectclass=groupOfUniqueNames)
  
Actual results:
No results are returned when attempting to assign LDAP groups to roles.

Expected results:
Expect that LDAP groups would be retrieved in the same manner as when the Group Search Filter does not use parentheses, such as in below example:
   objectclass=groupOfUniqueNames

Comment 1 Charles Crouch 2010-12-01 22:39:46 UTC
It would be nice to be a little more lax in this case since I would expect the extra brackets are ignored by most LDAP query tools, and we should aim to act similarly here.

Comment 2 Charles Crouch 2011-09-30 17:47:44 UTC
FutureFeature Improvement

Comment 3 Tom Fonteyne 2013-07-19 12:00:09 UTC
We have hit this now also with JON 3.1.2 and newer versions of Java.

In older versions of Java this failed silently and no groups were returned.

In newer versions, we tested with 1.6.0_45 and 1.7.0_17, Java actually will throw an exception:

ERROR [org.rhq.enterprise.server.resource.group.LdapGroupManagerBean] The ldap group filter defined is invalid
javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=jbossuk,dc=redhat,dc=com'
        at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
        at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
        at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)

Comment 4 Jay Shaughnessy 2014-06-30 19:47:02 UTC
Simeon, any idea if this was ever enhanced?

Comment 5 Simeon Pinder 2014-09-17 13:13:38 UTC
We have not yet fixed/relaxed this handling.  It should just be a matter of checking for brackets and not adding them when they are already there with the underlying query.  I suspect the customers would like to add more complicated LDAP group logic here. Currently focused on JON 3.3 so not sure how soon we'll get to this.

Comment 7 Larry O'Leary 2015-01-05 17:52:42 UTC
This is considered a bug as parentheses are a standard part of a directory search query. The problem here is that JBoss ON is adding parentheses when it shouldn't. As comment 5 indicates, the expected behavior here is if no parentheses are provided by the user/configuration, they get implicitly added.
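
The handling described in comment 5 and comment 7, as an added example that is not the JBoss ON fix and not code from this bug: a configured filter without parentheses gets one pair added, an already parenthesised filter is passed through unchanged, and anything that is not a single balanced group is rejected instead of being wrapped into an invalid query. The class name, the and() composition and the sample filters are assumptions made for illustration.

```java
public class GroupFilterNormalizer {

    /** Returns the filter enclosed in exactly one outer pair of parentheses. */
    static String normalize(String raw) {
        String f = raw == null ? "" : raw.trim();
        if (f.isEmpty()) {
            throw new IllegalArgumentException("empty filter");
        }
        if (f.indexOf('(') < 0 && f.indexOf(')') < 0) {
            return "(" + f + ")";              // bare item: add the missing pair
        }
        if (!isSingleGroup(f)) {
            throw new IllegalArgumentException("not a single parenthesised filter");
        }
        return f;                              // already wrapped: leave untouched
    }

    /**
     * True when the first '(' is closed only by the final ')'.
     * Counting raw parentheses is sound because RFC 4515 requires literal
     * parentheses inside values to be written as \28 and \29.
     */
    static boolean isSingleGroup(String f) {
        if (f.charAt(0) != '(') {
            return false;
        }
        int depth = 0;
        for (int i = 0; i < f.length(); i++) {
            char c = f.charAt(i);
            if (c == '(') {
                depth++;
            } else if (c == ')' && --depth == 0) {
                return i == f.length() - 1;    // "(a=b)(c=d)" closes too early
            }
        }
        return false;                          // unbalanced: never closed
    }

    /** Assumed composition: AND the group filter with one more filter term. */
    static String and(String groupFilter, String term) {
        return "(&" + normalize(groupFilter) + term + ")";
    }

    public static void main(String[] args) {
        // Constructed sample filters, not taken from a real directory.
        String[] samples = { "objectclass=groupOfUniqueNames", "(objectclass=groupOfUniqueNames)",
            "(|(objectclass=group)(objectclass=groupOfNames))", "(objectclass=group)(cn=admins)" };
        for (String s : samples) {
            try { System.out.println(s + " -> " + and(s, "(cn=jon-admins)")); }
            catch (IllegalArgumentException e) { System.out.println(s + " -> rejected: " + e.getMessage()); }
        }
    }
}
```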

Comment 8 Michael Burman 2015-06-24 18:12:29 UTC
This looks like a duplicate of BZ 784164, which was fixed. Can someone verify that the bug really exists in JON 3.3?

Comment 9 Sunil Kondkar 2015-07-14 09:08:18 UTC
Verified on JBoss ON 3.3.3 ER01 build and Windows Server 2008 Active Directory.

In LDAP configuration, set Group Search Filter property to (objectclass=group)
The LDAP configuration is saved successfully without exception.

Results are returned while attempting to assign LDAP groups to roles. Also verified that the results filter in available groups is working. Please refer to the attached screenshot.

Comment 10 Sunil Kondkar 2015-07-14 09:09:08 UTC
Created attachment 1051704
Screenshot

Comment 11 Sunil Kondkar 2015-07-14 09:26:17 UTC
Test case added:
https://tcms.engineering.redhat.com/run/253435/#caserun_10357781

Comment 13 errata-xmlrpc 2015-07-30 16:41:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1525.html

