I have a group in AD with this DN: CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com and a user belonging to this group. RecurseRoles is set to true.

Running test 3 of the negotiation toolkit fails. Debugging led to org/jboss/security/negotiation/AdvancedLdapLoginModule.java:

{code}
protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
{code}

which bombs out with the exception:

{code}
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com'
{code}

Further debugging led to a fix - here is the function that needs modifying:

{code}
protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
{
    if (log.isTraceEnabled())
        log.trace("rolesSearch resultDN = " + dn);

    String[] attrNames = {roleAttributeID};
    Attributes result = searchContext.getAttributes(dn, attrNames);
    if (result != null && result.size() > 0)
    {
        Attribute roles = result.get(roleAttributeID);
        for (int n = 0; n < roles.size(); n++)
        {
            String roleName = (String) roles.get(n);
            if (roleAttributeIsDN)
            {
                // Query the roleDN location for the value of roleNameAttributeID
                String baseRoleDN = roleName;
                String roleDN = "\"" + baseRoleDN + "\"";
                loadRoleByRoleNameAttributeID(searchContext, roleDN);
                recurseRolesSearch(searchContext, baseRoleDN);
                ...
{code}

Rewrite the last bit to:

{code}
                // Query the roleDN location for the value of roleNameAttributeID
                String roleDN = "\"" + roleName + "\"";
                loadRoleByRoleNameAttributeID(searchContext, roleDN);
                recurseRolesSearch(searchContext, roleDN);
{code}

This way, recurseRolesSearch gets the quoted role, which prevents the JVM LDAP code from throwing the aforementioned exception.
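Why the quotes matter, as an added illustration that is not part of the report above or of the JBoss Negotiation code: JNDI parses a string name as a composite name in which '/' separates components, so an unquoted DN containing a slash is split and the LDAP provider is left with a "remaining name" it cannot resolve. The class below (hypothetical names, constructed sample DN, no live directory needed for main) shows the component count with and without the quoting the fix applies, plus the alternative of passing an LdapName so no composite-name parsing happens at all.

```java
import javax.naming.CompositeName;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;

public class DnQuotingDemo {

    /** Wrap a DN in double quotes so JNDI treats it as a single composite-name component.
     *  This is the same quoting the issue's fix applies (and must reuse for the recursive search). */
    static String quoteForJndi(String dn) {
        return "\"" + dn + "\"";
    }

    /** How many components JNDI sees when it parses this string as a composite name. */
    static int jndiComponentCount(String name) throws NamingException {
        return new CompositeName(name).size();
    }

    /** Alternative not used by the issue's fix: hand JNDI an LdapName (a compound name from the
     *  LDAP namespace) via the Name overload, so '/' inside an RDN is never treated as a separator.
     *  ctx and roleAttributeId are assumed inputs; InvalidNameException surfaces a malformed DN. */
    static Attributes roleAttributes(DirContext ctx, String dn, String roleAttributeId)
            throws NamingException {
        Name parsedDn = new LdapName(dn);
        return ctx.getAttributes(parsedDn, new String[] { roleAttributeId });
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DN; only the '/' in the first RDN matters for this demonstration.
        String dn = "CN=group/slash Test,CN=Users,DC=example,DC=com";

        // Unquoted: the '/' splits the DN into two composite-name components, which is what
        // leaves the LDAP provider with the "remaining name" seen in the reported exception.
        System.out.println("unquoted components: " + jndiComponentCount(dn));

        // Quoted: parsed as one component, so the provider resolves the whole DN.
        System.out.println("quoted components:   " + jndiComponentCount(quoteForJndi(dn)));
    }
}
```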
From what I can see this was an oversight, assigning the quoted value to a variable would imply I did intend for it to be re-used.
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Coding In Progress
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Resolved
Verified in EAP 6.1.0.ER6. PRs with regression tests: https://github.com/wildfly/wildfly/pull/4456 https://github.com/jbossas/jboss-eap/pull/130
Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-735

This issue is reproducible with configuration similar to the following:

{code}
<login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">
    <module-option name="bindDN" value="CN=as7" />
    <module-option name="bindCredential" value="xxx" />
    <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
    <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
    <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleNameAttributeID" value="name"/>
    <module-option name="recurseRoles" value="true"/>
</login-module>
{code}

The absence of a roleFilter is why the distinguished name is not being correctly quoted. Adding the roleFilter would not normally be required, as it does result in additional searches being performed by the LDAP server, but in this case it is a possible workaround for the distinguished name to be quoted where required.
Ivo Studensky <istudens> updated the status of jira JBPAPP-10719 to Coding In Progress
Hui Wang <huwang> updated the status of jira JBPAPP-10719 to Resolved