Bug 953513 - spnego AdvancedLdapLoginModule cannot cope with roles contains a slash
Summary: spnego AdvancedLdapLoginModule cannot cope with roles contains a slash
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ER6
Target Release: EAP 6.1.0
Assignee: Darran Lofthouse
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-18 10:55 UTC by Tom Fonteyne
Modified: 2018-12-01 16:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-23 18:38:00 UTC
Type: Bug
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 959140 | 1 | None | None | None | 2021-01-20 06:05:38 UTC |
| Red Hat Bugzilla | 1017974 | 0 | unspecified | CLOSED | Spnego AdvancedLdapLoginModule doesn't isn't mapping nested roles | 2023-09-14 01:51:54 UTC |
| Red Hat Issue Tracker | JBPAPP-10717 | 0 | Major | Resolved | spnego AdvancedLdapLoginModule cannot cope with roles contains a slash | 2017-11-08 07:56:22 UTC |
| Red Hat Issue Tracker | JBPAPP-10719 | 0 | Blocker | Resolved | Upgrade Picketbox Negotiation to 2.1.4 | 2017-11-08 07:56:22 UTC |
| Red Hat Issue Tracker | SECURITY-735 | 0 | Major | Resolved | spnego AdvancedLdapLoginModule cannot cope with roles contains a slash | 2017-11-08 07:56:22 UTC |
| Red Hat Issue Tracker | SECURITY-737 | 0 | Major | Resolved | spnego AdvancedLdapLoginModule cannot cope with roles contains a slash | 2017-11-08 07:56:22 UTC |

Internal Links: 959140 1017974

Description Tom Fonteyne 2013-04-18 10:55:47 UTC
I have a group in AD with this DN:   CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com

and a user belonging to this group. RecurseRoles is set to true

Running test 3 of the negotiation toolkit fails.

Debugging led to: org/jboss/security/negotiation/AdvancedLdapLoginModule.java

   protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException

which bombs out with the exception:

Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com'


Further debugging led to a fix - here is the function that needs modifying:

   protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
   {
      if (log.isTraceEnabled())
         log.trace("rolesSearch resultDN = " + dn);

      String[] attrNames =
      {roleAttributeID};

      Attributes result = searchContext.getAttributes(dn, attrNames);
      if (result != null && result.size() > 0)
      {
         Attribute roles = result.get(roleAttributeID);
         for (int n = 0; n < roles.size(); n++)
         {
            String roleName = (String) roles.get(n);
            if (roleAttributeIsDN)
            {
               // Query the roleDN location for the value of roleNameAttributeID
               String baseRoleDN = roleName;
               String roleDN = "\"" + baseRoleDN + "\"";

               loadRoleByRoleNameAttributeID(searchContext, roleDN);
               recurseRolesSearch(searchContext, baseRoleDN);
...


rewrite the last bit to:

               // Query the roleDN location for the value of roleNameAttributeID
               String roleDN = "\"" + roleName + "\"";

               loadRoleByRoleNameAttributeID(searchContext, roleDN);
               recurseRolesSearch(searchContext, roleDN);

This way, recurseRolesSearch gets the quoted role, which prevents the JVM LDAP code from throwing the aforementioned exception.
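
The name handling behind the report above, as an added example that is not part of the original report or of the PicketBox code: a String name passed to a JNDI context method is parsed as a composite name, in which "/" separates components, so the unquoted DN is split in two. The class name SlashInDnDemo and the helper asSingleComponent are hypothetical; the DN is the one from the report.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

public class SlashInDnDemo {
    // DN taken from the bug report; everything else here is illustrative.
    static final String DN = "CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com";

    // Hypothetical helper: wrap a DN as one composite-name component.
    // CompositeName.add() stores the string as-is, without parsing it
    // for '/' separators, quote characters or escapes.
    static Name asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn);
    }

    // Print how many components JNDI sees in a name, and what they are.
    static void show(String label, Name name) {
        System.out.println(label + ": " + name.size() + " component(s)");
        for (int i = 0; i < name.size(); i++) {
            System.out.println("  [" + i + "] " + name.get(i));
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // What the unquoted baseRoleDN string looks like to JNDI:
        // the '/' inside the CN value is taken as a component separator.
        show("raw string", new CompositeName(DN));

        // The fix discussed in the report: a double-quoted component keeps
        // the '/' as ordinary data, and the quotes are removed on parsing.
        show("double-quoted", new CompositeName("\"" + DN + "\""));

        // Alternative that does not rely on string quoting at all.
        show("CompositeName.add", asSingleComponent(DN));

        // LdapName parses the string with LDAP DN syntax, one entry per RDN,
        // so '/' has no special meaning. It implements Name and can be
        // passed to the Name overloads of the context methods.
        show("LdapName", new LdapName(DN));
    }
}
```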

Comment 1 Darran Lofthouse 2013-04-22 12:57:15 UTC
From what I can see this was an oversight, assigning the quoted value to a variable would imply I did intend for it to be re-used.

Comment 2 JBoss JIRA Server 2013-04-22 13:17:59 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-04-22 14:03:44 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-735 to Resolved

Comment 7 Josef Cacek 2013-05-03 10:31:06 UTC
Verified in EAP 6.1.0.ER6.

PRs with regression tests:
https://github.com/wildfly/wildfly/pull/4456
https://github.com/jbossas/jboss-eap/pull/130

Comment 18 JBoss JIRA Server 2013-10-24 11:27:22 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira SECURITY-735

This issue is reproducible with configuration similar to the following: -

{code}
                      <login-module code="AdvancedLdap" module="org.jboss.security.negotiation" flag="required">

                        <module-option name="bindDN" value="CN=as7" />
                        <module-option name="bindCredential" value="xxx" />

                        <module-option name="java.naming.provider.url" value="ldap://ec2-xx-xx-xx-xx.compute-1.amazonaws.com"/>
        
                        <module-option name="baseCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                        <module-option name="rolesCtxDN" value="CN=Users,DC=darranl,DC=jboss,DC=org"/>
                        
                        <module-option name="roleAttributeID" value="memberOf"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                        <module-option name="roleNameAttributeID" value="name"/>
        
                        <module-option name="recurseRoles" value="true"/>

                    </login-module>
{code}

The absence of a roleFilter is why the distinguished name is not being correctly quoted. Adding the roleFilter would not normally be required, as it does result in additional searches being performed by the LDAP server, but in this case it is a possible workaround for the distinguished name to be quoted where required.

Comment 19 JBoss JIRA Server 2013-12-17 09:13:34 UTC
Ivo Studensky <istudens> updated the status of jira JBPAPP-10719 to Coding In Progress

Comment 20 JBoss JIRA Server 2013-12-18 17:07:54 UTC
Hui Wang <huwang> updated the status of jira JBPAPP-10719 to Resolved

