Bug 981015 - LDAP auth fails if user's DN contains a backslash
Status: CLOSED CURRENTRELEASE
Product: JBoss Operations Network
Classification: JBoss
Component: Security
Version: JON 3.1.2
Hardware: All
OS: All
Priority: urgent
Severity: high
Target Milestone: ER01
Target Release: JON 3.2.0
Assigned To: Larry O'Leary
Mike Foley
Blocks: 985098
Reported: 2013-07-03 15:22 EDT by Larry O'Leary
Modified: 2014-01-02 15:37 EST (History)
Doc Type: Bug Fix
Last Closed: 2014-01-02 15:37:26 EST
Type: Bug
Attachments
Proposed patch to better handle a DN from the search result. (3.51 KB, patch)
2013-07-03 15:22 EDT, Larry O'Leary

External Trackers
Red Hat Knowledge Base (Solution) 414733

Description Larry O'Leary 2013-07-03 15:22:16 EDT
Created attachment 768413
Proposed patch to better handle a DN from the search result.

Description of problem:
If a user's LDAP entry contains a backslash (\) that results in its DN including such a backslash, JBoss ON fails to authenticate the user due to an invalid DN being sent to the LDAP server.

For example:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin@rhq.redhat.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group


Will result in:

    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
    INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon


Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN. Such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin@rhq.redhat.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log in as the user who has a backslash in their CN.

       csamlin
       redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

    LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters[1].

To fix this we need to treat the search result as a composite name or retrieve the name as it is in its namespace. To demonstrate the fix, I have attached a proposed patch.

[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
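The two ways of recovering a bindable DN that the description mentions (decode the composite name returned by getName(), or take the name as it is in its namespace), as an added Java example that is not part of the RHQ/JBoss ON code base or of the attached patch. The DN, base DN, class and method names are constructed for illustration; the buggy pattern is shown beside the safe one so the effect of the extra escaping is visible.

```java
import javax.naming.CompositeName;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

// Added example (not RHQ/JBoss ON code): extracting a bindable DN from a JNDI
// SearchResult when the entry's RDN contains a backslash.
public class LdapDnFromSearchResult {

    // Constructed values. The LDAP string form of the RDN is cn=Charles H\\Samlin
    // (the backslash in the CN is LDAP-escaped as "\\"); Java doubles each backslash again.
    static final String BASE_DN = "ou=users,dc=test,dc=rhq,dc=redhat,dc=com";
    static final String USER_RDN = "cn=Charles H\\\\Samlin";

    // Buggy pattern: use getName() verbatim as an LDAP RDN and append the base DN.
    // getName() is a composite name, so a backslash that precedes another backslash was
    // escaped once more; the result (cn=Charles H\\\Samlin,...) is not a valid LDAP DN.
    static String naiveDn(SearchResult sr, String baseDn) {
        return sr.getName() + "," + baseDn;
    }

    // Fixed pattern: prefer the provider's full DN; if it is unavailable, decode the
    // composite name to recover the LDAP name, then append the base DN exactly once.
    static String safeDn(SearchResult sr, String baseDn) throws NamingException {
        try {
            return sr.getNameInNamespace();
        } catch (UnsupportedOperationException e) {
            // the provider did not record the full DN on this result; fall back below
        }
        CompositeName cn = new CompositeName(sr.getName());
        String ldapName = cn.size() == 0 ? "" : cn.get(0);   // single component = LDAP name
        if (ldapName.isEmpty()) return baseDn;                // the search base itself
        if (!sr.isRelative()) return ldapName;                // already an absolute name
        return ldapName + "," + baseDn;
    }

    public static void main(String[] args) throws NamingException {
        // Build results the way the JDK LDAP provider does: the relative LDAP name is
        // wrapped in a CompositeName, and the raw DN is recorded with setNameInNamespace().
        String composite = new CompositeName().add(USER_RDN).toString();
        SearchResult withFullDn = new SearchResult(composite, null, new BasicAttributes(), true);
        withFullDn.setNameInNamespace(USER_RDN + "," + BASE_DN);
        SearchResult withoutFullDn = new SearchResult(composite, null, new BasicAttributes(), true);

        System.out.println("getName()          : " + composite);
        System.out.println("naive DN (invalid) : " + naiveDn(withFullDn, BASE_DN));
        System.out.println("safe DN (full)     : " + safeDn(withFullDn, BASE_DN));
        System.out.println("safe DN (fallback) : " + safeDn(withoutFullDn, BASE_DN));
    }
}
```

The naive DN carries composite-name escaping on top of the LDAP escaping, which is why the bind fails with error code 49; both safe paths yield cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com.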
Comment 1 Heiko W. Rupp 2013-07-17 10:33:24 EDT
master 01cd91b130f5
Comment 2 Larry O'Leary 2013-07-22 11:38:03 EDT
Looking into LdapGroupManagerBeanTest failures. Most likely a result of my change set removing the handling on JNDI quoting from the mock LDAP context.
Comment 3 Larry O'Leary 2013-07-22 17:13:58 EDT
Fixed test failures with https://git.fedorahosted.org/cgit/rhq/rhq.git/commit/?id=567aee7f81c6aa0f7680d4f394cccb1974705320
commit 567aee7f81c6aa0f7680d4f394cccb1974705320
Author: Larry O'Leary <loleary@redhat.com>
Date:   Mon Jul 22 16:10:09 2013 -0500

    BZ 981015: Fix test failures introduced by commit 01cd91b
     - findLdapUserDetails was appending baseDN twice during fallback code
     - FakeLdapContext contained some lazy escaping on the mock group entries
Comment 4 Larry O'Leary 2013-09-06 10:30:21 EDT
As this is MODIFIED or ON_QA, setting milestone to ER1.
Comment 5 Sunil Kondkar 2013-10-07 07:14:25 EDT
Verified on Version: 3.2.0.ER2 Build Number: 9bf6f76:371eac0

Created the user below on Red Hat Directory Server 8.2.0

dn: cn=Charles H\\Samlin,dc=usersys,dc=redhat,dc=com
telephoneNumber: 555-555-1213
mail: csamlin@rhq.redhat.com
uid: csamlin
givenName: csamlin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: H\Samlin
cn: Charles H\Samlin
description: User with backslash (\) in cn
userPassword: {SSHA}ARklgcvmHqmjlUjETy1GP6r9+ocwqP0YeMYQNw==

Provided the LDAP details in JBoss ON Administration->System Settings.
Logged in as the user having backslash in the CN (csamlin/redhat)

User is navigated successfully to registration screen and login is successful without error.
