Created attachment 768413
Proposed patch to better handle a DN from the search result.

Description of problem:
If a user's LDAP entry contains a backslash (\) that results in its DN including such a backslash, JBoss ON fails to authenticate the user due to an invalid DN being sent to the LDAP server.

For example:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

Will result in:

DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon

Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN, such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP.
3. Attempt to log in as the user who has a backslash in their CN (csamlin / redhat).

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:
LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JNDI tutorial under handling special characters [1]. To fix this we need to treat the search result as a composite name or retrieve the name as it is in its namespace. To demonstrate the fix, I have attached a proposed patch.

[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
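The following is an added illustration of the two fixes the report names (treating the returned name as a composite name, or reading the name in its own namespace); it is not code from the RHQ/JBoss ON tree or from the attached patch. It needs no LDAP server: the SearchResult is constructed the way the JDK LDAP provider builds one for a one-level search (relative name wrapped in a javax.naming.CompositeName, full DN set via setNameInNamespace), using the DN values from the report's LDIF. The class and method names are assumptions made for this example.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

/**
 * Shows why "getName() + ',' + baseDN" yields an invalid principal DN when
 * the RDN contains a backslash, and two ways to obtain the correct DN.
 * Example code, not part of JBoss ON.
 */
public class LdapDnHandling {

    // Constructed values mirroring the report's LDIF. In the LDAP string form of a
    // DN a literal backslash is written as "\\", so the Java literal carries four
    // backslashes for the single backslash in the cn value "Charles H\Samlin".
    static final String BASE_DN = "ou=users,dc=test,dc=rhq,dc=redhat,dc=com";
    static final String RDN = "cn=Charles H\\\\Samlin";          // RDN in LDAP DN syntax
    static final String EXPECTED_DN = RDN + "," + BASE_DN;        // DN the server will accept for bind

    /** Simulates what the JDK LDAP provider returns for this entry (assumption: one-level search). */
    static SearchResult simulateProviderResult() throws InvalidNameException {
        // The provider returns the relative name as a CompositeName string, so characters
        // that are special to composite names (backslash, '/', quotes) are escaped again.
        String compositeName = new CompositeName().add(RDN).toString();
        SearchResult sr = new SearchResult(compositeName, null, new BasicAttributes());
        sr.setNameInNamespace(EXPECTED_DN);   // the DN exactly as it is in the LDAP namespace
        return sr;
    }

    /** Buggy approach: treats the composite-name string as if it were LDAP DN syntax. */
    static String buggyPrincipalDn(SearchResult sr) {
        return sr.getName() + "," + BASE_DN;
    }

    /** Fix 1: parse the composite name and take its single LDAP component. */
    static String principalDnViaCompositeName(SearchResult sr) throws InvalidNameException {
        CompositeName cn = new CompositeName(sr.getName());
        String rdn = cn.isEmpty() ? "" : cn.get(0);
        return rdn.isEmpty() ? BASE_DN : rdn + "," + BASE_DN;
    }

    /** Fix 2: ask for the name in its own namespace; no string assembly at all. */
    static String principalDnViaNamespace(SearchResult sr) {
        return sr.getNameInNamespace();
    }

    public static void main(String[] args) throws InvalidNameException {
        SearchResult sr = simulateProviderResult();
        System.out.println("getName()              : " + sr.getName());
        System.out.println("buggy principal DN     : " + buggyPrincipalDn(sr)
                + " (valid=" + buggyPrincipalDn(sr).equals(EXPECTED_DN) + ")");
        System.out.println("via CompositeName      : " + principalDnViaCompositeName(sr)
                + " (valid=" + principalDnViaCompositeName(sr).equals(EXPECTED_DN) + ")");
        System.out.println("via getNameInNamespace : " + principalDnViaNamespace(sr)
                + " (valid=" + principalDnViaNamespace(sr).equals(EXPECTED_DN) + ")");
    }
}
```

The composite-name route is the one to use when a base DN other than the search base must be appended; getNameInNamespace() is simpler when the full DN is all that is needed, and it also avoids the double-baseDN concatenation mistake mentioned in the later test-fix commit.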
master 01cd91b130f5
Looking into LdapGroupManagerBeanTest failures. Most likely a result of my change set removing the handling on JNDI quoting from the mock LDAP context.
Fixed test failures with https://git.fedorahosted.org/cgit/rhq/rhq.git/commit/?id=567aee7f81c6aa0f7680d4f394cccb1974705320

commit 567aee7f81c6aa0f7680d4f394cccb1974705320
Author: Larry O'Leary <loleary>
Date:   Mon Jul 22 16:10:09 2013 -0500

    BZ 981015: Fix test failures introduced by commit 01cd91b
    - findLdapUserDetails was appending baseDN twice during fallback code
    - FakeLdapContext contained some lazy escaping on the mock group entries
As this is MODIFIED or ON_QA, setting milestone to ER1.
Verified on Version: 3.2.0.ER2, Build Number: 9bf6f76:371eac0

Created the below user on Red Hat Directory Server 8.2.0:

dn: cn=Charles H\\Samlin,dc=usersys,dc=redhat,dc=com
telephoneNumber: 555-555-1213
mail: csamlin.com
uid: csamlin
givenName: csamlin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: H\Samlin
cn: Charles H\Samlin
description: User with backslash (\) in cn
userPassword: {SSHA}ARklgcvmHqmjlUjETy1GP6r9+ocwqP0YeMYQNw==

Provided the LDAP details in JBoss ON Administration -> System Settings. Logged in as the user having a backslash in the CN (csamlin/redhat). The user is navigated successfully to the registration screen and login is successful without error.