+++ This bug was initially created as a clone of Bug #981015 +++

Description of problem:
If a user's LDAP entry contains a backslash (\) that results in its DN including such a backslash, JBoss ON fails to authenticate the user due to an invalid DN being sent to the LDAP server.

For example:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

Will result in:

DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
INFO [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon

Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN, such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log in as the user who has a backslash in their CN.
   csamlin
   redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.
Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters[1]. To fix this we need to treat the search result as a composite name or retrieve the name as it is in its namespace.

To demonstrate the fix, I have attached a proposed patch.

[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
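
The two options named in the report (parse the result name as a composite name, or take the name as it is in its namespace), shown as an added example that is not the attached patch and not JBoss ON code. The class `BindDnExample`, the helper `bindDn`, the search base and the relative DN are assumptions constructed from the LDIF above; the example runs offline and builds its own `SearchResult`.

```java
import javax.naming.CompositeName;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

public class BindDnExample {
    // Hypothetical helper: the DN string to bind with for one search hit.
    static String bindDn(SearchResult sr, String searchBase) throws NamingException {
        try {
            // Option 1: the full name as it is in the LDAP namespace.
            return sr.getNameInNamespace();
        } catch (UnsupportedOperationException e) {
            // Not set on this result; fall through to option 2.
        }
        if (!sr.isRelative()) {
            throw new NamingException("result name is a URL, not relative: " + sr.getName());
        }
        // Option 2: getName() is a composite name string, so parse it as one.
        // Component 0 is the LDAP name relative to the search base.
        CompositeName composite = new CompositeName(sr.getName());
        String relative = composite.isEmpty() ? "" : composite.get(0);
        LdapName dn = new LdapName(searchBase);
        dn.addAll(new LdapName(relative)); // appended RDNs land left of the base
        return dn.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: search base and relative DN modelled on the LDIF above.
        String base = "dc=test,dc=rhq,dc=redhat,dc=com";
        String relativeDn = "cn=Charles H\\\\Samlin,ou=users"; // DN text: H\\Samlin
        // Stand-in for a provider result: the relative DN in composite name form.
        String compositeForm = new CompositeName().add(relativeDn).toString();
        SearchResult sr = new SearchResult(compositeForm, null, new BasicAttributes());

        System.out.println("getName()       : " + sr.getName());
        System.out.println("naive concat    : " + sr.getName() + "," + base);
        System.out.println("composite parse : " + bindDn(sr, base));

        sr.setNameInNamespace(relativeDn + "," + base);
        System.out.println("nameInNamespace : " + bindDn(sr, base));
    }
}
```

Comparing the printed lines shows the composite-level escaping that a naive concatenation of `getName()` and the base would carry into the bind DN.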
Closing as there will not be a 3.1.3 release. This is being tracked for 3.2 in the 'depends on' field.