Bug 985099 - [hotfix] LDAP auth fails if user's DN contains a backslash
Status: CLOSED ERRATA
Product: JBoss Operations Network
Classification: JBoss
Component: Security
Version: JON 3.1.2
Priority: medium, Severity: high
Assigned To: Larry O'Leary
Depends On: 985098
Blocks: 994220
Reported: 2013-07-16 15:14 EDT by Larry O'Leary
Modified: 2013-09-20 18:58 EDT
Doc Type: Bug Fix
Clone Of: 985098
Last Closed: 2013-08-08 12:19:39 EDT
Type: Support Patch
External Trackers: Red Hat Knowledge Base (Solution) 414733

Description Larry O'Leary 2013-07-16 15:14:32 EDT
+++ This bug was initially created as a clone of Bug #985098 +++

+++ This bug was initially created as a clone of Bug #981015 +++

Description of problem:
If a user's LDAP entry contains a backslash (\) that results in its DN including that backslash, JBoss ON fails to authenticate the user because an invalid DN is sent to the LDAP server.

For example:

    dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Charles H\Samlin
    sn: H\Samlin
    homephone: 555-555-1213
    mail: csamlin@rhq.redhat.com
    uid: csamlin
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with backslash (\) in 'cn' in the RHQ Admin Group


Will result in:

    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Using LDAP filter=(&(uid=scannon)(objectClass=person))
    INFO  [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Failed to validate password: [LDAP: error code 49 - cannot bind the principalDn.]
    DEBUG [org.rhq.enterprise.server.core.jaas.LdapLoginModule] Bad password for username=scannon


Version-Release number of selected component (if applicable):
4.4.0.JON312GA

How reproducible:
Always

Steps to Reproduce:
1. Add a user to LDAP that includes a backslash (\) in their CN and that uses CN in the DN. Such as the following LDIF:

dn: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Charles H\Samlin
sn: H\Samlin
homephone: 555-555-1213
mail: csamlin@rhq.redhat.com
uid: csamlin
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with backslash (\) in 'cn' in the RHQ Admin Group

2. Start JBoss ON and configure it to use LDAP
3. Attempt to log-in as the user who has a backslash in their CN.

       csamlin
       redhat

Actual results:
Login attempt fails due to invalid credentials. The following LDAP error is logged:

    LDAP: error code 49 - cannot bind the principalDn.

Expected results:
Login should be successful and no LDAP error should appear.

Additional info:
This issue relates to how Java JNDI entries are returned in search results. This is explained in Oracle's JVM LDAP tutorial under handling special characters[1].

To fix this, we need to treat the search result as a composite name or retrieve the name as it is in its namespace. To demonstrate the fix, I have attached a proposed patch.


[1] http://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
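The JNDI name-handling quirk described above, as an added example that is not the attached patch or RHQ's own code. It assumes that the JNDI LDAP provider renders SearchResult.getName() as a composite name with the LDAP DN as its single component (modelled here with CompositeName.add()), and contrasts using that string directly as the bind DN with unwrapping it the way getNameInNamespace() would.

```java
import javax.naming.CompositeName;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class BackslashDnDemo {

    // Constructed sample: the DN from the LDIF above, exactly as the directory holds it
    // (one RFC 4514 escape, so the cn attribute value is "Charles H\Samlin").
    static final String ENTRY_DN =
        "cn=Charles H\\\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com";

    // Assumption: SearchResult.getName() is the DN wrapped as one composite-name
    // component. Composite-name syntax uses '\' as its own escape character, so the
    // backslash already present in the DN gets escaped a second time.
    static String asReturnedByGetName(String ldapDn) throws NamingException {
        return new CompositeName().add(ldapDn).toString();
    }

    // Buggy behaviour: hand the getName() string to the bind as the principal DN.
    static String principalDnBuggy(String returnedName) {
        return returnedName;
    }

    // Fixed behaviour: parse it as a composite name and take the LDAP component,
    // which is the same DN SearchResult.getNameInNamespace() returns.
    static String principalDnFixed(String returnedName) throws NamingException {
        return new CompositeName(returnedName).get(0);
    }

    // Unescaped cn value of a DN, to show which entry a bind would actually target.
    static String cnValue(String dn) throws NamingException {
        LdapName name = new LdapName(dn);
        Rdn leftmost = name.getRdn(name.size() - 1); // LdapName indexes from the right
        return leftmost.getValue().toString();
    }

    public static void main(String[] args) throws NamingException {
        String returned = asReturnedByGetName(ENTRY_DN);
        System.out.println("getName() string : " + returned);
        System.out.println("buggy DN matches : " + principalDnBuggy(returned).equals(ENTRY_DN));
        System.out.println("fixed DN matches : " + principalDnFixed(returned).equals(ENTRY_DN));
        System.out.println("cn of fixed DN   : " + cnValue(principalDnFixed(returned)));
    }
}
```

Only the unwrapped DN equals the entry's DN; the raw getName() string carries extra escaping and is what produced the "cannot bind the principalDn" failure.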
Comment 1 Larry O'Leary 2013-08-05 17:14:07 EDT
Committed to hotfix/jon3.1.2 as https://git.fedorahosted.org/cgit/rhq/rhq.git/commit/?id=bbe1c9b92ae47cda13927a3f541874ecb52c868d
Comment 3 Larry O'Leary 2013-08-06 18:51:11 EDT
Verified in jon-server-3.1.2.GA-hotfix-02 - 5544e322e3e5e48395f788180308d7bb

User with the following DN could log in successfully and their groups were properly loaded and mapped to JBoss ON roles:

DN: cn=Charles H\\Samlin,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
Comment 4 Larry O'Leary 2013-08-08 12:19:39 EDT
Fixed in Server Hotfix-02 for JBoss ON 3.1.2.
