[jboss-jira] [JBoss JIRA] (SECURITY-712) Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module

Peter Skopek (JIRA) jira-events at lists.jboss.org
Wed Jan 23 11:27:47 EST 2013


     [ https://issues.jboss.org/browse/SECURITY-712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Skopek updated SECURITY-712:
----------------------------------

    Fix Version/s: PicketBox_4_0_16.Final

    
> Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-712
>                 URL: https://issues.jboss.org/browse/SECURITY-712
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: PicketBox_v4_0_9.Final
>         Environment: RHEL 6.3
>            Reporter: guillaume cornet
>            Assignee: Peter Skopek
>             Fix For: PicketBox_4_0_16.Final
>
>
> When using LdapRolesMappingProviders mapping-module, I don't want to put the bindCredential/password in clear in the configuration file.
> So I'm trying to use vault, this way :
> <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
>     <module-option name="java.naming.provider.url" value="ldap://192.168.122.101:389" />
>     <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
>     <module-option name="java.naming.security.authentication" value="simple" />
>     <module-option name="bindDN" value="CN=Administrator,CN=users,DC=cloud,DC=local" />
>     <module-option name="bindCredential" value="${VAULT::AD::addspass::YTgyMDI0ZjUtOWQwZi00MWZlLTkzMjMtMTM0YzRjZTY3ZWZmTElORV9CUkVBS3ZhdWx0}" />
>     <module-option name="rolesCtxDN" value="CN=users,DC=cloud,DC=local" />
>     <module-option name="roleFilter" value="(userPrincipalName={0})" />
>     <module-option name="roleAttributeID" value="memberOf" />
>     <module-option name="roleNameAttributeID" value="CN" />
>     <module-option name="roleAttributeIsDN" value="true" />
>     <module-option name="parseRoleNameFromDN" value="false" />
>     <module-option name="roleRecursion" value="0" />
>     <module-option name="searchScope"  value="ONELEVEL_SCOPE" />
> </mapping-module>
> Unfortunately, with this configuration, I cannot connect anymore to my Active Directory Directory Service....
> I get the following error message in the jboss log:
> 14:59:35,019 ERROR [org.jboss.security.mapping.providers.role.LdapRolesMappingProvider] (http-/0.0.0.0:8080-1) Error connecting to LDAP server: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
> 	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_09-icedtea]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_09-icedtea]
> 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_09-icedtea]
> 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_09-icedtea]
> 	at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_09-icedtea]
> 	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_09-icedtea]
> 	at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.constructInitialLdapContext(LdapRolesMappingProvider.java:256)
> 	at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:192)
> 	at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:53)
> 	at org.jboss.security.mapping.MappingContext.performMapping(MappingContext.java:54)
> 	at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:397)
> 	at org.jboss.security.plugins.JBossAuthorizationManager.getSubjectRoles(JBossAuthorizationManager.java:324)
> 	at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:230)
> 	at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187)
> 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
> 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931)
> 	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]
> I did some remote debugging and I believe that the vault expression is not resolved ....
> package org.jboss.security.mapping.providers.role, class LdapRolesMappingProvider, method init(Map<String, Object> options).
> This method doesn't perform any variable expansion nor Vault expansion.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
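The LDAP result in the quoted log (error code 49, data 52e) is Active Directory's "invalid credentials" response, which is consistent with the reporter's diagnosis: the literal string `${VAULT::AD::addspass::...}` is being sent to the directory as the bind password. The following is an added example, not code from PicketBox or from the fix shipped in PicketBox_4_0_16.Final. It shows one way a deployment could work around the bug before upgrading: a subclass that expands module-option values before `LdapRolesMappingProvider.init(Map<String, Object>)` sees them, and that fails closed instead of binding with an unexpanded template. It assumes the PicketBox helpers `org.jboss.security.vault.SecurityVaultUtil` (`isVaultFormat`, `getValueAsString`) and `org.jboss.security.util.StringPropertyReplacer.replaceProperties`; the package name `example.security` and the class name are hypothetical.

```java
package example.security; // hypothetical package, not part of PicketBox

import java.util.HashMap;
import java.util.Map;

import org.jboss.security.mapping.providers.role.LdapRolesMappingProvider;
import org.jboss.security.util.StringPropertyReplacer;   // assumed PicketBox helper
import org.jboss.security.vault.SecurityVaultException;
import org.jboss.security.vault.SecurityVaultUtil;       // assumed PicketBox helper

/**
 * Workaround for PicketBox versions in which LdapRolesMappingProvider.init()
 * uses module-option values verbatim: resolves ${VAULT::block::attribute::key}
 * references and ${system.property} references before delegating to the
 * original provider. Assumed API names are noted in the comments above.
 */
public class ExpandingLdapRolesMappingProvider extends LdapRolesMappingProvider {

    /** Option whose unexpanded value would otherwise be sent as a bind password. */
    private static final String BIND_CREDENTIAL = "bindCredential";

    @Override
    public void init(Map<String, Object> options) {
        Map<String, Object> expanded = new HashMap<String, Object>(options.size());
        for (Map.Entry<String, Object> entry : options.entrySet()) {
            Object value = entry.getValue();
            expanded.put(entry.getKey(),
                    value instanceof String ? expand((String) value) : value);
        }

        // Fail closed: never hand a still-unresolved "${...}" template to the
        // LDAP server as a credential. The server would reject it with
        // error code 49 anyway, but this gives a clear local diagnosis and
        // avoids leaking the vault reference over the wire.
        Object credential = expanded.get(BIND_CREDENTIAL);
        if (credential instanceof String && isUnresolved((String) credential)) {
            throw new IllegalStateException(
                    "module-option '" + BIND_CREDENTIAL + "' still contains an unresolved expression");
        }

        super.init(expanded);
    }

    /** Resolves a single module-option value; vault format takes precedence. */
    static String expand(String value) {
        if (SecurityVaultUtil.isVaultFormat(value)) {
            try {
                return SecurityVaultUtil.getValueAsString(value);
            } catch (SecurityVaultException ex) {
                // Do not include the value in the message: it names the vault block/attribute.
                throw new IllegalStateException("cannot resolve vault expression in module-option", ex);
            }
        }
        // Plain ${property[:default]} expansion for non-secret options such as the provider URL.
        return StringPropertyReplacer.replaceProperties(value);
    }

    /** True when a value still looks like an unexpanded ${...} reference. */
    static boolean isUnresolved(String value) {
        return value.startsWith("${") && value.endsWith("}");
    }
}
```

To use it, point the `code` attribute of the `mapping-module` element at `example.security.ExpandingLdapRolesMappingProvider` in place of `org.jboss.security.mapping.providers.role.LdapRolesMappingProvider`, keeping the same `module-option` entries; the subclass must be on the same classpath as the PicketBox module so that the vault helpers resolve. Once a PicketBox release with the fix for this issue is deployed, the original provider class can be restored and the subclass removed.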