Darran Lofthouse resolved WFLY-5395.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox, which is deprecated.
Search scope OBJECT_SCOPE does not work correctly for LdapExtLoginModule
------------------------------------------------------------------------
Key: WFLY-5395
URL: https://issues.jboss.org/browse/WFLY-5395
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.CR1
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Major
LDAP authentication fails (HTTP 401 returned) when the login module option searchScope=OBJECT_SCOPE is used.
This problem is caused by searching attributes for a role DN which starts with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
You can reproduce it with the following configuration:
Security domain:
{code:xml}
<security-domain name="ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="searchScope" value="OBJECT_SCOPE"/>
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="bindDN" value="uid=admin,ou=system"/>
      <module-option name="bindCredential" value="secret"/>
      <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
      <module-option name="throwValidateError" value="true"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="roleNameAttributeID" value="cn"/>
    </login-module>
  </authentication>
</security-domain>
{code}
LDIF for role:
{code}
dn: ou=People,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org
{code}
It seems the method LdapExtLoginModule.canonicalize() causes this problem.
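As an added illustration (not part of the report above and not PicketBox's source), the following Java snippet reconstructs the DN assembly the report points at: the relative name of each JNDI SearchResult is joined to rolesCtxDN with a comma. With OBJECT_SCOPE the matched entry is the search base itself, so getName() returns the empty string and the join yields exactly the comma-prefixed DN quoted in the report. The class and method names, the corrected variant, and the constructed SearchResult objects are assumptions made for this example.

```java
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Reconstruction (for illustration only, not PicketBox's code) of how a role DN is
 * assembled from a JNDI SearchResult's relative name and the configured rolesCtxDN,
 * and why OBJECT_SCOPE produces a DN that starts with a comma.
 */
public class RoleDnCanonicalizeDemo {

    /** Join as the report describes it: relative name + "," + rolesCtxDN. */
    static String canonicalizeNaive(String relativeName, String rolesCtxDN) {
        String suffix = rolesCtxDN.isEmpty() ? "" : "," + rolesCtxDN;
        if (relativeName.endsWith("\"")) {
            // JNDI wraps names that contain special characters in double quotes;
            // the base DN has to go inside the closing quote.
            return relativeName.substring(0, relativeName.length() - 1) + suffix + "\"";
        }
        return relativeName + suffix;
    }

    /** Corrected join: an empty relative name means the result is the search base itself. */
    static String canonicalizeFixed(String relativeName, String rolesCtxDN) {
        if (relativeName.isEmpty()) {
            return rolesCtxDN;
        }
        return canonicalizeNaive(relativeName, rolesCtxDN);
    }

    /**
     * Constructed SearchResult standing in for what the LDAP provider returns.
     * Searching ou=Roles with SUBTREE_SCOPE finds the group one level down, so its
     * relative name is "cn=JBossAdmin". Searching the group DN itself with
     * OBJECT_SCOPE matches the base entry, whose relative name is "".
     */
    static SearchResult sampleResult(int scope) {
        String relativeName = (scope == SearchControls.OBJECT_SCOPE) ? "" : "cn=JBossAdmin";
        return new SearchResult(relativeName, null, new BasicAttributes());
    }

    public static void main(String[] args) {
        // SUBTREE_SCOPE with rolesCtxDN one level above the group: both joins agree.
        SearchResult subtree = sampleResult(SearchControls.SUBTREE_SCOPE);
        String subtreeBase = "ou=Roles,dc=jboss,dc=org";
        System.out.println("SUBTREE naive: " + canonicalizeNaive(subtree.getName(), subtreeBase));
        System.out.println("SUBTREE fixed: " + canonicalizeFixed(subtree.getName(), subtreeBase));

        // OBJECT_SCOPE with rolesCtxDN pointing at the group itself (the report's
        // configuration): the naive join prefixes a comma, the fixed join does not.
        SearchResult object = sampleResult(SearchControls.OBJECT_SCOPE);
        String objectBase = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org";
        System.out.println("OBJECT  naive: " + canonicalizeNaive(object.getName(), objectBase));
        System.out.println("OBJECT  fixed: " + canonicalizeFixed(object.getName(), objectBase));
    }
}
```

Compile with javac and run the class; the naive OBJECT_SCOPE line is the malformed ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org" DN, and the attribute lookup the module then performs on that DN is what fails. Where the provider supplies it, SearchResult.getNameInNamespace() returns the full DN directly and avoids the manual join altogether.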