Darran Lofthouse resolved SECURITY-559.
---------------------------------------
Resolution: Won't Fix
The AdvancedLdapLoginModule is not involved in the ticket exchange to negotiate the LDAP connection.

The login module instantiates an InitialLdapContext which by default uses com.sun.jndi.ldap.LdapCtxFactory to communicate with LDAP; these are classes supplied with the JRE that handle the actual connection.
AdvancedLdapLoginModule: Service Principal is not constructed from java.naming.provider.url
-------------------------------------------------------------------------------------------
Key: SECURITY-559
URL: https://issues.jboss.org/browse/SECURITY-559
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Negotiation
Affects Versions: Negotiation_2.0.3.GA
Environment: Windows Server 2008 R2 domain controller, Red Hat 5.5 Application Server (JBoss), Windows 7 Clients
Reporter: John Ruiz
Assignee: Darran Lofthouse
Labels: activedirectory, ldap, serviceprincipal
When using org.jboss.security.negotiation.AdvancedLdapLoginModule chained with SPNEGO/Kerberos against Active Directory, the service principal specified in the TGS-REQ is ldap/foo.com, even though java.naming.provider.url is set to LDAP://dc1.foo.com.

Because of this, the /Secured test in the jboss-negotiation-toolkit will fail to bind to AD/LDAP because the KDC returns an error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

The correct service principal name that the TGS-REQ should request is LDAP/dc1.foo.com, because dc1.foo.com is what was provided in java.naming.provider.url.
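As an added illustration (not code from the PicketBox project, the JRE, or this report), the Python diagnostic below derives the host-based SPN a GSSAPI-bound LDAP client is expected to request from a java.naming.provider.url (`ldap/<host>`, taking only the host component, so scheme case, port and base DN do not matter), and then checks both that SPN and the one actually observed in the TGS-REQ against a list of SPNs registered on the domain controller's account. A KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply means the KDC has no account holding the requested name, so the useful question for a defender is whether the name on the wire is the one the URL implies and whether either is registered. The host dc1.foo.com is taken from the report; the SPN list is a constructed sample, not exported from a real domain.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample: SPNs registered on the domain controller's computer
# account (the shape of list an administrator exports with setspn -L).
# Not taken from a real domain.
REGISTERED_SPNS = [
    "ldap/dc1.foo.com",
    "ldap/dc1.foo.com/foo.com",
    "ldap/DC1",
    "HOST/dc1.foo.com",
    "GC/dc1.foo.com/foo.com",
]


def expected_spn(provider_url: str, service: str = "ldap") -> str:
    """Return the host-based service principal, <service>/<host>, that a
    GSSAPI-bound LDAP client is expected to request for this provider URL.
    Only the host component is used: LDAP://dc1.foo.com and
    ldap://dc1.foo.com:389/dc=foo,dc=com map to the same principal."""
    parts = urlsplit(provider_url)  # urlsplit lower-cases scheme and hostname
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {provider_url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in provider URL: {provider_url!r}")
    return f"{service}/{parts.hostname}"


def _key(spn: str) -> tuple[str, str]:
    """Normalise an SPN to (service, host) for comparison. Active Directory
    matches SPNs case-insensitively, so compare in lower case; a trailing
    instance suffix (ldap/dc1.foo.com/foo.com) and a ':port' on the host
    are dropped so the two-part and three-part forms compare equal."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service.lower(), host.lower()


def spn_registered(spn: str, registered: list[str]) -> bool:
    """True if some registered SPN names the same service on the same host."""
    want = _key(spn)
    return any(_key(r) == want for r in registered)


def diagnose(provider_url: str, requested_spn: str, registered: list[str]) -> dict:
    """Compare the SPN implied by the provider URL with the SPN seen in the
    TGS-REQ (e.g. from a packet capture or Kerberos debug log) and report
    which of the two the KDC could actually have resolved."""
    expected = expected_spn(provider_url)
    return {
        "expected_spn": expected,
        "requested_spn": requested_spn,
        "requested_matches_url": _key(expected) == _key(requested_spn),
        "requested_registered": spn_registered(requested_spn, registered),
        "expected_registered": spn_registered(expected, registered),
    }


if __name__ == "__main__":
    # The situation described in the report: URL names dc1.foo.com but the
    # ticket request went out for ldap/foo.com, which no account holds.
    report = diagnose("LDAP://dc1.foo.com", "ldap/foo.com", REGISTERED_SPNS)
    for key, value in report.items():
        print(f"{key:24} {value}")
```

Run against the report's values, `requested_matches_url` and `requested_registered` come back False while `expected_registered` is True: the name on the wire is the domain rather than the DC host, and that is exactly the combination that produces KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the correct SPN is registered.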