[
https://issues.jboss.org/browse/WFLY-5787?page=com.atlassian.jira.plugin....
]
Ondrej Lukas updated WFLY-5787:
-------------------------------
Description:
According to LDAP specification [1]: "Clients that follow referrals MUST ensure that
they do not loop between servers. They MUST NOT repeatedly contact the same server for the
same request with the same parameters.".
When Wildfly server is configured to use AdvancedLdapLoginModule which uses referrals and
LDAP servers contain loop then it leads to infinite cycle. It can results to
java.lang.OutOfMemoryError on Wildfly server.
[1]
http://tools.ietf.org/html/rfc4511#section-4.1.10
was:
According to LDAP specification [1]: "Clients that follow referrals MUST ensure that
they do not loop between servers. They MUST NOT repeatedly contact the same server for the
same request with the same parameters.".
When EAP server is configured to use AdvancedLdapLoginModule which uses referrals and LDAP
servers contain loop then it leads to infinite cycle. It can results to
java.lang.OutOfMemoryError on EAP server.
We hit this issue during certification of 3rd Party LDAP servers. This issue is not
regression to EAP 6.x.
[1]
http://tools.ietf.org/html/rfc4511#section-4.1.10
Steps to Reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add following security domain to configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
<authentication>
<login-module code="AdvancedLdap" flag="required">
<module-option name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url"
value="ldap://localhost:10389"/>
<module-option name="referralUserAttributeIDToCheck"
value="member"/>
<module-option name="roleFilter"
value="(|(objectClass=referral)(member={1}))"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="rolesCtxDN"
value="ou=Roles,dc=jboss,dc=org"/>
<module-option name="java.naming.security.authentication"
value="simple"/>
<module-option name="bindDN"
value="uid=admin,ou=system"/>
<module-option name="bindCredential"
value="secret"/>
<module-option name="baseCtxDN"
value="ou=People,dc=jboss,dc=org"/>
<module-option name="java.naming.referral"
value="throw"/>
<module-option name="throwValidateError"
value="true"/>
<module-option name="baseFilter"
value="(uid={0})"/>
</login-module>
</authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1
http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin
{noformat}
-> java.lang.OutOfMemoryError on Wildfly server
was:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add following security domain to configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
<authentication>
<login-module code="AdvancedLdap" flag="required">
<module-option name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url"
value="ldap://localhost:10389"/>
<module-option name="referralUserAttributeIDToCheck"
value="member"/>
<module-option name="roleFilter"
value="(|(objectClass=referral)(member={1}))"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="rolesCtxDN"
value="ou=Roles,dc=jboss,dc=org"/>
<module-option name="java.naming.security.authentication"
value="simple"/>
<module-option name="bindDN"
value="uid=admin,ou=system"/>
<module-option name="bindCredential"
value="secret"/>
<module-option name="baseCtxDN"
value="ou=People,dc=jboss,dc=org"/>
<module-option name="java.naming.referral"
value="throw"/>
<module-option name="throwValidateError"
value="true"/>
<module-option name="baseFilter"
value="(uid={0})"/>
</login-module>
</authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1
http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin
{noformat}
-> java.lang.OutOfMemoryError on EAP server
Affects Version/s: 10.0.0.CR4
AdvancedLdapLoginModule does not handle loops in referrals
----------------------------------------------------------
Key: WFLY-5787
URL:
https://issues.jboss.org/browse/WFLY-5787
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.CR4
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
According to LDAP specification [1]: "Clients that follow referrals MUST ensure that
they do not loop between servers. They MUST NOT repeatedly contact the same server for the
same request with the same parameters.".
When Wildfly server is configured to use AdvancedLdapLoginModule which uses referrals and
LDAP servers contain loop then it leads to infinite cycle. It can results to
java.lang.OutOfMemoryError on Wildfly server.
[1]
http://tools.ietf.org/html/rfc4511#section-4.1.10
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)