[
https://issues.jboss.org/browse/WFLY-5786?page=com.atlassian.jira.plugin....
]
Ondrej Lukas updated WFLY-5786:
-------------------------------
Steps to Reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add following security domain to configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1 "http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin"
{noformat}
-> java.lang.OutOfMemoryError on Wildfly server
was:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add following security domain to configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1 "http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin"
{noformat}
-> java.lang.OutOfMemoryError on EAP server
LdapExtLoginModule does not handle loops in referrals
-----------------------------------------------------
Key: WFLY-5786
URL:
https://issues.jboss.org/browse/WFLY-5786
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
Attachments: app.war, server1.ldif, server2.ldif
According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that
they do not loop between servers. They MUST NOT repeatedly contact the same server for the
same request with the same parameters."
When an EAP server is configured to use LdapExtLoginModule with referrals and the LDAP
servers contain a loop, the module enters an infinite cycle. This can result in
java.lang.OutOfMemoryError on the EAP server.
We hit this issue during certification of 3rd party LDAP servers. This issue is not a
regression against EAP 6.x.
[1]
http://tools.ietf.org/html/rfc4511#section-4.1.10
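The RFC 4511 requirement quoted above translates into a concrete rule for any referral-chasing client: remember every (server, base DN, filter) request already issued and never issue it again, and cap the number of hops as a second safety net. The following is an added illustration written for this report, not WildFly or PicketBox code: the two in-memory "servers" are constructed stand-ins for the attached server1.ldif and server2.ldif, arranged so that each role subtree refers back to the other (the loop the report describes). `chase_naive` shows how a chaser without tracking runs without bound; `chase_guarded` is the loop-safe version.

```python
"""Referral chasing with loop detection (RFC 4511 section 4.1.10).

Added example for the WFLY-5786 report; not WildFly/PicketBox code.
The directory contents are constructed and only assumed to resemble the
attached server1.ldif / server2.ldif.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("referral-chase")


@dataclass(frozen=True)
class SearchRequest:
    """One LDAP search: server URL, base DN and filter. This triple is the
    'same server, same request, same parameters' the RFC refers to."""
    url: str
    base_dn: str
    filt: str


@dataclass
class SearchResult:
    entries: list = field(default_factory=list)    # role names (cn values)
    referrals: list = field(default_factory=list)  # LDAP URLs to follow


# Constructed directory: each server returns one role plus a referral to the
# other server for the same base DN, so the chain is 10389 -> 10390 -> 10389 ...
DIRECTORY = {
    "ldap://localhost:10389": SearchResult(
        entries=["TheDuke"],
        referrals=["ldap://localhost:10390/ou=Roles,dc=jboss,dc=org"]),
    "ldap://localhost:10390": SearchResult(
        entries=["Admin"],
        referrals=["ldap://localhost:10389/ou=Roles,dc=jboss,dc=org"]),
}


def ldap_search(req: SearchRequest) -> SearchResult:
    """Stand-in for the real search; with java.naming.referral=throw this is
    the call whose ReferralException the login module has to handle itself."""
    return DIRECTORY[req.url]


def split_referral(ref_url: str):
    """Split 'ldap://host:port/dn' into (server url, dn)."""
    scheme_end = ref_url.index("://") + 3
    path_start = ref_url.index("/", scheme_end)
    return ref_url[:path_start], ref_url[path_start + 1:]


class ReferralLoopError(RuntimeError):
    """Raised when the hop cap is exceeded."""


def chase_naive(req: SearchRequest, roles: list) -> list:
    """Referral chasing with no memory of visited requests: on a cyclic
    referral pair this never terminates (here Python's recursion limit
    stops it; an implementation that accumulates state per hop instead
    exhausts the heap, which is the failure mode in the report)."""
    res = ldap_search(req)
    roles.extend(res.entries)
    for ref in res.referrals:
        url, dn = split_referral(ref)
        chase_naive(SearchRequest(url, dn, req.filt), roles)
    return roles


def chase_guarded(req: SearchRequest, max_hops: int = 10) -> list:
    """Follow referrals, but skip any (server, base, filter) request already
    issued and stop with an error once max_hops requests have been sent."""
    roles, seen, work, hops = [], set(), [req], 0
    while work:
        cur = work.pop()
        if cur in seen:
            log.warning("referral loop detected, not re-contacting %s", cur)
            continue
        if hops >= max_hops:
            raise ReferralLoopError(f"more than {max_hops} referral hops")
        seen.add(cur)
        hops += 1
        res = ldap_search(cur)
        roles.extend(res.entries)
        for ref in res.referrals:
            url, dn = split_referral(ref)
            work.append(SearchRequest(url, dn, cur.filt))
    return roles


def roles_for_user(user_dn: str) -> dict:
    """Run the role lookup implied by the report's roleFilter and return the
    outcome of each strategy so the difference is visible in one call."""
    start = SearchRequest("ldap://localhost:10389", "ou=Roles,dc=jboss,dc=org",
                          f"(|(objectClass=referral)(member={user_dn}))")
    outcome = {}
    try:
        outcome["naive"] = chase_naive(start, [])
    except RecursionError:
        outcome["naive"] = "unbounded recursion"
    outcome["guarded"] = chase_guarded(start)
    try:
        chase_guarded(start, max_hops=1)
        outcome["hop_capped"] = False
    except ReferralLoopError:
        outcome["hop_capped"] = True
    return outcome


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(roles_for_user("uid=jduke,ou=People,dc=jboss,dc=org"))
```

The visited set is keyed on the full request, not just the server URL, because the RFC only forbids repeating the same request with the same parameters; a referral to a different base DN on a server already contacted is still legitimate. The hop cap covers the remaining case of a long chain of distinct referrals, which is bounded but still a resource concern for a login path that runs on every request.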
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)