AdvancedLdapLoginModule authentication fails when some part of DN is part of LDAP URL ------------------------------------------------------------------------------------- Key: SECURITY-943 URL: https://issues.jboss.org/browse/SECURITY-943 Project: PicketBox Issue Type: Bug Components: Negotiation Affects Versions: Negotiation_3_0_2_Final Reporter: Ondrej Lukas Assignee: Darran Lofthouse Fix For: Negotiation_3_0_4_CR1 In case when part of DN is placed in LDAP URL instead of baseCtxDN then authentication fails (see [1] for details about this URL) in AdvancedLdapLoginModule. Authentication is provided by binding with user DN and password, but in this case user DN does not include DN part from LDAP URL which leads to fail. Thrown exception: {code} javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jduke,ou=People com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135) com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081) com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883) com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797) com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) org.jboss.as.naming.InitialContext.init(InitialContext.java:99) javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) javax.naming.InitialContext.init(InitialContext.java:244) javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:486) org.jboss.security.negotiation.AdvancedLdapLoginModule.authenticate(AdvancedLdapLoginModule.java:669) org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:397) org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967) org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ... {code} [1] https://tools.ietf.org/html/rfc2255