Darran Lofthouse updated SECURITY-943:
--------------------------------------
Fix Version/s: Negotiation_3_0_4_CR1
(was: Negotiation_3_0_3_Final)
AdvancedLdapLoginModule authentication fails when some part of DN is
part of LDAP URL
-------------------------------------------------------------------------------------
Key: SECURITY-943
URL:
https://issues.jboss.org/browse/SECURITY-943
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_3_0_2_Final
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Fix For: Negotiation_3_0_4_CR1
When part of the DN is placed in the LDAP URL instead of in baseCtxDN, authentication
in AdvancedLdapLoginModule fails (see [1] for details about this URL format). Authentication is
performed by binding with the user DN and password, but in this case the user DN does not include
the DN part from the LDAP URL, which leads to the failure.
Thrown exception:
{code}
javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind
failed: ERR_229 Cannot authenticate user uid=jduke,ou=People
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
javax.naming.InitialContext.init(InitialContext.java:244)
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:486)
org.jboss.security.negotiation.AdvancedLdapLoginModule.authenticate(AdvancedLdapLoginModule.java:669)
org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:397)
org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
{code}
[1]
https://tools.ietf.org/html/rfc2255
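As an added illustration (not PicketBox code), the following Python shows how an RFC 2255 LDAP URL splits into host, port, base DN and search fields, and how a relative user DN has to be suffixed with the URL's DN before it is used as the bind DN, which is the step missing in the failure above. The `ldap://localhost:10389/dc=jboss,dc=org` URL and the `dc=jboss,dc=org` base are constructed for the example; `uid=jduke,ou=People` is the DN from the exception.

```python
"""Compose the bind DN when the LDAP URL itself carries a base DN (RFC 2255 format)."""
import re
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host:port/dn?attrs?scope?filter?extensions into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # Everything after the first '?' is attrs?scope?filter?extensions, all optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    return {
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),   # the DN part of the URL
        "attributes": [a for a in fields[0].split(",") if a],
        "scope": fields[1] or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


# Commas not escaped with a backslash separate RDNs.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> list:
    """RDN list for comparison only: whitespace trimmed, case folded (approximation
    of LDAP matching rules, good enough to detect an already absolute DN)."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if rdn:
            attr, _, value = rdn.partition("=")
            rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def compose_bind_dn(entry_dn: str, url_base_dn: str) -> str:
    """Return the DN to bind with: the entry DN suffixed with the URL's base DN,
    unless the entry DN already ends with that base (i.e. it is already absolute)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(url_base_dn)
    if not base or (len(entry) >= len(base) and entry[-len(base):] == base):
        return entry_dn.strip()
    return f"{entry_dn.strip()},{url_base_dn.strip()}"


if __name__ == "__main__":
    url = parse_ldap_url("ldap://localhost:10389/dc=jboss,dc=org")  # constructed
    print(compose_bind_dn("uid=jduke,ou=People", url["base_dn"]))
```

Binding with the relative `uid=jduke,ou=People` alone, as in the trace above, cannot succeed because no entry with that absolute DN exists; the composed form is the DN the server actually holds.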