Darran Lofthouse updated SECURITY-946:
--------------------------------------
Fix Version/s: Negotiation_3_0_3_CR1
AdvancedLdapLoginModule with rolesCtxDN="" can lead to
authentication failure
-----------------------------------------------------------------------------
Key: SECURITY-946
URL: https://issues.jboss.org/browse/SECURITY-946
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_3_0_2_Final
Reporter: Ondrej Lukas
Assignee: Tomas Hofman
Fix For: Negotiation_3_0_3_CR1
In the case when AdvancedLdapLoginModule is correctly configured for authentication and its
attribute rolesCtxDN="", authentication can fail. This happens when any
role is found in LDAP by the role search. It is caused by the {{canonicalize}} method, which
returns a string ending with a comma for an empty rolesCtxDN; that is an invalid name for
searching LDAP.
In correct behavior, authentication should pass and the found roles should be assigned to the
user.
In the case when no role is found, authentication succeeds, which is correct behavior.
Thrown exception:
{code}
javax.naming.InvalidNameException:
cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,:
[LDAP: error code 34 - Invalid root Dn given :
cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,
(0x63 0x6E 0x3D 0x45 0x63 0x68 0x6F 0x2C 0x6F 0x75 0x3D 0x52 0x6F 0x6C 0x65 0x73 0x32 0x2C
0x6F 0x3D 0x41 0x64 0x76 0x61 0x6E 0x63 0x65 0x64 0x4C 0x64 0x61 0x70 0x4C 0x4D 0x45 0x6D
0x70 0x74 0x79 0x52 0x6F 0x6C 0x65 0x73 0x43 0x74 0x78 0x44 0x6E 0x4F 0x70 0x74 0x69 0x6F
0x6E 0x54 0x65 0x73 0x74 0x43 0x61 0x73 0x65 0x65 0x37 0x62 0x36 0x62 0x32 0x39 0x64 0x2C
0x6F 0x3D 0x70 0x72 0x69 0x6D 0x61 0x72 0x79 0x2C 0x64 0x63 0x3D 0x6A 0x62 0x6F 0x73 0x73
0x2C 0x64 0x63 0x3D 0x6F 0x72 0x67 0x2C ) is invalid]; remaining name
'cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,'
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3074)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:801)
org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:737)
org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
{code}
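The failure mode in the report is a DN-joining bug: a role entry name is concatenated with "," plus the roles context DN, so an empty rolesCtxDN leaves a trailing comma and the server rejects the name (LDAP error code 34). The following is an added illustration written for this page, not PicketBox's own {{canonicalize}} code; it contrasts a naive join with one that omits the separator when either side is empty, and validates the result with the JDK's RFC 2253 parser (javax.naming.ldap.LdapName) before the name would be sent to the directory. The role and context DNs are constructed sample values.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class RoleDnJoin {

    // Naive join of the kind the report describes: the separator is always
    // appended, so an empty context DN yields "cn=...,dc=org," (trailing comma).
    static String naiveJoin(String entryName, String ctxDn) {
        return entryName + "," + ctxDn;
    }

    // Hardened join: add the separator only when both parts are non-empty.
    // With rolesCtxDN="" the search result name is already a usable DN, so it
    // is returned unchanged instead of being corrupted.
    static String safeJoin(String entryName, String ctxDn) {
        boolean noEntry = entryName == null || entryName.trim().isEmpty();
        boolean noCtx = ctxDn == null || ctxDn.trim().isEmpty();
        if (noEntry) {
            return noCtx ? "" : ctxDn.trim();
        }
        if (noCtx) {
            return entryName.trim();
        }
        return entryName.trim() + "," + ctxDn.trim();
    }

    // Parse with LdapName before using the string as a JNDI name; a malformed
    // DN (such as one with a trailing comma) raises InvalidNameException here
    // rather than as an opaque server-side error during getAttributes().
    static boolean isWellFormedDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a role entry found by the role search, and two
        // rolesCtxDN settings (empty, as in the report, and a normal one).
        String roleEntry = "cn=Echo,ou=Roles2,o=example,dc=example,dc=org";
        String[] contexts = { "", "ou=Roles2,o=example,dc=example,dc=org" };

        for (String ctx : contexts) {
            String naive = naiveJoin(roleEntry, ctx);
            String safe = safeJoin(roleEntry, ctx);
            System.out.println("rolesCtxDN=\"" + ctx + "\"");
            System.out.println("  naive: " + naive + "  wellFormed=" + isWellFormedDn(naive));
            System.out.println("  safe:  " + safe + "  wellFormed=" + isWellFormedDn(safe));
        }
    }
}
```

Checking the joined name with LdapName locally is a cheap guard for any login module that builds DNs from configuration: it turns a confusing InvalidNameException from the server (as in the trace above) into an error at the point where the bad string is produced. Note that with a non-empty context the naive join also double-appends the context when the search already returned a full DN; the safe join in this example does not attempt to detect that case, it only fixes the empty-context separator bug the report describes.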