]
Darran Lofthouse resolved SECURITY-981.
---------------------------------------
Resolution: Done
Referrals roles assignment for referral user does not work for
AdvancedLdapLoginModule with Active Directory
------------------------------------------------------------------------------------------------------------
Key: SECURITY-981
URL:
https://issues.jboss.org/browse/SECURITY-981
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_3_0_4_Final
Reporter: Jiri Ondrusek
Assignee: Jiri Ondrusek
Priority: Minor
Fix For: Negotiation_3_0_5_CR1
Consider two MS Active Directory domains with configured crossRef to each other. EAP
using AdvancedLdapLoginModule for MS AD with referrals and rolesCtxDN is set to the
referral DN where user account are stored; also EAP is configured for searching roles
based on users entries (mapping users to roles).
If referral users (from EAP point of view - hostname is configured for original LDAP and
user is obtained as referral user - from second of domains) authenticate then they have
not assigned roles from AD attribute from 'roleAttributeID' option.
Example:
I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B)
with crossRef.
Part of ldif for Domain A:
{code}
...
dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
objectClass: groupOfNames
objectClass: top
cn: TheDuke
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
...
{code}
Part of ldif for Domain B
{code}
...
dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
objectclass: top
objectclass: person
objectClass: inetOrgPerson
cn: jduke
sn: Duke
description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
userPassword: Password1
dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
objectClass: groupOfNames
objectClass: top
cn: Admin
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
...
{code}
EAP AdvancedLdapLoginModule is configured:
{code:xml}
<security-domain name="AdvancedLdapReferrals">
<authentication>
<login-module code="AdvancedLdap"
flag="required">
<module-option
name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url"
value="HOSTNAME_OF_DOMAIN_A"/>
<module-option name="bindDN"
value="BIND_DN"/>
<module-option name="bindCredential"
value="PASSWORD"/>
<module-option
name="referralUserAttributeIDToCheck" value="businessCategory"/>
<module-option name="roleAttributeIsDN"
value="true"/>
<module-option name="roleFilter"
value="(CN={0})"/>
<module-option name="roleAttributeID"
value="description"/>
<module-option name="rolesCtxDN"
value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
<module-option
name="java.naming.security.authentication" value="simple"/>
<module-option name="baseCtxDN"
value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
<module-option name="java.naming.referral"
value="follow"/>
<module-option name="throwValidateError"
value="true"/>
<module-option name="baseFilter"
value="(CN={0})"/>
<module-option name="roleNameAttributeID"
value="CN"/>
</login-module>
</authentication>
</security-domain>
{code}
Then when jduke try to authenticate to application roles TheDuke and Admin should be
assigned to him.