[
https://issues.jboss.org/browse/WFCORE-1281?page=com.atlassian.jira.plugi...
]
Ondrej Lukas updated WFCORE-1281:
---------------------------------
Steps to Reproduce:
1) Use the following security realm:
{code:xml}
<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap_connection"
              base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <group-search group-name="SIMPLE"
                          iterative="false" group-dn-attribute="dn"
                          group-name-attribute="description">
                <principal-to-group group-attribute="sn"/>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
{code}
...
{code:xml}
<outbound-connections>
    <ldap name="ldap_connection"
          url="ldap://localhost:10389" search-dn="uid=admin,ou=system"
          search-credential="secret"/>
</outbound-connections>
{code}
2) Use this security realm for RBAC access to the management console:
{code:xml}
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ldap-security-realm">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <group name="JBossAdmin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
{code}
3) Use an LDAP server loaded with the attached LDIF (groupsearch.ldif).
4) Try to access the management console as jduke/Password; the login fails.
5) Uncomment the line 'description: Monitor' in the LDIF and try to access the management
console again; the login succeeds.
was:
1) Use the following security domain:
{code:xml}
<security-realm name="ldap-security-realm">
    <authentication>
        <ldap connection="ldap_connection"
              base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <group-search group-name="SIMPLE"
                          iterative="false" group-dn-attribute="dn"
                          group-name-attribute="description">
                <principal-to-group group-attribute="sn"/>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
{code}
...
{code:xml}
<outbound-connections>
    <ldap name="ldap_connection"
          url="ldap://localhost:10389" search-dn="uid=admin,ou=system"
          search-credential="secret"/>
</outbound-connections>
{code}
2) Use this security domain for RBAC access to the management console:
{code:xml}
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ldap-security-realm">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <group name="JBossAdmin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
{code}
3) Use an LDAP server loaded with the attached LDIF (groupsearch.ldif).
4) Try to access the management console as jduke/Password; the login fails.
5) Uncomment the line 'description: Monitor' in the LDIF and try to access the management
console again; the login succeeds.
NPE in principal-to-group group searching
-----------------------------------------
Key: WFCORE-1281
URL: https://issues.jboss.org/browse/WFCORE-1281
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Security
Affects Versions: 2.0.5.Final
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Attachments: groupsearch.ldif
When LDAP authorization with principal-to-group group searching is used in a security
realm and the LDAP entry located through the value of 'group-attribute' does not contain
the attribute named by 'group-name-attribute', authentication fails. The cause is a
missing null check for groupNameAttr; the resulting NPE thrown from [1] is swallowed, so
the failure is not visible to the user.
[1]
https://github.com/wildfly/wildfly-core/blob/18393273a1c9e464fb0cc9597951...
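To make the reproduction steps and the failure mode concrete, here is an added Python model of the principal-to-group lookup configured above. It is not WildFly code and does not use the attached groupsearch.ldif: the LDIF text, the jduke entry, the group entry and the null_check flag are constructed for this illustration. As in the realm configuration, each value of the user's sn is treated as the DN of a group entry (group-dn-attribute="dn") and the group name is read from that entry's description (group-name-attribute). With the description line commented out, the unchecked path fails as in step 4, the checked path yields no groups instead of failing, and uncommenting the line reproduces step 5.

```python
"""Added model of principal-to-group group resolution (not WildFly code)."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed LDIF mirroring the reproduction: jduke's 'sn' holds the DN of a group
# entry whose 'description' (the group-name-attribute) is commented out.
SAMPLE_LDIF = """\
dn: uid=jduke,ou=People,dc=jboss,dc=org
objectClass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: cn=monitor-group,ou=Groups,dc=jboss,dc=org
userPassword: Password

dn: cn=monitor-group,ou=Groups,dc=jboss,dc=org
objectClass: groupOfNames
cn: monitor-group
# description: Monitor
member: uid=jduke,ou=People,dc=jboss,dc=org
"""

USER_DN = "uid=jduke,ou=People,dc=jboss,dc=org"


class GroupSearchError(Exception):
    """Stands in for the NullPointerException the report describes."""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: '#' lines are comments, blank lines separate entries,
    every attribute maps to a list of values, entries are keyed by their dn."""
    directory: Dict[str, Entry] = {}
    entry: Entry = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                directory[entry["dn"][0]] = entry
                entry = {}
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return directory


def uncomment(ldif: str, line: str) -> str:
    """Simulate step 5: re-enable a commented-out LDIF line."""
    return ldif.replace("# " + line, line)


def resolve_groups(directory: Dict[str, Entry], user_dn: str, *,
                   group_attribute: str = "sn",
                   group_dn_attribute: str = "dn",
                   group_name_attribute: str = "description",
                   null_check: bool = True) -> List[str]:
    """principal-to-group search with iterative="false": each value of the user's
    group_attribute names a group entry; the group's name is read from
    group_name_attribute. null_check=False models the reported defect."""
    groups: List[str] = []
    for ref in directory[user_dn].get(group_attribute, []):
        if group_dn_attribute == "dn":
            group = directory.get(ref)
        else:
            group = next((e for e in directory.values()
                          if ref in e.get(group_dn_attribute, [])), None)
        if group is None:
            continue  # dangling reference: nothing to name
        names = group.get(group_name_attribute)  # None when the attribute is absent
        if names is None:
            if null_check:
                continue  # defensive: an unnamed group contributes no role
            raise GroupSearchError(
                f"{ref} has no '{group_name_attribute}' attribute")
        groups.extend(names)
    return groups


def reproduce(ldif: str, null_check: bool) -> Optional[List[str]]:
    """Return the resolved groups, or None when the search blows up
    (the report says the NPE is hidden and the login simply fails)."""
    try:
        return resolve_groups(parse_ldif(ldif), USER_DN, null_check=null_check)
    except GroupSearchError:
        return None


if __name__ == "__main__":
    print(reproduce(SAMPLE_LDIF, null_check=False))   # None: step 4, login fails
    print(reproduce(SAMPLE_LDIF, null_check=True))    # []: checked path, no groups
    fixed = uncomment(SAMPLE_LDIF, "description: Monitor")
    print(reproduce(fixed, null_check=False))         # ['Monitor']: step 5
```

The point of the null_check branch is that a directory entry missing an optional attribute is ordinary data, not an error: a group search that cannot name an entry should skip it (and ideally log it) rather than abort the whole authentication, otherwise one malformed group entry silently locks out every user that references it.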
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)