[
https://issues.jboss.org/browse/WFCORE-2341?page=com.atlassian.jira.plugi...
]
Peter Palaga updated WFCORE-2341:
---------------------------------
Description:
Cloned from
https://bugzilla.redhat.com/show_bug.cgi?id=1418685
ldap role should ignore javax.naming.PartialResultException when referrals=ignore.
In this case, the user has a role which is causing a referral. They have referrals=ignore
which causes a PartialResultException to be logged. This ends up causing a 500 error.
{code}
16:22:09,407 TRACE [org.jboss.as.domain.management.security] (management task-4) Failure supplementing Subject: javax.naming.PartialResultException: [LDAP: error code 10 - REFERRAL: failed for MessageType : SEARCH_REQUEST
Message ID : 4
SearchRequest
baseDn : 'cn=refrole1,ou=ReferralRoles,dc=subtree,dc=keycloak,dc=org'
filter : '(objectClass=*)'
scope : base object
typesOnly : false
Size Limit : no limit
Time Limit : no limit
Deref Aliases : deref Always
attributes : 'cn'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@7887cbbc ManageDsaITImpl Control
Type OID : '2.16.840.1.113730.3.4.2'
Criticality : 'false'
'
: ERR_315 cannot create an entry under a referral when the Context.REFERRAL is set to 'ignore']; remaining name 'cn=refrole1,ou=ReferralRoles,dc=subtree,dc=keycloak,dc=org'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:313)
at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:217)
at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroupEntries(LdapSubjectSupplementalService.java:250)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:227)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:220)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:194)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$SecurityRealmImpl$RealmIdentityImpl.getGroups(LdapSubjectSupplementalService.java:334)
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$SecurityRealmImpl$RealmIdentityImpl.getAuthorizationIdentity(LdapSubjectSupplementalService.java:319)
at org.wildfly.security.auth.realm.AggregateSecurityRealm$Identity.getAuthorizationIdentity(AggregateSecurityRealm.java:157)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.doAuthorization(ServerAuthenticationContext.java:1716)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.authorize(ServerAuthenticationContext.java:1741)
at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:470)
at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:465)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:750)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:728)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authorize(UsernamePasswordAuthenticationMechanism.java:92)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:154)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:110)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:84)
at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Setting referrals=follows worked around the issue in this case.
Steps to reproduce:
https://bugzilla.redhat.com/show_bug.cgi?id=1417272
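An added illustration of the handling the title asks for; this is not WildFly's code and not part of the issue. It runs a JNDI group lookup with java.naming.referral=ignore, catches PartialResultException per group DN, logs it and keeps the groups it could resolve instead of letting the exception abort the whole authorization (the 500 in the report). The class name, the connect() helper and the list of group DNs (taken here to have been read from the user's memberOf attribute) are assumptions.

```java
// Added example, not WildFly code: a group-name lookup that tolerates
// PartialResultException when the JNDI context runs with REFERRAL=ignore.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class ReferralTolerantGroupLookup {   // hypothetical class name

    private static final Logger LOG = Logger.getLogger(ReferralTolerantGroupLookup.class.getName());

    /** Builds a DirContext with referrals ignored (the referrals=ignore realm setting). */
    static DirContext connect(String url, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        env.put(Context.REFERRAL, "ignore");   // the setting from the report
        return new InitialDirContext(env);
    }

    /**
     * Resolves the 'cn' of each group DN (assumed to come from the user's memberOf
     * attribute). A DN that sits behind a referral makes getAttributes() throw
     * PartialResultException under REFERRAL=ignore; that group is skipped and logged
     * rather than failing the caller. Any other NamingException still propagates.
     */
    static List<String> resolveGroupNames(DirContext ctx, List<String> groupDns) throws NamingException {
        List<String> names = new ArrayList<>();
        for (String dn : groupDns) {
            try {
                Attributes attrs = ctx.getAttributes(dn, new String[] { "cn" });
                Attribute cn = attrs.get("cn");
                if (cn != null) {
                    names.add((String) cn.get());
                }
            } catch (PartialResultException e) {
                // Expected with REFERRAL=ignore when dn lives on another server:
                // the entry is unreachable by configuration, so drop it, do not fail.
                LOG.log(Level.FINE, "Skipping group behind referral: " + dn, e);
            }
        }
        return names;
    }
}
```

With referrals=ignore this is fail-closed: a group whose entry lives behind a referral simply contributes no role, which is what that setting means. referrals=follow, the workaround in the report, makes the JNDI provider chase the referral to the other server instead, so the group is resolved but at the cost of an extra connection per referral.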
was:
Cloned from
https://bugzilla.redhat.com/show_bug.cgi?id=1418685
ldap role should ignore javax.naming.PartialResultException when referrals=ignore.
In this case, the customer has a role which is causing a referral. They have
referrals=ignore which causes a PartialResultException to be logged. This ends up causing
a 500 error.
{code}
15:10:04,355 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 7) Group found with distinguishedName=CN=AGENTS-REGISTERED-DS 7431,OU=Automated,OU=Groups,DC=AGENTS,DC=AMFAM,DC=NET
15:10:04,357 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 7) Failure supplementing Subject: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'AGENTS.AMFAM.NET'
\00]; remaining name 'CN=AGENTS-REGISTERED-DS 7431,OU=Automated,OU=Groups,DC=AGENTS,DC=AMFAM,DC=NET'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329) [rt.jar:1.8.0_66]
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235) [rt.jar:1.8.0_66]
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141) [rt.jar:1.8.0_66]
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129) [rt.jar:1.8.0_66]
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) [rt.jar:1.8.0_66]
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) [rt.jar:1.8.0_66]
at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:297) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:215) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroupEntries(LdapSubjectSupplementalService.java:218) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:195) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.loadGroups(LdapSubjectSupplementalService.java:188) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapSubjectSupplemental.supplementSubject(LdapSubjectSupplementalService.java:163) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.management.security.SecurityRealmService$1.createSubjectUserInfo(SecurityRealmService.java:223) [jboss-as-domain-management-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:120) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:85) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
at org.jboss.as.domain.http.server.XFrameHeaderFilter.doFilter(XFrameHeaderFilter.java:45) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:680)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_66]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_66]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_66]
at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
{code}
Setting referrals=follows worked around the issue in this case.
Steps to reproduce:
https://bugzilla.redhat.com/show_bug.cgi?id=1417272
ldap role should ignore javax.naming.PartialResultException when referrals=ignore
---------------------------------------------------------------------------------
Key: WFCORE-2341
URL:
https://issues.jboss.org/browse/WFCORE-2341
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Peter Palaga
Assignee: Peter Palaga
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)