[jboss-jira] [JBoss JIRA] Updated: (SECURITY-559) AdvancedLdapLoginModule: Service Principal is not constructed from java.naming.provider.url
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Thu Jan 27 06:21:03 EST 2011
[ https://issues.jboss.org/browse/SECURITY-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated SECURITY-559:
--------------------------------------
Priority: Major (was: Critical)
> AdvancedLdapLoginModule: Service Principal is not constructed from java.naming.provider.url
> -------------------------------------------------------------------------------------------
>
> Key: SECURITY-559
> URL: https://issues.jboss.org/browse/SECURITY-559
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Affects Versions: Negotiation_2.0.3.GA
> Environment: Windows Server 2008 R2 domain controller, Red Hat 5.5 Application Server (JBoss), Windows 7 Clients
> Reporter: John Ruiz
> Assignee: Darran Lofthouse
> Labels: activedirectory, ldap, serviceprincipal
>
> When using org.jboss.security.negotiation.AdvancedLdapLoginModule chained with SPNEGO/Kerberos against Active Directory, the service principal specified in the TGS-REQ is ldap/foo.com, even though java.naming.provider.url is set to LDAP://dc1.foo.com.
> Because of this, the /Secured test in the jboss-negotiation-toolkit will fail to bind to AD/LDAP because the KDC returns an error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
> The correct service principal name that the TGS-REQ should request is LDAP/dc1.foo.com because dc1.foo.com is what was provided in java.naming.provider.url.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list