[jboss-jira] [JBoss JIRA] (SECURITY-847) LdapExtLoginModule rolesSearch yields Decode Error

Juergen H (JIRA) issues at jboss.org
Tue Jun 24 09:01:31 EDT 2014


    [ https://issues.jboss.org/browse/SECURITY-847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12978898#comment-12978898 ] 

Juergen H commented on SECURITY-847:
------------------------------------

Ok, further investigation results:

The roles to be queried are dynamic groups.
One group has a large number of members (multiple 10k).

With jboss-4.2.3.GA SearchControls.setReturningAttributes == new String[0] it will be defaulted by java jndi to OID 1.1. "no attributes", not returning any of the group's attributes (except its CN ?)

With current wildfly-8.1 picketbox-4.0.21.Beta1.jar SearchControls.setReturningAttributes == null it will return ALL attributes of roles found, including the extremely large multi-value member attribute.

In its current version, there is no way to influence roles SearchControls via module properties, neither for LdapExtLoginModule nor for AdvancedLdapLoginModule.

My plan of attack is to subclass org.jboss.security.negotiation.AdvancedLdapLoginModule and manipulate its roleSearchControls.

I still think that SearchControls.setReturningAttributes should be set to new String[0] or new String[] { "1.1." } as it happened in 4.2.3.GA.



> LdapExtLoginModule rolesSearch yields Decode Error
> --------------------------------------------------
>
>                 Key: SECURITY-847
>                 URL: https://issues.jboss.org/browse/SECURITY-847
>             Project: PicketBox 
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_4_0_21.Beta1
>            Reporter: Juergen H
>            Assignee: Stefan Guilhen
>              Labels: ldap
>
> Migrating an application using LdapExtLoginModule from jboss-4.2.3.GA to wildfly-8.1
> Encountered a problem with ldap roles search:
> javax.naming.NamingException: [LDAP: error code 1 - Decode Error in response from BE (backend problem)]; remaining name 'ou=
> debugging and comparing result:
> jboss-4.2.3.GA LdapExtLoginModule does set javax.naming.directory.SearchControls.setReturningAttributes for role search:
> {code:title=jboss-4.2.3.GA LdapExtLoginModule}
>          SearchControls constraints = new SearchControls();
>          constraints.setSearchScope(searchScope);
>          constraints.setReturningAttributes(new String[0]);
>          constraints.setTimeLimit(searchTimeLimit);
>          rolesSearch(ctx, constraints, username, userDN, recursion, 0);
> {code}
> wildfly-8.1 picketbox-4.0.21.Beta1.jar LdapExtLoginModule does NOT set javax.naming.directory.SearchControls.setReturningAttributes for role search:
> {code:title=wildfly-8.1 LdapExtLoginModule}
>          // Query for roles matching the role filter
>          SearchControls constraints = new SearchControls();
>          constraints.setSearchScope(searchScope);
>          constraints.setTimeLimit(searchTimeLimit);
>          rolesSearch(ctx, constraints, username, userDN, recursion, 0);
> {code}
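As an added example (not code from the issue, PicketBox or WildFly), a role search that bounds the LDAP response the way the 4.2.3.GA module did: it requests only the one attribute it needs, or none at all (JNDI then sends the "1.1" no-attributes OID), so a group with tens of thousands of members never returns its member list. The context DN, filter, attribute name and connection settings are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class BoundedRoleSearch {

    /**
     * Build role-search controls that never request the full attribute set.
     * An empty array makes JNDI send the "1.1" no-attributes OID (the jboss-4.2.3.GA
     * behaviour); null (the wildfly-8.1 behaviour in the issue) returns every attribute
     * of each matching group, including a multi-valued member attribute of any size.
     */
    static SearchControls roleSearchControls(int scope, int timeLimitMs, String... wantedAttrs) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(scope);
        sc.setTimeLimit(timeLimitMs);
        // Never pass null here: an explicit (possibly empty) list bounds the response size.
        sc.setReturningAttributes(wantedAttrs == null ? new String[0] : wantedAttrs);
        return sc;
    }

    /**
     * Look up the roles of userDN, reading only the DN and the single role-name attribute.
     * roleFilter is a JNDI filter template, e.g. "(member={0})"; the user DN is passed as a
     * filter argument so JNDI escapes it rather than concatenating it into the filter.
     */
    static List<String> searchRoles(DirContext ctx, String rolesCtxDN, String roleFilter,
                                    String userDN, String roleNameAttr) throws NamingException {
        List<String> roles = new ArrayList<>();
        SearchControls sc = roleSearchControls(SearchControls.SUBTREE_SCOPE, 10_000, roleNameAttr);
        NamingEnumeration<SearchResult> results =
                ctx.search(rolesCtxDN, roleFilter, new Object[] { userDN }, sc);
        try {
            while (results.hasMore()) {
                SearchResult sr = results.next();
                Attribute a = sr.getAttributes().get(roleNameAttr);
                // With an empty attribute list only the entry DN is available; fall back to it.
                roles.add(a != null ? a.get().toString() : sr.getNameInNamespace());
            }
        } finally {
            results.close();
        }
        return roles;
    }
}
```

Called with an already bound DirContext, e.g. searchRoles(ctx, "ou=groups,dc=example,dc=test", "(member={0})", userDN, "cn"), the server decodes and returns one small attribute per group instead of the whole group entry.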



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)

