[jboss-jira] [JBoss JIRA] (SECURITY-847) LdapExtLoginModule rolesSearch yields Decode Error

Juergen H (JIRA) issues at jboss.org
Tue Jun 24 09:49:24 EDT 2014


    [ https://issues.jboss.org/browse/SECURITY-847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12978917#comment-12978917 ] 

Juergen H commented on SECURITY-847:
------------------------------------

My AdvancedLdapLoginModule workaround seems to work, for me at least:

{code}
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

import org.jboss.security.negotiation.AdvancedLdapLoginModule;

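// Workaround subclass: limits the attributes requested by the role search
// to the configured role attributes.
public class MyAdvancedLdapLoginModule extends AdvancedLdapLoginModule implements LoginModule
{
	@Override
	public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)
	{
		// Run the parent initialization first; the fields used below are read after it.
		super.initialize(subject, handler, sharedState, options);

		// Collect the configured role attribute names, skipping unset ones.
		// A Set avoids requesting the same attribute twice.
		Set<String> s = new HashSet<String>();
		if (roleAttributeID != null) {
			s.add(roleAttributeID);
		}
		if (roleNameAttributeID != null) {
			s.add(roleNameAttributeID);
		}
		// Request only these attributes in the role search.
		String[] attrs = s.toArray(new String[s.size()]);
		roleSearchControls.setReturningAttributes(attrs);
	}
}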
{code}


> LdapExtLoginModule rolesSearch yields Decode Error
> --------------------------------------------------
>
>                 Key: SECURITY-847
>                 URL: https://issues.jboss.org/browse/SECURITY-847
>             Project: PicketBox 
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_4_0_21.Beta1
>            Reporter: Juergen H
>            Assignee: Stefan Guilhen
>              Labels: ldap
>
> Migrating an application using LdapExtLoginModule from jboss-4.2.3.GA to wildfly-8.1,
> I encountered a problem with the LDAP roles search:
> javax.naming.NamingException: [LDAP: error code 1 - Decode Error in response from BE (backend problem)]; remaining name 'ou=
> Debugging and comparing the result:
> jboss-4.2.3.GA LdapExtLoginModule does set javax.naming.directory.SearchControls.setReturningAttributes for role search:
> {code:title=jboss-4.2.3.GA LdapExtLoginModule}
>          SearchControls constraints = new SearchControls();
>          constraints.setSearchScope(searchScope);
>          constraints.setReturningAttributes(new String[0]);
>          constraints.setTimeLimit(searchTimeLimit);
>          rolesSearch(ctx, constraints, username, userDN, recursion, 0);
> {code}
> wildfly-8.1 picketbox-4.0.21.Beta1.jar LdapExtLoginModule does NOT set javax.naming.directory.SearchControls.setReturningAttributes for role search:
> {code:title=wildfly-8.1 LdapExtLoginModule}
>          // Query for roles matching the role filter
>          SearchControls constraints = new SearchControls();
>          constraints.setSearchScope(searchScope);
>          constraints.setTimeLimit(searchTimeLimit);
>          rolesSearch(ctx, constraints, username, userDN, recursion, 0);
> {code}



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)

