[jboss-jira] [JBoss JIRA] (WFLY-5786) LdapExtLoginModule does not handle loops in referrals
Ondrej Lukas (JIRA)
issues at jboss.org
Fri Dec 4 04:25:01 EST 2015
[ https://issues.jboss.org/browse/WFLY-5786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated WFLY-5786:
-------------------------------
Steps to Reproduce:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add the following security domain to the configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1 http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin
{noformat}
-> java.lang.OutOfMemoryError on Wildfly server
was:
1) Start two LDAP servers which use attached server1.ldif and server2.ldif
2) Add the following security domain to the configuration:
{code:xml}
<security-domain name="ldapSecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="referralUserAttributeIDToCheck" value="member"/>
            <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="java.naming.referral" value="throw"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
        </login-module>
    </authentication>
</security-domain>
{code}
3) Deploy attached application app.war
4) Run periodically
{noformat}
curl -u jduke:Password1 http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin
{noformat}
-> java.lang.OutOfMemoryError on EAP server
> LdapExtLoginModule does not handle loops in referrals
> -----------------------------------------------------
>
> Key: WFLY-5786
> URL: https://issues.jboss.org/browse/WFLY-5786
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
> Attachments: app.war, server1.ldif, server2.ldif
>
>
> According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."
> When the EAP server is configured to use LdapExtLoginModule with referrals and the LDAP servers contain a loop, this leads to an infinite cycle. It can result in java.lang.OutOfMemoryError on the EAP server.
> We hit this issue during certification of 3rd party LDAP servers. This issue is not a regression to EAP 6.x.
> [1] http://tools.ietf.org/html/rfc4511#section-4.1.10
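The RFC requirement quoted above, modelled as an added example: it is not the code of LdapExtLoginModule or WildFly, and it simulates the two servers from the report with in-memory dictionaries (the second server URL ldap://localhost:10390 and the user alice are assumed values, since only server1's URL and jduke appear in the ticket). Every issued request is recorded as (server URL, base DN, filter); a referral that would re-issue one of them is the loop the RFC forbids and is reported instead of followed, and a hop limit bounds chains that never repeat an exact request.

```python
"""Referral chasing with loop detection, modelled on RFC 4511 section 4.1.10.
Added example; not the code of LdapExtLoginModule or of WildFly. The second
server URL ldap://localhost:10390 and the user alice are assumed values."""

from dataclasses import dataclass


class ReferralError(Exception):
    """Base class for referral-chasing failures."""


class ReferralLoopError(ReferralError):
    """The same server would be sent the same request a second time."""


class ReferralLimitError(ReferralError):
    """More referral hops than the configured limit."""


@dataclass(frozen=True)
class Referral:
    """What a server answers when the requested data lives elsewhere."""
    url: str       # server to continue on
    base_dn: str   # base DN to search there


ROLES_DN = "ou=Roles,dc=jboss,dc=org"
JDUKE_DN = "uid=jduke,ou=People,dc=jboss,dc=org"
ALICE_DN = "uid=alice,ou=People,dc=jboss,dc=org"   # constructed second user

# Constructed in-memory stand-ins for the two LDAP servers of the report.
# Each maps (base DN, filter) to either a list of entries or a Referral.
# The jduke role search bounces server1 -> server2 -> server1 (the loop);
# the alice role search goes server1 -> server2 and resolves normally.
DIRECTORIES = {
    "ldap://localhost:10389": {
        (ROLES_DN, f"(member={JDUKE_DN})"): Referral("ldap://localhost:10390", ROLES_DN),
        (ROLES_DN, f"(member={ALICE_DN})"): Referral("ldap://localhost:10390", ROLES_DN),
    },
    "ldap://localhost:10390": {
        (ROLES_DN, f"(member={JDUKE_DN})"): Referral("ldap://localhost:10389", ROLES_DN),
        (ROLES_DN, f"(member={ALICE_DN})"): [{"cn": "Admin"}, {"cn": "TheDuke"}],
    },
}


def search_following_referrals(directories, url, base_dn, search_filter, max_hops=10):
    """Search, following referrals, while remembering every request already
    issued as (server URL, base DN, filter). Re-issuing one of them is the
    loop RFC 4511 forbids, so stop instead of cycling; the hop limit bounds
    chains that never repeat an exact request but still do not terminate."""
    chain = []          # requests in the order they were issued
    seen = set()
    while True:
        request = (url, base_dn, search_filter)
        if request in seen:
            raise ReferralLoopError(
                f"referral loop: {request!r} already issued; chain={chain}")
        if len(chain) > max_hops:
            raise ReferralLimitError(
                f"more than {max_hops} referral hops; chain={chain}")
        seen.add(request)
        chain.append(request)
        server = directories.get(url)
        if server is None:
            raise ReferralError(f"referral to unknown server {url}")
        result = server.get((base_dn, search_filter), [])
        if isinstance(result, Referral):
            url, base_dn = result.url, result.base_dn   # continue where told
            continue
        return result


def role_names(directories, url, user_dn, max_hops=10):
    """Role names for a user, the way roleFilter=(member={1}) and
    roleAttributeID=cn in the ticket's configuration would derive them."""
    entries = search_following_referrals(
        directories, url, ROLES_DN, f"(member={user_dn})", max_hops)
    return sorted(entry["cn"] for entry in entries)


if __name__ == "__main__":
    print(role_names(DIRECTORIES, "ldap://localhost:10389", ALICE_DN))
    try:
        role_names(DIRECTORIES, "ldap://localhost:10389", JDUKE_DN)
    except ReferralLoopError as err:
        print("stopped:", err)
```

The key is the full request tuple rather than the server alone, because a referral to a different subtree on an already-visited server is legitimate and only an identical request repeats. A client without this bookkeeping (the situation the ticket describes) keeps alternating between the two servers until memory runs out.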
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)