[jboss-jira] [JBoss JIRA] (WFLY-5395) Search scope OBJECT_SCOPE does not work correctly for LdapExtLoginModule
Ondrej Lukas (JIRA)
issues at jboss.org
Wed Sep 23 10:40:00 EDT 2015
Ondrej Lukas created WFLY-5395:
----------------------------------
Summary: Search scope OBJECT_SCOPE does not work correctly for LdapExtLoginModule
Key: WFLY-5395
URL: https://issues.jboss.org/browse/WFLY-5395
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.
This problem is caused by searching attributes for a role DN which starts with a comma - e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
You can reproduce it with the following configuration:
Security domain:
{code:xml}
<security-domain name="ldap">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="searchScope" value="OBJECT_SCOPE"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=admin,ou=system"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="roleNameAttributeID" value="cn"/>
</login-module>
</authentication>
</security-domain>
{code}
LDIF for role:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org
{code}
It seems the method LdapExtLoginModule.canonicalize() causes this problem.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
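The following is an added illustration of the failure mode described in the report above; it is not code from the report, from WildFly or from the LdapExtLoginModule, and the real canonicalize() implementation is not shown on this page. It relies on documented JNDI behaviour: a search with SearchControls.OBJECT_SCOPE returns the base entry itself, and SearchResult.getName() for that hit is the empty string, so a join of the form name + "," + baseDN produces the leading-comma DN quoted in the report. The class name, the two method names and the constructed SearchResult inputs are assumptions made for the example; no LDAP server is contacted.

```java
import javax.naming.InvalidNameException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import java.net.URI;

/**
 * Shows why an OBJECT_SCOPE role search can yield a DN with a leading comma,
 * next to a DN-aware join that does not. Added illustration, hypothetical names;
 * not WildFly / LdapExtLoginModule code.
 */
public class RoleDnCanonicalizeDemo {

    // rolesCtxDN from the reported security-domain configuration
    static final String ROLES_CTX_DN = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org";

    /** Naive join: assumes the result name is always a non-empty relative RDN sequence. */
    static String naiveCanonicalize(String resultName, String baseDn) {
        return resultName + "," + baseDn;
    }

    /**
     * DN-aware join (hypothetical; not the module's own canonicalize()):
     *  - empty relative name (OBJECT_SCOPE hit on the base entry): the DN is the base DN itself
     *  - non-empty relative name (ONELEVEL/SUBTREE hit): prepend it to the base DN
     *  - non-relative name (JNDI hands back an absolute LDAP URL): take the DN from the URL path
     */
    static String canonicalize(SearchResult result, String baseDn) throws InvalidNameException {
        String name = result.getName();
        if (!result.isRelative()) {
            String path = URI.create(name).getPath();
            return new LdapName(path.startsWith("/") ? path.substring(1) : path).toString();
        }
        LdapName dn = new LdapName(baseDn);
        if (name != null && !name.isEmpty()) {
            // LdapName index 0 is the rightmost RDN, so addAll() appends the more specific components
            dn.addAll(new LdapName(name));
        }
        return dn.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs (no live directory): what JNDI hands back for each search scope.
        // OBJECT_SCOPE returns the base entry itself, with an empty relative name.
        SearchResult objectScopeHit =
                new SearchResult("", null, new BasicAttributes("cn", "JBossAdmin"));
        // ONELEVEL/SUBTREE under ou=Roles returns the entry's RDN relative to the search base.
        SearchResult subtreeHit =
                new SearchResult("cn=JBossAdmin", null, new BasicAttributes("cn", "JBossAdmin"));
        // A non-relative result carries an absolute LDAP URL instead of a relative name.
        SearchResult urlHit = new SearchResult(
                "ldap://localhost:10389/cn=JBossAdmin,ou=Roles,dc=jboss,dc=org",
                null, new BasicAttributes("cn", "JBossAdmin"), false);

        System.out.println("naive, OBJECT_SCOPE : " + naiveCanonicalize(objectScopeHit.getName(), ROLES_CTX_DN));
        System.out.println("fixed, OBJECT_SCOPE : " + canonicalize(objectScopeHit, ROLES_CTX_DN));
        System.out.println("fixed, SUBTREE      : " + canonicalize(subtreeHit, "ou=Roles,dc=jboss,dc=org"));
        System.out.println("fixed, non-relative : " + canonicalize(urlHit, ROLES_CTX_DN));
    }
}
```

The first line printed is the malformed ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org" form from the report; the DN-aware variant returns the base DN unchanged for the OBJECT_SCOPE hit, so the subsequent role lookup (roleAttributeIsDN=true with roleNameAttributeID=cn) is given a DN the directory can resolve. Going through LdapName rather than string concatenation also normalises spacing and escaping, which matters whenever a role DN is later compared or used as a search base.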