[jboss-jira] [JBoss JIRA] (WFLY-5396) Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule

Ondrej Lukas (JIRA) issues at jboss.org
Wed Sep 23 10:40:00 EDT 2015


Ondrej Lukas created WFLY-5396:
----------------------------------

             Summary: Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
                 Key: WFLY-5396
                 URL: https://issues.jboss.org/browse/WFLY-5396
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse


Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule

LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.

This problem is caused by searching attributes for a role DN which starts with a comma - e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".

You can reproduce it with the following configuration:

Security domain:
{code:xml}
<security-domain name="ldap">
    <authentication>
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="searchScope" value="OBJECT_SCOPE"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
        </login-module>
    </authentication>
</security-domain>
{code}

LDIF for role:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org
{code}

It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
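As an added illustration (not WildFly/PicketBox code), here is a small Python model of the DN join the report attributes to canonicalize(): with OBJECT_SCOPE the only possible search hit is the base entry, so its relative name is empty, and an unconditional comma prefix produces the ",cn=JBossAdmin,..." DN quoted above, while a join that skips empty parts does not. The join functions and the well-formedness check are assumptions for the demonstration, not the module's real implementation.

```python
# Added illustration, not WildFly/PicketBox code: models how joining an LDAP
# search result's relative name with rolesCtxDN goes wrong under OBJECT_SCOPE,
# where the result is the base entry itself and its relative name is ''.

# Values taken from the report's configuration and LDIF.
ROLES_CTX_DN = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"


def relative_name(result_dn: str, base_dn: str) -> str:
    """Name of a search result relative to the search base (JNDI style).
    With OBJECT_SCOPE the only possible hit is the base entry, so this is ''.
    Backslash-escaped commas inside RDN values are not handled here."""
    if result_dn == base_dn:
        return ""
    suffix = "," + base_dn
    if not result_dn.endswith(suffix):
        raise ValueError(f"{result_dn!r} is not under {base_dn!r}")
    return result_dn[: -len(suffix)]


def canonicalize_naive(rel_name: str, roles_ctx_dn: str) -> str:
    """Hypothetical join that unconditionally prefixes rolesCtxDN with a comma.
    An empty relative name yields ',cn=JBossAdmin,...' as quoted in the report."""
    return rel_name + ("," + roles_ctx_dn if roles_ctx_dn else "")


def canonicalize_fixed(rel_name: str, roles_ctx_dn: str) -> str:
    """Join only the non-empty parts, so the OBJECT_SCOPE case yields rolesCtxDN."""
    return ",".join(part for part in (rel_name, roles_ctx_dn) if part)


def is_well_formed_dn(dn: str) -> bool:
    """Cheap check: every comma-separated RDN must be a non-empty 'attr=value'."""
    return bool(dn) and all(
        "=" in rdn and rdn.split("=", 1)[0].strip() for rdn in dn.split(",")
    )


def role_dn_for(result_dn: str, roles_ctx_dn: str, join) -> str:
    """Resolve the role DN the way the login module would, using the given join."""
    return join(relative_name(result_dn, roles_ctx_dn), roles_ctx_dn)


if __name__ == "__main__":
    # OBJECT_SCOPE: the role search returns the base entry (rolesCtxDN) itself.
    for join in (canonicalize_naive, canonicalize_fixed):
        dn = role_dn_for(ROLES_CTX_DN, ROLES_CTX_DN, join)
        print(f"{join.__name__}: {dn!r} well-formed={is_well_formed_dn(dn)}")
    # With a wider scope and rolesCtxDN=ou=Roles,... both joins agree.
    print(role_dn_for(ROLES_CTX_DN, "ou=Roles,dc=jboss,dc=org", canonicalize_naive))
```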