[jboss-jira] [JBoss JIRA] (WFLY-6532) AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure

Ondrej Lukas (JIRA) issues at jboss.org
Tue Apr 19 02:02:00 EDT 2016


Ondrej Lukas created WFLY-6532:
----------------------------------

             Summary: AdvancedLdapLoginModule with rolesCtxDN="" can lead to authentication failure
                 Key: WFLY-6532
                 URL: https://issues.jboss.org/browse/WFLY-6532
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse


When AdvancedLdapLoginModule is correctly configured for authentication and its attribute rolesCtxDN="" is set, authentication can fail. This happens whenever the role search finds any role in LDAP. It is caused by the {{canonicalize}} method, which for an empty rolesCtxDN returns a string ending with a comma, and such a string is an invalid name for an LDAP search.

The correct behavior is that authentication passes and the found roles are assigned to the user.

When no role is found, authentication succeeds, which is the correct behavior.

Thrown exception:
{code}
javax.naming.InvalidNameException: cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,: [LDAP: error code 34 - Invalid root Dn given : cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org, (0x63 0x6E 0x3D 0x45 0x63 0x68 0x6F 0x2C 0x6F 0x75 0x3D 0x52 0x6F 0x6C 0x65 0x73 0x32 0x2C 0x6F 0x3D 0x41 0x64 0x76 0x61 0x6E 0x63 0x65 0x64 0x4C 0x64 0x61 0x70 0x4C 0x4D 0x45 0x6D 0x70 0x74 0x79 0x52 0x6F 0x6C 0x65 0x73 0x43 0x74 0x78 0x44 0x6E 0x4F 0x70 0x74 0x69 0x6F 0x6E 0x54 0x65 0x73 0x74 0x43 0x61 0x73 0x65 0x65 0x37 0x62 0x36 0x62 0x32 0x39 0x64 0x2C 0x6F 0x3D 0x70 0x72 0x69 0x6D 0x61 0x72 0x79 0x2C 0x64 0x63 0x3D 0x6A 0x62 0x6F 0x73 0x73 0x2C 0x64 0x63 0x3D 0x6F 0x72 0x67 0x2C ) is invalid]; remaining name 'cn=Echo,ou=Roles2,o=AdvancedLdapLMEmptyRolesCtxDnOptionTestCasee7b6b29d,o=primary,dc=jboss,dc=org,'
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3074)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
    com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
    javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
    javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.obtainRole(AdvancedLdapLoginModule.java:801)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.rolesSearch(AdvancedLdapLoginModule.java:737)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:403)
    org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
    org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
{code}
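To make the failure mode concrete, here is an added Java illustration (not code from the WildFly or JBoss Negotiation projects). The {{canonicalizeBuggy}} method is a hypothetical reconstruction of the join the report describes, suffixing the relative role name with {{","}} plus rolesCtxDN unconditionally; {{canonicalizeFixed}} shows the defensive variant that skips the join when the context DN is empty. The method names, the sample role entry and the context DNs are constructed for the example; the JDK's {{LdapName}} parser is used as a local syntax check standing in for the server's "error code 34" response.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class RoleDnCanonicalizeDemo {

    // Hypothetical reconstruction of the faulty join: the role name returned by
    // the role search is always suffixed with "," + rolesCtxDN. When rolesCtxDN
    // is "" the search already ran against the root, so the returned name is
    // complete and the join produces a DN with a trailing comma (an empty RDN).
    static String canonicalizeBuggy(String searchResult, String rolesCtxDN) {
        return searchResult + "," + rolesCtxDN;
    }

    // Defensive variant: append the context DN only when there is one to append.
    static String canonicalizeFixed(String searchResult, String rolesCtxDN) {
        if (rolesCtxDN == null || rolesCtxDN.trim().isEmpty()) {
            return searchResult;
        }
        return searchResult + "," + rolesCtxDN;
    }

    // Client-side syntax check with the JDK's RFC 2253 parser. A trailing comma
    // is rejected here the same way the directory rejects it (invalid DN syntax).
    static boolean isSyntacticallyValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: a role entry relative to the roles context,
        // checked once with a real context DN and once with rolesCtxDN="".
        String roleEntry = "cn=Echo,ou=Roles2";
        String[] contexts = { "o=primary,dc=jboss,dc=org", "" };

        for (String ctx : contexts) {
            String buggy = canonicalizeBuggy(roleEntry, ctx);
            String fixed = canonicalizeFixed(roleEntry, ctx);
            System.out.printf("rolesCtxDN=\"%s\"%n", ctx);
            System.out.printf("  buggy: %-45s valid=%b%n", buggy, isSyntacticallyValidDn(buggy));
            System.out.printf("  fixed: %-45s valid=%b%n", fixed, isSyntacticallyValidDn(fixed));
        }
    }
}
```

Running the class with a JDK shows the buggy join yielding {{cn=Echo,ou=Roles2,}} for the empty context, which the parser rejects, while the fixed join leaves the name untouched. The same check is a cheap regression test for any login module that assembles DNs from configurable fragments: validate the assembled name locally before it is sent to the directory, so a configuration edge case surfaces as a clear error instead of a failed login.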



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)