[jboss-jira] [JBoss JIRA] (WFLY-6534) LdapExtLoginModule authentication fails when some part of DN is part of LDAP URL

Ondrej Lukas (JIRA) issues at jboss.org
Tue Apr 19 02:08:00 EDT 2016


Ondrej Lukas created WFLY-6534:
----------------------------------

             Summary: LdapExtLoginModule authentication fails when some part of DN is part of LDAP URL
                 Key: WFLY-6534
                 URL: https://issues.jboss.org/browse/WFLY-6534
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse


When part of the DN is placed in the LDAP URL instead of baseCtxDN, authentication fails in LdapExtLoginModule (see [1] for details about this URL format). Authentication is performed by binding with the user DN and password, but in this case the user DN does not include the DN part from the LDAP URL, which leads to the failure.

Thrown exception:
{code}
javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jduke,ou=People
    com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
    org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
    javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
    org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
    javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    javax.naming.InitialContext.init(InitialContext.java:244)
    javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:836)
    org.jboss.security.auth.spi.LdapExtLoginModule.bindDNAuthentication(LdapExtLoginModule.java:565)
    org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:465)
    org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:343)
    org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
{code}

[1] https://tools.ietf.org/html/rfc2255



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
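The failure described above, reproduced as an added example (not code from WildFly or PicketBox): an RFC 2255 LDAP URL may carry a DN after the host, and a bind DN assembled only from the user RDN and baseCtxDN omits it, so the server rejects the bind with result code 49. The provider URL `ldap://localhost:10389/dc=jboss,dc=org`, the baseCtxDN `ou=People` and the password are constructed values; the directory is a stand-in dictionary, not a real LDAP server.

```python
from urllib.parse import urlsplit, unquote


def ldap_url_dn(url: str) -> str:
    """Return the DN carried in an RFC 2255 LDAP URL, or "" if it has none.

    RFC 2255 form: ldap://host:port/dn?attributes?scope?filter?extensions
    The DN is the URL path (percent-decoded); everything after '?' is ignored.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    return unquote(parts.path.lstrip("/"))


def join_dn(*components: str) -> str:
    """Join non-empty DN components, most specific first."""
    return ",".join(c for c in components if c)


def bind_dn(user_rdn: str, base_ctx_dn: str, provider_url: str,
            *, append_url_dn: bool) -> str:
    """Build the DN used for the bind.

    append_url_dn=False mirrors the reported behaviour (URL DN dropped);
    append_url_dn=True appends the URL's DN so the bind DN is complete.
    """
    url_dn = ldap_url_dn(provider_url) if append_url_dn else ""
    return join_dn(user_rdn, base_ctx_dn, url_dn)


# Constructed stand-in for the directory: full entry DN -> password.
DIRECTORY = {"uid=jduke,ou=People,dc=jboss,dc=org": "theduke"}


def simulate_bind(dn: str, password: str) -> int:
    """Mimic a simple bind: 0 = success, 49 = invalidCredentials.

    A real server returns 49 for an unknown DN as well as for a wrong
    password, which is exactly what the reported stack trace shows.
    """
    return 0 if DIRECTORY.get(dn) == password else 49


if __name__ == "__main__":
    url = "ldap://localhost:10389/dc=jboss,dc=org"  # constructed
    for append in (False, True):
        dn = bind_dn("uid=jduke", "ou=People", url, append_url_dn=append)
        print(f"{dn:45} -> result code {simulate_bind(dn, 'theduke')}")
```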

