[jboss-jira] [JBoss JIRA] (WFCORE-1313) User with Slash char in LDAP name cannot log in through security-realm
Hynek Švábek (JIRA)
issues at jboss.org
Wed Jan 20 05:14:00 EST 2016
[ https://issues.jboss.org/browse/WFCORE-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hynek Švábek updated WFCORE-1313:
---------------------------------
Steps to Reproduce:
1. Start an LDAP server which uses the attached users.ldif
2. Add these to the EAP configuration file:
* Security realm - "ldap-realm"
* Outbound connection - ldap - "ldap-connection"
{code}
<management>
    ....
    <security-realms>
        ....
        <security-realm name="ldap-realm">
            <authentication>
                <ldap connection="ldap-connection" base-dn="ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org">
                    <advanced-filter filter="(uid={0})"/>
                </ldap>
            </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="ldap-connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
    </outbound-connections>
    ....
</management>
{code}
Change the ManagementRealm in <management-interfaces>
{code}
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
{code}
to our ldap-realm
{code}
<http-interface security-realm="ldap-realm" http-upgrade-enabled="true">
{code}
3. Try to log in to the management console at localhost:9990
* jduke with Password1 -> OK
* Slash/Char with Password1 -> NOK (but it should be OK)
* Back\Slash with Password1 -> NOK (but it should be OK)
was:
1. Start an LDAP server which uses the attached users.ldif
2. Add these to the EAP configuration file:
* Security realm - "ldap-realm"
* Outbound connection - ldap - "ldap-connection"
{code}
<management>
    ....
    <security-realms>
        ....
        <security-realm name="ldap-realm">
            <authentication>
                <ldap connection="ldap-connection" base-dn="ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org">
                    <advanced-filter filter="(uid={0})"/>
                </ldap>
            </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="ldap-connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
    </outbound-connections>
    ....
</management>
{code}
Change the ManagementRealm in <management-interfaces>
{code}
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
{code}
to our ldap-realm
{code}
<http-interface security-realm="ldap-realm" http-upgrade-enabled="true">
{code}
3. Try to log in to the management console at localhost:9990
* jduke with Password1 -> OK
* Slash/Char with Password1 -> NOK (but it should be OK)
> User with Slash char in LDAP name cannot log in through security-realm
> ----------------------------------------------------------------------
>
> Key: WFCORE-1313
> URL: https://issues.jboss.org/browse/WFCORE-1313
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Attachments: users.ldif
>
>
> According to the LDAP specification [1], a DN can contain the slash character without escaping, etc.
> I am not able to log in to the management console with the username "Slash/Char". But I should be able to log in there.
> I can see this in Wireshark:
> {code}
> LDAPMessage bindRequest(1) ""uid=Slash/Char",ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org" simple
> LDAPMessage bindResponse(1) invalidDNSyntax (Incorrect DN given : "uid=Slash/Char",ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org (0x22 0x75 0x69 0x64 0x3D 0x53 0x6C 0x61 0x73 0x68 0x2F 0x43 0x68 0x61 0x72 0x2
> {code}
> You can see the quotation marks around *uid=Slash/Char* there.
> In my opinion the problem could be somewhere around this:
> {code}
> javax.naming.NameImpl.stringifyComp(String comp)
> {code}
> [1] https://tools.ietf.org/html/rfc2253#section-3
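As an added illustration (not code from the report or from WildFly Core), the Java below compares two ways of assembling the bind DN from a user's RDN and the base DN of the steps above: stringifying the RDN as a JNDI CompositeName, whose toString() runs through javax.naming.NameImpl.stringifyComp and wraps any component containing the composite-name separator '/' in double quotes, versus building the DN with javax.naming.ldap.LdapName and Rdn, which escape attribute values per RFC 2253 instead of quoting whole components. How WildFly actually joins the RDN to the base DN is not shown on this page, so the concatenation in compositeNameDn is an assumption.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class BindDnComposition {

    // Base DN taken from the ldap-realm configuration in the report.
    static final String BASE_DN =
        "ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org";

    // Assumed broken path: the user's RDN is carried as one CompositeName
    // component and then joined to the base DN with ','. CompositeName treats
    // '/' as its separator, so "uid=Slash/Char" is emitted in double quotes,
    // which is exactly the invalid DN seen in the bindRequest. A '\' in the
    // value passes through unescaped, which is also not valid DN syntax.
    static String compositeNameDn(String userRdn) throws InvalidNameException {
        CompositeName name = new CompositeName();
        name.add(userRdn);                       // single component, never parsed as LDAP
        return name.toString() + "," + BASE_DN;  // "uid=Slash/Char",ou=People,...
    }

    // LDAP-aware path: Rdn escapes the value per RFC 2253 ('/' needs nothing,
    // '\' becomes "\\") and LdapName appends it as the leftmost, most specific
    // RDN of the parsed base DN.
    static String ldapNameDn(String uid) throws InvalidNameException {
        LdapName dn = new LdapName(BASE_DN);
        dn.add(new Rdn("uid", uid));
        return dn.toString();                    // uid=Slash/Char,ou=People,...
    }

    public static void main(String[] args) throws InvalidNameException {
        // The three test users from the steps to reproduce.
        for (String user : new String[] {"jduke", "Slash/Char", "Back\\Slash"}) {
            System.out.println("composite: " + compositeNameDn("uid=" + user));
            System.out.println("ldapname : " + ldapNameDn(user));
        }
    }
}
```

For jduke both paths yield the same DN; for the other two users only the LdapName form is accepted by an RFC 2253 parser.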
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)