[jboss-jira] [JBoss JIRA] (SECURITY-943) AdvancedLdapLoginModule authentication fails when some part of DN is part of LDAP URL

Bartosz Spyrko-Śmietanko (JIRA) issues at jboss.org
Thu Jun 9 10:19:00 EDT 2016


    [ https://issues.jboss.org/browse/SECURITY-943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250333#comment-13250333 ] 

Bartosz Spyrko-Śmietanko commented on SECURITY-943:
---------------------------------------------------

[~dlofthouse] if you haven't already started working on this one, do you mind if I take it over?

> AdvancedLdapLoginModule authentication fails when some part of DN is part of LDAP URL
> -------------------------------------------------------------------------------------
>
>                 Key: SECURITY-943
>                 URL: https://issues.jboss.org/browse/SECURITY-943
>             Project: PicketBox 
>          Issue Type: Bug
>          Components: Negotiation
>    Affects Versions: Negotiation_3_0_2_Final
>            Reporter: Ondrej Lukas
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_3_0_3_CR1
>
>
> When part of the DN is placed in the LDAP URL instead of in baseCtxDN, authentication fails in AdvancedLdapLoginModule (see [1] for details about this URL format). Authentication is performed by binding with the user DN and password, but in this case the user DN does not include the DN part from the LDAP URL, which leads to the failure.
> Thrown exception:
> {code}
> javax.naming.AuthenticationException: LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=jduke,ou=People
>     com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
>     com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
>     com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
>     com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
>     com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>     com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>     com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>     com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>     com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>     org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
>     org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
>     javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>     org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
>     org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
>     javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>     javax.naming.InitialContext.init(InitialContext.java:244)
>     javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>     org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:486)
>     org.jboss.security.negotiation.AdvancedLdapLoginModule.authenticate(AdvancedLdapLoginModule.java:669)
>     org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:397)
>     org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:967)
>     org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:326)
>     sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     ...
> {code}
> [1] https://tools.ietf.org/html/rfc2255



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
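An added illustration of the failure described in the issue above; it is not PicketBox or JBoss Negotiation code. An RFC 2255 URL may carry a base DN after the host part (`ldap://host:port/dn?attrs?scope?filter`), and a bind that uses only the relative user DN found by the search is rejected with result code 49, while a DN completed with the URL's DN is accepted. The hostname, the directory contents and the "append the URL's DN" behaviour are constructed assumptions, not the actual fix shipped in Negotiation_3_0_3_CR1.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split an RFC 2255 URL (ldap://host:port/dn?attrs?scope?filter?exts)
    into (host:port, dn). The DN is percent-decoded and may be empty."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host_port, _, tail = rest.partition("/")
    # The DN runs from the first '/' to the first '?' (or to the end of the URL).
    return host_port, unquote(tail.split("?", 1)[0]).strip()

def normalize_dn(dn):
    """Crude DN normalisation for comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def bind_dn(user_dn, url, include_url_dn):
    """DN handed to the bind. include_url_dn=False reproduces the failing
    behaviour in SECURITY-943 (the URL's DN is dropped); True appends it,
    unless the search already returned a DN that ends with it (assumed fix)."""
    _, base_dn = parse_ldap_url(url)
    if not include_url_dn or not base_dn:
        return user_dn
    if normalize_dn(user_dn).endswith("," + normalize_dn(base_dn)):
        return user_dn
    return "%s,%s" % (user_dn, base_dn)

# Constructed stand-in for the directory: the only entry that can bind.
DIRECTORY = {normalize_dn("uid=jduke,ou=People,dc=jboss,dc=org"): "theduke"}

def simulated_bind(dn, password):
    """True on success; False stands for LDAP result code 49 (invalidCredentials)."""
    return DIRECTORY.get(normalize_dn(dn)) == password

URL = "ldap://localhost:10389/dc=jboss,dc=org"   # constructed; base DN sits in the URL
USER_DN = "uid=jduke,ou=People"                   # relative DN as returned by the search

if __name__ == "__main__":
    for with_base in (False, True):
        dn = bind_dn(USER_DN, URL, with_base)
        outcome = "ok" if simulated_bind(dn, "theduke") else "error code 49"
        print("bind as %-40s -> %s" % (dn, outcome))
```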


