[jboss-jira] [JBoss JIRA] (SECURITY-956) New behavior for empty string in rolesCtxDN in LdapExtLoginModule in EAP 7.1
Ondrej Lukas (JIRA)
issues at jboss.org
Wed Sep 7 07:19:01 EDT 2016
Ondrej Lukas created SECURITY-956:
-------------------------------------
Summary: New behavior for empty string in rolesCtxDN in LdapExtLoginModule in EAP 7.1
Key: SECURITY-956
URL: https://issues.jboss.org/browse/SECURITY-956
Project: PicketBox
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Stefan Guilhen
When LdapExtLoginModule has the option rolesCtxDN set to an empty string, it behaves differently in EAP 7.0 (PicketBox 4.9.x) and 7.1 (PicketBox 5.0.x).
EAP 7.0 uses the empty string as the LDAP search base.
* If the LDAP server supports an empty search base (e.g. Apache DS allows it), it works as expected: the whole LDAP tree is searched for roles.
* If the LDAP server does not support an empty search base (e.g. Active Directory or Red Hat Directory Server), it throws an exception and authentication fails. However, the exception is expected, since it is a misconfiguration for those LDAP servers.
EAP 7.1 does not search for any roles when the string is empty. That means:
* If the LDAP server supports an empty search base, it does not find any roles, even though some roles could be found on that type of LDAP server.
* If the LDAP server does not support an empty search base, it correctly returns no roles and authentication passes.
From my PoV, the behavior of EAP 7.0 is more correct, because it works correctly for LDAP servers where an empty string is a legal search base. However, it may be decided that the current EAP 7.1 behavior is intended. In that case please create a Release Notes Jira (because it is a change in behavior) and close this Jira.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
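Added configuration example (not part of the JIRA report above, and not code from the PicketBox project): an EAP 7 security-domain definition for LdapExtLoginModule that sets rolesCtxDN to an explicit base DN, which is the form that works on every LDAP server regardless of whether it accepts an empty search base. The host name, bind DN, credential and tree layout (dc=example,dc=com, ou=People, ou=Roles) are assumed placeholders. The single option that the report is about is marked in a comment; setting it to "" is only meaningful on servers such as Apache DS that allow a subtree search rooted at the empty DN.

```xml
<!-- Added example, not from the JIRA report. Host, DNs and credential are assumed. -->
<subsystem xmlns="urn:jboss:domain:security:2.0">
  <security-domains>
    <security-domain name="ldap-roles" cache-type="default">
      <authentication>
        <!-- "LdapExtended" is the subsystem alias for
             org.jboss.security.auth.spi.LdapExtLoginModule -->
        <login-module code="LdapExtended" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="ldap://ldap.example.com:389"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="bindDN" value="cn=manager,dc=example,dc=com"/>
          <module-option name="bindCredential" value="changeit"/>
          <!-- where the user entry is looked up; {0} is the login name -->
          <module-option name="baseCtxDN" value="ou=People,dc=example,dc=com"/>
          <module-option name="baseFilter" value="(uid={0})"/>
          <!-- rolesCtxDN is the option discussed in SECURITY-956.
               An explicit base DN works on Apache DS, Active Directory and
               Red Hat Directory Server alike. value="" searches from the
               empty DN, which EAP 7.0 passes to the server (whole-tree search
               where the server allows it, exception where it does not) and
               which EAP 7.1 treats as "do not search for roles". -->
          <module-option name="rolesCtxDN" value="ou=Roles,dc=example,dc=com"/>
          <!-- {1} is the DN of the authenticated user -->
          <module-option name="roleFilter" value="(member={1})"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="roleAttributeIsDN" value="false"/>
          <module-option name="searchScope" value="SUBTREE_SCOPE"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
```

To find out which of the two cases in the report applies to a given server before relying on an empty rolesCtxDN, run a subtree search rooted at the empty DN with the same bind identity the login module uses, for example `ldapsearch -x -H ldap://ldap.example.com -D "cn=manager,dc=example,dc=com" -W -b "" -s sub "(member=*)" cn` (host and bind DN are the assumed values from the example). Apache DS returns the matching entries; Active Directory and Red Hat Directory Server reject the request, which is the error EAP 7.0 surfaces as an authentication failure.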