[jboss-jira] [JBoss JIRA] (WFLY-5396) Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule

Darran Lofthouse (Jira) issues at jboss.org
Tue Dec 18 08:41:05 EST 2018


     [ https://issues.jboss.org/browse/WFLY-5396?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved WFLY-5396.
------------------------------------
    Release Notes Text: Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
              Assignee: Darran Lofthouse
            Resolution: Won't Fix


> Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
> -----------------------------------------------------------------------------
>
>                 Key: WFLY-5396
>                 URL: https://issues.jboss.org/browse/WFLY-5396
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.0.CR1
>            Reporter: Ondrej Lukas
>            Assignee: Darran Lofthouse
>            Priority: Major
>
> Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
> LDAP authentication fails (HTTP 401 returned) when login module option searchScope=OBJECT_SCOPE is used.
> This problem is caused by searching attributes for role DN which starts with comma - e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
> You can reproduce it with the following configuration:
> Security domain:
> {code:xml}
> <security-domain name="ldap">
>     <authentication>
>         <login-module code="AdvancedLdap" flag="required">
>             <module-option name="bindDN" value="uid=admin,ou=system"/>
>             <module-option name="bindCredential" value="secret"/>
>             <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
>             <module-option name="searchScope" value="OBJECT_SCOPE"/>
>             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>             <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
>             <module-option name="throwValidateError" value="true"/>
>             <module-option name="baseFilter" value="(uid={0})"/>
>             <module-option name="roleFilter" value="(member={1})"/>
>             <module-option name="roleAttributeID" value="cn"/>
>             <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
>             <module-option name="java.naming.security.authentication" value="simple"/>
>         </login-module>
>     </authentication>
> </security-domain>
> {code}
> LDIF for role:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> dn: uid=jduke,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
>
> dn: ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: organizationalUnit
> ou: Roles
>
> dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: groupOfNames
> cn: JBossAdmin
> member: uid=jduke,ou=People,dc=jboss,dc=org
> {code}
> It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
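The DN composition the report blames on canonicalize(), shown as an added Java example that is a hypothetical reconstruction and not PicketBox's own code. With searchScope=OBJECT_SCOPE the directory returns the base object itself, so the SearchResult's relative name is the empty string; the naive form below reproduces the leading comma from the report, the LdapName form does not.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Hypothetical reconstruction of role-DN canonicalisation; not PicketBox code. */
public class RoleDnCanonicalizer {

    /**
     * Naive string concatenation of the search result's relative name and the
     * search base. For OBJECT_SCOPE the relative name is "", so the result
     * starts with a comma, as described in the report.
     */
    static String naiveCanonicalize(String relativeName, String baseDn) {
        return relativeName + "," + baseDn;
    }

    /**
     * Composes the DN through LdapName. addAll appends the more-specific RDNs
     * of the relative name; for an empty relative name it appends nothing, so
     * the base DN itself is returned.
     */
    static String canonicalize(String relativeName, String baseDn) throws InvalidNameException {
        LdapName dn = new LdapName(baseDn);
        dn.addAll(new LdapName(relativeName));
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Base and role DNs taken from the configuration in the report.
        String rolesCtxDn = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org";

        // OBJECT_SCOPE: relative name is empty.
        System.out.println("naive:   " + naiveCanonicalize("", rolesCtxDn));
        System.out.println("LdapName: " + canonicalize("", rolesCtxDn));

        // SUBTREE_SCOPE-style result: a non-empty relative name under a wider base.
        System.out.println("LdapName: " + canonicalize("cn=JBossAdmin", "ou=Roles,dc=jboss,dc=org"));
    }
}
```

Run the class with no arguments; the first line shows the comma-prefixed DN from the report, the remaining lines show a well-formed DN for both scopes.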



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

