[jboss-jira] [JBoss JIRA] (WFLY-11385) Referrals roles assignment for referral user does not work for AdvancedLdapLoginModule with Active Directory

Tomas Hofman (Jira) issues at jboss.org
Tue Nov 20 10:24:00 EST 2018


     [ https://issues.jboss.org/browse/WFLY-11385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomas Hofman moved JBEAP-15888 to WFLY-11385:
---------------------------------------------

              Project: WildFly  (was: JBoss Enterprise Application Platform)
                  Key: WFLY-11385  (was: JBEAP-15888)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s:     (was: 7.0.0.ER4)
        Fix Version/s:     (was: 7.2.1.GA)


> Referrals roles assignment for referral user does not work for AdvancedLdapLoginModule with Active Directory
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-11385
>                 URL: https://issues.jboss.org/browse/WFLY-11385
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Tomas Hofman
>            Assignee: Jiri Ondrusek
>            Priority: Minor
>
> Consider two MS Active Directory domains with configured crossRef to each other. EAP is using AdvancedLdapLoginModule for MS AD with referrals, and rolesCtxDN is set to the referral DN where user accounts are stored; also EAP is configured for searching roles based on users' entries (mapping users to roles).
> If referral users (from EAP point of view - hostname is configured for the original LDAP and the user is obtained as a referral user - from the second of the domains) authenticate, then they are not assigned roles from the AD attribute given by the 'roleAttributeID' option.
> Example:
> I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef. 
> Part of ldif for Domain A:
> {code}
> ...
> dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> objectClass: groupOfNames
> objectClass: top
> cn: TheDuke
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
> ...
> {code}
> Part of ldif for Domain B:
> {code}
> ...
> dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> objectclass: top
> objectclass: person
> objectClass: inetOrgPerson
> cn: jduke
> sn: Duke
> description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
> description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> userPassword: Password1
> dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
> objectClass: groupOfNames
> objectClass: top
> cn: Admin
> businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
> member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
> ...
> {code}
> EAP AdvancedLdapLoginModule is configured:
> {code:xml}
>                 <security-domain name="AdvancedLdapReferrals">
>                     <authentication>
>                         <login-module code="AdvancedLdap" flag="required">
>                             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>                             <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
>                             <module-option name="bindDN" value="BIND_DN"/>
>                             <module-option name="bindCredential" value="PASSWORD"/>
>                             <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
>                             <module-option name="roleAttributeIsDN" value="true"/>
>                             <module-option name="roleFilter" value="(CN={0})"/>
>                             <module-option name="roleAttributeID" value="description"/>
>                             <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
>                             <module-option name="java.naming.security.authentication" value="simple"/>
>                             <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
>                             <module-option name="java.naming.referral" value="follow"/>
>                             <module-option name="throwValidateError" value="true"/>
>                             <module-option name="baseFilter" value="(CN={0})"/>
>                             <module-option name="roleNameAttributeID" value="CN"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
> {code}
> Then when jduke tries to authenticate to the application, roles TheDuke and Admin should be assigned to him.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
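For reference, here is a small stand-alone model of the role resolution the module options in the report describe, so the expected outcome (jduke gets TheDuke and Admin) can be checked without two AD domains. This is an added illustration, not code from the issue and not PicketBox's AdvancedLdapLoginModule; it reads the LDIF quoted in the report (userPassword, objectClass: top and member lines dropped), treats each roleAttributeID value on the user as a role DN, takes the role name from roleNameAttributeID, and, for a role held in a different domain than the one behind java.naming.provider.url, accepts it only if the role's referralUserAttributeIDToCheck attribute lists the user DN. The homeNamingContext value standing in for Domain A, and the extra Auditor role whose businessCategory does not list jduke, are assumptions constructed for the example.

```python
"""Simplified model of the role resolution described by the module options in the
report. Added illustration only; this is not PicketBox's AdvancedLdapLoginModule."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed LDIF: the Domain A / Domain B entries quoted in the issue (userPassword,
# objectClass: top and member omitted), plus an "Auditor" role constructed here whose
# businessCategory does NOT list jduke, so the referral membership check rejects it.
LDIF = """
dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
objectClass: groupOfNames
cn: TheDuke
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2

dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
objectClass: inetOrgPerson
cn: jduke
description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
description: CN=Auditor,OU=Roles,O=eapqe,DC=jboss,DC=test2

dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
objectClass: groupOfNames
cn: Admin
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2

dn: CN=Auditor,OU=Roles,O=eapqe,DC=jboss,DC=test2
objectClass: groupOfNames
cn: Auditor
businessCategory: CN=someoneElse,OU=People,O=eapqe,DC=jboss,DC=test2
"""

# Module options copied from the issue's security-domain. homeNamingContext is an
# assumption standing in for the naming context behind java.naming.provider.url (Domain A).
OPTIONS = {
    "baseCtxDN": "OU=People,O=eapqe,DC=jboss,DC=test2",
    "roleAttributeID": "description",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "CN",
    "referralUserAttributeIDToCheck": "businessCategory",
    "homeNamingContext": "DC=jboss,DC=test",
}


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Blank-line-separated entries keyed by lower-cased DN; attribute names are
    lower-cased because LDAP treats them case-insensitively."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        attr, sep, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None and sep:
            current.setdefault(attr, []).append(value)
    return entries


def naming_context(dn: str) -> Tuple[str, ...]:
    """DC components of a DN: they identify which AD domain holds the entry."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return tuple(p for p in parts if p.startswith("dc="))


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def find_user(entries: Dict[str, Entry], username: str) -> Optional[Tuple[str, Entry]]:
    """baseFilter (CN={0}) under baseCtxDN, modelled as an equality match on cn."""
    for dn, entry in entries.items():
        if in_subtree(dn, OPTIONS["baseCtxDN"]) and username.lower() in map(str.lower, entry.get("cn", [])):
            return dn, entry
    return None


def resolve_roles(entries: Dict[str, Entry], username: str) -> List[str]:
    """Each roleAttributeID value on the user is a role DN (roleAttributeIsDN=true);
    the role's roleNameAttributeID gives the name. A role held in another domain (a
    referral) counts only if its referralUserAttributeIDToCheck lists the user DN."""
    found = find_user(entries, username)
    if found is None:
        raise LookupError(f"user {username!r} not found under {OPTIONS['baseCtxDN']}")
    user_dn, user = found
    home = naming_context(OPTIONS["homeNamingContext"])
    check_attr = OPTIONS["referralUserAttributeIDToCheck"].lower()
    roles: List[str] = []
    for role_dn in user.get(OPTIONS["roleAttributeID"].lower(), []):
        role = entries.get(role_dn.lower())
        if role is None:
            continue  # dangling DN: no role, but no failure either
        if naming_context(role_dn) != home and user_dn not in map(str.lower, role.get(check_attr, [])):
            continue  # referral role that does not list this user
        roles.extend(role.get(OPTIONS["roleNameAttributeID"].lower(), []))
    return sorted(roles)
```

Calling resolve_roles(parse_ldif(LDIF), "jduke") returns ['Admin', 'TheDuke'], which is the assignment the report expects; the constructed Auditor role is dropped because its businessCategory does not name jduke's DN, which is the gate the referralUserAttributeIDToCheck option exists to apply to roles that live on the other side of a referral.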

