[jboss-jira] [JBoss JIRA] (ELY-1634) LDAPS referrals broken

Darran Lofthouse (Jira) issues at jboss.org
Mon May 20 11:17:00 EDT 2019


    [ https://issues.jboss.org/browse/ELY-1634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13735598#comment-13735598 ] 

Darran Lofthouse commented on ELY-1634:
---------------------------------------

No test was included in the PR, I don't recall anything else being added.

> LDAPS referrals broken
> ----------------------
>
>                 Key: ELY-1634
>                 URL: https://issues.jboss.org/browse/ELY-1634
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Philippe Marschall
>            Assignee: Darran Lofthouse
>            Priority: Major
>             Fix For: 1.7.0.CR1
>
>
> We are having trouble getting LDAPS referrals working with an Elytron LDAP realm. The issue is the following stack trace.
> {code}
> javax.security.sasl.SaslException: ELY05012: Authentication mechanism server-side authentication failed [Caused by org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [redacted] and absolute DN [null]]
>         at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:121)
>         at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
>         at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
>         at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
>         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
>         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
>         at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
>         at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
>         at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>         at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [redacted] and absolute DN [null]
>         at org.wildfly.security.auth.realm.ldap.DirectEvidenceVerifier$1.verifyEvidence(DirectEvidenceVerifier.java:104)
>         at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:609)
>         at org.wildfly.security.auth.realm.AggregateSecurityRealm$Identity.verifyEvidence(AggregateSecurityRealm.java:155)
>         at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
>         at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
>         at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
>         at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
>         at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
>         at org.wildfly.security.sasl.util.SSLQueryCallbackHandler.handle(SSLQueryCallbackHandler.java:60)
>         at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
>         at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:117)
>         ... 12 more
> Caused by: javax.naming.CommunicationException: ldap.acme.com:636 [Root exception is java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 5.0.0.Final from local module loader @7586beff (finder: local module finder @3b69e7d1 (roots: redacted))]]
>         at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
>         at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
>         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
>         at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2699)
>         at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2673)
>         at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2669)
>         at org.wildfly.security.auth.realm.ldap.DelegatingLdapContext.reconnect(DelegatingLdapContext.java:181)
>         at org.wildfly.security.auth.realm.ldap.DirectEvidenceVerifier$1.verifyEvidence(DirectEvidenceVerifier.java:97)
>         ... 22 more
> Caused by: java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 5.0.0.Final from local module loader @7586beff (finder: local module finder @3b69e7d1 (roots: redacted))]
>         at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
>         at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
>         at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
>         at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:348)
>         at com.sun.jndi.ldap.VersionHelper12.loadClass(VersionHelper12.java:72)
>         at com.sun.jndi.ldap.Connection.createSocket(Connection.java:281)
>         at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
>         ... 30 more
> {code}
> As you can see, the Sun/Oracle LDAP classes try to load the class {{org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory}} using the TCCL, which is the {{org.wildfly.extension.io}} module loader. This will not work as ThreadLocalSSLSocketFactory is in the module {{org.wildfly.security.elytron-private}}.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
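The quoted stack trace shows the JNDI LDAP provider (com.sun.jndi.ldap.VersionHelper12.loadClass) resolving the configured socket factory by name through the thread context class loader (TCCL), and failing because the caller's TCCL is a module loader that cannot see the class. The following is an added example, not code from the Elytron project or from this issue: it reproduces the failure mode with a class loader that deliberately cannot see application classes, and shows the usual mitigation, which is to switch the TCCL to the loader that owns the socket factory class for the duration of the JNDI call and restore it afterwards. `CustomSocketFactoryShim`, `resolveViaTccl`, `withTccl` and `connectLdaps` are names chosen for this example; the shim is only a marker class standing in for a real `SSLSocketFactory`.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Hashtable;
import java.util.concurrent.Callable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Demonstrates the TCCL-based class lookup behind the ClassNotFoundException and its mitigation. */
public class TcclSocketFactoryDemo {

    /** Hypothetical stand-in for a custom socket factory class; a real one would extend SSLSocketFactory. */
    public static class CustomSocketFactoryShim {
    }

    /** Mirrors what the JNDI LDAP provider does: resolve the factory class by name via the current TCCL. */
    static Class<?> resolveViaTccl(String className) throws ClassNotFoundException {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        return Class.forName(className, true, tccl);
    }

    /** Runs an action with the TCCL switched to the given loader, always restoring the previous loader. */
    static <T> T withTccl(ClassLoader loader, Callable<T> action) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return action.call();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    /**
     * How a realm can open an LDAPS connection so that the provider finds the factory class:
     * the TCCL is set to the factory class's own loader while the provider connects.
     * Not called from main because it needs a reachable LDAPS server.
     */
    static LdapContext connectLdaps(String url, Class<?> socketFactory) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", socketFactory.getName());
        return withTccl(socketFactory.getClassLoader(), () -> new InitialLdapContext(env, null));
    }

    public static void main(String[] args) throws Exception {
        String name = CustomSocketFactoryShim.class.getName();

        // A loader whose only parent is the bootstrap loader cannot see application classes.
        // This models a module loader (like org.wildfly.extension.io) that has no dependency
        // on the module containing the socket factory.
        ClassLoader foreign = new URLClassLoader(new URL[0], null);

        try {
            withTccl(foreign, () -> resolveViaTccl(name));
            System.out.println("unexpected: class resolved through the foreign loader");
        } catch (ClassNotFoundException e) {
            System.out.println("1) failing case, as in the reported trace: " + e);
        }

        // Mitigation: make the owning loader the TCCL for the duration of the lookup.
        Class<?> resolved = withTccl(CustomSocketFactoryShim.class.getClassLoader(),
                () -> resolveViaTccl(name));
        System.out.println("2) resolved with TCCL switched to the owning loader: " + resolved.getName());
    }
}
```

The reported trace fails inside `LdapCtx.reconnect`, reached from `DelegatingLdapContext.reconnect` while verifying evidence, not only at the initial connect. Any TCCL switch therefore has to cover every later operation that can make the provider open a new connection (referral following, reconnects), which is why wrapping just the `InitialLdapContext` construction is not sufficient on its own.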